Score:0

Apache2 server getting so many unusual requests again and again

in flag

I am trying to configure a WordPress and NodeJS website together, and I am using an Apache2 server and an Ubuntu (20.04) virtual machine. I configured both applications successfully on my machine, but after some time I started getting unusual site-down notifications from my monitoring system. When I checked my Ubuntu machine using htop, I found that there were so many tasks going on, and when I checked things in more detail, I found that the Apache server was calling itself again and again, which creates load on the Apache server and ultimately leads to the site going down.

I also checked the number of requests my server is getting and found that it is also getting so many unusual requests from different IPs. So, I think it may be a DDoS attack. So, I terminated my machine and created a new machine for this, but got the same issue on my new machine.

I have no idea why this is happening to my machine. If anyone has any idea, please reply.

HTOP output: htop output

Apache status output: apache status output

IP requests output: IP address requests

Gerrit avatar
cn flag
It certainly looks like your server is getting a lot of requests from parties that probably don't have anything to do with your server. Try mod_qos https://fedingo.com/how-to-limit-requests-per-ip-in-apache/ or request a different IP address.
me flag
This is common. Bots are randomly scanning servers all over the Internet, and they are randomly testing URLs that might be vulnerable, and will exploit them when they find them.
Piyush Mittal avatar
in flag
@SharuzzamanAhmatRaslan Is there any solution to this issue? It's occurring again and again for me on every instance.
Piyush Mittal avatar
in flag
@Gerrit I tried your solution but nothing happened. Everything is the same.
Score:0
cn flag

So, apparently, mod_qos did not help. Sometimes the load is too low-level on the network for Apache modules to effectively mitigate it.

A more low-level block can be tried with iptables.

iptables -I INPUT 2 -p tcp -s z.y.z.w -m comment --comment "whitelist ip 1" -j ACCEPT
iptables -I INPUT 2 -p tcp -s z.a.b.c -m comment --comment "whitelist ip 2" -j ACCEPT
iptables -N WEBTHROTTLE
iptables -A WEBTHROTTLE -m recent --set --name WEB --rsource
iptables -A WEBTHROTTLE -m recent --update --seconds 60 --hitcount 200 --name WEB --rsource -j LOG --log-prefix "Anti Web-Bruteforce: " --log-level notice
iptables -A WEBTHROTTLE -m recent --update --seconds 60 --hitcount 200 --name WEB --rsource -j DROP
iptables -I INPUT 4 -i if-entry -p tcp -m tcp --dport 443 -m state --state NEW -j WEBTHROTTLE

This does require that you already have some INPUT rules. The numbers directly after INPUT are the insertion point in the order of the rules. Everything after that number will shift one number up. In the last rule you should replace if-entry with something like eth0/ens192, the interface of entry.

Similar rules can be used on ip6tables.

To get a list of your current rules:

iptables -S INPUT
Piyush Mittal avatar
in flag
I implemented the above commands on my machine. But I am getting some errors for the above two commands. iptables v1.8.4 (legacy): host/network `z.y.z.w' not found Try `iptables -h' or 'iptables --help' for more information.
Gerrit avatar
cn flag
z.y.z.w is just an example of an ip-address that you could whitelist. For example the ip-address that you use to do your own sessions.
Piyush Mittal avatar
in flag
Okay, but I have to make my website open to the public. So, in that case, how are other people going to access the website?
Piyush Mittal avatar
in flag
And I also noticed a very different thing: if I add a domain name on my website IP and then try to access it, it works fine, but if I try with my IPv4 address directly, it's almost not accessible.
Gerrit avatar
cn flag
This is just a rate block; it doesn't make the site unreachable. And the rates given are very high. If you need rates that high, then the server is too light anyway.
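To see which sources would actually cross the `--seconds 60 --hitcount 200` threshold discussed above, and that ordinary visitors stay well under it, here is an added example (not part of the original thread) that replays Apache access-log lines through the same per-source window. It assumes the common/combined log format and counts requests rather than new TCP connections (so with keep-alive it overestimates); the sample lines are constructed and use documentation-range IP addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Leading fields of the Apache common/combined log format: client IP ... [timestamp]
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')

def parse_line(line):
    """Return (ip, datetime) for one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        return m.group(1), datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None

def sources_over_threshold(lines, seconds=60, hitcount=200):
    """Map every source IP that reached `hitcount` requests inside one
    `seconds`-long window to its peak request count in a single window."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue              # skip malformed lines instead of aborting
        ip, ts = parsed
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() >= seconds:
            window.popleft()      # forget hits older than the window
        peak[ip] = max(peak[ip], len(window))
    return {ip: n for ip, n in peak.items() if n >= hitcount}

def constructed_sample():
    """Constructed log lines: one noisy source, one ordinary visitor, one bad line."""
    fmt = '%s - - [10/Oct/2023:13:55:%02d +0000] "GET /?p=%d HTTP/1.1" 200 512'
    lines = [fmt % ("203.0.113.7", i // 5, i) for i in range(250)]      # 5 req/s for 50 s
    lines += [fmt % ("198.51.100.20", i * 2, i) for i in range(30)]     # 1 req every 2 s
    lines.append("not a log line")
    return lines

if __name__ == "__main__":
    for ip, n in sources_over_threshold(constructed_sample()).items():
        print(f"{ip} peaked at {n} requests in 60 s")
```

On a real server, feed it the lines of the access log (on Ubuntu, `/var/log/apache2/access.log` by default) instead of the constructed sample.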