This article explains how to respond to a suspected attack against your website hosted on a Linux server, assuming you have root (administrator) access to it.
I. Detect Packet Loss
The first step is to test whether your website is reachable. A site that is difficult to access could be a sign of an attack. Use the PING command to measure the availability of your site or server from a remote machine connected to the network.
From a Linux terminal:
[root]# ping -c 20 yoursite.com
(The -c parameter specifies the number of echo requests to send)
From a Windows machine: open the Command Prompt by pressing Windows + R and running CMD.
ping -n 20 yoursite.com
(The -n parameter specifies the number of echo requests to send)
If the statistics show a significant percentage of lost packets, something unusual is likely happening on your server.
II. Check the Number of Processes and Server Load
Once logged in as administrator, check whether your server is overloaded. You have two indicators: the number of running processes, and the server's average load.
The uptime command shows the average load. A healthy result should not exceed 3.00.
[root]# uptime
09:19:18 up 10 days, 12:44, 1 user, load average: 0.10, 0.09, 0.09
The ps command shows the number of processes running at this moment:
[root]# ps -edf | wc -l
If the result is significantly higher than normal, your server may be under attack.
You can narrow it down further by filtering only the processes run by your HTTP server (here Apache):
[root]# ps -edf | grep " /usr/sbin/httpd" | wc -l
III. Identify the Source of the Attack
The netstat command lets you detect the IP addresses responsible for the attack by showing request volume per IP:
[root]# netstat -np | grep 'httpd' | sed -n -e '/[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}/p' | awk '{print $5}' | sed 's/::ffff://' | cut -d: -f1 | sort | uniq -c | sort -n
2 141.255.109.124
4 85.110.133.235
100 93.40.214.238
200 95.223.74.237
The first number is the request count. In this example, IP 95.223.74.237 (200 requests) and IP 93.40.214.238 (100 requests) are suspicious.
IV. Ban the Attacking IP Addresses
Once you have identified the offending IPs, ban them using the iptables command.
Ban IP 95.223.74.237:
[root]# /sbin/iptables -I INPUT -s 95.223.74.237 -j DROP
The IP will be banned until the server is restarted. To remove a ban:
[root]# /sbin/iptables -D INPUT -s 95.223.74.237 -j DROP
To list all banned IPs:
[root]# /sbin/iptables -L INPUT -v -n | grep DROP
V. Secure Your Linux Server with RKHunter
RKHunter is a rootkit scanner. A rootkit is a small — usually malicious — program hidden in Linux system commands to conceal its presence. Rootkits typically open a backdoor (Trojan horse) giving an attacker control over your server.
RKHunter scans your system to detect such programs by comparing your system's known executables against an online database. For more information, see the documentation.
Install RKHunter with yum (CentOS):
[root]# sudo yum install rkhunter
Run RKHunter and scan the system:
[root]# sudo rkhunter --check --sk
It is strongly recommended to run RKHunter immediately after setting up your server.
Feel free to bookmark this article and share it — it will come in handy when dealing with an attack on your site.