Kryptronic Software Support Forum

You are viewing this forum as a guest. Login to an existing account, or create a new account, to reply to topics and to create new topics.

#1 01-11-2021 04:08:55

sdn
Member
From: UK
Registered: 05-29-2007
Posts: 868

Website Hacking Attacks

We got bombarded with over 180,000 hits amounting to 25% of our January Kbytes total from a “Russian” server “91-121-88-210.serverhub.ru” on Saturday.

Nearly a hundred nonsense product reviews left with email "sample@email.tst".

A list of Errors in cPanel running into thousands of hits from “client 91.121.88.210” involving index.php and also “/ShoppingCartMove/media/jquery-plugins/media/ecom/”.

They do not appear to have had any success in breaching the site but it slowed the server down and affected other users. This is not the first time we have been attacked like this (a near identical one came from 91.241.19.84 a few months ago). I have added both those IPs to K9’s “Banned IP Addresses”, cPanel’s “IP Blocker” and WHM’s Hulk.

I have also banned “91.” which may be a bit OTT. Is there a way that we can automatically ban, on the fly, an IP that is undertaking such activity as I only caught this attack by chance as I was working on the site and picked up the unusually high number of pageviews?

Last edited by sdn (01-11-2021 04:11:08)


Simon

Offline

 

#2 01-11-2021 11:45:50

webmaster
Administrator
From: York, PA
Registered: 04-20-2001
Posts: 19717
Website

Re: Website Hacking Attacks

It looks like you took all the appropriate steps on your end to mitigate these.

We've DDOS attacks get past firewalls and through to the webserver at an increasing rate lately.  The attackers have been getting very creative.  Currently we are working on a method of throttling requests which will make it into a version post-9.0.4. 

Do you currently have anything running which would prevent this sort of activity from reaching the webserver?  Assuming this was a more vanilla attack, Fail2Ban running on various ports (including port 80 monitoring for excessive requests) should/would have picked it up.


Nick Hendler

Offline

 

#3 01-13-2021 02:10:04

sdn
Member
From: UK
Registered: 05-29-2007
Posts: 868

Re: Website Hacking Attacks

We have cPHulk set to ban most countries from logging into the server and OWASP ModSecurity is active. Our host also has an additional firewall in place of their own that traffic runs through although you have to pay extra for their top level DDOSx protection.

Not heard of Fail2Ban so will investigate that.


Simon

Offline

 

#4 01-13-2021 09:38:29

webmaster
Administrator
From: York, PA
Registered: 04-20-2001
Posts: 19717
Website

Re: Website Hacking Attacks

ModSecurity can be configured to prevent DDOS.  I believe it utilizes Fail2Ban to interact with the iptables firewall.  It's really best to cut DDOS off before the webserver attempts to serve a page.  That will be most effective, even with throttling functionality added to K9 (forthcoming).


Nick Hendler

Offline

 

#5 01-15-2021 10:44:21

sdn
Member
From: UK
Registered: 05-29-2007
Posts: 868

Re: Website Hacking Attacks

Have you any experience with EasyApache 4’s mod_evasive as described at https://blog.cpanel.com/blocking-attack … _evasive/?


Simon

Offline

 

#6 01-18-2021 09:39:39

webmaster
Administrator
From: York, PA
Registered: 04-20-2001
Posts: 19717
Website

Re: Website Hacking Attacks

No, but it looks very interesting.  I wonder if it's configurable.  The default rules:

- Requests the same page more than a few times per second.
- Makes more than 50 concurrent requests on the same child per second.
- Makes any request while temporarily blacklisted.

Would fend off heavy attacks, but setting the rules looser:

- Limit to index.php and admin.php
- Requests the same page more than 4 times over a 15 second span
- Makes more than 4 concurrent requests on the same child per second

Would be effective for protecting the store without disrupting real traffic and SE crawlers.  Also, it would be nice to have an auto-remove function for the blacklist, after 15 minutes.  If all that can be tuned/done, I'd say it's worth a shot - even though you're using the webserver to fend off attacks.  Using fail2ban with ModSecurity (or on it's own) fends off the attacks before they get to Apache, and it is configurable as described above.  Food for thought.


Nick Hendler

Offline

 

#7 01-23-2021 14:55:56

sdn
Member
From: UK
Registered: 05-29-2007
Posts: 868

Re: Website Hacking Attacks

I gave it a trial but ran into a problem. I noticed a large number of errors in the cPanel log (client denied by server configuration) but from legit looking ip addresses.

Later, I did a product search on our site and got presented with a page not found error when clicking on one of the results which was odd as I know the page is present. Then I clicked on the home page link and got another page not found. After a bit of investigation it became clear the mod_evasive was locking me out when using site search.

I tried increasing the DOSPageCount from 4 to 10 but no change. Do you have any suggestions on how I might get round the issue without loosing the protection completely? Many of the client denied by server configuration errors were for index.php but there were also web pages and pdf files in the log as well.

Instructions are at https://documentation.cpanel.net/displa … figuration

Last edited by sdn (01-23-2021 14:58:06)


Simon

Offline

 

#8 01-25-2021 08:19:39

webmaster
Administrator
From: York, PA
Registered: 04-20-2001
Posts: 19717
Website

Re: Website Hacking Attacks

I have no experience configuring mod_evasive, so it would be trial and error on a test domain here if we tried to activate it.


Nick Hendler

Offline

 

Board footer