Hi. I have ISPConfig 3 on Ubuntu Server 10.04 and since this morning the websites are too slow. The server itself is OK, the mail is OK, the load average is below 1 and I can connect to SSH very fast. In var/log/apache2/access.log I have a lot of connections from Russian and Chinese IPs, but I don't know which website they are accessing. My idea is to block foreign IPs. I know I can do this from htaccess, but I have to do this site by site. Is there some way to block IPs in all the vhosts at once? Thanks in advance
When the accesses are in /var/log/apache2/access.log, then the requests are not to a specific website, as no website access is logged in that file. So if you want to block them, add the block rule in the default vhost of the OS.
Thanks for the reply. What I did is to deny from all, but it is still the same. Before this, the access.log entries were like this: "POST / HTTP/1.1" 200 492 " And now they are: "POST / HTTP/1.1" 403 525 " I understand that before, the POST requests received the 200 (OK) response and now receive the 403 (forbidden), so the config is OK. What can I do? Can I disable POST requests?
Still the same. I want to try stopping the Apache server all night long, but it autostarts after a few minutes. How can I prevent Apache from autostarting when I stop it?
Maybe you enabled the automatic restart and monitoring of apache (rescue system) under System > server config in ispconfig?
You should also consider installing the Apache mod_evasive module, which can block DoS attacks automatically.
I'll install it, thanks a lot. As I said before, I didn't find anything about automatic restart in system config. I'm using ISPConfig 3.0.3.3. Maybe the option is in another version?
I'm not sure in which version this was added. If it is there, then you can find it under System > server config > rescue. Btw. you should really update your system, your ISPConfig version is several years old.
Still the same. I talked with the ISP and he tells me it is very difficult to solve. Only today we have had access from almost 300000 different IPs. He tells me there is an Apache module that can help with this (I think he said qdos, I'm not sure) but it's not compatible with our OS system. We have Ubuntu 10.04. Can we update this to 12.04? What happens to ISPConfig if we do this? What do we have to configure if we do the update? Thanks in advance
Did you try mod_evasive? It also offers DoS protection. You might also want to check out Cloudflare, it is a service that filters out such attacks on the network level and they have a free plan as well which might be enough for your purpose.
I installed and configured it yesterday but I didn't see any difference. I'm going to tell my ISP about it. What about the OS upgrade? Your lack of reply makes me think it's something very difficult
By default, mod_evasive blocks the requests in Apache. But you can also use it to block the requests with iptables on network level: http://tellini.info/2011/11/keeping-script-kiddies-at-bay-with-mod_evasive-and-iptables/ Just follow the normal upgrade instructions from Ubuntu. After the Ubuntu update, run the ISPConfig update and choose to reconfigure services during update.
My ISP is working on it. He said it's a Slowloris attack and mod_evasive is not helping. He is using fail2ban and Apache mod_reqtimeout. I'll post news about the problem. Thanks a lot for your interest.
My ISP made iptables rules to block IPs and now it works, but I still see entries in access.log. I wonder if they will stop someday
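Added example, not written by any participant in this thread: a small Python script that summarizes the "POST /" entries described above from a default-vhost access.log, counting distinct client IPs and status codes (the 200 versus 403 split) and listing the busiest clients. It assumes Apache's common/combined log format; the function name and the sample lines are constructed for illustration.

```python
import re
import sys
from collections import Counter

# Prefix of Apache's common/combined log format:
# client ident user [time] "request line" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

# Constructed sample lines; addresses are from documentation ranges.
SAMPLE = [
    '203.0.113.7 - - [10/Oct/2013:09:01:02 +0200] "POST / HTTP/1.1" 200 492 "-" "-"',
    '203.0.113.7 - - [10/Oct/2013:09:01:03 +0200] "POST / HTTP/1.1" 403 525 "-" "-"',
    '198.51.100.23 - - [10/Oct/2013:09:01:03 +0200] "POST / HTTP/1.1" 403 525 "-" "-"',
    '198.51.100.99 - - [10/Oct/2013:09:01:04 +0200] "-" 408 - "-" "-"',
    '192.0.2.10 - - [10/Oct/2013:09:01:05 +0200] "GET /index.html HTTP/1.1" 200 1043 "-" "-"',
    'garbage line',
]

def summarize(lines, method="POST", path="/", top=3):
    """Summarize requests matching method and path by client and status."""
    hits, statuses = Counter(), Counter()
    no_request = unparsed = 0
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            unparsed += 1
            continue
        parts = m["req"].split()
        if len(parts) < 2:  # "-" is logged when no request line was read
            no_request += 1
            continue
        if parts[0] == method and parts[1] == path:
            hits[m["ip"]] += 1
            statuses[m["status"]] += 1
    return {
        "distinct_ips": len(hits),
        "statuses": dict(statuses),
        "top": hits.most_common(top),
        "no_request": no_request,
        "unparsed": unparsed,
    }

if __name__ == "__main__":
    # With a path argument, read that log; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            print(summarize(fh))
    else:
        print(summarize(SAMPLE))
```

Run before and after a blocking change, the status counts show whether requests still reach Apache (403 entries) or are being dropped before it.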