Website & Server Help

Unlimited Webspace Help

Menu
  • Home
  • Apps
  • Website
    • Sending email from a WordPress website hosted on an IONOS server
    • How to increase Upload Max Filesize
    • How to reset a WordPress password
    • 22 Ways To Speed-Up A Plesk Website
  • Server
    • Linux or Plesk Server Error 500
    • Windows Server: File cannot be loaded. The file is not digitally signed.
    • Adding or modifying IP addresses on a Linux server
    • Installing Remote Desktop on Debian 12
    • Installing Remote Desktop on Ubuntu 22.04
    • How To Install a Let’s Encrypt SSL in Apache on Debian/Ubuntu
  • Favs
    • How to Connect to a Server
    • The Ultimate Guide to Setting Up a Proper Plesk Email Server With IONOS
    • The Ultimate IONOS Migration Guide
    • Help! My Plesk Websites Are Down!
    • Running tests for a slow server or dropped packets
    • Checking File System and Hard Drive Health
Menu

How to detect a DoS attack on a Linux server

Posted on January 19, 2023, updated October 11, 2023, by admin

If your website or server is running slowly, you may fear that you are under a DoS or DDoS attack.

  1. Connect to the server. If possible, connect via SSH. In some cases, a server may be unavailable via SSH. In this scenario, check with your hosting/server provider to find out whether they offer a VNC console, KVM console, or serial console. These tools allow remote access to a server even when it is not responding externally; it is similar to plugging a monitor into the server.
  2. Find out how many active connections the server has, to determine if a DoS/DDoS is occurring:
    ss -s
  3. Find out how many SYN attempts were received to determine if a SYN attack is occurring:
    ss -tan state syn-recv | wc -l
  4. Find the source IPs of the attack:
    DoS/DDoS on website (grep needs -E for the | alternation; because a state filter is given, ss omits the State column, so $4 is the peer address):
    ss -tan state established | grep -E ":80|:443" | awk '{print $4}' | cut -d':' -f1 | sort | uniq -c | sort -nr
    DoS/DDoS anywhere:
    lsof -i -n -P | awk '$9 ~ /.->./ {split($9,a,"->"); split(a[2],b,":"); print b[1]}' | sort | uniq -c | sort -nr
    SYN attack:
    ss -tan state syn-recv
  5. Find out which websites are being targeted (replace 123.456.7.89 with an IP found in step 4; -F matches the IP as a literal string so the dots are not regex wildcards):
    for log in /var/www/vhosts/system/*/logs/*access*log; do echo -n "$log "; tail -n10000 "$log" | grep -cF 123.456.7.89; done | sort -n -k2
  6. Block IP(s) on Ubuntu/Debian:
    sudo ufw deny from 123.456.7.89 to any
    Alternatively, to add the 5 IPs with the most established connections to your firewall deny ruleset (review the list before running this; the rules are inserted at position 1 because ufw matches rules in order and a deny appended after an existing allow rule would not take effect):
    ss -tan state established | awk '$4 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+$/ {print $4}' | cut -d':' -f1 | sort | uniq -c | sort -nr | head -n 5 | awk '{print $2}' | xargs -I{} sudo ufw insert 1 deny from {} to any
    Block IP(s) on CentOS/Fedora/RHEL (a --permanent rule only becomes active after a reload):
    sudo firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='xxx.xxx.xxx.xxx' drop"
    sudo firewall-cmd --reload
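The following script is an added example, not part of the original post: it applies steps 2 to 6 to a single `ss -tan` snapshot, so the connection count, SYN-RECV count, top peers and proposed firewall rules all come from the same moment in time, and it prints the firewall commands rather than running them so the admin can review them first. The function names (syn_recv_count, top_peers, hits_in_logs, block_commands, report), the 100-connection threshold and the embedded sample `ss` listing (constructed with documentation addresses) are this example's own choices; run it with `--live` on the server to use real `ss` output instead of the sample.

```shell
#!/bin/sh
# Added example (not from the original post). Functions read ss-style lines
# from stdin so they work on live `ss -tan` output or on a saved snapshot.
# Threshold, function names and the sample listing below are assumptions.

# Constructed sample of `ss -tan` output: one peer holding three connections,
# one with a single connection, two half-open (SYN-RECV) sockets, one IPv6 pair.
SAMPLE_SS='State    Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB    0      0      10.0.0.5:443       203.0.113.10:51000
ESTAB    0      0      10.0.0.5:443       203.0.113.10:51001
ESTAB    0      0      10.0.0.5:443       203.0.113.10:51002
ESTAB    0      0      10.0.0.5:80        198.51.100.7:40000
SYN-RECV 0      0      10.0.0.5:80        192.0.2.44:33000
SYN-RECV 0      0      10.0.0.5:80        192.0.2.44:33001
ESTAB    0      0      [::1]:443          [::1]:60000'

# Half-open connections: same idea as `ss -tan state syn-recv | wc -l`, but
# applied to the full `ss -tan` listing, which still carries the State column.
syn_recv_count() {
    awk '$1 == "SYN-RECV" { n++ } END { print n + 0 }'
}

# "count ip" for the IPv4 peers holding the most ESTAB connections, highest
# first. Full `ss -tan` columns are State Recv-Q Send-Q Local Peer, so the
# peer is $5 (the post's one-liners use $4 because a state filter drops State).
top_peers() {
    limit="${1:-5}"
    awk '$1 == "ESTAB" && $5 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+$/ {
             sub(/:[0-9]+$/, "", $5)   # strip the ephemeral port
             count[$5]++
         }
         END { for (ip in count) print count[ip], ip }' \
        | sort -k1,1nr -k2,2 | head -n "$limit"
}

# Hits from one IP in the last 10000 lines of each log given (Plesk keeps
# per-site logs under /var/www/vhosts/system/*/logs/). -F matches the IP as a
# literal string so its dots are not regex wildcards. Output: "file count".
hits_in_logs() {
    ip="$1"; shift
    for log in "$@"; do
        printf '%s %s\n' "$log" "$(tail -n 10000 "$log" | grep -cF "$ip")"
    done | sort -k2,2n
}

# Turn "count ip" lines into firewall commands for peers at or above a
# threshold. ufw matches rules in order, so the deny is inserted at position 1
# to take effect ahead of existing allow rules; firewalld needs --reload
# before a --permanent rule is active. Commands are printed, not executed.
block_commands() {
    threshold="${1:-100}"
    while read -r count ip; do
        [ "$count" -ge "$threshold" ] || continue
        printf 'sudo ufw insert 1 deny from %s to any\n' "$ip"
        printf "sudo firewall-cmd --permanent --add-rich-rule=\"rule family='ipv4' source address='%s' drop\" && sudo firewall-cmd --reload\n" "$ip"
    done
}

# Run every check on one snapshot read from stdin.
report() {
    snapshot="$(cat)"
    printf 'SYN-RECV sockets: %s\n' "$(printf '%s\n' "$snapshot" | syn_recv_count)"
    printf 'Top peers by established connections:\n'
    printf '%s\n' "$snapshot" | top_peers 5
    printf 'Suggested blocks (peers with >= 100 connections):\n'
    printf '%s\n' "$snapshot" | top_peers 5 | block_commands 100
}

if [ "${1:-}" = "--live" ]; then
    ss -tan | report
else
    printf '%s\n' "$SAMPLE_SS" | report
fi
```

Once the top peers are known, `hits_in_logs 203.0.113.10 /var/www/vhosts/system/*/logs/*access*log` shows which site that peer is hammering, and piping the `top_peers` output through `block_commands` with a threshold that fits the server's normal traffic keeps a busy but legitimate client (a CDN edge or a monitoring system) from being blocked by a blanket "top 5" rule.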
