How to block public IP address using mod_qos if CPU reaches certain amount

Rawand Aso
2020-02-06
2020-02-07
  • Rawand Aso

    Rawand Aso - 2020-02-06

    Hello everyone,

    Using mod_qos, is there any way to block public IP addresses from accessing the Apache server if the CPU reaches a certain percentage? I need private IP addresses to continue using the service.

    Also, I am receiving a brute-force attack from a range of IP addresses, NOT a single IP address. This is an intentional attack from someone using over 150 different ranges of IP addresses. All connections remain ESTABLISHED for a long time, which leads the CPU and RAM to overload. That is the reason I wanted to block public IP access. Apart from that, is there a way to prevent ESTABLISHED connections from remaining longer than necessary? Also, if you have any other solution, please let me know.

    Below is a sample or portion of the attacks I am facing:

    tcp6       0      0 10.0.0.20:80        222.135.231.217:49818   ESTABLISHED 3185/apache2
    tcp6       0      0 10.0.0.20:80        42.91.8.123:3334        ESTABLISHED 4012/apache2
    tcp6       0      0 10.0.0.20:80        60.24.14.225:28434      ESTABLISHED 3901/apache2
    tcp6       0      0 10.0.0.20:80        183.27.51.112:23887     ESTABLISHED 3907/apache2
    tcp6       0      0 10.0.0.20:80        39.181.228.12:30682     ESTABLISHED 4014/apache2
    tcp6       0      0 10.0.0.20:80        49.68.250.237:34498     ESTABLISHED 4018/apache2
    tcp6       0      0 10.0.0.20:80        211.97.167.230:9638     ESTABLISHED 4031/apache2
    tcp6       0      0 10.0.0.20:80        39.181.231.31:27610     ESTABLISHED 3794/apache2
    tcp6       0      0 10.0.0.20:80        113.121.45.48:36485     ESTABLISHED 4019/apache2
    tcp6       0  12763 10.0.0.20:80        49.81.173.31:30344      FIN_WAIT1   -
    tcp6       0      0 10.0.0.20:80        117.45.252.35:42431     ESTABLISHED 3797/apache2
    tcp6     502      0 10.0.0.20:80        60.1.185.196:17250      ESTABLISHED -
    tcp6       0      0 10.0.0.20:80        119.109.27.125:52567    ESTABLISHED 3904/apache2
    tcp6       0      0 10.0.0.20:80        117.45.252.51:54135     ESTABLISHED 3671/apache2
    tcp6       0      0 10.0.0.20:80        118.251.17.136:45740    ESTABLISHED 3712/apache2
    tcp6       0      0 10.0.0.20:80        116.2.79.233:52968      ESTABLISHED 3902/apache2
    tcp6       0      0 10.0.0.20:80        101.71.234.177:42921    ESTABLISHED 3900/apache2
    tcp6       0      0 10.0.0.20:80        150.255.7.110:34314     ESTABLISHED 4008/apache2
    tcp6       0      0 10.0.0.20:80        60.24.14.225:28341      ESTABLISHED 4032/apache2
    tcp6       0      0 10.0.0.20:80        183.27.51.120:14994     ESTABLISHED 3777/apache2
    tcp6       0      0 10.0.0.20:80        114.225.186.169:44382   ESTABLISHED 3896/apache2
    tcp6       0      0 10.0.0.20:80        39.71.40.84:33695       ESTABLISHED 3791/apache2
    tcp6       0      0 10.0.0.20:80        117.45.252.51:34338     ESTABLISHED 3775/apache2
    

    Thanks in advance.

    Rawand

     

    Last edit: Rawand Aso 2020-02-06
  • Pascal Buchbinder

    netstat does not show you whether a connection is idle or what happens at your server. It is better to use mod_status or to enable scoreboard logging by mod_qos using the http://mod-qos.sourceforge.net/#QS_Status directive to understand what your server is doing for those clients. In addition, I highly recommend analyzing your server's access/transfer log to understand what's going on (before configuring any limitations).

    QS_ClientPrefer in combination with QS_SrvMaxConnExcludeIP might be a simple way to limit the number of unknown clients accessing your server. You could also read http://mod-qos.sourceforge.net/dos.html as it might show you some additional options that you may want to take a closer look at.
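
An added example, not part of the thread or of the mod_qos project's code: the reply above recommends mod_status over netstat, and this sketch tallies the worker states in a mod_status `?auto` report to show which state is holding the workers. It assumes mod_status is enabled; the sample report and the function names are constructed for illustration.

```python
# Added example: summarise an Apache mod_status "?auto" report.
from collections import Counter

# Scoreboard key as printed on the mod_status page.
STATES = {
    "_": "waiting", "S": "starting", "R": "reading_request",
    "W": "sending_reply", "K": "keepalive", "D": "dns_lookup",
    "C": "closing", "L": "logging", "G": "graceful_finish",
    "I": "idle_cleanup", ".": "open_slot",
}
NOT_BUSY = ("waiting", "open_slot")

# Constructed sample (not captured from the poster's server):
# 18 workers reading a request, 2 in keepalive, 3 sending, 2 waiting, 5 open slots.
SAMPLE_REPORT = (
    "BusyWorkers: 23\nIdleWorkers: 2\nScoreboard: "
    + "R" * 18 + "KK" + "W_W_W" + "." * 5 + "\n"
)

def parse_auto(report):
    """Return the 'Key: value' fields of a ?auto report as a dict."""
    fields = {}
    for line in report.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def scoreboard_summary(report):
    """Count worker slots per state name; unknown characters are kept as-is."""
    board = parse_auto(report).get("Scoreboard", "")
    return Counter(STATES.get(ch, ch) for ch in board)

def diagnose(report, threshold=0.5):
    """Name the state holding at least `threshold` of the busy workers."""
    busy = {s: n for s, n in scoreboard_summary(report).items()
            if s not in NOT_BUSY}
    total = sum(busy.values())
    if total == 0:
        return "idle"
    state, count = max(busy.items(), key=lambda pair: pair[1])
    return state if count / total >= threshold else "mixed"

if __name__ == "__main__":
    print(dict(scoreboard_summary(SAMPLE_REPORT)), diagnose(SAMPLE_REPORT))
```

A board dominated by `reading_request` means workers are waiting on clients that have connected but not finished sending a request, which netstat's ESTABLISHED state alone cannot show.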
