Other useful things in case if you encounter some specific …

Friday, 19th April 2024

Comment on How to check who is flooding your Apache, NGinx Webserver – Real time Monitor statistics about IPs doing most URL requests and Stopping DoS attacks with Fail2Ban by admin.

Another useful thing, in case you encounter a specific IP that is accessing the server too actively and you want to temporarily kill its access, is the tcpkill command. Here is a chunk of a question and answer I found online.

Q. How to disconnect clients from your network interfaces.

A1. Killing the connections with TCPKILL:

TCPKILL is part of dsniff, a tool suite for Linux to sniff network traffic for cleartext insecurities.

This package contains several tools to listen to and create network traffic:

arpspoof – Send out unrequested (and possibly forged) arp replies.
dnsspoof – forge replies to arbitrary DNS address / pointer queries on the Local Area Network.
dsniff – password sniffer for several protocols.
filesnarf – saves selected files sniffed from NFS traffic.
macof – flood the local network with random MAC addresses.
mailsnarf – sniffs mail on the LAN and stores it in mbox format.
msgsnarf – record selected messages from different Instant Messengers.
sshmitm – SSH monkey-in-the-middle. proxies and sniffs SSH traffic.
sshow – SSH traffic analyser
tcpkill – kills specified in-progress TCP connections.
tcpnice – slow down specified TCP connections via “active” traffic shaping.
urlsnarf – output selected URLs sniffed from HTTP traffic in CLF.
webmitm – HTTP / HTTPS monkey-in-the-middle. transparently proxies.
webspy – sends URLs sniffed from a client to your local browser.

What interests us here is TCPKILL. First we need to install dsniff; on the Debian Linux distribution we do:

apt-get install dsniff

Then we run:

tcpkill host xxx.xxx.xxx.xxx

where xxx… is replaced with the identified offending IP address.

A2. Another method to kill the offending connections immediately is using CUTTER

Cutter will send packets to both ends of a TCP/IP connection to terminate it nicely. It is designed to be used in a Linux router to disconnect unwanted connections.

To install Cutter we issue the following command:

apt-get install cutter

Once installed we run Cutter with the arguments:

cutter

So we replace with our linux box IP address, with the listening port in the server, and with the offending IP

After using TCPKILL or CUTTER, the process count should be reduced drastically now and the server’s memory usage lowered to nice numbers. (Our Linux server is stabilized now.)
Finally, we need to block the offending IP address in our firewall (iptables rule).

admin Also Commented

How to check who is flooding your Apache, NGinx Webserver – Real time Monitor statistics about IPs doing most URL requests and Stopping DoS attacks with Fail2Ban

You can also get statistics for old archived logs to see which IP has accessed your server most:

zcat mini_httpd.log.2.gz | tail -f - | awk '{print $1; fflush();}' | logtop
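
The same per-IP count for an archived log without logtop, followed by the firewall step mentioned in the earlier comment, as an added example that is not part of the original comments. The function names, the threshold and the sample log are constructed for illustration; the iptables rules are only printed for review, not executed.

```shell
#!/bin/sh
# Constructed sample access log (documentation-range addresses, CLF layout).
sample_log() {
    for client in 203.0.113.7 203.0.113.7 203.0.113.7 203.0.113.7 \
                  192.0.2.10 192.0.2.10 192.0.2.10 \
                  198.51.100.23 crawler.example.net; do
        printf '%s - - [19/Apr/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512\n' "$client"
    done
}

# top_talkers MIN: read a log on stdin, print "count ip" (busiest first) for
# each client with at least MIN requests. Field 1 is only counted when it is
# a well-formed IPv4 address, so hostnames or junk never reach the firewall.
top_talkers() {
    awk -v min="$1" '
        function ipv4(s,    o, n, i) {
            n = split(s, o, ".")
            if (n != 4) return 0
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
            return 1
        }
        ipv4($1) { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# block_rules MIN "ALLOWLIST": print (do not run) one iptables DROP rule per
# offender, skipping space-separated allowlisted IPs such as monitoring hosts.
block_rules() {
    top_talkers "$1" | while read -r count ip; do
        case " $2 " in *" $ip "*) continue ;; esac
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    done
}

# Review the output before pasting it into a root shell.
sample_log | block_rules 3 "192.0.2.10"
```

For a real archive, replace sample_log with zcat on the rotated log and pick a threshold that fits the site's normal traffic.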


Recent Comments by admin

A Biography of one big Heart + His Holiness Patriarch Neophyte (Neofit) head of Bulgarian Orthodox Church

From the archive: Christ's love conquers even death, Patriarch Neophyte maintained during his lifetime


A Biography of one big Heart + His Holiness Patriarch Neophyte (Neofit) head of Bulgarian Orthodox Church

The Bulgarian Patriarch Neophyte in Moscow on 8 March 2016, PART 2
 


Christ is Risen Eastern Orthodox Resurrection Paschal Greeting in Different Languages
Hi Stan,

I guess you cannot read the writings on the icon as it is in Cyrillic.
This is not Saint Mary and Saint Peter but Adam and Eve, written in Cyrillic on top of the icon.
Actually, in Orthodoxy it is a requirement for the depicted personalities, especially saints, to have
the names of the saint written on and to have the Halo. If you look closely at the picture you will notice
that the two, Adam and Eve, are missing a Halo. The only person with a Halo in the icon is Saint John the Baptist.

Best Regards
Georgi


Install and configure rkhunter for improved security on a PCI DSS Linux / BSD servers with no access to Internet
       --rwo, --report-warnings-only
              This option causes only warning messages to be displayed. This can be useful when rkhunter is run via cron. Other options may
              be used to force other items of information to be displayed.

       --sk, --skip-keypress
              When  the  --check command option is used, after certain sections of tests, the user will be prompted to press the return key
              in order to continue. This option disables that feature, and rkhunter will run until all the tests have completed.

         


Install and configure rkhunter for improved security on a PCI DSS Linux / BSD servers with no access to Internet
As an rkhunter check can be pretty annoying, asking you for keypresses multiple times and spitting out a lot of unnecessary data, very useful option arguments are:

--rwo and --sk

# rkhunter -c --rwo --sk
Warning: The SSH and rkhunter configuration options should be the same:
         SSH configuration option 'PermitRootLogin': yes
         Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no

