Applicable to:
- Plesk for Linux
- Plesk for Windows
Question
How to diagnose a DoS/DDoS attack and find websites under attack on a Plesk server?
Answer
On Linux
1. Connect to the server via SSH.
2. Determine the source IP addresses and the number of established connections from each of them to ports 80 and 443:
   # ss -tan state established | grep ":80\|:443" | awk '{print $4}'| cut -d':' -f1 | sort -n | uniq -c | sort -nr
3. Find the domains which are currently under attack. Replace 203.0.113.2 (an example address) with a source IP address from the previous step:
   # for log in /var/www/vhosts/system/*/logs/*access*log; do echo -n "$log "; tail -n10000 "$log" | grep -c 203.0.113.2; done | sort -n -k2
4. Check the number of connections in the SYN_RECV state (a large number may indicate a SYN flood):
   # ss -tan state syn-recv | wc -l
5. If there are several IP addresses on the Plesk server, determine the target IP address under attack:
   # netstat -lpan | grep SYN_RECV | awk '{print $4}' | cut -d: -f1 | sort | uniq -c | sort -nk 1
It is possible that there are not many established connections to the web server, but there are a lot of requests that nginx served successfully and passed on to Apache, so that Apache is the component under attack. To track these requests, do the following:
1. Navigate to /var/www/vhosts/system:
   # cd /var/www/vhosts/system
2. Generate a file named requests containing the number of requests made to each domain in the last hour, using the command below. Note: As an example, 24/Jan/2022:20 is used; ":20" is the hour, 8 p.m. The command reads access_ssl_log only; for plain HTTP traffic, run it against access_log as well.
   # for i in *;do echo -n "$i "; grep '24/Jan/2022:20' $i/logs/access_ssl_log | awk '{print $1}' | wc -l;done > ~/requests
3. Check the generated file:
   # cat ~/requests | sort -k 2 -r -n | head
   example.com 24549
   example.net 18545
   test.com 3
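As an added example that is not part of the Plesk article, the following POSIX shell script reproduces the per-domain request count from the requests step and the per-IP count from the earlier step, run against a constructed vhosts/system tree under /tmp (an assumed path filled with sample log lines) so that it works offline; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the Plesk article): build a constructed vhosts/system
# tree with sample access_ssl_log lines, count requests per domain for one hour,
# then list the source IPs behind the busiest domain. All paths are assumed.
set -eu

ROOT="${TMPDIR:-/tmp}/plesk_dos_example"      # stand-in for /var/www/vhosts/system
HOUR='24/Jan/2022:20'                          # the hour to examine, as in the article
mkdir -p "$ROOT/example.com/logs" "$ROOT/example.net/logs" "$ROOT/test.com/logs"

# One constructed combined-format log line: $1 = client IP, $2 = hour (sample data)
mk_line() {
  printf '%s - - [24/Jan/2022:%s:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.81"\n' "$1" "$2"
}
repeat() { n=$1; shift; while [ "$n" -gt 0 ]; do "$@"; n=$((n-1)); done; }   # run a command n times

{ repeat 30 mk_line 203.0.113.2 20; repeat 5 mk_line 198.51.100.7 20; mk_line 192.0.2.9 19; } \
  > "$ROOT/example.com/logs/access_ssl_log"            # last line is outside the examined hour
repeat 8 mk_line 203.0.113.2 20 > "$ROOT/example.net/logs/access_ssl_log"
mk_line 192.0.2.9 20            > "$ROOT/test.com/logs/access_ssl_log"

# Requests per domain in the given hour, "<domain> <count>", busiest first
# (the article's "requests" step, written as a function over a directory argument)
requests_per_domain() {          # $1 = vhosts/system directory, $2 = hour pattern
  for d in "$1"/*/; do
    d=${d%/}
    printf '%s %s\n' "$(basename "$d")" "$(grep -c "$2" "$d/logs/access_ssl_log" || true)"
  done | sort -k2 -n -r
}

# Source IPs for one domain in that hour, "<count> <ip>", most active first
top_source_ips() {               # $1 = vhosts/system directory, $2 = domain, $3 = hour pattern
  grep "$3" "$1/$2/logs/access_ssl_log" | awk '{print $1}' | sort | uniq -c | sort -rn \
    | awk '{print $1, $2}'
}

busiest_domain() { requests_per_domain "$1" "$2" | head -n1 | cut -d' ' -f1; }

requests_per_domain "$ROOT" "$HOUR"
top_source_ips "$ROOT" "$(busiest_domain "$ROOT" "$HOUR")" "$HOUR"
```

On a real server, point ROOT at /var/www/vhosts/system and HOUR at the hour you are investigating; the functions then read the live logs instead of the constructed ones.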
1. Connect to the server via SSH.
2. Create an environment for investigation:
   # mkdir /root/inv
   # cd /var/www/vhosts/system
   # for i in *; do mkdir /root/inv/$i; done
3. Populate the environment with log files for the last few days:
   # for i in *; do find $i -mtime -3 -type f -exec cp -a {} /root/inv/$i \;; done
4. Unzip the rotated (compressed) log files:
   # cd /root/inv
   # for i in /root/inv/*/*; do [[ ${i:(-3)} == ".gz" ]] && gunzip $i ; done
5. Remove statistics and configuration files:
   # rm /root/inv/*/*.conf /root/inv/*/*.png /root/inv/*/*webalizer* /root/inv/*/*webstat */*html
6. Get the entries from the day of the attack to form a report. Note: As an example, 30/Oct/2017 is used.
   # for i in *; do [[ -d $i ]] && grep -rh "\[30/Oct/2017" ./$i > $i.accessed; done
7. Sort the report files by size:
   # ls -laS | less
   Note: The size of each .accessed file is displayed. The larger the file, the higher the chance that the domain was targeted.
8. Find the most active IP addresses:
   # cut -f 1 -d ' ' *.accessed | sort -n | uniq -c | sort -nr | less
   Note: This command shows how many requests each IP address made to the websites within the time frame specified in step 6.
9. Find the domains which were targeted by these IP addresses. Replace 203.0.113.2 (an example address) with an IP address from the previous step:
   # grep -rc 203.0.113.2 /root/inv/*/* | sort -n -k2 -t:
On Windows Server
1. Connect to the server via RDP.
2. Start a command prompt and run the following commands to check the count of connections on ports 80 and 443 (the ":80 " and ":443 " patterns match the port field only, so that 80 or 443 appearing inside an IP address or PID is not counted):
   C:\> netstat -ano | find /c ":80 "
   C:\> netstat -ano | find /c ":443 "
   Note: If there is a large number of connections (hundreds or thousands) to the same port, the server is likely under a DDoS attack.
Additional Information
Malicious activity of a source IP address can be checked on AbuseIPDB.
To secure websites against DDoS attacks, see this KB article.
Comments
1 comment
None of these help articles are plug and play; it's always some step that will not work with a normal vanilla Plesk on Ubuntu install. In this case it is adding a repo.
Command 'netstat' not found, but can be installed with:
apt install net-tools
root@nice-ride:~#
root@nice-ride:~# apt install net-tools
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
E: Unable to locate package net-tools