linux
kxx, 2014-05-20 23:32:57

What to do when a port is being DDoSed?

There is a server on Slackware 14 (regularly updated) running Apache, ntpd and ssh. Accordingly, only ports 80, 123 and 22 are open to the outside. Today I accidentally discovered this picture:
[Image: b1cf33a8ede3.png]
I closed port 123 with iptables. AIDE showed no changes in the file system. So what should I do next, given that there is continuous traffic on the closed port 123?

5 answer(s)
Igor Vorotnev, 2014-05-21
@kxx

Install Fail2Ban, it will blacklist the IP address, and it will come in handy for the future. Although the block at the iptables level is in principle sufficient. That said, I would not close the port there, but specifically deny everything for this IP. Others will be able to use it, but the spammer will bite this one.

Oleg Batalov, 2015-03-10
@badmilkman

Judging by the IP, this is cloudflare.com; most likely they have your IP registered as an NTP server (a common oversight), and all their clients are trying to synchronize time with you.
Try to contact them and explain the problem in detail; only they can fix it.
If it doesn't help, or if you run into unreasonable people, you can run a real NTP server on this port and give the date and time from the last century.

Vlad Zhivotnev, 2014-05-21
@inkvizitor68sl

If it interferes, ask the hoster to block this traffic.
There is no other option: traffic will still reach this piece of hardware. You can cut it off in the OS, but physically you will still receive it.

Puma Thailand, 2014-05-21
@opium

Let him go

kxx, 2014-05-21
@kxx

Today the IP changed to 198.41.181.91 and 198.41.183.94. The channel is clogged by almost 30%. I will install Fail2Ban.
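
An added example, not part of any post in this thread: a sketch of how per-source blocking (as suggested above, instead of closing port 123) can be driven from firewall logs, and how rolling sources up by prefix shows when the sender has merely moved to a neighbouring address. It assumes an iptables LOG rule is already recording inbound UDP/123; the log lines, the `NTP-IN:` prefix, `192.0.2.7` and `203.0.113.10` are constructed placeholders.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the kernel format written by an iptables LOG rule.
# The two 198.41.x.x sources are the ones named in the thread; 192.0.2.7 and
# 203.0.113.10 are documentation-range placeholders.
LINE = ("May 21 10:00:01 srv kernel: NTP-IN: IN=eth0 OUT= SRC={src} "
        "DST=203.0.113.10 LEN=76 PROTO=UDP SPT=41000 DPT={dpt} LEN=56")
SAMPLE_LOG = (
    [LINE.format(src="198.41.181.91", dpt=123)] * 40
    + [LINE.format(src="198.41.183.94", dpt=123)] * 35
    + [LINE.format(src="192.0.2.7", dpt=123)] * 2   # ordinary NTP client
    + [LINE.format(src="192.0.2.7", dpt=22)] * 5    # other port, ignored
    + ["May 21 10:00:02 srv sshd[811]: unrelated line"]
)
FIELD = re.compile(r"\b(SRC|PROTO|DPT)=(\S+)")

def ntp_sources(lines, port=123):
    """Count logged inbound UDP packets to `port` per source address."""
    hits = Counter()
    for line in lines:
        f = dict(FIELD.findall(line))
        if f.get("PROTO") != "UDP" or f.get("DPT") != str(port):
            continue
        try:
            hits[ipaddress.ip_address(f.get("SRC", ""))] += 1
        except ValueError:
            continue  # missing or malformed SRC field
    return hits

def by_prefix(hits, prefixlen=24):
    """Roll per-address counts up to networks, to spot senders that rotate IPs."""
    nets = Counter()
    for addr, n in hits.items():
        nets[ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)] += n
    return nets

def drop_rules(hits, threshold=20, port=123):
    """IPv4 DROP rules for sources at or above `threshold`; the port stays open to others."""
    noisy = sorted((a for a, n in hits.items() if n >= threshold),
                   key=lambda a: (a.version, int(a)))
    return [f"iptables -I INPUT -s {a} -p udp --dport {port} -j DROP" for a in noisy]

if __name__ == "__main__":
    hits = ntp_sources(SAMPLE_LOG)
    print(by_prefix(hits, 22).most_common(3))
    print("\n".join(drop_rules(hits)))
```

Because NTP runs over UDP, logged source addresses can be spoofed, and a prefix-wide rule also cuts off any legitimate client inside that prefix.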
