Skip to content

How to change BOA anti DoS protection configuration and fix being IP blocked for 30 minutes

Anoesj Sadraee edited this page Dec 17, 2020 · 1 revision

With the way that Barracuda Aegir is setup there are security measures that are in place. Albeit this being good this can also cause some headache, if you access your sites too many times Barracuda Aegir will lock out your IP. There is already an issue related to this in the queue http://github.com/omega8cc/nginx-for-drupal/issuesearch?state=open&q=hang#issue/5.

If you have just created a new server this would be one of the first recommended steps if you are going to be developing on it.

If you are the only visitor, you are probably blocked by your proactive anti-DoS system. It blocks access to port 80 for max 30 minutes for every visitor generating more than 299 of latest 300 requests, which is a sign of hammering your website(s) by someone trying to overload your server.

To disable/modify this security guard, edit /var/xdrago/monitor/check/scan_nginx and find the following section:

if (-e "/root/.hr.monitor.cnf") {
  $default_critnumber = 99;
  $default_lines = 300;
  $default_mode = 1;
}
else {
  $default_critnumber = 299; # Edit this line and the line below to change settings. Change to 300 to disable entirely (TODO: fact-check).
  $default_lines = 300;
  $default_mode = 2;
}

The file will be executed again after a minute or so (TODO: fact-check).

If you're still temporarily blocked, try removing your IP address from files scan_nginx.archive.log and web.log in /var/xdrago/monitor/ and run csf -tr YOURIP. You should be unblocked after this.

This will resolve a good majority of issues especially if done from the very beginning. The down side of this solution is that it turns disables the good stuff of the anti-DoS system. If you would like to keep the protection of the anti-DoS.

You can simply add one line in the /var/xdrago/monitor/check/scan_nginx file to force your IP address counter to be always "1":

After this line:

$li_cnt{$VISITOR}++;

add this:

$li_cnt{$VISITOR} = "1" if ($line =~ /(12.34.56.78)|(98.76.54.32)/);

where "12.34.56.78" and "98.76.54.32" are your white-listed IPs.

Or even shorter, replace that line with:

$li_cnt{$VISITOR}++ if ($line !~ /(12.34.56.78)|(98.76.54.32)/);

If you have completed either of the two steps above and your server is still locking you out every 30 min or so. It is most likely that your server has you blacklisted.

Edit these three files hackcheck hackftp hackmail located in /var/xdrago/monitor/check. While editing the file do a search for your IP address and comment out the line.

Feel free to update or edit anything you may see wrong or would make it easier for the next user.