ConfigServer Services cPanel Server Services from Way to The Web Ltd
#1
A new hack tool is online.
See ha.ckers.org/slowloris/ . Now the question: does / how can we prevent a Slowloris attack with csf or Apache config?

#2
I would imagine that using Connection Tracking in csf should help with this.
|
|
#3
On the Dutch "webhostingtalk" website a workaround for it has been posted. Maybe someone can take a look at this:

There has been a public release of an Apache DoS tool. You can read about it on the following URLs: http://isc.sans.org/diary.html?storyid=6601 and http://ha.ckers.org/slowloris/ . All versions of Apache are vulnerable. There are a couple of solutions, one of them is limitipconn http://dominia.org/djao/limitipconn2.html . However we have found it does not work as it should on all distributions.

We have put together a quick shell script that should give you protection in case your server is being attacked. It currently is a crude version; if you see it does not work on your server please contact our support and we will try and get it working for you. If you suspect your server is being attacked you can download the following to your Linux webserver. This script does not work on BSD or Windows. http://www.leaseweb.com/antiloris.sh

Place the file in some directory and make it executable:

# wget -O /usr/local/sbin/antilotis.sh http://www.leaseweb.com/antiloris.sh
# chmod 755 /usr/local/sbin/antilotis.sh
# echo "* * * * * /usr/local/sbin/antilotis.sh" >> /etc/crontab

Then edit the file. In the beginning of the file there are a couple of variables:

LIMIT=50
EMAILADDRESS=your-email@example.com
SENDEMAIL=1
RESTARTAPACHE=1

LIMIT is used for the amount of sessions the attacker has to open before his IP address will be blocked.
EMAILADDRESS is the email address you want to receive email alerts on.
SENDMAIL can be 1 or 0. Set to 0 to no longer receive email.
RESTARTAPACHE: this variable can restart Apache after the IP address has been blocked. Some customers may not want to restart their Apache after each attack, but wait for regular Apache time-outs.
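The per-source connection count that the quoted antiloris script works from (and that csf's Connection Tracking, mentioned in post #2, also relies on), as an added example that is not the Leaseweb script or csf's own code. It assumes input laid out like `netstat -ntu` output (a constructed snapshot is embedded below), counts ESTABLISHED connections to port 80 per remote address, and lists the addresses at or above LIMIT. The `block_command` helper is an assumption about how the result would be handed to csf: it only builds the `csf -d` command line and does not run it.

```python
"""Per-IP connection-count check modelled on the antiloris idea (added example)."""
from collections import Counter

LIMIT = 50  # mirrors the LIMIT variable described in the quoted post


def _build_sample():
    """Constructed netstat -ntu style snapshot, not real server output."""
    rows = ["Proto Recv-Q Send-Q Local Address           Foreign Address         State"]
    # One source holding 60 connections open at once, as a slowloris-style client would.
    for p in range(40000, 40060):
        rows.append(f"tcp        0      0 192.0.2.10:80           203.0.113.5:{p}       ESTABLISHED")
    # An ordinary browser with a handful of parallel connections.
    for p in (51234, 51235, 51236):
        rows.append(f"tcp        0      0 192.0.2.10:80           198.51.100.7:{p}      ESTABLISHED")
    # Lines that must NOT count: a closing connection and a connection to another port.
    rows.append("tcp        0      0 192.0.2.10:80           198.51.100.9:50001      TIME_WAIT")
    rows.append("tcp        0      0 192.0.2.10:443          198.51.100.9:50002      ESTABLISHED")
    # IPv4-mapped IPv6 entry as printed for a dual-stack listener.
    rows.append("tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:198.51.100.11:50003 ESTABLISHED")
    return "\n".join(rows) + "\n"


SAMPLE_NETSTAT = _build_sample()


def count_web_connections(netstat_output, port=80):
    """Return Counter{remote_ip: established connections to local :port}."""
    counts = Counter()
    for line in netstat_output.splitlines():
        fields = line.split()
        # Expect: proto recv-q send-q local foreign state
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        if fields[5] != "ESTABLISHED":
            continue
        local, foreign = fields[3], fields[4]
        if not local.endswith(f":{port}"):
            continue
        # rsplit keeps IPv6 addresses intact; only the trailing port is cut off.
        remote_ip = foreign.rsplit(":", 1)[0]
        counts[remote_ip] += 1
    return counts


def offenders(counts, limit=LIMIT):
    """Addresses holding at least `limit` simultaneous connections, sorted."""
    return sorted(ip for ip, n in counts.items() if n >= limit)


def block_command(ip):
    """Assumed hand-off to csf: the deny command as an argument list (not executed)."""
    return ["csf", "-d", ip, "too many simultaneous web connections"]


if __name__ == "__main__":
    counts = count_web_connections(SAMPLE_NETSTAT)
    for ip in offenders(counts):
        print(f"{ip}: {counts[ip]} connections ->", " ".join(block_command(ip)))
```

Run once per minute from cron, as the quoted post suggests, this is a snapshot check: it sees how many connections a source is holding open right now, which is the symptom Slowloris produces, rather than how fast it opened them.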

#4
Scary stuff.
Thanks for the info - I have added it to one of my servers :P

#5
Quote:
Running a script every minute isn't such a smart thing long-term, although it could help if you are under attack. I'd think the connection tracking stuff in CSF would be more likely to be a good solution?

#6
Hi
Please share, what options in CSF configuration should we use/configure to prevent such attacks?

#7
Quote:
PORTFLOOD = "80;tcp;20;5"
This means 20 connections within 5 seconds will trigger a wait of 5 seconds for the source IP.

#8
But doesn't PORTFLOOD limit connections globally? So, in your example you would be penalizing new connections if the server is simply handling requests from 20 different browsers.
What is wrong with Chirpy's recommendation of using Connection Tracking? This penalizes only the IP addresses that are trying to make too many connections. Right?

#9
PORTFLOOD is ip address and port specific, so should be fine as a defence against slowloris and the like (it's the SYNFLOOD setting that is indiscriminate when under attack). That said, simple Connection Tracking should also work.
|
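The PORTFLOOD semantics described in posts #7 and #9, as an added example that is not csf's own implementation (csf enforces this with iptables rules, not with Python): the setting "80;tcp;20;5" is parsed, each source address gets its own sliding window, and a source that already has 20 connections inside the last 5 seconds is refused and held off for another 5 seconds. The constructed events answer the question in post #8: twenty different browsers each opening one connection are never penalised, while one source opening 25 connections in two seconds is cut off at the 20th. The class and event values are assumptions made for the example.

```python
"""Simplified per-source model of the csf PORTFLOOD setting (added example)."""
from collections import defaultdict, deque


def parse_portflood(setting):
    """'port;proto;hits;interval' -> (port, proto, hits, interval)."""
    port, proto, hits, interval = setting.split(";")
    return int(port), proto, int(hits), int(interval)


class PortFloodLimiter:
    """Per-source rate limit: more than `hits` new connections within
    `interval` seconds refuses the source for `interval` seconds."""

    def __init__(self, setting):
        self.port, self.proto, self.hits, self.interval = parse_portflood(setting)
        self.recent = defaultdict(deque)  # source ip -> timestamps of accepted connections
        self.blocked_until = {}           # source ip -> time the penalty ends

    def connect(self, src_ip, now):
        """Return True if a new connection from src_ip at time `now` is accepted."""
        window = self.recent[src_ip]
        # Forget accepted connections that have aged out of the interval.
        while window and now - window[0] > self.interval:
            window.popleft()
        if self.blocked_until.get(src_ip, 0) > now:
            return False  # still serving the penalty
        if len(window) >= self.hits:
            # The hit count is reached inside the interval: start the wait.
            self.blocked_until[src_ip] = now + self.interval
            return False
        window.append(now)
        return True


def simulate(setting, events):
    """Feed (src_ip, time) events through one limiter; return accept decisions."""
    limiter = PortFloodLimiter(setting)
    return [limiter.connect(ip, t) for ip, t in events]


# Constructed event streams (not captured traffic).
SETTING = "80;tcp;20;5"
# Twenty distinct visitors, one connection each, all inside one second.
MANY_CLIENTS = [(f"198.51.100.{n}", 0.05 * n) for n in range(1, 21)]
# One source opening 25 connections in under two seconds, then retrying at 7.5 s,
# after its 5-second penalty has run out and its earlier hits have aged out.
ONE_CLIENT = [("203.0.113.5", 0.08 * n) for n in range(25)] + [("203.0.113.5", 7.5)]


if __name__ == "__main__":
    print("20 different browsers accepted:", all(simulate(SETTING, MANY_CLIENTS)))
    decisions = simulate(SETTING, ONE_CLIENT)
    print("single source: accepted", decisions.count(True), "refused", decisions.count(False))
```

Because the window is keyed by source address, PORTFLOOD does not become a global cap on port 80; its trigger depends only on how quickly one address opens new connections, which is why post #9 points at SYNFLOOD, not PORTFLOOD, as the indiscriminate setting.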
|
#10
Anyone could share what setting should be put inside port flood protection in csf.conf? Maybe chirpy could put his word about this kind of attack and possible solutions. This would be great!