Page 1 of 1

Attacker IPs

Posted: 2018/07/12 22:05:58
by yeknafar
Hello

Thanks for your attention.
I am using a cload to prevent DDOs attacks on my site and it is supposed just I see the IP of my cload on my server but when I check it with

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

I see many strange IPs and when I Google them I find they are attacker IPs.


- I am using centos web panel (CWP).

Now I wonder:
- Why they come to my site directly and do not go through the cload to prevent them? (I do not think they have my IP, I have used 2 different cloads)

- I ban them manually, can it becomes an auto action?
- Are they doing Slowris attack on my site? (Because I receive for example 335 load average and database error sometime or even 3 times a day with low bandwith)

- Is it a good job to ban the most famous attacker IPs ? If yes how can I get the list?


Thanks

Re: Attacker IPs

Posted: 2018/07/13 06:20:19
by TrevorH
- I am using centos web panel (CWP).
Off topic here, please see viewtopic.php?f=12&t=66365

Re: Attacker IPs

Posted: 2018/07/13 11:33:53
by lightman47
For the most part "they" are bots that bang-away at IPs. They don't have yours until they get to it and your machine responds - then they have it.

I use fail2ban as I must use passwords, with retrys set really low. It's a little bit to set up but works nicely.