Sponsor:

Server and Web Integrator
Link:
Kloxo-MR logo
6.5.0 or 7.0.0
Click for "How to install"
Donation/Sponsorship:
Kloxo-MR is open-source.
Donate and or Sponsorship always welcome.
Click to:
Click Here
Please login or register. 2017-05-28, 02:47:25

Author Topic: How to prevent too many connections from one IP address  (Read 274 times)

0 Members and 1 Guest are viewing this topic.

Offline idove

  • Junior Member
  • *
  • Posts: 41
  • Karma: +0/-0
    • View Profile
In cases when one IP address take too much connections to my apache, apache "freeze" stop working.
Then I restart httpd, and immediately check server-status, before foreign address occupies server again.

Here you can see "attacker" with IP address 113.20.118.237 which took 16 connections (in only 6 seconds) on apache to domain1.com.

What is easiest way to prevent this? I'm thinking of writing script which analyse this server-status every one minute and add problematic IP to firewall.
But sometimes, apache/server is so much occupied that server can't open 127.0.0.1/server-status at all :).

Can I somehow prevent/analyse with netstat/ss? Thank you.

Code: [Select]
Apache Server Status for server.com

Server Version: Apache/2.2.22 (Unix) DAV/2 PHP/5.2.17 mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5
Server Built: Feb 1 2012 18:59:25
Current Time: Thursday, 30-Mar-2017 16:55:44 CEST
Restart Time: Thursday, 30-Mar-2017 16:55:38 CEST
Parent Server Generation: 2
Server uptime: 6 seconds
Total accesses: 90 - Total Traffic: 3.2 MB
CPU Usage: u4.08 s.42 cu0 cs0 - 75% CPU load
15 requests/sec - 0.5 MB/second - 36.1 kB/request
60 requests currently being processed, 4 idle workers
WWWWWWKWWWWWWWRWWWWWWWWWWWWWWWWKWWWW_WWWWRWWKWWWRWWWWW_WWW_RWWR_
Scoreboard Key:
"_" Waiting for Connection, "S" Starting up, "R" Reading Request,
"W" Sending Reply, "K" Keepalive (read), "D" DNS Lookup,
"C" Closing connection, "L" Logging, "G" Gracefully finishing,
"I" Idle cleanup of worker, "." Open slot with no current process

Srv PID Acc M CPU SS Req Conn Child Slot Client VHost Request
0-2 1849 0/4/4 W 0.03 5 0 0.0 0.01 0.01 113.20.118.237 domain1.com GET /index.php?action=downloadfile&filename=minecraft_server.1.
1-2 1850 0/2/2 W 0.38 5 0 0.0 0.01 0.01 113.20.118.237 domain1.com GET /index.php?action=downloadfile&filename=minecraft_server.1.
2-2 1851 0/7/7 W 0.10 3 0 0.0 1.00 1.00 180.76.15.5 domain3.com GET /cropped-kira_baner_new2-jpg/ HTTP/1.1
3-2 1852 0/1/1 W 0.38 5 0 0.0 0.00 0.00 5.9.112.6 domain2.com GET /voornaam/gerhard/h/ HTTP/1.1
4-2 1853 0/0/0 W 0.00 6 0 0.0 0.00 0.00 5.9.145.132 domain2.com GET /voornaam/yvonne/e/ HTTP/1.1
5-2 1864 0/4/4 W 0.02 4 0 0.0 1.00 1.00 136.243.17.161 domain2.com GET /voornaam/linda/h/ HTTP/1.1
6-2 1876 1/7/7 K 0.03 2 106 0.0 1.00 1.00 66.249.89.13 domain4.com GET /nome/corradino/a/ HTTP/1.1
7-2 1877 0/0/0 W 0.00 4 0 0.0 0.00 0.00 113.20.118.237 domain1.com GET /index.php?action=downloadfile&filename=minecraft_server.1.
8-2 1883 0/1/1 W 0.00 2 0 0.0 0.00 0.00 113.20.118.237 domain1.com GET /index.php?action=downloadfile&filename=minecraft_server.1.
9-2 1884 0/3/3 W 0.00 3 0 0.0 0.00 0.00 113.20.118.237 domain1.com GET /index.php?action=downloadfile&filename=minecraft_server.1.
10-2 1885 0/1/1 W 0.30 2 0 0.0 0.00 0.00 113.20.118.237 domain1.com GET /index.php?action=downloadfile&filename=minecraft_server.1.
11-2 1886 0/3/3 W 0.33 2 0 0.0 0.01 0.01 176.76.242.209 domain8.com GET /simona-kukovec/ HTTP/1.1
12-2 1896 0/0/0 W 0.00 2 0 0.0 0.00 0.00 88.99.27.172 domain4.com GET /silvana-petitto/ HTTP/1.1
13-2 1897 0/2/2 W 0.01 1 0 0.0 0.00 0.00 88.99.27.172 domain2.com GET /voornaam/jeltje/k/ HTTP/1.1
14-2 1898 0/2/2 R 0.00 1 0 0.0 0.00 0.00 ? ? ..reading..
15-2 1899 0/2/2 W 0.42 1 0 0.0 0.00 0.00 88.99.27.172 domain4.com GET /cognome/letizia/a/ HTTP/1.1
16-2 1900 0/4/4 W 0.47 1 0 0.0 0.01 0.01 113.20.118.237 domain1.com GET /index.php?action=downloadfile&filename=minecraft_server.1.
17-2 1901 0/5/5 W 0.59 1 0 0.0 0.00 0.00 113.20.118.237 domain1.com GET /index.php?action=downloadfile&filename=minecraft_server.1.
18-2 1903 0/2/2 W 0.27 0 0 0.0 0.00 0.00 113.20.118.237 domain1.com GET /index.php?action=downloadfile&filename=minecraft_server.1.
19-2 1905 0/5/5 W 0.58 0 0 0.0 0.00 0.00 77.81.243.112 domain3.com POST /wp-cron.php?doing_wp_cron=1490885588.22876405715942382812
20-2 1925 0/4/4 W 0.02 0 0 0.0 0.00 0.00 51.255.65.93 domain5.com GET /name/liane/ HTTP/1.1
21-2 1926 0/1/1 W 0.00 0 0 0.0 0.00 0.00 163.172.65.198 domanin10.com GET /dogadjaji/poziv-na-predbozicnu-vecer/ HTTP/1.1
22-2 1927 0/1/1 W 0.00 1 0 0.0 0.00 0.00 113.20.118.237 domain1.com GET /index.php?action=downloadfile&filename=minecraft_server.1.
23-2 1928 0/1/1 W 0.01 0 0 0.0 0.01 0.01 5.9.145.132 domain2.com GET /voornaam/laurens/a/ HTTP/1.1
24-2 1929 0/0/0 W 0.00 1 0 0.0 0.00 0.00 88.99.27.172 domain2.com GET /voornaam/arnoud/k/ HTTP/1.1
25-2 1930 0/3/3 W 0.00 0 0 0.0 0.00 0.00 77.81.243.112 domain6.net POST /wp-cron.php?doing_wp_cron=1490885588.00175690650939941406
26-2 1931 0/6/6 W 0.04 0 0 0.0 0.00 0.00 113.20.118.237 domain1.com GET /index.php?action=downloadfile&filename=minecraft_server.1.
27-2 1932 0/4/4 W 0.39 0 0 0.0 0.00 0.00 157.55.39.204 domain2.com GET /voornaam/wolter/z/ HTTP/1.1
28-2 1933 0/2/2 W 0.00 0 0 0.0 0.01 0.01 113.20.118.237 domain1.com GET /index.php?action=downloadfile&filename=minecraft_server.1.
29-2 1934 0/2/2 W 0.00 1 0 0.0 0.12 0.12 88.99.27.172 domain4.com GET /nome/rosalia/n/ HTTP/1.1
30-2 1935 0/1/1 W 0.00 0 0 0.0 0.00 0.00 113.20.118.237 domain1.com GET /index.php?action=downloadfile&filename=minecraft_server.1.
31-2 1936 1/5/5 K 0.03 0 149 0.0 0.01 0.01 141.8.142.71 domain4.com GET /cognome/giangrande/q/ HTTP/1.1
32-2 1937 1/2/2 W 0.09 0 0 0.0 0.00 0.00 78.134.247.128 webmail.domain6.net GET /roundcube/?_task=mail HTTP/1.1
33-2 1938 0/1/1 W 0.00 0 0 0.0 0.00 0.00 88.99.27.172 domain2.com GET /voornaam/hendrika/s/ HTTP/1.1
34-2 1939 0/1/1 W 0.01 0 0 0.0 0.00 0.00 141.8.142.71 domain3.com GET /category/uncategorized/ HTTP/1.1
35-2 1940 0/0/0 W 0.00 1 0 0.0 0.00 0.00 141.8.142.71 domain3.com GET /category/uncategorized/ HTTP/1.1
37-2 1979 0/0/0 W 0.00 0 0 0.0 0.00 0.00 163.172.66.30 domain7.com GET /prezime/ancic/c/ HTTP/1.1
38-2 1980 0/0/0 W 0.00 0 0 0.0 0.00 0.00 77.81.243.112 domain6.net POST /wp-cron.php?doing_wp_cron=1490885739.24519109725952148437
39-2 1981 0/0/0 W 0.00 0 0 0.0 0.00 0.00 62.198.21.158 domain1.com GET /downloadfile.php?filename=minecraft_server.1.8.0.jar&direc
40-2 1982 0/0/0 W 0.00 0 0 0.0 0.00 0.00 105.107.81.111 domain1.com GET /downloadfile.php?filename=minecraft_server.1.7.10.jar&dire
41-2 1983 0/0/0 R 0.00 0 0 0.0 0.00 0.00 ? ? ..reading..
42-2 1984 0/0/0 W 0.00 0 0 0.0 0.00 0.00 143.176.41.68 domain2.com GET /jaap-buit/ HTTP/1.1
43-2 1985 0/0/0 W 0.00 0 0 0.0 0.00 0.00 136.243.17.161 domain2.com GET /voornaam/edith/h/ HTTP/1.1
44-2 1986 1/1/1 K 0.00 0 15 0.3 0.00 0.00 207.46.13.141 domain4.com GET /marisa-barretto HTTP/1.1
45-2 1987 0/0/0 W 0.00 0 0 0.0 0.00 0.00 113.20.118.237 domain1.com GET /index.php?action=downloadfile&filename=minecraft_server.1.
46-2 1988 0/0/0 W 0.00 0 0 0.0 0.00 0.00 113.20.118.237 domain1.com GET /index.php?action=downloadfile&filename=minecraft_server.1.
47-2 1989 0/0/0 W 0.00 0 0 0.0 0.00 0.00 51.255.65.40 domain5.com GET /familienname/drawer/p/ HTTP/1.1
48-2 1990 0/0/0 R 0.00 0 0 0.0 0.00 0.00 ? ? ..reading..
49-2 1991 0/0/0 W 0.00 0 0 0.0 0.00 0.00 207.46.13.170 domain8.com GET /ime/ales/%C3%83%C6%92%C3%86%E2%80%99%C3%83%E2%80%A0%C3%A2%
50-2 1992 0/0/0 W 0.00 0 0 0.0 0.00 0.00 51.255.65.4 domain9.com GET /lazine-com/ HTTP/1.1
51-2 1993 0/0/0 W 0.00 0 0 0.0 0.00 0.00 77.81.243.112 domain3.com POST /wp-cron.php?doing_wp_cron=1490885741.50980401039123535156
52-2 1994 0/0/0 W 0.00 0 0 0.0 0.00 0.00 113.20.118.237 domain1.com GET /index.php?action=downloadfile&filename=minecraft_server.1.
53-2 1995 0/0/0 W 0.00 0 0 0.0 0.00 0.00 93.142.18.211 server.com GET /server-status HTTP/1.1
55-2 1997 0/0/0 W 0.00 0 0 0.0 0.00 0.00 136.243.17.161 domain2.com GET /voornaam/edith/h/ HTTP/1.1
56-2 1998 0/0/0 W 0.00 0 0 0.0 0.00 0.00 93.142.18.211 server.com GET /server-status HTTP/1.1
57-2 1999 0/0/0 W 0.00 0 0 0.0 0.00 0.00 5.9.106.81 domain2.com GET /voornaam/luuk/v/ HTTP/1.1
59-2 2001 0/0/0 R 0.00 0 0 0.0 0.00 0.00 ? ? ..reading..
60-2 2002 0/0/0 W 0.00 0 0 0.0 0.00 0.00 78.46.156.169 domain4.com GET /cognome/filippi/a/ HTTP/1.1
61-2 2003 0/0/0 W 0.00 0 0 0.0 0.00 0.00 66.249.64.33 domain9.com GET /wp-content/uploads/2015/02/121.jpg HTTP/1.1
62-2 2006 1/1/1 K 0.00 0 1 0.3 0.00 0.00 157.55.39.206 domain2.com GET /ina-nijssen HTTP/1.1
Srv Child Server number - generation
PID OS process ID
Acc Number of accesses this connection / this child / this slot
M Mode of operation
CPU CPU usage, number of seconds
SS Seconds since beginning of most recent request
Req Milliseconds required to process most recent request
Conn Kilobytes transferred this connection
Child Megabytes transferred this child
Slot Total megabytes transferred this slot
SSL/TLS Session Cache Status:
cache type: SHMCB, shared memory: 512000 bytes, current sessions: 0
subcaches: 32, indexes per subcache: 133
index usage: 0%, cache usage: 0%
total sessions stored since starting: 0
total sessions expired since starting: 0
total (pre-expiry) sessions scrolled out of the cache: 0
total retrieves since starting: 0 hit, 0 miss
total removes since starting: 0 hit, 0 miss
Apache/2.2.22 (CentOS) Server at server.com Port 80

Online MRatWork

  • Administrator
  • The Elite
  • *****
  • Posts: 14,490
  • Karma: +105/-8
  • Gender: Male
    • View Profile
    • MRatWork Forum
Re: How to prevent too many connections from one IP address
« Reply #1 on: 2017-03-30, 17:35:14 »
Add this IP in 'Blocked IP Address' (for Kloxo-MR 7.0).
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --

Offline fossxplorer

  • Master
  • **
  • Posts: 602
  • Karma: +0/-0
    • View Profile
Re: How to prevent too many connections from one IP address
« Reply #2 on: 2017-03-30, 17:44:37 »
In addition to what Mustafa mentions, you should really be running CSF or similar firewall to keep the unwanted off your Kloxo-MR server. IMO, it's really a must security wise when the server is exposing so many ports to the public web!

Also, Nginx and Hiawatha have built-in support for connection limiting and other very nice security features.
Hiawatha is known for it!
Kloxo-MR!

Online MRatWork

  • Administrator
  • The Elite
  • *****
  • Posts: 14,490
  • Karma: +105/-8
  • Gender: Male
    • View Profile
    • MRatWork Forum
Re: How to prevent too many connections from one IP address
« Reply #3 on: 2017-03-30, 18:02:25 »
Yes, for more secure using nginx-proxy or hiawatha-proxy instead pure apache.
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --

Offline idove

  • Junior Member
  • *
  • Posts: 41
  • Karma: +0/-0
    • View Profile
Re: How to prevent too many connections from one IP address
« Reply #4 on: 2017-03-30, 18:21:02 »
I'm used to apache, how much different is nginx or hiawatha?
How much work is to change from apache to hiawatha on live server with 20-30 domains? (wordpress, drupal, custom scripts, portals, forums)

Thank you for CSF tip, I wiil try it ;).
« Last Edit: 2017-03-30, 18:28:07 by idove »

 


Top 10 Social Networking:    Facebook    Twitter    LinkedIn    Pinterest    Google Plus    Tumblr    Instagram    VK    Flickr    Vine
Click Here

Page created in 0.052 seconds with 18 queries.

web stats analysis