hello,
See if someone can help me:
I have a VPS Plesk (Ubuntu Server), and from the 31 you are getting a DDoS attack from a large number of addresses (mainly from Iran, India, Malaysia, Kazakhstan, ....., although there also addresses such France and Argentina, not whether this information can be useful)
Reviewing the logs, I see that one of the hosted domains is receiving connections with the following information:
[IP_ORIGEN] [datetime] "POST / HTTP / 1.1" 200 13026 "-" "Mozilla / 4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
That is, try to inject some kind of content that spans about 13kb (several sizes, the most common is that). The USER-AGENT (Mozilla 4.0 ....) is always the same, but changes the IP, so I assume it's some sort of virus that is identified as an Internet Explorer 6. There are several connections per second, which logically consume the maximum number that I have configured the apache server, and prevent the webs work, if I increase the number of connections can I load the page, but saturate the server's memory and slow work.
Furthermore, also the smtp server is me getting hundreds of connections, in this case the file /var/log/mail.info have lines how are you:
[Date] [nombre_de_mi_servidor] postfix / smtpd [NUMBER]: connect from unknown [IP ADDRESS]
[Date] [nombre_de_mi_servidor] postfix / smtpd [NUMBER]: disconnect from unknown [OTHER IP ADDRESS]
[Date] [nombre_de_mi_servidor] postfix / smtpd [NUMBER]: lost connection after UNKNOWN from unknown [IP ADDRESS]
In one second I can have about 20 lines
Any idea how I can block this considering that a large number of IP addresses, and are not repeated many times (I do not think I can add a rule to based on the number of connections per minute firewall, because there may be 2 in the same minute and that IP does not return until several hours later)?
I tried for several hours to stop the apache server and postfix, but to restart restarts traffic, now I tried to disable the particular domain was receiving requests, but for now the traffic continues. For what it's worth, the page is made with an outdated wordpress (I did not, and do not dare touch it because there are things that do not work well and could leave unused)
Thank you very much to all and any suggestions are welcome