On Sun, Apr 19, 2020 at 8:58 AM Jeffrey Walton noloader@gmail.com wrote:
Hi Everyone,
We rent a CentOS 7 VM from GoDaddy. We received a warning about excessive CPU usage, and a threat to cancel our service. We tracked it down to Apache and someone hammering our web server.
The offending host is 59.64.129.175. To err on the side of caution we attempted to block the entire netblock. According to whois data, that's 59.64.128.0-59.64.159.255.
iptables -A INPUT -s 59.64.128.0/19 -p TCP -j DROP
After reboot cpu usage is still high and access_log still shows useless requests from the host:
59.64.129.175 - - [19/Apr/2020:08:53:53 -0400] "GET /w/index.php?title=Special:WhatLinksHere&limit=50&printable=yes HTTP/1.1" 301 311
I seem to be missing something. That's not surprising since I am not a server administrator.
How do I filter the unwanted traffic from the netblock?
Thanks Mike and Mark.
This is where I am at... I'm following https://www.howtogeek.com/177621/the-beginners-guide-to-iptables-the-linux-f... because GoDaddy has not published any documents on this (other than use cPanel, which I don't have access to).
The rule is persisted but it is being ignored.
# iptables -L | grep policy
Chain INPUT (policy ACCEPT)
Chain FORWARD (policy ACCEPT)
Chain OUTPUT (policy ACCEPT)

# iptables -A INPUT -s 59.64.128.0/19 -p TCP -j DROP
# /sbin/service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]

<reboot, top still shows high usage, logs still show requests from offender>

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
DROP       tcp  --  59.64.128.0/19       anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
We really need the server to honor this rule. How do we get CentOS to use this rule?
Jeff
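The listing in the message above shows why the rule is ignored: `-A` appends the DROP behind the unconditional `REJECT ... icmp-host-prohibited` rule, and iptables stops at the first terminating match, so the DROP is never reached. As an added example that is not part of this thread, the following Python check parses `iptables -S INPUT` output (the sample is constructed to mirror the listing above; the third ACCEPT is assumed to be the usual CentOS `-i lo` rule, which `iptables -L` does not show) and reports appended rules that an earlier catch-all shadows, together with the `-I INPUT 1` form that places them first.

```python
"""Find rules in an `iptables -S INPUT` listing that can never match."""
import shlex

TERMINATING = {"ACCEPT", "DROP", "REJECT"}
TARGET_OPTS = {"--reject-with"}  # belong to the target, not to packet matching

# Constructed sample: `iptables -S INPUT` as it would look for the `-L`
# listing in the thread (the `-i lo` rule is an assumption, see lead-in).
SAMPLE_LISTING = """\
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 59.64.128.0/19 -p tcp -j DROP"""


def parse_rule(line):
    """Split one `-A CHAIN ...` line into (chain, match_tokens, target)."""
    tokens = shlex.split(line)
    chain, target, matches = None, None, []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-A", "-j"):          # chain name / jump target
            if tok == "-A":
                chain = tokens[i + 1]
            else:
                target = tokens[i + 1]
            i += 2
        elif tok in TARGET_OPTS:         # skip option and its argument
            i += 2
        else:                            # everything else is a match criterion
            matches.append(tok)
            i += 1
    return chain, matches, target


def unreachable_rules(listing, chain="INPUT"):
    """Return (index, line) for every rule after the first unconditional
    terminating rule in `chain`; those rules are dead no matter the packet."""
    rules = [l for l in listing.splitlines() if l.startswith(f"-A {chain} ")]
    for idx, line in enumerate(rules):
        _, matches, target = parse_rule(line)
        if not matches and target in TERMINATING:
            return [(i, r) for i, r in enumerate(rules) if i > idx]
    return []


def fix_command(rule_line):
    """Rewrite an appended rule as an insert at position 1 of its chain."""
    chain, _, _ = parse_rule(rule_line)
    rest = rule_line.split(f"-A {chain} ", 1)[1]
    return f"iptables -I {chain} 1 {rest}"
```

After inserting the rule with `-I INPUT 1`, run `/sbin/service iptables save` again so the new order survives a reboot.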