cPanel Config

Welcome to cPanelConfig the fastest growing cPanel configuration and troubleshooting guide on the internet. Please take the time and register. We would love to have your contribution to this completely free cPanel resource. We are updating this daily so be sure to visit us on a regular basis.

Apache reading = DOS attack ?

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)
Loading ... Loading ...

Posted by yolau

If you are seeing many “? ..reading..” when your are clicking on Apache status in WHM and your Apache server is slow, there is a chance that your http server is under a dos attach.

You can check this out by:

  1. Log on your server as root
  2. Type the fallowing command

    3. netstat -plan|grep :80|awk {’print $5′}|cut -d: -f 1|sort|uniq -c|sort -n

    You will see a list of IP’s with the number of connections each once has to your server.

  3. If any IP’s have more then 100 connections then there is a chance that this is your attacker. Go ahead and block this IP using APF if you have it installed or CSF

    4. apf -d IP
    or
    csf -d IP

Hope it helps !

If you have any questions don’t hesitate to leave a comment.

Share this:
  • Digg
  • del.icio.us
  • Slashdot
  • StumbleUpon
  • Netvouz
  • description
  • ThisNext
  • MisterWong
  • Wists
  • De.lirio.us
  • Furl
  • MyShare
  • Smarking
  • Technorati
  • YahooMyWeb

If you enjoyed this post, make sure you subscribe to my RSS feed!

6 Responses to “Apache reading = DOS attack ?”

  1. Tim, on March 15th, 2008 at 7:17 pm Said:

    Do Hardware Firewalls protect against this type of attack? It’s been happening often for me, but every time I get a chance to check the IPs seem to be of customers.

  2. Alon, on July 26th, 2008 at 3:39 pm Said:

    Hi,

    I tried to use the suggested script but I’m getting an error.

    I’m trying to run this script:

    netstat -plan|grep :80|awk {’print $5′}|cut -d: -f 1|sort|uniq -c|sort -n

    However, I’m getting the following error:

    :/root # netstat -plan|grep :80|awk {print $5?} |cut -d: -f 1|sort|uniq -c|sort -n
    awk: cmd. line:2: (END OF FILE)
    awk: cmd. line:2: syntax error

    Any pointers on why is awk complaining ?

    thanks,

    -Sup.

  3. Alon, on July 26th, 2008 at 5:37 pm Said:

    netstat -plan|grep :80| awk {’print $5′} |cut -d: -f 1|sort|uniq -c|sort -n

    I don’t know why, but copy/paste of the script in the example is showing a QuestionMark symbol when pasted into SSH.

    I pasted the correct syntax here again.
    Your script works great. There is some bizzare behavior that I don’t know why it fails on a simple Copy/Paste from this site.

    -Sup.

  4. hbhb, on November 24th, 2008 at 10:02 am Said:

    try netstat -ntu | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort -n

  5. Nick, on November 25th, 2008 at 8:45 am Said:

    Thanks for the csf -d command, saves a load of time :)

  6. mahmud, on December 15th, 2008 at 11:09 am Said:

    is there any way to disable keepalive in Apache/2.2.10.
    can i limit max ? ..reading.. connection?

    i found many connection is open for OPTIONS * HTTP/1.0 what is it doing?

Leave a Reply

« Install Rootkit Hunter (1.3) Backup your data on a backup hdd with rsync »