[opencms-dev] Ddos attack
Andreas Ernst
ae at ae-online.de
Thu Jun 23 18:26:00 CEST 2022
Hi Andrew,
On 23.06.22 at 14:05, Диканский Андрей Юрьевич via opencms-dev wrote:
> Hello All!
>
>
> Our site is under ddos attack. We are using OpenCMS 10.5.4.
>
> We have lots of entries in the access log in Apache like this:
>
> 111.119.195.30 - - [20/Jun/2022:08:49:55 +0300] "GET / HTTP/1.1" 301
> 6264
> "http://www.villamagnoliarelais.com/plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=https%3A//www.ncfu.ru/"
> "Links (2.1pre20; NetBSD 2.1_STABLE i386; 145x54)"
>
> We made an Apache rule in our config
>
> RewriteCond "%{HTTP_REFERER}" "plugin_googlemap2"
>
> RewriteRule ^.*$ - [F]
>
> Now we have 403 in the access log in Apache. But the server still loses
> connection. And we have a connection timed out error.
>
> We made another virtual machine with nginx in order to filter traffic
> and pass only filtered requests to OpenCms.
>
> But when we turn on our traffic with the nginx machine, OpenCms works for a
> little while and then fails. In the OpenCms log I can see the error:
> MySQLNonTransientConnectionException: Data source rejected establishment
> of connection, message from server: “Too many connections”.
>
> The nginx server machine generates enormous traffic to the OpenCms machine. And
> it cannot manage it.
>
> The log in nginx looks like this:
>
> - [23/Jun/2022:14:02:04 +0300] "GET /opencms/ HTTP/1.1" 301 -
> _10.200.1.88_ - - [23/Jun/2022:14:02:04 +0300] "GET /opencms/ HTTP/1.1"
> 301 -
> _10.200.1.88_ - - [23/Jun/2022:14:02:04 +0300] "GET /opencms/ HTTP/1.1"
> 301 -
> _10.200.1.88_ - - [23/Jun/2022:14:02:04 +0300] "GET /opencms/ HTTP/1.1"
> 301 -
> _10.200.1.88_ - - [23/Jun/2022:14:02:04 +0300] "GET /opencms/ HTTP/1.1"
> 301 -
> _10.200.1.88_ - - [23/Jun/2022:14:02:04 +0300] "GET /opencms/ HTTP/1.1"
> 301 -
> _10.200.1.88_ - - [23/Jun/2022:14:02:04 +0300] "GET /opencms/ HTTP/1.1"
> 301 -
> _10.200.1.88_ - - [23/Jun/2022:14:02:04 +0300] "GET /opencms/ HTTP/1.1" 301
This does not answer your question directly.
Why not use fail2ban, filter the access.log for 301 errors, with let's
say 5 to 10 fails and then block this IP with the Firewall?
HTH
Andreas
--
ae | Andreas Ernst | IT Spektrum
Postfach 5, 65612 Beselich
Schupbacher Str. 32, 65614 Beselich, Germany
Tel: +49-6484-91002 Fax: +49-6484-91003
ae at ae-online.de | www.ae-online.de
www.tachyon-online.de
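
The threshold suggested in the reply above (count 301 responses per client address and block after 5 to 10), sketched as an added example that is not part of the original message and is not fail2ban's own code. The parameter names maxretry, findtime and ignore mirror fail2ban's maxretry, findtime and ignoreip options; the function names, the sample addresses and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common/combined access-log line; the referer field is optional.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<ref>[^"]*)")?'
)

def offenders(lines, maxretry=5, findtime=60, status="301",
              referer_marker=None, ignore=()):
    """IPs with at least maxretry matching requests inside findtime seconds."""
    window = timedelta(seconds=findtime)
    hits = defaultdict(deque)  # ip -> timestamps of matches still in the window
    flagged = []
    for entry in lines:
        m = LINE_RE.match(entry)
        if not m or m["status"] != status or m["ip"] in ignore:
            continue
        if referer_marker and referer_marker not in (m["ref"] or ""):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = hits[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop matches older than the window
            q.popleft()
        if len(q) >= maxretry and m["ip"] not in flagged:
            flagged.append(m["ip"])
    return flagged

def sample_line(ip, sec, ref="-"):
    """Build one constructed log line (sample data, not from the thread)."""
    return (f'{ip} - - [20/Jun/2022:08:49:{sec:02d} +0300] "GET / HTTP/1.1" '
            f'301 6264 "{ref}" "Links (2.1pre20)"')

BAD_REF = "http://example.invalid/plugin_googlemap2_proxy.php?url=x"
# Constructed sample: a flood, an ordinary visitor, and a slow repeat client.
EDGE_LOG = (
    [sample_line("192.0.2.10", s, BAD_REF) for s in range(6)]
    + [sample_line("198.51.100.7", s) for s in (3, 40)]
    + [sample_line("203.0.113.5", s) for s in (0, 12, 24, 36, 48)]
)
# Behind the proxy every request carries the proxy's address, as in the nginx log.
BACKEND_LOG = ['10.200.1.88 - - [23/Jun/2022:14:02:04 +0300] '
               '"GET /opencms/ HTTP/1.1" 301 -'] * 8

if __name__ == "__main__":
    print(offenders(EDGE_LOG, findtime=10))
    print(offenders(BACKEND_LOG))
```

Run against the backend log, the check flags only the proxy address, so the counting has to happen on the machine that sees the real client address, with the proxy itself on the ignore list. Passing referer_marker narrows the match to the referer seen in the thread, which keeps ordinary visitors who receive a 301 from being counted.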