0

One of the servers has been under attack for four weeks. First the attack was weak, but now it is aggressive after I started fighting him.

It consumes CPU resources to keep starting the Apache server with the httpd -k start command.

Using the firewall, it was possible to ban it for a while, but now more than 50 unique IPs and their RANGE are under ban. Attacks frequently come from new IP addresses. Among them are many unique and well-known IP addresses of companies such as Microsoft, Amazon and others...

How to ban all "nobody" users who initiate the httpd -k start command with the help of Fail2ban, ModSecurity, or perhaps the firewall?

Greg Askew
  • 39,132
Marcell Nemeth
  • 11
  • 2

1 Answers1

2

How is it possible to ban all "nobody" users who initiate the "httpd -k start" command

Uhhh.

What you see is perfectly normal. And most likely not a DDOS attack.

You have enabled a web server, Apache httpd and your web site gets vistors. Some of those will be real, although often on new and (very) small web sites, the majority of your your site vistors will be automated probes and similar automated abuse attempts, the normal internet background noise and mostly harmless unless you don't regularly patch and update. Such visits are normal and expected and rarely the level that they are considered a DDoS attack or even mild abuse.

With common default settings Apache httpd more or less launches a new process for each web request and each new visitor (the pre_fork mpm is usually selected by default). Those processes automatically die off again after they've served their puprose. Those Apache server processes must run under a system user and again nobody is common although other distributions may use httpd or something else.

The literal answer to your question "How is it possible to ban all "nobody" users who initiate the "httpd -k start" command?" is to block all web traffic in your firewall or simply disable your web server completely.

HBruijn
  • 84,206
  • 24
  • 145
  • 224