How block sending ip
Hi,
I received abuse email that my server is sending attack on specfic ip.
Here are the details
------------------------------------ I would like to report hacking attempts against my webserver. Attacker IP address: 65.21.207.57 Attacker Source Port: 56986 My Server IP: 173.255.242.227
Please tell me how can i blcok or prevent my server that does not attack any other server ip
II have csf firewall on my Centos OS 7 with whm.
-
Hey, Abu Hassan
It seems your server had DDoS attacks hence you received an abuse mail.As you are using WHM and CSF firewall then refer to the below steps to prevent the DDOS attack
To check server is under a DDoS attack:
You can run the below commands to check whether the server is under attack or not.To show the number of connections and IP address,
netstat -alpn | grep :80 | awk '{print $4}' |awk -F: '{print $(NF-1)}' |sort | uniq -c | sort -n
If the server has more IP addresses configured in it, then the above result will help you to find which server IP is under attack.For example, if the result is huge such as 1000, then you can suppose that the server is under a DDoS attack
Tweaking the CSF settings:
1) Open the CSF config file.vi /etc/csf/csf.conf
2) Restricting the number of simultaneous connections from a single IP would be quite effective in managing DDOS attacks. So reduce the value of CT_Limit to a reasonable range. Here I am changing it to 50
CT_LIMIT=50
It means that the maximum number of connections from an IP is 50. However the value is not an arbitrary one, you should change the value in accordance with your settings.
3) Change the connection tracking interval CT_INTERVAL
CT_INTERVEAL=30
Here, the connection tracking value is set to 30 seconds which is recommendable. If you decrease the interval to some lower value, then there will be a chance to generate false positives and will block legit connections.
4) To enable protection for a particular port, you can specify them in the configuration variable ‘CT_PORTS’. For eg. In the majority of the cases, DDOS will be targeted to the web server and DNS server. So the port numbers to be specified in such instances for a default installation are 80 and 53.
In the below example, I am tweaking the protection for the web server both for normal and SSL connections
CT_PORTS=80,443
5) By default, SYNFLOOD (SYNFLOOD = “0”) is disabled in CSF. If the server is under SYNFLOOD attack, you make it enable temporarily as below.
SYNFLOOD = “1"
SYNFLOOD_RATE = “30/s”
SYNFLOOD_BURST = “30"If 30 connections are received from an IP/sec 30 times, then it will block the concerned IP. You can adjust the SYNFLOOD_BURST rate depending on your server.
6. You can set a limit for the number of connections to a particular port by altering the value “CONLIMIT”.
CONNLIMIT = 80;20,443;15
The above value will limit only 20 connections to port 80 and 15 connections to port 443 from a single IP
7 ) Now the modifications are complete. To make them effective, we need to restart the CSF service with the new configuration parameters.
/etc/init.d/csf restart
or
csf -rI hope the above measure will help you to prevent the server from DDoS.
0 -
MilesWeb - that information would be for DDoS attacks *against* the user, not outbound traffic.
Abu Hasaan - you should work with your hosting provider to check the network traffic on your machine for any outbound traffic to that specific IP address.
0
Please sign in to leave a comment.
Comments
2 comments