Reputation: 145
Some months ago the server was under a DDoS attack (my sysadmin found out). At the moment the sysadmin is not available, and the server went down several times.
How can I find out if I am under attack? What log files?
SSH and Apache were not available, but I could ping the server. Then I reset the server, and everything functioned again. I think they do a short attack and then the server crashes. From what I know about the last attackers, they are just some idiots, no real 'hackers'.
What I found in the syslog, the last entry before the server went down: WEBSERVERUSER - MAIL (mailed 260 bytes of output but got status 0x0001 )
What logs to check more?
Upvotes: 1
Views: 3725
Reputation: 14618
What logs to check depends on what OS, what version, what server software is installed, and how it's configured.
Basically, the Apache web server (the most used) has access logs here:
/var/log/httpd/access_log
and error logs here:
/var/log/httpd/error_log
SSH by default on RHEL logs to
/var/log/secure
or to syslog
/var/log/messages
I used the DenyHosts tool to detect and prevent brute force attacks on SSHD.
There are lots of analyzers available, just google for IDS, but I can not recommend you a specific one until you give us more details, as mentioned above.
Upvotes: 4
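As an added example (not from the question or the answer above), a small POSIX shell script that summarises the two logs the answer names: the top client IPs in the Apache access log and failed SSH password attempts per source IP in the SSH log. The paths default to the RHEL locations given in the answer and can be overridden through ACCESS_LOG and SECURE_LOG; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example: quick triage of the Apache access log and the SSH auth log
# for a request flood or SSH brute force. Log paths are the RHEL defaults
# from the answer; override with ACCESS_LOG / SECURE_LOG. Sample lines below
# are constructed, not real traffic.

ACCESS_LOG="${ACCESS_LOG:-/var/log/httpd/access_log}"
SECURE_LOG="${SECURE_LOG:-/var/log/secure}"

# Top N client IPs by request count (first field of a combined-format log).
top_clients() {  # $1 = access log, $2 = N
    awk '{ print $1 }' "$1" | sort | uniq -c | sort -rn | head -n "$2"
}

# Failed SSH password attempts per source IP, from sshd "Failed password" lines.
failed_ssh_by_ip() {  # $1 = ssh log
    grep 'sshd\[[0-9]*\]: Failed password' "$1" \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn
}

# Constructed sample logs so the functions can be exercised offline.
write_samples() {  # $1 = directory to write access_log and secure into
    cat > "$1/access_log" <<'EOF'
203.0.113.9 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.0"
203.0.113.9 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.0"
203.0.113.9 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.0"
198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
EOF
    cat > "$1/secure" <<'EOF'
Oct 10 13:57:01 host sshd[2231]: Failed password for root from 203.0.113.9 port 51234 ssh2
Oct 10 13:57:03 host sshd[2231]: Failed password for root from 203.0.113.9 port 51235 ssh2
Oct 10 13:57:09 host sshd[2240]: Accepted publickey for admin from 198.51.100.4 port 40000 ssh2
EOF
}

# "live" runs against the real logs; anything else runs on the sample data.
if [ "${1:-}" = live ]; then
    echo "== top clients =="; top_clients "$ACCESS_LOG" 10
    echo "== failed SSH logins by IP =="; failed_ssh_by_ip "$SECURE_LOG"
else
    tmp=$(mktemp -d)
    write_samples "$tmp"
    echo "== top clients (sample) =="; top_clients "$tmp/access_log" 5
    echo "== failed SSH logins by IP (sample) =="; failed_ssh_by_ip "$tmp/secure"
    rm -rf "$tmp"
fi
```

A single IP dominating the access log in a short window, or hundreds of failed SSH logins from one source, is the pattern to look for; a flood that exhausts the server before Apache can write its log will show up as a gap in the access log rather than as entries.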