Magento Forum

Page 1 of 2
DDoS attack prevention
 
Nautica
Sr. Member
 
Total Posts:  140
Joined:  2008-01-03
 

I recently changed my osCommerce fork to Magento on a shared server. Since 12 October my host has deactivated my site because of a DDoS attack. Rather late, because in the logs I could see that this must have begun before the 4th of October this year.
I was almost finished and the site is online but needed some tweaks here and there. Since going online no orders have been placed, and in my former osCommerce shop I only received 5 orders, so my website is still unknown and not promoted yet. The domain name has been in my ownership since the beginning of 2008.
Just after my switch to Magento, and just before I wanted to move the site to a VPS server, it experienced a DDoS attack that has been running at least since before the 4th of October and is still going on.
In this attack the zombie PCs from all over the world keep asking for the NON-EXISTING file http://www/domainname.nl./images/abc.php?src=123 about 70000 times in 24 hours, so roughly that's more than once per second.
I don't know why this goes on so long. I heard it can happen for a day, but this is almost two weeks.

I want to change from shared to a VPS server and want to know what I can best do.
The VPS runs on the latest CentOS with DirectAdmin and I have root access.
I was thinking about mod_evasive or something, but I do not know what it actually does in these circumstances, so any comment is welcome.

Does anyone know how to deal with this? I want to switch to my VPS, but in these circumstances I'd rather wait to ride out the storm before moving.
I know my server space was hacked because of a security hole in FileZilla that leaked my FTP password. They uploaded some files to use the email to send spam. My host company warned me and said they deleted the files that were uploaded to CGI_bin.

At this point I am puzzled. Is it the switch to Magento that caused it?? Or is Magento that good that competitors do this (grin)

From others I hear that the 404 page that Magento generates is too large in these conditions. Each request is answered with a 404.

I was already thinking of blocking all IPs and only accepting the IPs in my country, but that is not a beautiful solution.

Anyone who can give me tips to fight this is welcome.

 
hydra
Guru
 
Total Posts:  378
Joined:  2008-08-26
Amsterdam
 

Hi,
Are the requests for the domainname.tld or are they requesting on IP?

 
Nautica
Sr. Member
 
Total Posts:  140
Joined:  2008-01-03
 
hydra - 16 October 2009 03:31 AM

Hi,
Are the requests for the domainname.tld or are they requesting on IP?

Domainname

 
hydra
Guru
 
Total Posts:  378
Joined:  2008-08-26
Amsterdam
 

Hi,
bummer. :(

Well, you could at least create the file they are requesting.
Also try to find out what kind of zombie they are. I mean, maybe you could create a control file which would instruct them to stop the requests.
Do you have the hacked site and the requested file on a backup?
Maybe it would be wise to let some kind of internet police task force know that you are under attack and give them the hacked files.

Other than that, I wouldn't really know what you should do, sorry.

 
Nautica
Sr. Member
 
Total Posts:  140
Joined:  2008-01-03
 

Yes, I have a full backup, but the requested file does not exist. I already thought of creating an empty PHP file named abc.php or just denying all requests to the file in htaccess.

 
JLHC
Mentor
 
Total Posts:  1287
Joined:  2008-05-09
Tampa, FL
 
Nautica - 15 October 2009 01:48 PM

At this point I am puzzled. Is it the switch to Magento that caused it?? Or is Magento that good that competitors do this (grin)

Well, it is definitely not caused by the switch to Magento, as there are no reasons for these issues to happen just because you switched to Magento.

 
Kammalou
Sr. Member
 
Total Posts:  285
Joined:  2009-01-20
Denmark
 

Why don't you just drop all traffic from the requesting IP address using IPTABLES?

- Then it's all over.

 
J_T_
Moderator
 
Total Posts:  1961
Joined:  2008-08-07
London-ish, UK
 

Yeah, if it’s a sustained attack from the same zombie PCs, block those IPs. But you probably can’t do that on a shared host.

What you can also do is create a simple htaccess file and redirect requests for that image to a big PDF file or image on a server that can handle it, like Google or Yahoo. That reduces the load on your server to next to nothing.

I also moved from osCommerce to Magento, and from a dedicated server specced some 4 years ago to a more up-to-date dedicated server. I always got these vulnerability probers looking for buggy scripts like old phpMyAdmin etc., but that caused no problem on osCommerce. On Magento though, as any file requested, even when it doesn't exist, invokes a full Mage run, my server gets bogged down quickly. I tried mod_evasive but that's next to useless. It only evades attacks to the same file, whereas these probers would probe for > 100 different files in half as many seconds.

I tried to get it blocked at the firewall but the host wasn't too cooperative. Said they couldn't detect it, even though I personally think it should be easy to block unnatural URI requests (i.e. multiple files within a second).

So I ended up making my own PHP script that executes an iptables block but this hasn’t worked flawlessly either.

All in all, it’s a shame Magento tries to run even for file requests that have nothing to do with Magento. It should know and not bother, to save resources.

 
gfxguru
Sr. Member
 
Total Posts:  186
Joined:  2008-11-20
 
Euklid - 20 October 2009 05:09 AM

Why don't you just drop all traffic from the requesting IP address using IPTABLES?

- Then it's all over.

and do this for all manually? Wow, now that would be a task, especially if you have a hacker that's using a compromised dynamic IP range from some ISP or bouncing around from some proxy. Now what I'd truly love to do is have an app detect scan types or probes to specific ports over multiple IPs or such and just block the IP for a specific time frame. Now that would truly save some time and money. I've spent so much time looking at traffic patterns and transmissions that I've become a guru in basic intrusion detection 101. I'd love to know where I could get the tools to assist me without paying an arm and a leg too, if anyone has any ideas… I sure could sleep better at night knowing that particular monsters are not lurking around on our servers.

I still haven't figured out why Magento's servers would be trying to communicate over port 53. Haven't looked into it further because it seemed harmless, but why this port? I don't know of any reason why Magento would need DNS. I noticed it during an install, actually right after an install. Anyone else seen this? Just wondering if anyone could clarify this.

 
Kammalou
Sr. Member
 
Total Posts:  285
Joined:  2009-01-20
Denmark
 
gfxguru - 25 October 2009 05:17 AM

Euklid - 20 October 2009 05:09 AM
Why don't you just drop all traffic from the requesting IP address using IPTABLES?

- Then it's all over.

and do this for all manually? Wow, now that would be a task, especially if you have a hacker that's using a compromised dynamic IP range from some ISP or bouncing around from some proxy. Now what I'd truly love to do is have an app detect scan types or probes to specific ports over multiple IPs or such and just block the IP for a specific time frame. Now that would truly save some time and money. I've spent so much time looking at traffic patterns and transmissions that I've become a guru in basic intrusion detection 101. I'd love to know where I could get the tools to assist me without paying an arm and a leg too, if anyone has any ideas… I sure could sleep better at night knowing that particular monsters are not lurking around on our servers.

I still haven't figured out why Magento's servers would be trying to communicate over port 53. Haven't looked into it further because it seemed harmless, but why this port? I don't know of any reason why Magento would need DNS. I noticed it during an install, actually right after an install. Anyone else seen this? Just wondering if anyone could clarify this.

There are a lot of applications that are able to handle this automatically for you.

Fail2Ban, building your own filters & jails with regexes, handles this for me perfectly.
You can choose to use either TCP Wrappers for exclusion, or IPTables. - I prefer the latter.

More info on Fail2Ban can be found here: http://www.fail2ban.org/wiki/index.php/Main_Page

 
J_T_
Moderator
 
Total Posts:  1961
Joined:  2008-08-07
London-ish, UK
 

Thanks for the fail2ban tip. But it only seems to act on auth fails, is that right?

I’d LOVE to find something that can take a list of filenames, and ban all IP addresses that scan for those file names. RegExp’ed ideally. Do you know anything to that effect?

 
Kammalou
Sr. Member
 
Total Posts:  285
Joined:  2009-01-20
Denmark
 
J.T. - 26 October 2009 07:55 AM

Thanks for the fail2ban tip. But it only seems to act on auth fails, is that right?

I’d LOVE to find something that can take a list of filenames, and ban all IP addresses that scan for those file names. RegExp’ed ideally. Do you know anything to that effect?

You can customize Fail2Ban jails & filters, creating your own for whatever regular expression you want it to match.
I’ve been VERY happy with those I’ve built/created and am using now.

 
J_T_
Moderator
 
Total Posts:  1961
Joined:  2008-08-07
London-ish, UK
 

I see the regex can be edited in the conf file:

failregex = : (?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) .*(?: from|FROM) (?:::f{4,6}:)?(?P<host>\S*)

Come to think of it, that’s not very useful for Magento purposes, as a probe on a Mage URL will not result in any error_log entry. If your shop is on www.shopdomain.com and a script kiddie is probing for a dodgy phpMyAdmin install on www.shopdomain.com/mysql/ then instead of a 404 in your error_log, Magento is taking over and displaying the 404 page rendered by itself. So there wouldn’t be anything for fail2ban to act upon.

We’d need a Magento module that allows you to enter all the usual vulnerability probing URLs and/or RegExp rules, and Magento then logs an error in the error_log file which fail2ban will then act on. Magento needs to be the middleware as it’s trying to parse those non-existent URLs.

I tried to use exec() to run an iptables command directly but this ran into terrible permission problems (which is kind of obvious).

Anyone got any better ideas?

 
J_T_
Moderator
 
Total Posts:  1961
Joined:  2008-08-07
London-ish, UK
 

Simpler than a Module would be to use “Add New Urlrewrite” in Magento’s default system and redirect the user to a special non-run-Mage script. That php file simply does:

$ip = $_SERVER['REMOTE_ADDR']; // client address of the probing request
error_log("Naughty vulnerability prober with ip " . $ip . " needs to be banned if he tries again\n", 3, "/path/where/fail2ban/should/look.log"); // type 3 appends to the given file; the newline keeps one entry per line for fail2ban

Let fail2ban search for that type of string and they’re gone.

The script would have to sit outside of the Mage root otherwise Magento tries to parse the URL.

I’ll try and implement this to test if it works well enough.
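A constructed example of the fail2ban side of this scheme (added here, not from the thread or from fail2ban's own code): it applies a failregex written in fail2ban's style to the lines that logging script would produce and works out which hosts cross a jail's maxretry/findtime threshold. It assumes the script also prefixes each line with a "YYYY-mm-dd HH:MM:SS " timestamp, which the one-liner above does not do, and uses a simple stand-in for fail2ban's own expansion of the <HOST> tag.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Regex in the style of a fail2ban filter.d/*.conf entry, matching the line the
# PHP script writes. fail2ban expands the <HOST> tag itself; HOST_RE is a
# stand-in for that expansion so the example runs without fail2ban installed.
FAILREGEX = r"Naughty vulnerability prober with ip <HOST> needs to be banned"
HOST_RE = r"(?P<host>\S+)"
# Assumption: the script prefixes each line with "YYYY-mm-dd HH:MM:SS " so the
# event can be dated (the one-liner in the thread does not do this).
TIMESTAMP_RE = r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "

def compile_failregex(failregex):
    """Build the Python regex that fail2ban would effectively run."""
    return re.compile(TIMESTAMP_RE + ".*" + failregex.replace("<HOST>", HOST_RE))

def hosts_to_ban(lines, maxretry=3, findtime=600):
    """Return the hosts that matched at least maxretry times within a sliding
    window of findtime seconds, mirroring the jail's maxretry/findtime settings."""
    pattern = compile_failregex(FAILREGEX)
    recent = defaultdict(list)          # host -> timestamps of matches in window
    banned = set()
    for line in lines:
        m = pattern.search(line)
        if not m:
            continue                    # unrelated log lines are ignored
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        host = m.group("host")
        # drop matches that have aged out of the findtime window, then add this one
        recent[host] = [t for t in recent[host] if ts - t <= timedelta(seconds=findtime)]
        recent[host].append(ts)
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned

# Constructed sample log: one prober hits three times in two minutes, another
# only twice an hour apart, plus an unrelated line the filter must ignore.
SAMPLE_LOG = [
    "2009-10-26 08:40:01 Naughty vulnerability prober with ip 203.0.113.5 needs to be banned if he tries again",
    "2009-10-26 08:40:09 Naughty vulnerability prober with ip 198.51.100.7 needs to be banned if he tries again",
    "2009-10-26 08:41:12 PHP Notice: something harmless",
    "2009-10-26 08:41:30 Naughty vulnerability prober with ip 203.0.113.5 needs to be banned if he tries again",
    "2009-10-26 08:42:00 Naughty vulnerability prober with ip 203.0.113.5 needs to be banned if he tries again",
    "2009-10-26 09:40:09 Naughty vulnerability prober with ip 198.51.100.7 needs to be banned if he tries again",
]

if __name__ == "__main__":
    print(sorted(hosts_to_ban(SAMPLE_LOG)))   # ['203.0.113.5']
```

With the default maxretry of 3 in 600 seconds only the first prober is banned; the second one's two hits lie an hour apart, so the window never fills.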

 
Kammalou
Sr. Member
 
Total Posts:  285
Joined:  2009-01-20
Denmark
 
J.T. - 26 October 2009 08:38 AM

Simpler than a Module would be to use “Add New Urlrewrite” in Magento’s default system and redirect the user to a special non-run-Mage script. That php file simply does:

$ip = $_SERVER['REMOTE_ADDR']; // client address of the probing request
error_log("Naughty vulnerability prober with ip " . $ip . " needs to be banned if he tries again\n", 3, "/path/where/fail2ban/should/look.log"); // type 3 appends to the given file; the newline keeps one entry per line for fail2ban

Let fail2ban search for that type of string and they’re gone.

The script would have to sit outside of the Mage root otherwise Magento tries to parse the URL.

I’ll try and implement this to test if it works well enough.

Looking forward to see what you come up with!

Great work!

 
J_T_
Moderator
 
Total Posts:  1961
Joined:  2008-08-07
London-ish, UK
 

Would be nice if Magento allowed a CSV import of rewrites!

 