[Hidden-tech] Linux Security Troubleshooting

Robert Heller heller at deepsoft.com
Fri Jun 27 14:52:27 EDT 2014


At Fri, 27 Jun 2014 12:12:34 -0400 Tad Puckett <tadpuck at gmail.com> wrote:

> 
> 
> Just to clarify exactly what is going on with the mem usage. The server is
> allocated for 2GB of physical mem and 4GB swap (virtual mem for Windows
> users). The other hosts are all on the same RAID of HDDs. The server is
> spiking on mem usage and then tapping into the swap. The I/O usage of
> accessing that swap mem is obviously affecting the other servers being
> hosted on the RAID. They have no direct access to the server, so they are
> under the assumption that there is something malicious running on the
> server. I hope that helps somewhat.

I presume that this is a virtual machine? How many websites is this VM serving
(just this one, not the other VMs)? What kind of website(s)? (static HTML,
WordPress, Joomla, Drupal, some other CMS, custom CGI, JSP, or something
else).

2GB of memory for a VM providing webservices (including database support for
WordPress, Joomla, or Drupal), should be *plenty*. If it is running out, then
something is wrong indeed. Not necessarily something 'malicious' running on
the server. Something like excessive traffic causing an excessive amount of
database accesses. (And the 'excessive traffic' could be a broken spider bot
or someone running a DDoS attack or bots probing for security holes.) OR it
could be something 'stupid' like a lack of caching -- most CMS systems either
natively or via a plugin have database caching options, that can be used to
reduce server load (either CPU cycles or memory usage) fetching information
from the database.

It is also *possible* that you have simply 'outgrown' the 2GB level of memory 
and may need to 'bite the bullet' and get a higher class of server or if you 
have multiple websites on this server move some off onto another server.


> 
> 
> On Thu, Jun 26, 2014 at 2:54 PM, Robert Heller <heller at deepsoft.com> wrote:
> 
> >    ** Be sure to fill out the survey/skills inventory in the member's area.
> >    ** If you did, we all thank you.
> >
> >
> >
> > There is (at least) one 'legit' spider bot that has known problems: it over
> > spiders some sites (seems to go after Joomla for no particularly good
> > reason).
> > This can cause various problems both for the Joomla site itself and the
> > webserver in general.
> >
> > And yes, programs like fail2ban can be very useful in dealing with these
> > issues.  And it is not always the case that there is an actual
> > vulnerability.
> > Sometimes the bots are just probing for the vulnerability and sometimes
> > they
> > will keep probing over and over again and sometimes excessively
> > aggressively.
> > And this can become an effective DDoS.  And yes, the 'legit' spider bot can
> > effectively become a DDoS, probably not intentionally: "Never attribute to
> > malice that which is adequately explained by stupidity."
> >
> >
> >
> > At Thu, 26 Jun 2014 10:57:25 -0400 Charlie Heath <townwebsites at gmail.com>
> > wrote:
> >
> > >
> > >
> > >
> > >
> > >
> > >
> > > Usually significant and ongoing attacks mean either that your server is
> > > high profile in some way, or that it has some vulnerability which bots
> > > detect and as long as the vulnerability is not addressed, you'll get
> > added
> > > to more and more bot lists.   If it is the latter and assuming you've
> > > installed basic server hardening, it is likely that the prevention
> > solution
> > > is to secure the website in order to discourage the bots interest in your
> > > website.  That might take a few months but just getting some IP blocking
> > > capabilities both on your server (linux) and your website administration
> > > (Joomla, if like your incommn website, or whatever other platform this
> > > website uses) should be enough to satisfy Rackspace and improve your
> > > website's performance until the bots lose interest, unless it is a high
> > > profile site that will require more serious resources to resolve.
> > >
> > > If you're still in need after the 4th, and it is a Joomla or Drupal
> > site, I
> > > can take a look-
> > >
> > > Charlie Heath
> > > Town Websites
> > >
> > >
> > > On Wed, Jun 25, 2014 at 3:18 PM, Daniel Lieberman <daniell at incommn.com>
> > > wrote:
> > >
> > > >
> > > >
> > > >
> > > > We’re having a problem with excessive memory use on a cloud server at
> > > > Rackspace which hosts a website of ours. The tech support people at
> > > > Rackspace suggest that there’s some kind of attack going on, and we
> > need
> > > > someone to help us identify and cure the problem(s).
> > > >
> > > > Anyone with Linux expertise out there interested in taking this on?
> > > >
> > > > Sincerely yours,
> > > >
> > > > Daniel Lieberman
> > > > InCommN, LLC
> > > > 413 489 1818
> > > > http://incommn.com
> > > >
> > > > _______________________________________________
> > > > Hidden-discuss mailing list - home page: http://www.hidden-tech.net
> > > > Hidden-discuss at lists.hidden-tech.net
> > > >
> > > > You are receiving this because you are on the Hidden-Tech Discussion
> > list.
> > > > If you would like to change your list preferences, Go to the Members
> > > > page on the Hidden Tech Web site.
> > > > http://www.hidden-tech.net/members
> > > >
> > >
> > >
> >
> > --
> > Robert Heller             -- 978-544-6933 / heller at deepsoft.com
> > Deepwoods Software        -- http://www.deepsoft.com/
> > ()  ascii ribbon campaign -- against html e-mail
> > /\  www.asciiribbon.org   -- against proprietary attachments
> >
> >
> >
> >
> >
> 

-- 
Robert Heller             -- 978-544-6933 / heller at deepsoft.com
Deepwoods Software        -- http://www.deepsoft.com/
()  ascii ribbon campaign -- against html e-mail
/\  www.asciiribbon.org   -- against proprietary attachments
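The messages above suggest two non-malicious explanations for a web server suddenly eating memory and swap: an over-aggressive 'legit' spider, and bots repeatedly probing for holes that are not there. Both leave an obvious footprint in the access log, and that footprint is what a fail2ban-style block rule is built from. The script below is an added example (not code from anyone in this thread): it parses Apache/nginx combined-format access log lines, finds the busiest clients by peak requests per minute, and separately flags clients that rack up many 404s, which is the usual signature of scripted probing. The log lines, IP addresses, user-agent string and thresholds are all constructed for illustration.

```python
"""Spot over-aggressive crawlers and probing clients in a combined-format access log.

Added example for the thread above.  All log lines, addresses, agents and
thresholds below are constructed; tune them to your own traffic.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format:
#   ip - user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict; None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["time"], TIME_FMT)
    entry["status"] = int(entry["status"])
    parts = entry["req"].split()
    entry["path"] = parts[1] if len(parts) > 1 else entry["req"]
    return entry


def peak_rate(times, window_seconds):
    """Largest number of requests falling inside any window_seconds-wide sliding window."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(lines, window_seconds=60, max_per_window=30, max_404=5):
    """Return noisy clients (by peak rate), probing clients (by 404 count) and top agents."""
    per_ip_times = defaultdict(list)
    not_found = Counter()
    agents = Counter()
    for line in lines:
        e = parse_line(line)
        if e is None:          # skip malformed or truncated lines
            continue
        per_ip_times[e["ip"]].append(e["time"])
        agents[e["ua"]] += 1
        if e["status"] == 404:
            not_found[e["ip"]] += 1
    report = {"noisy": {}, "probing": {}, "top_agents": agents.most_common(3)}
    for ip, times in per_ip_times.items():
        peak = peak_rate(times, window_seconds)
        if peak > max_per_window:
            report["noisy"][ip] = peak
        if not_found[ip] >= max_404:
            report["probing"][ip] = not_found[ip]
    return report


def build_sample_log():
    """Constructed sample traffic: one runaway spider, one probing client, one real visitor."""
    t0 = datetime(2014, 6, 26, 10, 57, 0, tzinfo=timezone(timedelta(hours=-4)))
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'

    def line(ip, offset, path, status, ua):
        ts = (t0 + timedelta(seconds=offset)).strftime(TIME_FMT)
        return fmt.format(ip=ip, ts=ts, path=path, status=status, ua=ua)

    spider = [line("203.0.113.7", i, f"/index.php?id={i}", 200, "ExampleSpider/1.0")
              for i in range(40)]                       # 40 hits in 40 seconds
    prober = [line("192.0.2.55", 120 + 2 * i, f"/missing-page-{i}", 404, "curl/7.0")
              for i in range(8)]                        # 8 requests, all 404
    visitor = [line("198.51.100.20", off, "/", 200, "Mozilla/5.0")
               for off in (0, 100, 200)]               # ordinary browsing
    return spider + prober + visitor + ["this line is not a log entry"]


SAMPLE_LOG = build_sample_log()
REPORT = analyze(SAMPLE_LOG)

if __name__ == "__main__":
    print("noisy clients (peak req/min):", REPORT["noisy"])
    print("probing clients (404 count):", REPORT["probing"])
    print("top user agents:", REPORT["top_agents"])
```

Run it against a real log with `analyze(open("/var/log/apache2/access.log").readlines())`. The two lists answer different questions: a client in `noisy` with a recognisable crawler agent is the over-spidering case and is best handled with `robots.txt` crawl-delay rules or a rate limit rather than a ban; a client in `probing` with a generic agent and nothing but 404s is the pattern a fail2ban jail would block.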

