Is there a preferred way to set "nice" for sshd?
I need priority given to sshd such that I can log in and easily fix stuff when something has gone wrong (e.g. DoS, badly behaved processes, etc.).
I am investigating the vulnerability to Slowloris and I think I understand how and why this sort of attack works.
What I don't understand is why Lighttpd and Nginx are not affected (according to the same article as linked above). What do they do so differently?
We run a community product. There is an individual (a little PoS kid) in the UK who has been harassing our site for the last 6 months. His daily task is to create a new account, post a bunch of illegal / inflammatory content, get a rise out of people, then get deleted within a few hours by an admin. Then repeat.
His IP address changes every time he creates a new account (either using a proxy or some other similar tool). The only commonality is the top level 92.x.x.x. We've tried contacting UK authorities... while they are interested, they have not provided anything actionable. Meanwhile, this harassment continues daily.
Anyone have experience on how to kill this off? I'm pretty much at my wit's end here and hoping someone who has dealt with this before can provide some guidance.
Thx in advance.
Recently a script called "slowloris" has gained attention. The basic concept of what slowloris does is not a new attack, but given the recent attention I have seen a small increase in attacks against some of our Apache websites.
At the moment there does not appear to be any 100% defence against this.
The best solution we have determined (so far) is to increase MaxClients.
This of course does nothing more than increase the requirements for the attacker's computer and does not actually protect the server 100%.
One other report indicates that using a reverse proxy (such as Perlbal) in front of the Apache server can help prevent the attack.
Using mod_evasive to limit the number of connections from one host and using mod_security to deny requests that look like they were issued by slowloris seems to be the best defence so far.
Has anyone on ServerFault been experiencing attacks such as this? If so, what measures did you implement to defend/prevent it?
NOTE: This question is for Apache servers as it is my understanding that Windows IIS servers are not affected.
Currently I have been using (D)DoS-Deflate to manage such situations on numerous remote servers, along with Apache JMeter for load testing.
Overall it has been working fairly well, although I'd like to hear some suggestions from gurus who have been working with these sorts of circumstances for longer than I have. I'm sure those working in the web hosting business have had their fair share of dealing with these situations. So I'm wondering what the best practices are for approaching these sorts of problems in a corporate environment?