MRatWork Forum by Mustafa Ramadhan

Sawo Project - Kloxo-MR Discussions => Kloxo-MR Tips and Tricks => Topic started by: idove on 2017-03-30, 17:11:12

Title: How to prevent too many connections from one IP address
Post by: idove on 2017-03-30, 17:11:12
In cases when one IP address takes too many connections to my apache, apache "freezes" and stops working.
Then I restart httpd, and immediately check server-status, before the foreign address occupies the server again.

Here you can see "attacker" with IP address 113.20.118.237 which took 16 connections (in only 6 seconds) on apache to domain1.com.

What is the easiest way to prevent this? I'm thinking of writing a script which analyses this server-status every minute and adds the problematic IP to the firewall.
But sometimes, apache/server is so occupied that the server can't open 127.0.0.1/server-status at all :).

Can I somehow prevent/analyse with netstat/ss? Thank you.

Code:
Apache Server Status for server.com

Server Version: Apache/2.2.22 (Unix) DAV/2 PHP/5.2.17 mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5
Server Built: Feb 1 2012 18:59:25
Current Time: Thursday, 30-Mar-2017 16:55:44 CEST
Restart Time: Thursday, 30-Mar-2017 16:55:38 CEST
Parent Server Generation: 2
Server uptime: 6 seconds
Total accesses: 90 - Total Traffic: 3.2 MB
CPU Usage: u4.08 s.42 cu0 cs0 - 75% CPU load
15 requests/sec - 0.5 MB/second - 36.1 kB/request
60 requests currently being processed, 4 idle workers
WWWWWWKWWWWWWWRWWWWWWWWWWWWWWWWKWWWW_WWWWRWWKWWWRWWWWW_WWW_RWWR_
Scoreboard Key:
"_" Waiting for Connection, "S" Starting up, "R" Reading Request,
"W" Sending Reply, "K" Keepalive (read), "D" DNS Lookup,
"C" Closing connection, "L" Logging, "G" Gracefully finishing,
"I" Idle cleanup of worker, "." Open slot with no current process

Srv PID Acc M CPU SS Req Conn Child Slot Client VHost Request
0-2 1849 0/4/4 W 0.03 5 0 0.0 0.01 0.01 113.20.118.237 domain1.com GET /index.php?action=downloadfile&filename=minecraft_server.1.
1-2 1850 0/2/2 W 0.38 5 0 0.0 0.01 0.01 113.20.118.237 domain1.com GET /index.php?action=downloadfile&filename=minecraft_server.1.
2-2 1851 0/7/7 W 0.10 3 0 0.0 1.00 1.00 180.76.15.5 domain3.com GET /cropped-kira_baner_new2-jpg/ HTTP/1.1
3-2 1852 0/1/1 W 0.38 5 0 0.0 0.00 0.00 5.9.112.6 domain2.com GET /voornaam/gerhard/h/ HTTP/1.1
4-2 1853 0/0/0 W 0.00 6 0 0.0 0.00 0.00 5.9.145.132 domain2.com GET /voornaam/yvonne/e/ HTTP/1.1
5-2 1864 0/4/4 W 0.02 4 0 0.0 1.00 1.00 136.243.17.161 domain2.com GET /voornaam/linda/h/ HTTP/1.1
6-2 1876 1/7/7 K 0.03 2 106 0.0 1.00 1.00 66.249.89.13 domain4.com GET /nome/corradino/a/ HTTP/1.1
7-2 1877 0/0/0 W 0.00 4 0 0.0 0.00 0.00 113.20.118.237 domain1.com GET /index.php?action=downloadfile&filename=minecraft_server.1.
8-2 1883 0/1/1 W 0.00 2 0 0.0 0.00 0.00 113.20.118.237 domain1.com GET /index.php?action=downloadfile&filename=minecraft_server.1.
9-2 1884 0/3/3 W 0.00 3 0 0.0 0.00 0.00 113.20.118.237 domain1.com GET /index.php?action=downloadfile&filename=minecraft_server.1.
10-2 1885 0/1/1 W 0.30 2 0 0.0 0.00 0.00 113.20.118.237 domain1.com GET /index.php?action=downloadfile&filename=minecraft_server.1.
11-2 1886 0/3/3 W 0.33 2 0 0.0 0.01 0.01 176.76.242.209 domain8.com GET /simona-kukovec/ HTTP/1.1
12-2 1896 0/0/0 W 0.00 2 0 0.0 0.00 0.00 88.99.27.172 domain4.com GET /silvana-petitto/ HTTP/1.1
13-2 1897 0/2/2 W 0.01 1 0 0.0 0.00 0.00 88.99.27.172 domain2.com GET /voornaam/jeltje/k/ HTTP/1.1
14-2 1898 0/2/2 R 0.00 1 0 0.0 0.00 0.00 ? ? ..reading..
15-2 1899 0/2/2 W 0.42 1 0 0.0 0.00 0.00 88.99.27.172 domain4.com GET /cognome/letizia/a/ HTTP/1.1
16-2 1900 0/4/4 W 0.47 1 0 0.0 0.01 0.01 113.20.118.237 domain1.com GET /index.php?action=downloadfile&filename=minecraft_server.1.
17-2 1901 0/5/5 W 0.59 1 0 0.0 0.00 0.00 113.20.118.237 domain1.com GET /index.php?action=downloadfile&filename=minecraft_server.1.
18-2 1903 0/2/2 W 0.27 0 0 0.0 0.00 0.00 113.20.118.237 domain1.com GET /index.php?action=downloadfile&filename=minecraft_server.1.
19-2 1905 0/5/5 W 0.58 0 0 0.0 0.00 0.00 77.81.243.112 domain3.com POST /wp-cron.php?doing_wp_cron=1490885588.22876405715942382812
20-2 1925 0/4/4 W 0.02 0 0 0.0 0.00 0.00 51.255.65.93 domain5.com GET /name/liane/ HTTP/1.1
21-2 1926 0/1/1 W 0.00 0 0 0.0 0.00 0.00 163.172.65.198 domanin10.com GET /dogadjaji/poziv-na-predbozicnu-vecer/ HTTP/1.1
22-2 1927 0/1/1 W 0.00 1 0 0.0 0.00 0.00 113.20.118.237 domain1.com GET /index.php?action=downloadfile&filename=minecraft_server.1.
23-2 1928 0/1/1 W 0.01 0 0 0.0 0.01 0.01 5.9.145.132 domain2.com GET /voornaam/laurens/a/ HTTP/1.1
24-2 1929 0/0/0 W 0.00 1 0 0.0 0.00 0.00 88.99.27.172 domain2.com GET /voornaam/arnoud/k/ HTTP/1.1
25-2 1930 0/3/3 W 0.00 0 0 0.0 0.00 0.00 77.81.243.112 domain6.net POST /wp-cron.php?doing_wp_cron=1490885588.00175690650939941406
26-2 1931 0/6/6 W 0.04 0 0 0.0 0.00 0.00 113.20.118.237 domain1.com GET /index.php?action=downloadfile&filename=minecraft_server.1.
27-2 1932 0/4/4 W 0.39 0 0 0.0 0.00 0.00 157.55.39.204 domain2.com GET /voornaam/wolter/z/ HTTP/1.1
28-2 1933 0/2/2 W 0.00 0 0 0.0 0.01 0.01 113.20.118.237 domain1.com GET /index.php?action=downloadfile&filename=minecraft_server.1.
29-2 1934 0/2/2 W 0.00 1 0 0.0 0.12 0.12 88.99.27.172 domain4.com GET /nome/rosalia/n/ HTTP/1.1
30-2 1935 0/1/1 W 0.00 0 0 0.0 0.00 0.00 113.20.118.237 domain1.com GET /index.php?action=downloadfile&filename=minecraft_server.1.
31-2 1936 1/5/5 K 0.03 0 149 0.0 0.01 0.01 141.8.142.71 domain4.com GET /cognome/giangrande/q/ HTTP/1.1
32-2 1937 1/2/2 W 0.09 0 0 0.0 0.00 0.00 78.134.247.128 webmail.domain6.net GET /roundcube/?_task=mail HTTP/1.1
33-2 1938 0/1/1 W 0.00 0 0 0.0 0.00 0.00 88.99.27.172 domain2.com GET /voornaam/hendrika/s/ HTTP/1.1
34-2 1939 0/1/1 W 0.01 0 0 0.0 0.00 0.00 141.8.142.71 domain3.com GET /category/uncategorized/ HTTP/1.1
35-2 1940 0/0/0 W 0.00 1 0 0.0 0.00 0.00 141.8.142.71 domain3.com GET /category/uncategorized/ HTTP/1.1
37-2 1979 0/0/0 W 0.00 0 0 0.0 0.00 0.00 163.172.66.30 domain7.com GET /prezime/ancic/c/ HTTP/1.1
38-2 1980 0/0/0 W 0.00 0 0 0.0 0.00 0.00 77.81.243.112 domain6.net POST /wp-cron.php?doing_wp_cron=1490885739.24519109725952148437
39-2 1981 0/0/0 W 0.00 0 0 0.0 0.00 0.00 62.198.21.158 domain1.com GET /downloadfile.php?filename=minecraft_server.1.8.0.jar&direc
40-2 1982 0/0/0 W 0.00 0 0 0.0 0.00 0.00 105.107.81.111 domain1.com GET /downloadfile.php?filename=minecraft_server.1.7.10.jar&dire
41-2 1983 0/0/0 R 0.00 0 0 0.0 0.00 0.00 ? ? ..reading..
42-2 1984 0/0/0 W 0.00 0 0 0.0 0.00 0.00 143.176.41.68 domain2.com GET /jaap-buit/ HTTP/1.1
43-2 1985 0/0/0 W 0.00 0 0 0.0 0.00 0.00 136.243.17.161 domain2.com GET /voornaam/edith/h/ HTTP/1.1
44-2 1986 1/1/1 K 0.00 0 15 0.3 0.00 0.00 207.46.13.141 domain4.com GET /marisa-barretto HTTP/1.1
45-2 1987 0/0/0 W 0.00 0 0 0.0 0.00 0.00 113.20.118.237 domain1.com GET /index.php?action=downloadfile&filename=minecraft_server.1.
46-2 1988 0/0/0 W 0.00 0 0 0.0 0.00 0.00 113.20.118.237 domain1.com GET /index.php?action=downloadfile&filename=minecraft_server.1.
47-2 1989 0/0/0 W 0.00 0 0 0.0 0.00 0.00 51.255.65.40 domain5.com GET /familienname/drawer/p/ HTTP/1.1
48-2 1990 0/0/0 R 0.00 0 0 0.0 0.00 0.00 ? ? ..reading..
49-2 1991 0/0/0 W 0.00 0 0 0.0 0.00 0.00 207.46.13.170 domain8.com GET /ime/ales/%C3%83%C6%92%C3%86%E2%80%99%C3%83%E2%80%A0%C3%A2%
50-2 1992 0/0/0 W 0.00 0 0 0.0 0.00 0.00 51.255.65.4 domain9.com GET /lazine-com/ HTTP/1.1
51-2 1993 0/0/0 W 0.00 0 0 0.0 0.00 0.00 77.81.243.112 domain3.com POST /wp-cron.php?doing_wp_cron=1490885741.50980401039123535156
52-2 1994 0/0/0 W 0.00 0 0 0.0 0.00 0.00 113.20.118.237 domain1.com GET /index.php?action=downloadfile&filename=minecraft_server.1.
53-2 1995 0/0/0 W 0.00 0 0 0.0 0.00 0.00 93.142.18.211 server.com GET /server-status HTTP/1.1
55-2 1997 0/0/0 W 0.00 0 0 0.0 0.00 0.00 136.243.17.161 domain2.com GET /voornaam/edith/h/ HTTP/1.1
56-2 1998 0/0/0 W 0.00 0 0 0.0 0.00 0.00 93.142.18.211 server.com GET /server-status HTTP/1.1
57-2 1999 0/0/0 W 0.00 0 0 0.0 0.00 0.00 5.9.106.81 domain2.com GET /voornaam/luuk/v/ HTTP/1.1
59-2 2001 0/0/0 R 0.00 0 0 0.0 0.00 0.00 ? ? ..reading..
60-2 2002 0/0/0 W 0.00 0 0 0.0 0.00 0.00 78.46.156.169 domain4.com GET /cognome/filippi/a/ HTTP/1.1
61-2 2003 0/0/0 W 0.00 0 0 0.0 0.00 0.00 66.249.64.33 domain9.com GET /wp-content/uploads/2015/02/121.jpg HTTP/1.1
62-2 2006 1/1/1 K 0.00 0 1 0.3 0.00 0.00 157.55.39.206 domain2.com GET /ina-nijssen HTTP/1.1
Srv Child Server number - generation
PID OS process ID
Acc Number of accesses this connection / this child / this slot
M Mode of operation
CPU CPU usage, number of seconds
SS Seconds since beginning of most recent request
Req Milliseconds required to process most recent request
Conn Kilobytes transferred this connection
Child Megabytes transferred this child
Slot Total megabytes transferred this slot
SSL/TLS Session Cache Status:
cache type: SHMCB, shared memory: 512000 bytes, current sessions: 0
subcaches: 32, indexes per subcache: 133
index usage: 0%, cache usage: 0%
total sessions stored since starting: 0
total sessions expired since starting: 0
total (pre-expiry) sessions scrolled out of the cache: 0
total retrieves since starting: 0 hit, 0 miss
total removes since starting: 0 hit, 0 miss
Apache/2.2.22 (CentOS) Server at server.com Port 80
Title: Re: How to prevent too many connections from one IP address
Post by: MRatWork on 2017-03-30, 17:35:14
Add this IP in 'Blocked IP Address' (for Kloxo-MR 7.0).
Title: Re: How to prevent too many connections from one IP address
Post by: fossxplorer on 2017-03-30, 17:44:37
In addition to what Mustafa mentions, you should really be running CSF or a similar firewall to keep the unwanted off your Kloxo-MR server. IMO, it's really a must security-wise when the server is exposing so many ports to the public web!

Also, Nginx and Hiawatha have built-in support for connection limiting and other very nice security features.
Hiawatha is known for it!
Title: Re: How to prevent too many connections from one IP address
Post by: MRatWork on 2017-03-30, 18:02:25
Yes, for more security use nginx-proxy or hiawatha-proxy instead of pure apache.
Title: Re: How to prevent too many connections from one IP address
Post by: idove on 2017-03-30, 18:21:02
I'm used to apache, how different are nginx or hiawatha?
How much work is it to change from apache to hiawatha on a live server with 20-30 domains? (wordpress, drupal, custom scripts, portals, forums)

Thank you for the CSF tip, I will try it ;).
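
Added example (not part of any post in this thread): one way to do the netstat/ss analysis asked about in the first post. It counts established connections per remote IP from `ss -tn` output, which comes from the kernel's socket table and so still works when Apache is too busy to serve /server-status. The function names, the threshold and the sample lines (documentation-range addresses) are constructed for illustration.

```shell
#!/bin/sh
# Reads `ss -tn` output on stdin; assumes its usual column order:
#   State Recv-Q Send-Q Local-Address:Port Peer-Address:Port

# Print "<count> <ip>" for every peer with ESTAB connections to the
# given local ports (default: 80 and 443), busiest first.
conns_per_ip() {
    awk -v ports="${1:-80 443}" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "ESTAB" {
            laddr = $4; peer = $5
            lport = laddr; sub(/^.*:/, "", lport)   # text after the last colon
            if (!(lport in want)) next              # ignore ssh, mail, ...
            sub(/:[0-9]+$/, "", peer)               # drop the peer port
            sub(/^\[/, "", peer); sub(/\]$/, "", peer)  # [v6] -> v6
            sub(/^::ffff:/, "", peer)               # IPv4-mapped -> plain IPv4
            count[peer]++
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Print only the IPs holding more than $1 connections.
over_limit() {
    conns_per_ip "${2:-80 443}" | awk -v max="$1" '$1 > max { print $2 }'
}

# Constructed sample of `ss -tn` output, for trying the functions offline.
sample_ss_output() {
    cat <<'EOF'
State      Recv-Q Send-Q Local Address:Port          Peer Address:Port
ESTAB      0      0      203.0.113.10:80             198.51.100.7:51000
ESTAB      0      0      203.0.113.10:80             198.51.100.7:51001
ESTAB      0      0      203.0.113.10:80             198.51.100.7:51002
ESTAB      0      0      203.0.113.10:443            198.51.100.7:51003
ESTAB      0      0      203.0.113.10:80             192.0.2.44:40100
ESTAB      0      0      203.0.113.10:22             192.0.2.44:40101
TIME-WAIT  0      0      203.0.113.10:80             192.0.2.44:40102
ESTAB      0      0      [::ffff:203.0.113.10]:80    [::ffff:192.0.2.44]:40103
EOF
}
```

On a live server the input would be `ss -tn | over_limit 10`, run from cron, with the result reviewed or fed to the firewall's block list. Many legitimate users can share one address behind NAT or a proxy, so the threshold should sit well above normal browser concurrency.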