Sites Getting Attacked - Procedure

__Procedure to track sites being attacked__

Check the total number of connections on port 80, broken down by TCP state:

· netstat -an | grep ":80 " | awk '/tcp/ {print $6}' | sort | uniq -c

The trailing space after ":80" stops the grep from also matching ports such as 8080 or 8000. A large SYN_RECV count points to a SYN flood; a large ESTABLISHED count from few sources points to an HTTP flood.

Check which IP has established the most connections (field 5 of netstat output is the foreign address; the last `sort -rn` puts the busiest source first):

· netstat -plan | grep ":80 " | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn

Note that `cut -d: -f1` truncates IPv6 peers to their first hextet; on a dual-stack server strip only the trailing `:port` instead (for example with `sed 's/:[0-9]*$//'`).

After identifying the IP, check which site is receiving the most traffic from it via Apache's status page, which cPanel exposes to localhost:

· lynx http://localhost/whm-server-status

Lynx uses vi-style navigation keys; `/` searches the page.

The status page lists every active Apache request with its process ID, client IP, virtual host and requested URL (the per-request columns require Apache's ExtendedStatus to be on). Search for the IP found in the previous step to see which website and which pages it is hitting.
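The two netstat counts above, as an added shell example that is not part of the original procedure. It parses netstat output by field rather than with a bare grep, so port 8080 sockets are excluded and IPv6 peers keep their full address; the netstat output embedded in it is constructed for offline use (RFC 5737/3849 documentation addresses), and on a live server you would pipe `netstat -plan` into the functions instead.

```shell
#!/bin/sh
# Added example: count port-80 connections by state and by source IP.
# Not from the original procedure; sample data below is constructed.

# Constructed "netstat -plan" output. Includes a LISTEN socket, an
# unrelated port-8080 connection, half-open SYN_RECV entries and an
# IPv6 peer, all of which the original grep/cut pipeline mishandles.
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/httpd
tcp        0      0 203.0.113.10:80         198.51.100.7:51022      ESTABLISHED 1240/httpd
tcp        0      0 203.0.113.10:80         198.51.100.7:51023      ESTABLISHED 1241/httpd
tcp        0      0 203.0.113.10:80         198.51.100.7:51024      SYN_RECV    -
tcp        0      0 203.0.113.10:80         192.0.2.44:40001        ESTABLISHED 1242/httpd
tcp        0      0 203.0.113.10:80         192.0.2.44:40002        TIME_WAIT   -
tcp        0      0 203.0.113.10:8080       192.0.2.99:40003        ESTABLISHED 1300/java
tcp6       0      0 2001:db8::a:80          2001:db8::7:60001       ESTABLISHED 1243/httpd
tcp6       0      0 2001:db8::a:80          2001:db8::7:60002       ESTABLISHED 1244/httpd'

# Step 1: distribution of TCP states for sockets whose LOCAL port is 80.
# Matching on field 4 ending in ":80" excludes :8080, :8000 and so on.
conn_states() {
    awk '$1 ~ /^tcp/ && $4 ~ /:80$/ {print $6}' | sort | uniq -c | sort -rn
}

# Step 2: source IPs with the most connections to local port 80, busiest
# first. The port is removed from the FOREIGN address (field 5) by deleting
# everything after the last colon, so "2001:db8::7:60001" becomes
# "2001:db8::7" instead of the "2001" that cut -d: -f1 would produce.
# Listening sockets have no peer and are skipped.
top_talkers() {
    awk '$1 ~ /^tcp/ && $4 ~ /:80$/ && $6 != "LISTEN" {
             sub(/:[0-9]+$/, "", $5); print $5 }' \
    | sort | uniq -c | sort -rn
}

# The single busiest source, ready to be searched for on whm-server-status.
top_ip() {
    top_talkers | awk 'NR == 1 {print $2}'
}

# Run against the constructed sample. On a real server:
#   netstat -plan | conn_states ; netstat -plan | top_talkers
printf '%s\n' "$SAMPLE" | conn_states
printf '%s\n' "$SAMPLE" | top_talkers
```

Half-open (SYN_RECV) and closing (TIME_WAIT) sockets are deliberately counted in `top_talkers`: a flooding client often never completes the handshake, so counting only ESTABLISHED would hide exactly the source you are looking for.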

If a flood is detected, the following CSF options in /etc/csf/csf.conf are present but empty by default, so they are set rather than uncommented (restart CSF with `csf -r` afterwards):

· PORTFLOOD = "80;tcp;40;10" (format: port;protocol;hit count;interval). An IP that opens more than 40 new connections to tcp/80 within 10 seconds is blocked from that port until it has sent no new packets for 10 seconds.

· CONNLIMIT = "80;5,80;5" (format: port;limit, comma-separated per port). This caps each IP at 5 concurrent connections to port 80; the second "80;5" entry repeats the first and can be dropped. Five is aggressive: browsers open several parallel connections per page and users behind a shared NAT address all count against the same limit, so test the value before enabling it on a busy server.

· ModSecurity rules can be enabled when the attack is application-level, that is aimed at a specific CMS such as WordPress or Joomla (login or XML-RPC brute forcing, for example) rather than a raw connection flood, since connection-rate limits do little against a low-volume but targeted request pattern.