[opencms-dev] Ddos attack

Диканский Андрей Юрьевич adikanskii at ncfu.ru
Thu Jun 23 18:45:58 CEST 2022


We've tried fail2ban. I guess we misconfigured something because I saw messages like "Ip already banned" in the fail2ban log. So it scanned access.log, banned the IP, but somehow it is again in access.log. I googled the problem. It happens. So we are trying to solve it.



________________________________
From: opencms-dev <opencms-dev-bounces at opencms.org> on behalf of Andreas Ernst via opencms-dev <opencms-dev at opencms.org>
Sent: 23 June 2022, 19:26
To: opencms-dev at opencms.org
Cc: Andreas Ernst
Subject: Re: [opencms-dev] Ddos attack

Hi Andrew,

On 23.06.22 at 14:05, Диканский Андрей Юрьевич via opencms-dev wrote:
> Hello All!
>
>
> Our site is under ddos attack. We are using OpenCMS 10.5.4.
>
> We have lots of entries in the access log in apache like this:
>
> 111.119.195.30 - - [20/Jun/2022:08:49:55 +0300] "GET / HTTP/1.1" 301
> 6264
> "http://www.villamagnoliarelais.com/plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=https%3A//www.ncfu.ru/"
> "Links (2.1pre20; NetBSD 2.1_STABLE i386; 145x54)"
>
> We made apache rule in our config
>
> RewriteCond "%{HTTP_REFERER}" "plugin_googlemap2"
>
> RewriteRule ^.*$ - [F]
>
> Now we have 403 in access log in apache. But server still loses
> connection. And we have timed out connection error.
>
> We made another virtual machine with nginx in order to filter traffic
> and pass to openCms only filtered request.
>
> But when we turn on our traffic with nginx machine, openCms works a
> little time and then fails. In open CMS log I can see error:
> MySQLNonTransientConnectionException: Data source rejected establishment
> of connection, message from server: “Too many connections”.
>
> Nginx server machine generates enormous traffic to openCms machine. And
> it cannot manage it.
>
> Log in nginx looks like this:
>
> - [23/Jun/2022:14:02:04 +0300] "GET /opencms/ HTTP/1.1" 301 -
> _10.200.1.88_ - - [23/Jun/2022:14:02:04 +0300] "GET /opencms/ HTTP/1.1"
> 301 -
> _10.200.1.88_ - - [23/Jun/2022:14:02:04 +0300] "GET /opencms/ HTTP/1.1"
> 301 -
> _10.200.1.88_ - - [23/Jun/2022:14:02:04 +0300] "GET /opencms/ HTTP/1.1"
> 301 -
> _10.200.1.88_ - - [23/Jun/2022:14:02:04 +0300] "GET /opencms/ HTTP/1.1"
> 301 -
> _10.200.1.88_ - - [23/Jun/2022:14:02:04 +0300] "GET /opencms/ HTTP/1.1"
> 301 -
> _10.200.1.88_ - - [23/Jun/2022:14:02:04 +0300] "GET /opencms/ HTTP/1.1"
> 301 -
> _10.200.1.88_ - - [23/Jun/2022:14:02:04 +0300] "GET /opencms/ HTTP/1.1" 301

this does not answer your question directly.

Why not use fail2ban, filter the access.log for 301 errors, with let's
say 5 to 10 fails and then block this IP with the Firewall?

HTH
Andreas
--
ae | Andreas Ernst | IT Spektrum
Postfach 5, 65612 Beselich
Schupbacher Str. 32, 65614 Beselich, Germany
Tel: +49-6484-91002 Fax: +49-6484-91003
ae at ae-online.de | www.ae-online.de<http://www.ae-online.de>
www.tachyon-online.de<http://www.tachyon-online.de>
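
The per-IP counting suggested above (ban after N matching hits in access.log), as an added example that is not part of the thread and not fail2ban's own code: it applies a sliding window with fail2ban-style `maxretry`/`findtime` thresholds to Apache combined-format lines whose referer contains the `plugin_googlemap2` marker. The `TRUSTED` range, function names and sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" '
                  r'\d{3} \S+ "(?P<ref>[^"]*)" "[^"]*"$')
MARKER = "plugin_googlemap2"           # referer substring quoted in the thread
TRUSTED = [ip_network("10.0.0.0/8")]   # assumption: own proxy/internal hosts, never banned

def offenders(lines, maxretry=5, findtime=60):
    """IPs with >= maxretry marker-referer requests within findtime seconds."""
    window = timedelta(seconds=findtime)
    hits, banned = defaultdict(deque), []
    for line in lines:
        m = LINE.match(line.strip())
        if not m or MARKER not in m["ref"]:
            continue                   # unparsable line or unrelated referer
        try:
            addr = ip_address(m["ip"])
        except ValueError:
            continue                   # hostname logged instead of an address
        if any(addr in net for net in TRUSTED):
            continue                   # banning the front proxy would cut off every client
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = hits[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:      # drop hits older than the window
            q.popleft()
        if len(q) >= maxretry and m["ip"] not in banned:
            banned.append(m["ip"])
    return banned

# Constructed sample lines: documentation addresses and example hosts;
# 10.200.1.88 is the internal address that appears in the thread's nginx log.
REF = ("http://reflector.example/plugins/system/plugin_googlemap2/"
       "plugin_googlemap2_proxy.php?url=https%3A//site.example/")

def _line(ip, sec, ref):
    return (f'{ip} - - [20/Jun/2022:08:49:{sec:02d} +0300] "GET / HTTP/1.1" '
            f'301 6264 "{ref}" "Links (2.1pre20)"')

SAMPLE = ([_line("203.0.113.7", s, REF) for s in range(5)]        # 5 hits in 5 s
          + [_line("198.51.100.9", s, REF) for s in (0, 30)]      # below maxretry
          + [_line("10.200.1.88", s, REF) for s in range(8)]      # trusted range
          + [_line("192.0.2.44", s, "-") for s in range(9)])      # no marker

if __name__ == "__main__":
    print(offenders(SAMPLE))
```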