(Plesk) server or website/shop overloaded due to an attack? – First aid against web server flooding

(Plesk) server or website/shop overloaded due to an attack? – First aid against web server flooding

Your server does not deliver any web pages anymore or only responds with the error code 502? Then it could be an attack on your server or your website/shop. This can be recognized by Plesk errors like“1024 worker_connections are not enough while connecting to upstream” or many requests with the mysterious status code“PRI * HTTP/2.0“.

At the moment, there are more and more attacks – probably from Russia – against seemingly random targets in Germany.

The first immediate measure should be to activate the firewall for all non-essential ports. Also, the SSH and Plesk administration port should be closed or only your (fixed) IP address should be allowed.

Afterwards, you should try to check the sources with the command

netstat 

command. This output can be evaluated even better with the following command:

netstat -ant | egrep '(:80|:443) .*:.*ESTABLISHED' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c

This command lists all IPs with a connection to your server and also shows the number of open connections. This makes it relatively easy to detect attackers by the high number of connections.

Additionally, you can query the IP address via a Who-Is service. In the next step you can block the IP address with iptables, “2.2.2.2” is the example attacker IP address in the following command:

iptables -I INPUT -s 2.2.2.2 -j DROP

You should also make sure that Fail2Ban and ModSecurity is enabled – just in case.

Note: After a reboot the rules are deleted again.

You need further support because your server or your store is under attack or for unexplainable reasons is only limited accessible? Then just write me via my contact form.

You want to block a whole IP range with iptables? This is possible with this command:

iptables -I INPUT -m iprange --src-range 24.152.57.0-24.152.57.255 -j DROP

You need a comprehensive blocklist for iptables that includes countries like Russia and other threats?

Then I have a shell script for you to download (here to the untested shell script of the blocklist).

Use it at your own risk! I haven’t tested yet if this large list could be a problem (because it is so big).

The download under Linux and the execution itself is done with

wget https://www.lautenbacher.io/wp-content/uploads/2022/03/blocklist.sh
chmod 775 ./blocklist.sh
./blocklist.sh

If the blocklist helped you write in the comments, I’ll be happy to provide an update.

Increase the number of workers

Of course you can also try to increase the number of workers, first determine the number of CPU cores with

cat /proc/cpuinfo |grep processor

Then open the configuration

nano /etc/nginx/nginx.conf

and set worker_processes to at least half of the CPU cores.

worker_processes 4;

The worker_connections can also be easily increased to 2048.

worker_connections 2048;

The number of maximum connections is then calculated with processes * connections = maximum number of connections.

After that, of course, the service must be restarted with

service nginx restart

Leave a Reply

Your email address will not be published. Required fields are marked *