Server very high load when wordpress was attacked
Hi All
My WordPress site was attacked and it put my server under very high load. After that, users couldn't connect to any of the other websites on the same server. It seems WordPress took all the resources of the server at that time. I checked and found so many strange log entries from a single IP. Quote:
Could you please help with this issue? Thanks a lot. |
|
I stuck abdullkarem into my filter.conf a while ago.
1 hit and they're toast. |
Thanks a lot for your help angle115 and Habitual
But did this log come from an attack? What attack? Brute force or something else? Could you please explain this to me in more detail? Thank you. |
Random attacks and port scans are a fact of online life.
Not nice folks are constantly looking for vulnerabilities. They don't care who you are. They just want you for your vulnerabilities. |
Thank you Frankbell
|
Need help please
Hi Habitual,
Quote:
Any help you can provide in blocking this scan would be really appreciated. I have lost my peace of mind because of these ongoing attacks (and my server has skyrocketed to a load of 80 as I type this). Help :-( |
Also, I do have some basic tools in place such as :
- ConfigServer Security Firewall
- ConfigServer Exploit Scanner
- Comodo's WAF Mod Security Ruleset
- wp-login protection script (that challenges WordPress's login page)
but none of them seem to help in this case. Please help. |
Quote:
WHM is CentOS-flavored, so Code:
sudo yum install fail2ban |
I would also suggest some iptables rules to prevent an IP from DoSing you.
Something like this Code:
iptables -A INPUT -p tcp -m hashlimit --hashlimit-name NORMAL_USAGE --hashlimit-mode srcip --hashlimit 25/minute --hashlimit-burst 120 -j ACCEPT |
Quote:
I have successfully installed Fail2ban and copied the conf files as advised. What should be done next ? Thanks for your help. |
To make sure that Fail2ban is working you can do 3 things
|
Thanks for your input angel, but I haven't really added any rules for the WordPress "abdullkarem" attacks that are hitting my server right now.
My fail2ban is working fine, but I believe I will have to add some specific rule, which Habitual said he added in filter.conf? Please help, and thank you in advance. |
I forgot to ask you to create the action.conf, so
we'll do that below. ;)
You'll need to edit /etc/fail2ban/jail.local and add Code:
[myfilter]
before this edit and adjust as necessary.
NOTES: Spacing counts here! So use either a constant tab or spaces in the edits, but not both. I suggest spaces. Just make certain that they all "line up" equally on the right-hand side of the "=" in jail.local and all .conf files you edit, and you should be good.
<do_not_ban0> and <do_not_ban1> are IPs that are excluded from fail2ban, such as your home IP address and/or work IP, etc. e.g.: Code:
123.123.123.123/32
I also include the server's external internet-facing IP for good measure.
The filter and action statements: Code:
filter = myfilter
action points to /etc/fail2ban/action.d/myaction.conf. In the (should be) empty file at /etc/fail2ban/filter.d/myfilter.conf, use Code:
[Definition]
Spacing counts here (in all .conf files for fail2ban) also.
Now the forgotten myaction.conf: create it by editing /etc/fail2ban/action.d/myaction.conf and add: Code:
[Definition]
Code:
fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/myfilter.conf
The "tell" that it is correctly catching bad guys is this line in the Summary of the output: Code:
Success, the total number of match is <some_number>
If the test is NOT successful, verify your edits and re-check manually.
More NOTES: the reason we use /etc/fail2ban/jail.local, /etc/fail2ban/filter.d/myfilter.conf and /etc/fail2ban/action.d/myfilter.conf is because fail2ban 'reads' the jail.conf files first, then jail.local, and custom actions and custom filters are excluded during package upgrades if they are so named. jail.local is safe from upgrades also.
I included wp-login.php above because that is usually the first thing attackers go after, brute forcing your admin account. IF your site allows other 'users' to log in (editors and contributors of 'content' other than the admin account), you will need to exclude their IPs, or remove wp-login.php from badadmin in myfilter.conf. myfilter.conf and myaction.conf in those directories can be any name you choose, and will be excluded if fail2ban is upgraded.
If the test is successful, you then start fail2ban, but... I suggest you save your iptables rules first, as fail2ban restarts iptables and those are stored in memory, so I tend to use Code:
/sbin/iptables-save > /root/safe.rules
When fail2ban starts, stops or bans using the above myaction.conf, it will save the iptables rules to /root/safe.rules as a safety measure. Code:
bantime = 31556926 ; 1 year in seconds
I hope this helps you out. fail2ban, out of the box, starts sshd protection, but you may wish to add your home and/or work IPs to the Code:
[ssh]
That should get you started. I probably forgot something, but I pray it's not a fatal omission. :) Subscribed with interest... |
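A minimal stand-in for what the myfilter.conf failregex does, added here as an example (it is not Habitual's or fail2ban's own code): it expands fail2ban's <HOST> placeholder in an assumed failregex, runs it over constructed access-log lines, honours an ignoreip list like <do_not_ban0>, and reports which hosts reach maxretry. The failregex itself is assumed, since the thread does not show the real one.

```python
import re
from collections import Counter

# Constructed Apache combined-format access log lines (sample data, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2015:13:01:02 -0500] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2015:13:01:03 -0500] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2015:13:02:10 -0500] "GET /?abdullkarem HTTP/1.1" 404 300 "-" "curl/7.38"
192.0.2.44 - - [10/Jan/2015:13:03:00 -0500] "GET /index.php HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jan/2015:13:03:01 -0500] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Assumed failregex in fail2ban filter.d style (the thread does not show the real one):
# <HOST> marks the address to ban; we flag POSTs to wp-login.php and any request
# line carrying the scanner name mentioned in the thread.
FAILREGEX = r'^<HOST> -.*"(?:POST /wp-login\.php|[A-Z]+ [^"]*abdullkarem)[^"]*"'
HOST_RE = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'   # IPv4 only, as on this server

def compile_failregex(pattern):
    """Expand fail2ban's <HOST> placeholder into a real named capture group."""
    return re.compile(pattern.replace('<HOST>', HOST_RE))

def hosts_to_ban(log_text, failregex=FAILREGEX, maxretry=1, ignoreip=()):
    """Return {ip: hits} for hosts with at least maxretry matching lines.
    ignoreip plays the role of jail.local's ignoreip (<do_not_ban0> etc.)."""
    rx = compile_failregex(failregex)
    hits = Counter()
    for line in log_text.splitlines():
        m = rx.search(line)
        if m and m.group('host') not in ignoreip:
            hits[m.group('host')] += 1
    return {ip: n for ip, n in hits.items() if n >= maxretry}

if __name__ == '__main__':
    # With maxretry=1, as in "1 hit and they're toast", every matching host is listed.
    for ip, n in hosts_to_ban(SAMPLE_LOG).items():
        print(f'{ip}: {n} hit(s) -> would be banned')
```

Raising maxretry or adding a host to ignoreip changes the result the same way the jail.local settings do; a host whose lines never match the failregex is never counted.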
Hi,
Thank you so much for taking the time to write these easy-to-understand steps. In my /etc/fail2ban/jail.local, I added my Apache logpath as: Code:
logpath = /usr/local/apache/logs/access_log
Code:
docroot = /usr/local/apache/htdocs
Then when I test fail2ban (while the fail2ban service is still off), I see this: Code:
root@lsn5 [~]# fail2ban-regex /usr/local/apache/logs/access_log /etc/fail2ban/filter.d/myfilter.conf |