Atomic Secure Linux

All times are UTC - 5 hours [ DST ]




 Post subject: Stop brute force attack
Posted: Wed Feb 15, 2012 12:19 pm
Forum User

Joined: Thu Jul 15, 2010 9:42 am
Posts: 29
I'm having a problem with someone attacking one of my websites. The attacks come from completely random IP addresses and I have been fighting it for 2 weeks. I block all the addresses for about 2-3 hours each night which stops the attack until the next day when it starts up again from completely new addresses.

7.19.170.34 - - [13/Feb/2012:18:15:12 -0600] "GET /#98456 HTTP/1.0" 301 - "-" "-"
74.208.16.82 - - [13/Feb/2012:18:15:12 -0600] "GET /#25721 HTTP/1.0" 301 - "-" "-"
67.19.170.34 - - [13/Feb/2012:18:15:12 -0600] "GET /#98456 HTTP/1.0" 301 - "-" "-"
74.208.16.82 - - [13/Feb/2012:18:15:13 -0600] "GET /#25721 HTTP/1.0" 301 - "-" "-"
67.19.170.34 - - [13/Feb/2012:18:15:13 -0600] "GET /#98456 HTTP/1.0" 301 - "-" "-"
74.208.16.82 - - [13/Feb/2012:18:15:13 -0600] "GET /#25721 HTTP/1.0" 301 - "-" "-"
67.19.170.34 - - [13/Feb/2012:18:15:13 -0600] "GET /#98456 HTTP/1.0" 301 - "-" "-"
74.208.16.82 - - [13/Feb/2012:18:15:14 -0600] "GET /#25721 HTTP/1.0" 301 - "-" "-"
67.19.170.34 - - [13/Feb/2012:18:15:14 -0600] "GET /#98456 HTTP/1.0" 301 - "-" "-"
74.208.16.82 - - [13/Feb/2012:18:15:14 -0600] "GET /#25721 HTTP/1.0" 301 - "-" "-"
67.19.170.34 - - [13/Feb/2012:18:15:14 -0600] "GET /#98456 HTTP/1.0" 301 - "-" "-"

I'm trying to find a way to stop them but have had no success. Is there anything I can do with Mod Security to prevent these connections? They open 200+ connections per IP, bringing my server down.


 
 Post subject: Re: Stop brute force attack
Posted: Wed Feb 15, 2012 12:25 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3656
Location: Chantilly, VA
Do you have the ASL DOS protection activated?

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


 
 Post subject: Re: Stop brute force attack
Posted: Wed Feb 15, 2012 12:40 pm
Forum User

Joined: Thu Jul 15, 2010 9:42 am
Posts: 29
I have all of the ASL that was downloaded by my subscription. I don't see anything that specifically says DOS.


 
 Post subject: Re: Stop brute force attack
Posted: Wed Feb 15, 2012 12:54 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3656
Location: Chantilly, VA
In the dashboard you will see in the Signatures and Modules window "Dos Protection". What does that say on your system?

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


 
 Post subject: Re: Stop brute force attack
Posted: Wed Feb 15, 2012 2:36 pm
Forum User

Joined: Thu Jul 15, 2010 9:42 am
Posts: 29
Mike, I'm running ASL-Lite with auto updates to my rules.


 
 Post subject: Re: Stop brute force attack
Posted: Thu Feb 16, 2012 11:50 am
Forum User

Joined: Thu Jul 15, 2010 9:42 am
Posts: 29
Mike, are you referring to ASL, the full version? Or is there a rule for DOS? I really need to find a solution for this.

Thanks in advance


 
 Post subject: Re: Stop brute force attack
Posted: Thu Feb 16, 2012 1:56 pm
Long Time Forum Regular

Joined: Sat Aug 20, 2005 9:30 am
Posts: 2812
Location: The Netherlands
Denial of service protection is not handled by mod_security in ASL, but by mod_evasive. ASL lite only consists of mod_security rules and ClamAV signatures AFAIK.

_________________
Lemonbit Internet Dedicated Server Management


 
 Post subject: Re: Stop brute force attack
Posted: Thu Feb 16, 2012 10:37 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3656
Location: Chantilly, VA
That's correct. Web DOS protection via mod_security is a losing proposition, even when it's possible. The damage is already done - Apache has already done the work, so even if you could detect it there (which isn't ideal) it's too late to do enough about it. So, to stop these kinds of issues, you want to catch it sooner, so we use other tools to do that.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.
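
Added example, not part of the original thread and not ASL or mod_evasive code: a per-IP sliding-window counter run over log lines in the format posted at the top of the thread, the same kind of request-rate threshold that mod_evasive enforces. The sample addresses, the thresholds (`max_hits`, `window_s`) and the function names are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the thread's log format (documentation-range addresses).
SAMPLE_LOG = """\
192.0.2.10 - - [13/Feb/2012:18:15:12 -0600] "GET /#98456 HTTP/1.0" 301 - "-" "-"
198.51.100.7 - - [13/Feb/2012:18:15:12 -0600] "GET /#25721 HTTP/1.0" 301 - "-" "-"
192.0.2.10 - - [13/Feb/2012:18:15:12 -0600] "GET /#98456 HTTP/1.0" 301 - "-" "-"
192.0.2.10 - - [13/Feb/2012:18:15:13 -0600] "GET /#98456 HTTP/1.0" 301 - "-" "-"
192.0.2.10 - - [13/Feb/2012:18:15:13 -0600] "GET /#98456 HTTP/1.0" 301 - "-" "-"
198.51.100.7 - - [13/Feb/2012:18:15:13 -0600] "GET /#25721 HTTP/1.0" 301 - "-" "-"
192.0.2.10 - - [13/Feb/2012:18:15:13 -0600] "GET /#98456 HTTP/1.0" 301 - "-" "-"
203.0.113.5 - - [13/Feb/2012:18:15:13 -0600] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [13/Feb/2012:18:15:16 -0600] "GET /#98456 HTTP/1.0" 301 - "-" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) '
    r'(?P<proto>[^"]+)" (?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # not a combined-format line
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def suspicious(rec):
    # Browsers never send '#fragment'; with an empty User-Agent it marks scripted traffic.
    return "#" in rec["target"] and rec["ua"] in ("", "-")

def flag_flooders(lines, max_hits=3, window_s=2):
    """Return {ip: peak count} for IPs exceeding max_hits suspicious hits per window."""
    windows, peaks = defaultdict(deque), {}
    for rec in filter(None, map(parse, lines)):
        if not suspicious(rec):
            continue
        q = windows[rec["ip"]]
        q.append(rec["ts"])
        while q[0] <= rec["ts"] - timedelta(seconds=window_s):
            q.popleft()  # drop hits that fell out of the sliding window
        if len(q) > max_hits:
            peaks[rec["ip"]] = max(peaks.get(rec["ip"], 0), len(q))
    return peaks

if __name__ == "__main__":
    print(flag_flooders(SAMPLE_LOG.splitlines()))
```

The flagged addresses are candidates for a firewall-level block, which stops the connection before Apache handles the request.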


 
 Post subject: Re: Stop brute force attack
Posted: Tue Feb 21, 2012 12:06 am
Forum User

Joined: Thu Jul 15, 2010 9:42 am
Posts: 29
Michael, so I purchased ASL; however, DOS is disabled. How would I create a rule to block the traffic I referenced?


 
 Post subject: Re: Stop brute force attack
Posted: Tue Feb 21, 2012 7:55 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3656
Location: Chantilly, VA
Are you using cPanel?

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.

