Posts Tagged ‘website’

Users receive a “The page cannot be displayed” error message, and “Connections_refused” entries are logged in the Httperr.log file on a server that is running Windows Server 2003, Exchange 2003, and IIS 6.0

No Comments »

To work around this issue, add the EnableAggressiveMemoryUsage registry entry to the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters

Then, set the EnableAggressiveMemoryUsage registry entry to 1.

To do this, follow these steps:

  1. Click Start, click Run, type regedit in the Open box, and then click OK.
  2. Click the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Type EnableAggressiveMemoryUsage, and then press ENTER.
  5. On the Edit menu, click Modify.
  6. In the Value data box, type 1, and then click OK.
  7. On the File menu, click Exit to exit Registry Editor.
  8. Restart the HTTP service. To do this, follow these steps:
    1. Click Start, click Run, type cmd in the Open box, and then click OK.
    2. At the command prompt, type net stop http /y, and then press ENTER.
    3. At the command prompt, type iisreset /restart, and then press ENTER.

Users receive a “The page cannot be displayed” error message, and “Connections_refused” entries are logged in the Httperr.log file on a server that is running Windows Server 2003, Exchange 2003, and IIS 6.0

No Comments »
To work around this issue, add the EnableAggressiveMemoryUsage registry entry to the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters

Then, set the EnableAggressiveMemoryUsage registry entry to 1.

To do this, follow these steps:

  1. Click Start, click Run, type regedit in the Open box, and then click OK.
  2. Click the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Type EnableAggressiveMemoryUsage, and then press ENTER.
  5. On the Edit menu, click Modify.
  6. In the Value data box, type 1, and then click OK.
  7. On the File menu, click Exit to exit Registry Editor.
  8. Restart the HTTP service. To do this, follow these steps:
    1. Click Start, click Run, type cmd in the Open box, and then click OK.
    2. At the command prompt, type net stop http /y, and then press ENTER.
    3. At the command prompt, type iisreset /restart, and then press ENTER.

 


Monitor Web Site Files With Auditd

No Comments »

 

The Linux Auditing System and auditd are a great way to monitor who and when changes are made to the files in your website. To install and configure follow these steps:

1. Install auditd and related utilities:

yum install audit

2. Make sure auditd is running:

/sbin/chkconfig --list auditd 
auditd 0:off 1:off 2:on 3:on 4:on 5:on 6:off

3. Edit /etc/audit/auditd.conf and change:

action_mail_acct = [your email address]

This sets any action emails to go to your preferred address.
4. Edit /etc/audit/audit.rules and add a line like this to the bottom:

-w [path_to_website] -p wa -k [key]

So if you website is located at:
/var/www/vhosts/mysite.com/httpdocs
Then a command like:

-w /var/www/vhosts/mysite.com/httpdocs -p wa -k mysite

would setup auditing of write and attribute change requests. Events matching this rule would be tagged with the “mysite” key.

/sbin/service auditd restart

Audit logs go to:

/var/log/audit/audit.log

 


Preventing Layer 7 DDoS Attacks on a Service

No Comments »

 

You might heard about Application‐level DDoS (Distributed Denial of Service) attacks on websites such as Twitter, Facebook and Wikileaks. Usually those kind of attacks involves a large number for HTTP/HTTPS requests to specific part of the website that could potentially eat up all the resource of  the server resulting unresponsive behavior from the web server.

There are already some tools available to shut down any website and make it unreachable for legitimate users.

Looking at the technique used to perform this attack, the tool sends about 10 Long HTTP/HTTPS requests per second until it reaches bandwidth or connection limits of the hosts or networking equipment to make it offline.

Now the question is how we can stop this attack? What are the preventive measures against the Layer7 DDoS?

First of all, we start limiting the traffic using hashlimit on iptables. This module can be used to allow just a certain number of packets per minute:

 

iptables -A INPUT -p tcp --dport 80 -m hashlimit --hashlimit-upto 50/min --hashlimit-burst 20 --hashlimit-mode srcip --hashlimit-name http -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

where "–hashlimit-burst 20" is the burst limit, you can adjust as per your requirement.

Also using Apache you can add a module mod_reqtimeout. This directive can set various timeouts for receiving the request headers and the request body from the client.

Hope this helps…