3

I have a VPS with Ubuntu. I host a small website (~10 visitors at the same time). Sometimes the website starts lagging. It lags so bad that my SSH connection starts lagging too. Running top says that 2 instances of apache2 take up 50% CPU each.

I assume this is a DoS attack. I've copy-pasted a few iptables scripts that made sense, but this has not helped.

I installed libapache2-mod-evasive -- I'm sure it blocks the attacker, but I'm still lagging.

What can I do? Can I at least find the IP of the attacker?

I have strong experience with Linux, but almost zero experience with being a server admin.

Dennis
Mikhail
  • Are you serving static files or dynamic content. The lag *could* be due to inefficient database queries when creating dynamic content. – Stacey Richards Sep 15 '11 at 13:53
  • @Stacey, content is PHP+MySQL. I agree that it *could* be from that, but I know for a fact that it's not. Not only do I log slow queries, but my database server is on another VPS. More importantly CPU is used up by `apache2`, not `mysqld` – Mikhail Sep 15 '11 at 15:10
  • Do the queries return large amounts of data that take a long time for PHP to process? Do you log script execution time in addition to query times? – Stacey Richards Sep 15 '11 at 15:14

3 Answers

3

Check the Apache access log for repeated attempts by a similar IP address; /var/log/httpd/access_log is the usual location.

You may also be interested in an automated solution such as DDoS Deflate or PSAD. I'd also strongly recommend mod_security for Apache itself.

John T
  • I definitely use `modsec`. Are there user-friendly viewers / statistic analyzers for access_log ? – Mikhail Sep 15 '11 at 13:01
  • @Mikhail there are many, AWStats being one of the bigger ones: http://awstats.sourceforge.net/ – John T Sep 15 '11 at 22:46
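The following is an added example, not code from the answer above or from any of the tools it names. It does what the answer suggests by hand: parse Apache's default "combined" log format, rank client IPs by request count (the same result as `awk '{print $1}' access.log | sort | uniq -c | sort -rn`), and then flag any IP that exceeds a request threshold inside a time window, which is the maxretry/findtime idea that mod_evasive and Fail2ban automate. Assumptions not stated on the page: the log is in the stock "combined" format, and on Ubuntu the Debian packaging writes it to /var/log/apache2/access.log rather than /var/log/httpd/access_log (the Red Hat path). The sample log lines and the 203.0.113.x / 198.51.100.x / 192.0.2.x addresses are constructed test data.

```python
"""Rank and burst-check client IPs in an Apache "combined" access log.

Added example, not from the original answer. Usage:
    python3 find_hammerer.py /var/log/apache2/access.log
With no argument it runs against a constructed sample log.
"""
import re
import sys
from collections import Counter, defaultdict
from datetime import datetime

# Apache "combined" LogFormat (assumed):
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"   # e.g. 15/Sep/2011:13:00:00 +0000


def parse_line(line):
    """Return (ip, timestamp, request, status) or None if the line is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        when = datetime.strptime(m.group("time"), TIME_FMT)
    except ValueError:
        return None
    return m.group("ip"), when, m.group("request"), int(m.group("status"))


def top_clients(lines, n=5):
    """Requests per client IP, busiest first: the 'who is repeating' view."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[rec[0]] += 1
    return counts.most_common(n)


def burst_clients(lines, maxretry=10, findtime=60):
    """IPs with more than `maxretry` requests inside any `findtime`-second window.

    Sliding window over each IP's sorted timestamps; returns {ip: peak_count}.
    A legitimate visitor loading a page with a few assets stays well under
    the default, a script hammering one PHP URL does not.
    """
    times = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            times[rec[0]].append(rec[1])
    offenders = {}
    for ip, stamps in times.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):
            while (t - stamps[start]).total_seconds() > findtime:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > maxretry:
            offenders[ip] = peak
    return offenders


def block_rules(ips):
    """iptables commands that would drop the offenders; print, review, then run as root."""
    return ["iptables -I INPUT -s %s -j DROP" % ip for ip in sorted(ips)]


def sample_log():
    """Constructed sample traffic (not real log data): one client hammering index.php."""
    lines = []
    for i in range(15):   # 15 hits in 30 seconds from one address
        lines.append('203.0.113.7 - - [15/Sep/2011:13:00:%02d +0000] '
                     '"GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"' % (i * 2))
    for i in range(4):    # two ordinary visitors, one page a minute
        lines.append('198.51.100.23 - - [15/Sep/2011:13:%02d:05 +0000] '
                     '"GET /about.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"' % i)
        lines.append('192.0.2.44 - - [15/Sep/2011:13:%02d:40 +0000] '
                     '"GET /index.php HTTP/1.1" 200 5120 "http://example.com/" "Mozilla/5.0"' % i)
    lines.append("this line is not in combined format")   # must be skipped, not crash
    return lines


if __name__ == "__main__":
    lines = list(open(sys.argv[1])) if len(sys.argv) > 1 else sample_log()
    print("Top clients:", top_clients(lines))
    bursts = burst_clients(lines)
    print("Bursting clients:", bursts)
    for rule in block_rules(bursts):
        print(rule)
```

Run it against a log slice from one of the laggy periods rather than the whole file; a single address that is busy over a whole day may be a crawler, while one that makes dozens of requests to the same PHP page within a minute is the pattern to block. A DROP rule for a single source helps only if the traffic really comes from one or a few IPs; if the top of the list is spread across hundreds of addresses, per-IP blocking will not fix the CPU problem.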
0

Have you hardened Apache or your OS?

Are you able to post any logs?

This may help a bit.

http://httpd.apache.org/docs/2.0/misc/security_tips.html

Bernie White
-1

I can't suggest Fail2ban enough. It is a daemon that runs in the background, monitors all of your log files for suspicious activity, and blocks that activity based on the errors in the log files. This means you must create the error log files in the first place; for web servers you can usually do this. I've done it for NGINX just recently, but I'm sure there's a similar directive for Apache.

ntk4