cPanel Direct IP getting DDoSed
sharedport
Member
in Help
I have two cPanel servers set up for our shared hosting and a whole slew of clients. Some have dedicated IPs and some have shared IPs; however, today the main IP for the cPanel server got hit and disrupted everyone's services.
I am currently with Combahton and I have tried things like enabling permanent mitigation, etc.
Is there a way to configure cPanel so my clients don't get disrupted? Any way to change the main cpanel1 IP address?
Comments
Nullroute the IP, at least then clients' services should become accessible. Nothing to stop the attackers going for your other IPs though...
If you have DDoS protection that isn't working, contact your datacenter's support team to see if any changes can be made to block the attack traffic.
Changing the IP will likely shift the attack to the new IP. Just enable your permanent mitigation or terminate the client who is attracting the attacks.
Well, if it's application layer, ask them; he said they have a system for that in place.
Application layer will mostly not trigger AntiDDOS, since your traffic goes encrypted over TLS.
What's worse, when this happens, DNS lookups go out of the primary interface, causing Apache reverse lookups to slow down (if they're enabled), and Exim to fail to send email because it can't look up recipient DNS.
In before someone posts a complaint thread on LET that his account got terminated for no reason.
It could be a 30 second fix or it could be something you'd need specific protection for. Do you have any logs, assuming it's a L7 attack, from the web server, fpm, etc? What port is getting the traffic?
It's Layer 4. They are hitting the direct IP of the machine; it causes everything to go down.
Unless they're actually filling up your (already DDoS protected) pipes, have you considered routing/sending all the traffic to something as simple as a dedicated NGINX instance returning a 444 for all direct IP connections + fail2ban for the offending IPs? Or, enable the SYNPROXY target.
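Editor's added example, not code from any poster in this thread: the "444 for direct IP connections + fail2ban" idea from the comment above, written out as the counting logic fail2ban would apply to an nginx access log. It assumes nginx's combined log format and a catch-all server block that answers direct-IP requests with 444; the `maxretry` and `findtime` values mirror fail2ban's option names but are hypothetical defaults, and the log lines are constructed samples using documentation IP ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# nginx "combined" format: client IP, identity, user, [timestamp], "request", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)

def offenders(lines, maxretry=3, findtime=60):
    """Return IPs that drew >= maxretry 444 responses within findtime seconds."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # ip -> timestamps of its recent 444 hits
    banned = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] != "444":
            continue  # unparseable line, or a normal virtual-host response
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[m["ip"]]
        hits.append(ts)
        # Drop hits that have aged out of the sliding window.
        while ts - hits[0] > window:
            hits.popleft()
        if len(hits) >= maxretry and m["ip"] not in banned:
            banned.append(m["ip"])
    return banned

# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET / HTTP/1.1" 444 0 "-" "-"',
    '203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET / HTTP/1.1" 444 0 "-" "-"',
    '198.51.100.20 - - [10/Mar/2024:12:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2024:12:00:05 +0000] "GET / HTTP/1.1" 444 0 "-" "-"',
    '192.0.2.44 - - [10/Mar/2024:12:00:10 +0000] "GET / HTTP/1.1" 444 0 "-" "-"',
    '192.0.2.44 - - [10/Mar/2024:12:05:10 +0000] "GET / HTTP/1.1" 444 0 "-" "-"',
    '192.0.2.44 - - [10/Mar/2024:12:10:10 +0000] "GET / HTTP/1.1" 444 0 "-" "-"',
    'truncated or malformed line',
]

if __name__ == "__main__":
    for ip in offenders(SAMPLE_LOG):
        print("would ban", ip)
```

An occasional stray hit on the bare IP (the `192.0.2.44` lines, five minutes apart) stays below the threshold, so only sustained sources are flagged.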
@sharedport I assume that affects some of your additional IP addresses, right? - I kindly suggest getting in touch with our customer care; we have extensive capabilities besides the regular DDoS protection.