[SOLVED] Webserver hammered by random external ip's

Linux Kernel, Network, and Services configuration.
xjumper84
Posts: 5
Joined: 2008-08-28 20:33

[SOLVED] Webserver hammered by random external ip's

#1 Post by xjumper84 »

I've got apache2 running on my Debian box, and every time I open port 8080 (what apache2 is set to listen on) my box gets hammered from over 1000 external IP addresses.

I watch the connections by

Code:

tail -f /var/log/apache2/access.log
and

Code:

netstat -ta
Here is what I'm getting when I do a netstat:

Code:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:nfs                   *:*                     LISTEN
tcp        0      0 *:swat                  *:*                     LISTEN
tcp        0      0 *:34310                 *:*                     LISTEN
tcp        0      0 *:mysql                 *:*                     LISTEN
tcp        0      0 *:41483                 *:*                     LISTEN
tcp        0      0 *:netbios-ssn           *:*                     LISTEN
tcp        0      0 *:sunrpc                *:*                     LISTEN
tcp        0      0 bitch.local:http-alt    61.149.211.48:4027      SYN_RECV
tcp        0      0 *:auth                  *:*                     LISTEN
tcp        0      0 *:ftp                   *:*                     LISTEN
tcp        0      0 localhost:ipp           *:*                     LISTEN
tcp        0      0 *:42936                 *:*                     LISTEN
tcp        0      0 localhost:smtp          *:*                     LISTEN
tcp        0      0 *:microsoft-ds          *:*                     LISTEN
tcp        0      0 bitch.loca:microsoft-ds titan.local:3878        ESTABLISHED
tcp        0      0 bitch.local:50439       64.27.17.205:www        TIME_WAIT
tcp        0      0 bitch.local:50429       64.27.17.205:www        TIME_WAIT
tcp        0      0 bitch.local:54362       207.114.197.72:www      TIME_WAIT
tcp        0      0 bitch.local:40993       brwapp10.mpire.com:www  TIME_WAIT
tcp        0      0 bitch.local:33048       209-250-234-186.ip.:www TIME_WAIT
tcp        0      0 bitch.local:33047       209-250-234-186.ip.:www TIME_WAIT
tcp        0      0 bitch.local:40997       brwapp10.mpire.com:www  TIME_WAIT
tcp        0      0 bitch.local:34875       a.tribalfusion.com:www  TIME_WAIT
tcp        0      0 bitch.local:50474       64.27.17.205:www        TIME_WAIT
tcp        0      0 bitch.loca:microsoft-ds titan.local:4059        ESTABLISHED
tcp        0      0 bitch.local:38626       ad1.p3.vip.rm.sp1.y:www ESTABLISHED
tcp        0      0 bitch.local:50528       64.27.17.205:www        TIME_WAIT
tcp        0      0 bitch.local:46403       media6.snv.vcmedia.:www TIME_WAIT
tcp        0      0 bitch.local:33048       209-250-234-186.ip.:www TIME_WAIT
tcp        0      0 bitch.local:33047       209-250-234-186.ip.:www TIME_WAIT
tcp        0      0 bitch.local:54380       207.114.197.72:www      TIME_WAIT
tcp        0      0 bitch.local:40997       brwapp10.mpire.com:www  TIME_WAIT
tcp        0      0 bitch.local:50540       64.27.17.205:www        TIME_WAIT
tcp        0      0 bitch.local:34875       a.tribalfusion.com:www  TIME_WAIT
tcp     2896      0 bitch.local:60460       ip67-88-217-231.z21:www ESTABLISHED
tcp        0      0 bitch.local:54393       207.114.197.72:www      TIME_WAIT
tcp        0      0 bitch.local:50474       64.27.17.205:www        TIME_WAIT
tcp        0      0 bitch.loca:microsoft-ds titan.local:4059        ESTABLISHED
tcp        0      0 bitch.local:54348       207.114.197.72:www      TIME_WAIT
tcp        0      0 bitch.local:41780       www.clickboothlnk.c:www TIME_WAIT
tcp        0      0 bitch.local:56484       66.179.234.169:www      TIME_WAIT
tcp        0      0 bitch.local:45742       cf-in-f147.google.c:www TIME_WAIT
tcp        0      0 bitch.local:50523       64.27.17.205:www        TIME_WAIT
tcp        0      0 bitch.local:38576       ad1.p3.vip.rm.sp1.y:www TIME_WAIT
tcp        0      0 bitch.local:41817       rd6.apmebf.com:www      TIME_WAIT
tcp        0      0 bitch.local:50464       64.27.17.205:www        TIME_WAIT
tcp        0      0 bitch.local:50536       64.27.17.205:www        TIME_WAIT
tcp        0      0 bitch.local:38677       ad1.p3.vip.rm.sp1.y:www TIME_WAIT
tcp        0      0 bitch.local:46487       media6.snv.vcmedia.:www TIME_WAIT
tcp        0      0 bitch.local:38490       lax-agg-n14.panther:www TIME_WAIT
tcp        0      0 bitch.local:52755       integraclick.wip.di:www TIME_WAIT
tcp        0      0 bitch.local:50448       64.27.17.205:www        TIME_WAIT
tcp        0      0 bitch.local:56372       207.114.197.71:www      TIME_WAIT
tcp        0      0 bitch.local:38490       lax-agg-n14.panther:www TIME_WAIT
tcp        0      0 bitch.local:52755       integraclick.wip.di:www TIME_WAIT
tcp        0      0 bitch.local:50448       64.27.17.205:www        TIME_WAIT
tcp        0      0 bitch.local:56372       207.114.197.71:www      TIME_WAIT
tcp        0      0 bitch.local:33105       209-250-234-186.ip.:www TIME_WAIT
tcp        0      0 bitch.local:56427       207.114.197.94:www      TIME_WAIT
tcp        0      0 bitch.local:33025       209-250-234-186.ip.:www TIME_WAIT
tcp        0      0 bitch.local:42478       cf-in-f127.google.c:www TIME_WAIT
tcp        0      0 bitch.local:56360       207.114.197.71:www      TIME_WAIT
tcp        0      0 bitch.local:41053       brwapp10.mpire.com:www  TIME_WAIT
tcp        0      0 bitch.local:50591       64.27.17.205:www        TIME_WAIT
tcp        0      0 bitch.local:45434       74-203-60-109.stati:www TIME_WAIT
tcp6       0      0 [::]:http-alt           [::]:*                  LISTEN
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN
tcp6       0      0 192.168.1.103%:http-alt 125.65.112.138%308:1678 ESTABLISHED
tcp6       0      0 192.168.1.103%:http-alt 58.55.82.117%30867:3436 ESTABLISHED
tcp6       0      0 192.168.1.103%:http-alt 58.55.82.117%30867:3572 FIN_WAIT2
tcp6       0      0 192.168.1.103%:http-alt 125.65.112.138%308:3403 ESTABLISHED
tcp6       0      0 192.168.1.103%:http-alt 125.65.112.135%308:2924 TIME_WAIT
tcp6       0      0 192.168.1.103%:http-alt 58.55.82.117%30867:1582 FIN_WAIT2
tcp6       0      0 192.168.1.103%:http-alt 125.65.112.138%308:4059 TIME_WAIT
tcp6       0      0 192.168.1.103%:http-alt 60.215.111.31%308:59084 TIME_WAIT
tcp6       0      0 192.168.1.103%:http-alt 222.90.191.21%3086:4406 TIME_WAIT
tcp6       0      0 192.168.1.103%:http-alt 125.65.112.138%308:3644 TIME_WAIT
tcp6       0      0 192.168.1.103%:http-alt 222.90.191.21%3086:2189 TIME_WAIT
tcp6       0      0 192.168.1.103%:http-alt 125.65.112.138%308:2900 ESTABLISHED
tcp6       0      0 192.168.1.103%:http-alt 143.109.56.59.bro:63750 ESTABLISHED
tcp6       0      0 192.168.1.103%:http-alt 58.55.82.117%30867:1677 FIN_WAIT2
tcp6       0      0 192.168.1.103%:http-alt 125.65.112.135%308:1226 TIME_WAIT
tcp6       0    584 192.168.1.103%8191:ssh  66-126-189-162.ce:10583 ESTABLISHED
tcp6       0      0 192.168.1.103%:http-alt 125.65.112.138%308:1147 TIME_WAIT
tcp6       0      0 192.168.1.103%:http-alt 158.111.56.59.bro:61815 ESTABLISHED
tcp6       0      0 192.168.1.103%:http-alt 143.109.56.59.bro:63073 TIME_WAIT
When I update my awstats.pl file I always get 20k lines of new records, even when I've only had the server netside for < 5 minutes.

This is what my log file is full of:

Code:

68.188.181.163 - - [28/Aug/2008:13:40:00 -0700] "GET http://adserving.cpxinteractive.com/st?ad_type=pop&ad_size=0x0&section=256058&banned_pop_types=29&pop_times=1&pop_frequency=86400 HTTP/1.1" 200 4225 "http%3A%2F%2Fwww.megafast.info%2Findex.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
68.188.181.163 - - [28/Aug/2008:13:40:00 -0700] "GET http://adserving.cpxinteractive.com/st?ad_type=pop&ad_size=0x0&section=256058&banned_pop_types=29&pop_times=1&pop_frequency=86400 HTTP/1.1" 200 4224 "http%3A%2F%2Fwww.megafast.info%2Findex.html" "Mozilla/4.76 [en] (X11; U; SunOS 5.7 sun4u)"
69.20.123.148 - - [28/Aug/2008:13:40:00 -0700] "GET http://ad.adserverplus.com/st?ad_type=pop&ad_size=0x0&section=289946&banned_pop_types=29&pop_times=1&pop_frequency=86400 HTTP/1.1" 200 4225 "http%3A%2F%2Fwww.vafq.com%2Findex.html" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt; (R1 1.5))"
70.184.245.196 - - [28/Aug/2008:13:40:00 -0700] "GET http://adserving.cpxinteractive.com/rw?title=New%20offer%21&qs=iframe3%3FoNFKABenBACKpQwA%2DDcEAAIAAAAAAP8AA%3D%2C%2Chttp%3A%2F%2Fwww%2Esecommission%2Ecom%2Findex%2Ehtml HTTP/1.1" 200 560 "http%3A%2F%2Fwww.secommission.com%2Findex.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; MyIE2; TencentT"
59.56.109.143 - - [28/Aug/2008:13:40:00 -0700] "GET http://a.tribalfusion.com/jr.ad?site=educationatlas&adSpace=ros&tagKey=3973172069&size=728x90|468x60&p=15944259&a=1&flashVer=0&ver=1.14&center=1&url=http%3A%2F%2Fwww.education-atlas.org%2F&rnd=15952700 HTTP/1.0" 200 1375 "http://www.education-atlas.org/" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
59.56.111.158 - - [28/Aug/2008:13:40:00 -0700] "GET http://ad.yieldmanager.com/iframe3?q8FPALemBADvAA0A-08EAAIAAAAAAP8AAAAFDgIAAgNfDQYAbE0DAKxvBgAAAAAA//www.mobilemastee.com/ HTTP/1.0" 200 1074 "http://optimizedby.rmxads.com/st?ad_type=iframe&ad_size=300x250&section=304823" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"
69.20.123.148 - - [28/Aug/2008:13:40:00 -0700] "GET http://ad.yieldmanager.com/imp?Z=0x0&y=29&s=289946&_salt=3871810475&B=2&u=http%3A%2F%2Fwww.vafq.com%2Findex.html HTTP/1.1" 200 6649 "http%3A%2F%2Fwww.vafq.com%2Findex.html" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt; (R1 1.5))"
::1 - - [28/Aug/2008:13:40:01 -0700] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.2.9 (Debian) PHP/5.2.6-3 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_perl/2.0.4 Perl/v5.10.0 (internal dummy connection)"
68.188.181.163 - - [28/Aug/2008:13:40:01 -0700] "GET http://ad.yieldmanager.com/imp?Z=0x0&y=29&s=256058&_salt=1928825373&B=2&u=http%3A%2F%2Fwww.megafast.info%2Findex.html HTTP/1.1" 200 6663 "http%3A%2F%2Fwww.megafast.info%2Findex.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
69.20.123.148 - - [28/Aug/2008:13:40:01 -0700] "GET http://ad.adserverplus.com/rw?title=&qs=iframe3%3Fks9PAJpsBABswwsAIDECAAIAAAAAAP8AAAAFD%3D%2C%2Chttp%3A%2F%2Fwww%2Evafq%2Ecom%2Findex%2Ehtml HTTP/1.1" 200 542 "http%3A%2F%2Fwww.vafq.com%2Findex.html" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt; (R1 1.5))"
68.188.181.163 - - [28/Aug/2008:13:40:01 -0700] "GET http://ad.yieldmanager.com/imp?Z=0x0&y=29&s=256058&_salt=224375794&B=2&u=http%3A%2F%2Fwww.megafast.info%2Findex.html HTTP/1.1" 200 6681 "http%3A%2F%2Fwww.megafast.info%2Findex.html" "Mozilla/4.76 [en] (X11; U; SunOS 5.7 sun4u)"
221.2.225.234 - - [28/Aug/2008:13:40:01 -0700] "GET http://ad.media-servers.net/st?ad_type=ad&ad_size=120x600&section=267069 HTTP/1.0" 200 4159 "http://www.it2net.com/software/softgrp.htm" "Mozilla/4.76 (Macintosh; U; PPC)"
68.188.181.163 - - [28/Aug/2008:13:40:01 -0700] "GET http://ad.yieldmanager.com/imp?Z=0x0&y=29&s=256058&_salt=2233512953&B=2&u=http%3A%2F%2Fwww.megafast.info%2Findex.html HTTP/1.1" 200 6663 "http%3A%2F%2Fwww.megafast.info%2Findex.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 4.0)"
::1 - - [28/Aug/2008:13:40:02 -0700] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.2.9 (Debian) PHP/5.2.6-3 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_perl/2.0.4 Perl/v5.10.0 (internal dummy connection)"
68.188.181.163 - - [28/Aug/2008:13:40:02 -0700] "GET http://adserving.cpxinteractive.com/rw?title=&qs=iframe3%3FahM7ADroAwAaeA8AYF8EAAIAAAAAAP8AAAAF%2E%2E%2E8fUJek5z8AgNrQpMPhP%2E%2E%2Eb23Ts%2EM%2EAAAAAAAAAAD%2E%2Ez%2EnGUX6PwAAAAAAAAAAAAAAAAAAAAAAAAAAAA%3D%2C%2Chttp%3A%2F%2Fwww%2Emegafast%2Einfo%2Findex%2Ehtml HTTP/1.1" 200 547 "http%3A%2F%2Fwww.megafast.info%2Findex.html" "Mozilla/4.76 [en] (X11; U; SunOS 5.7 sun4u)"
68.188.181.163 - - [28/Aug/2008:13:40:03 -0700] "GET http://adserving.cpxinteractive.com/rw?title=&qs=iframe3%3FahM7ADroAwBPAgwA268DAAIAAAAAAP8AAAAA%3D%2C%2Chttp%3A%2F%2Fwww%2Emegafast%2Einfo%2Findex%2Ehtml HTTP/1.1" 200 547 "http%3A%2F%2Fwww.megafast.info%2Findex.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 4.0)"
I would like to be able to deny access to nearly everything except for a couple of known IP addresses.

I've tried setting up LIMIT directives in .htaccess but that doesn't do it. I've read the links off Google that talk about mod_rewrite, and I've added the generic stuff to my .htaccess files, but no go.

So what are my options to limit this? Can I add information to my /etc/hosts.allow and /etc/hosts.deny to only allow certain IPs from accessing the machine, and would this work? And if so, how would I properly set it up?


Side note: the machine is a dev box that I use for testing when I'm at home, and it sits in my closet. When I am at work I like to use it for other ... "purposes".

Any help is greatly appreciated.
Last edited by xjumper84 on 2008-08-29 17:19, edited 1 time in total.
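The request lines in the log excerpt above carry absolute URIs (`GET http://adserving.cpxinteractive.com/... HTTP/1.1`), which is the form a client sends to a forward proxy rather than to an origin server; in Apache, forward proxying is controlled by mod_proxy's `ProxyRequests` directive and is off by default. The script below is an added example, not code from the thread or from Apache: it flags and counts such lines in an access.log in combined format. The sample lines are constructed, modelled on the excerpt, and the hostnames in them are placeholders.

```shell
#!/bin/sh
# Added example: spot access.log entries whose request target is an absolute
# URI ("GET http://host/path"), i.e. requests that treat the server as a
# forward proxy. Sample lines are constructed; hosts are placeholders.

SAMPLE_LOG=$(cat <<'EOF'
68.188.181.163 - - [28/Aug/2008:13:40:00 -0700] "GET http://adserving.example.com/st?ad_type=pop HTTP/1.1" 200 4225 "-" "Mozilla/4.0"
69.20.123.148 - - [28/Aug/2008:13:40:00 -0700] "GET http://ad.example.net/st?ad_type=pop HTTP/1.1" 200 4225 "-" "Mozilla/4.0"
68.188.181.163 - - [28/Aug/2008:13:40:01 -0700] "GET http://ad.example.org/imp?Z=0x0 HTTP/1.1" 200 6663 "-" "Mozilla/4.0"
192.168.1.50 - - [28/Aug/2008:13:40:01 -0700] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
::1 - - [28/Aug/2008:13:40:01 -0700] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.2.9 (internal dummy connection)"
EOF
)

# Print only the lines that look like proxy requests. In combined-log
# layout field 6 is the method (with its leading quote) and field 7 the
# request target; a target starting with http:// or https:// is the tell.
# Reads the files given as arguments, or stdin when there are none.
proxy_requests() {
    awk '$7 ~ /^https?:\/\//' "$@"
}

# Number of proxy-style requests.
proxy_request_count() {
    proxy_requests "$@" | wc -l | tr -d ' '
}

# Source addresses issuing proxy-style requests, "count ip" per line,
# busiest first.
proxy_request_sources() {
    proxy_requests "$@" | awk '{ print $1 }' | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# Proxy-style requests over all requests, as "p/total". On a server that
# is not meant to be a proxy, p should be 0.
proxy_request_ratio() {
    awk '$7 ~ /^https?:\/\// { p++ } END { printf "%d/%d\n", p, NR }' "$@"
}

# Run against the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | proxy_request_sources
printf '%s\n' "$SAMPLE_LOG" | proxy_request_ratio
```

Against the real file, `proxy_request_ratio /var/log/apache2/access.log` gives the proportion at a glance; any non-zero count of absolute-URI requests answered with 200 points at the server's proxy configuration, not at the clients, and the per-source list shows who is driving the traffic.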

Bulkley
Posts: 6383
Joined: 2006-02-11 18:35
Has thanked: 2 times
Been thanked: 39 times

#2 Post by Bulkley »

What are you using for a firewall?

xjumper84
Posts: 5
Joined: 2008-08-28 20:33

#3 Post by xjumper84 »

I've got my Linksys router as my network firewall..


Or did I make the "uber n00b" error of not having a firewall on my Debian box?

Bulkley
Posts: 6383
Joined: 2006-02-11 18:35
Has thanked: 2 times
Been thanked: 39 times

#4 Post by Bulkley »

I'm not the best one to answer that but since you are getting "hammered from over 1000 external IP addresses" I think you need a firewall. We all have our favourites which are all based on iptables.

industrialpunk
Posts: 731
Joined: 2007-03-07 22:30
Location: San Diego, CA, USA

#5 Post by industrialpunk »

The ones that say:
"tcp 0 0 bitch.local:52755 integraclick.wip.di:www TIME_WAIT "

Appear to be connections from your machine to the outside world. Looks like you have a browser open downloading ads.

These ones should be incoming connections:
"tcp6 0 0 192.168.1.103%:http-alt %308:1678 ESTABLISHED"

I picked one of these incoming connections randomly and it is an attack site. So these are probably your average random brute force attempts to hit your webserver.
-Josh Willingham
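The split industrialpunk describes can be done mechanically. As an added example, not code from the thread: a connection whose local side is the service port (here `http-alt`) is inbound, while one whose foreign side is a service port (`www`) was opened from the box itself. The sample output is constructed in `netstat -ta` layout, modelled on the listing in post #1, with a placeholder hostname.

```shell
#!/bin/sh
# Added example: separate inbound from outbound connections in netstat -ta
# output and count inbound connections per remote host. The sample below is
# constructed; "devbox.local" is a placeholder hostname.

SAMPLE_NETSTAT=$(cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:ftp                   *:*                     LISTEN
tcp        0      0 devbox.local:50439      64.27.17.205:www        TIME_WAIT
tcp        0      0 devbox.local:54362      207.114.197.72:www      TIME_WAIT
tcp        0      0 devbox.local:http-alt   61.149.211.48:4027      SYN_RECV
tcp6       0      0 [::]:http-alt           [::]:*                  LISTEN
tcp6       0      0 192.168.1.103%:http-alt 125.65.112.138%308:1678 ESTABLISHED
tcp6       0      0 192.168.1.103%:http-alt 125.65.112.138%308:3403 ESTABLISHED
tcp6       0      0 192.168.1.103%:http-alt 125.65.112.138%308:4059 TIME_WAIT
tcp6       0      0 192.168.1.103%:http-alt 58.55.82.117%30867:3436 ESTABLISHED
tcp6       0      0 192.168.1.103%:http-alt 58.55.82.117%30867:3572 FIN_WAIT2
tcp6       0    584 192.168.1.103%8191:ssh  66-126-189-162.ce:10583 ESTABLISHED
EOF
)

# Inbound connections to a local service: the local address (field 4) ends
# in ":<service>" and the socket is not the LISTEN socket itself.
# Usage: inbound_connections <service> [file...]; reads stdin without files.
inbound_connections() {
    svc=$1; shift
    awk -v svc="$svc" '$1 ~ /^tcp/ && $6 != "LISTEN" && $4 ~ (":" svc "$")' "$@"
}

# Outbound connections to a remote service: the foreign address (field 5)
# ends in ":<service>".
outbound_connections() {
    svc=$1; shift
    awk -v svc="$svc" '$1 ~ /^tcp/ && $5 ~ (":" svc "$")' "$@"
}

# Inbound connections per remote host, "count host" per line, busiest
# first. The port and any IPv6 scope suffix ("%308") are stripped so that
# one host with many source ports counts once per connection.
inbound_sources() {
    inbound_connections "$@" \
        | awk '{ h = $5; sub(/:[^:]*$/, "", h); sub(/%.*/, "", h); print h }' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Inbound connections per TCP state, "count STATE" per line. A pile of
# SYN_RECV entries means handshakes that never complete, worth noting
# separately from ESTABLISHED sessions.
inbound_states() {
    inbound_connections "$@" | awk '{ print $6 }' | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# Run against the constructed sample.
printf '%s\n' "$SAMPLE_NETSTAT" | inbound_sources http-alt
printf '%s\n' "$SAMPLE_NETSTAT" | inbound_states http-alt
```

On the live box, `netstat -ta | inbound_sources http-alt` lists who is connecting to Apache and how often, and `netstat -ta | outbound_connections www | wc -l` counts what the box itself has opened towards other web servers; the second number is the one that should be close to zero on a headless machine with no browser.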

xjumper84
Posts: 5
Joined: 2008-08-28 20:33

#6 Post by xjumper84 »

industrialpunk ->


The machine is solely ssh accessible.. it's got a power cord and a network cable running to it, so I don't know how I could have a browser running that would be requesting the ads. Almost everything, except for hellanzb, awstats, zussaweb, joomla, phpmyadmin and a media wiki install, has been written by myself (as far as web related software goes), so I'm not sure how this would work.



So then here is my question: what can I do to stop these connections from happening? (I'll need some step-by-step guides.) My bandwidth goes to crap when ports are open.. and it totally sucks..

:heart: /darn.. not a vbull site.. haha

Bulkley
Posts: 6383
Joined: 2006-02-11 18:35
Has thanked: 2 times
Been thanked: 39 times

#7 Post by Bulkley »

As an experiment, try installing Firestarter.

Code:

aptitude install firestarter
Firestarter is easy to set up, so you might be able to quickly see what a firewall can do.

xjumper84
Posts: 5
Joined: 2008-08-28 20:33

#8 Post by xjumper84 »

Firestarter won't work for me because I don't use X on the machine. Everything I do is through a terminal/ssh connection... so I can't run their installation wizard.

Any other options?

izar
Posts: 1714
Joined: 2007-01-01 18:34
Location: Euskal Herria

#9 Post by izar »

I would suggest using shorewall.
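Shorewall, like the tools Bulkley refers to, ends up as iptables rules. For the specific wish in post #1, letting only a couple of known addresses reach the Apache port and dropping everything else, the raw rules look like the following. This is an added example, not shorewall's output and not from the thread; the port is 8080 as in the thread, and the client addresses are placeholders from the documentation ranges. One caveat on the hosts.allow/hosts.deny idea from post #1: those files are consulted only by services built against libwrap (or started through tcpd), and Apache is not, so they would not have stopped this traffic.

```shell
#!/bin/sh
# Added example: build an iptables allow-list for the Apache port so that
# only a few known client addresses can open connections to it; everything
# else to that port is logged (rate-limited) and dropped. Addresses are
# constructed placeholders; the port follows the thread.

PORT=8080
ALLOWED="203.0.113.10 198.51.100.7"

# Emit the rule set as iptables commands on stdout, in the order they must
# be applied, so it can be reviewed before anything is changed.
# Usage: build_web_allowlist <port> <allowed-ip>...
build_web_allowlist() {
    port=$1; shift
    # dedicated chain: create it, or flush it if it already exists, so the
    # script can be re-run without touching the rest of INPUT
    echo "iptables -N WEB_ALLOW 2>/dev/null || iptables -F WEB_ALLOW"
    # allowed sources first ...
    for ip in "$@"; do
        echo "iptables -A WEB_ALLOW -s $ip -j ACCEPT"
    done
    # ... then a rate-limited log line and an unconditional drop
    echo "iptables -A WEB_ALLOW -m limit --limit 5/min -j LOG --log-prefix \"web-denied: \""
    echo "iptables -A WEB_ALLOW -j DROP"
    # hook the chain into INPUT for the web port only (remove any earlier
    # jump first so re-running does not stack duplicates); ssh is untouched
    echo "iptables -D INPUT -p tcp --dport $port -j WEB_ALLOW 2>/dev/null"
    echo "iptables -I INPUT -p tcp --dport $port -j WEB_ALLOW"
}

# Number of ACCEPT rules the rule set grants; should equal the number of
# allowed addresses.
count_accepts() {
    build_web_allowlist "$@" | grep -c -- '-j ACCEPT'
}

# Line number of the DROP within the generated set, to confirm it comes
# after every ACCEPT (iptables evaluates a chain top to bottom).
drop_position() {
    build_web_allowlist "$@" | grep -n -- '-j DROP' | cut -d: -f1
}

# Apply for real; needs root. Review build_web_allowlist output first.
apply_web_allowlist() {
    build_web_allowlist "$@" | sh
}

# Show the rules that would be applied for the placeholder addresses.
build_web_allowlist "$PORT" $ALLOWED
```

The functions only print the commands; once the output reads as intended, `apply_web_allowlist "$PORT" $ALLOWED` runs them. Ordering is the whole point: the allowed sources are accepted before the unconditional DROP, and the jump from INPUT matches only the one TCP port, so the ssh session used to administer the box is unaffected. The denied attempts show up in the kernel log with the `web-denied:` prefix, which is a handy way to confirm the rules are doing work.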

xjumper84
Posts: 5
Joined: 2008-08-28 20:33

#10 Post by xjumper84 »

This is so exciting... with this firewall setup... I don't get hammered any more.. very nice!

Thank you guys.. <3

My log now shows what it is supposed to and nothing extra... maybe I should ask the other Debian questions I have here too... (in a new thread of course / after using search to keep repeat questions down).
