Hi guys, I run a small web business with a private server that is getting hit every day at the moment with timescales ranging from a couple of hours on the first occasion to five minutes yesterday and unsure about today because the server has been removed from the network port so the DC can recover. I have checked for DNS resursion and fixed any issues I found, looked for other obvious security issues, installed and configured UFW, mod evasive and dos deflate in an attempt to mitigate any problems.

SSH is on a non standard port and root user is disabled, essentially I am doing everything my end that I can think of to remove the threat but now I am tearing my hair out - my client sites being down is not good at all and I am hoping one of you can offer some guidance on what, how and perhaps even why these attacks are happening and how to get away from them.

All the sites on the server are Joomla as far as I know, with the xception of one that I am currently upgrading they are all on the latest version and I don't believe that should attract attacks anyway.

Fail2ban is employed also on the server for brute force security

The server is on Ubuntu 12.04, all packages up to date and Virtualmin as the interface, again all up to date. It would seem that on each attack they datacentre is struggling with it and it is affecting their other clients which is the reason why I currently cannot get in to check if how and where they are coming from. Could you suggest which logs I need to be going through or anything in particular to look at to locate either the source of the attack if it is aimed at a particular website or how to view the source on the traffic please - any help here is massively appreciated as I need to get this all under control ASAP otherwise I may be asked to take the server from the datacentre which is problematic.

When I noticed the first slowdown I checked:

netstat -an|grep ESTABLISHED|awk '{print $5}'|awk -F: '{print $1}'|sort|uniq -c|awk '{ printf("%s\t%s\t",$2,$1); for (i = 0; i < $1; i++) {printf("*")}; print ""}'

and there were not masses of connections showing. I checked the IP address for my ESM during the attack and that was operating normally until the DC was swamped so it is obviously going to the main server IP.