[Hidden-tech] Linux Security Troubleshooting

Tad Puckett tadpuck at gmail.com
Fri Jun 27 15:11:34 EDT 2014


Going off what I know about the server: it's an older Ubuntu OS. The VM is
hosting the one website. The website is Joomla (Daniel can verify this, as I
forget if it's Joomla or Drupal). 2GB does seem to be fine. At the time I
looked at the server, mem usage was hitting 400MB(ish) out of the 2GB.
Problem is I haven't worked with Linux in 3+ years, so I am a bit out of my
element.
Rackspace support mentioned using iptables to filter out traffic; seems
like a firewall device or service would be a better option, but I don't
know if they even offer a service or not. The website, I would think, needs
active filtering/web traffic monitoring/AV support in some form or other. I
know they do a lot of hands-on spam filtering/email removal; I'm assuming
there is something more automated to handle this they could be using.


On Fri, Jun 27, 2014 at 2:52 PM, Robert Heller <heller at deepsoft.com> wrote:

> At Fri, 27 Jun 2014 12:12:34 -0400 Tad Puckett <tadpuck at gmail.com> wrote:
>
> >
> >
> > Just to clarify exactly what is going on with the mem usage. The server
> is
> > allocated for 2GB of physical mem and 4GB swap (virtual mem for Windows
> > users). The other hosts are all on the same RAID of HDDs. The server is
> > spiking on mem usage and then tapping into the swap. The I/O usage of
> > accessing that swap mem is obviously affecting the other servers being
> > hosted on the RAID. They have no direct access to the server, so they are
> > under the assumption that there is something malicious running on the
> > server. I hope that helps somewhat.
>
> I presume that this is a virtual machine? How many websites is this VM
> serving (just this one, not the other VMs)? What kind of website(s)? (static
> HTML, WordPress, Joomla, Drupal, some other CMS, custom CGI, JSP, or
> something else.)
>
> 2GB of memory for a VM providing webservices (including database support for
> WordPress, Joomla, or Drupal) should be *plenty*. If it is running out, then
> something is wrong indeed. Not necessarily something 'malicious' running on
> the server. Something like excessive traffic causing an excessive amount of
> database accesses. (And the 'excessive traffic' could be a broken spider bot
> or someone running a DDoS attack or bots probing for security holes.) OR it
> could be something 'stupid' like a lack of caching -- most CMS systems either
> natively or via a plugin have database caching options that can be used to
> reduce server load (either CPU cycles or memory usage) fetching information
> from the database.
>
> It is also *possible* that you have simply 'outgrown' the 2GB level of memory
> and may need to 'bite the bullet' and get a higher class of server or, if you
> have multiple websites on this server, move some off onto another server.
>
>
> >
> >
> > On Thu, Jun 26, 2014 at 2:54 PM, Robert Heller <heller at deepsoft.com>
> wrote:
> >
> > >    ** Be sure to fill out the survey/skills inventory in the member's
> area.
> > >    ** If you did, we all thank you.
> > >
> > >
> > >
> > > There is (at least) one 'legit' spider bot that has known problems: it
> > > over-spiders some sites (seems to go after Joomla for no particularly good
> > > reason). This can cause various problems both for the Joomla site itself
> > > and the webserver in general.
> > >
> > > And yes, programs like fail2ban can be very useful in dealing with these
> > > issues. And it is not always the case that there is an actual
> > > vulnerability. Sometimes the bots are just probing for the vulnerability,
> > > and sometimes they will keep probing over and over again, and sometimes
> > > excessively aggressively. And this can become an effective DDoS. And yes,
> > > the 'legit' spider bot can effectively become a DDoS, probably not
> > > intentionally: "Never attribute to malice that which is adequately
> > > explained by stupidity."
> > >
> > >
> > >
> > > At Thu, 26 Jun 2014 10:57:25 -0400 Charlie Heath <townwebsites at gmail.com>
> > > wrote:
> > >
> > > >
> > > > Usually significant and ongoing attacks mean either that your server is
> > > > high profile in some way, or that it has some vulnerability which bots
> > > > detect, and as long as the vulnerability is not addressed, you'll get
> > > > added to more and more bot lists. If it is the latter, and assuming
> > > > you've installed basic server hardening, it is likely that the
> > > > prevention solution is to secure the website in order to discourage the
> > > > bots' interest in your website. That might take a few months, but just
> > > > getting some IP blocking capabilities both on your server (Linux) and
> > > > your website administration (Joomla, if like your incommn website, or
> > > > whatever other platform this website uses) should be enough to satisfy
> > > > Rackspace and improve your website's performance until the bots lose
> > > > interest, unless it is a high profile site that will require more
> > > > serious resources to resolve.
> > > >
> > > > If you're still in need after the 4th, and it is a Joomla or Drupal
> > > > site, I can take a look-
> > > >
> > > > Charlie Heath
> > > > Town Websites
> > > >
> > > >
> > > > On Wed, Jun 25, 2014 at 3:18 PM, Daniel Lieberman <daniell at incommn.com>
> > > > wrote:
> > > >
> > > > >
> > > > > We’re having a problem with excessive memory use on a cloud server at
> > > > > Rackspace which hosts a website of ours. The tech support people at
> > > > > Rackspace suggest that there’s some kind of attack going on, and we
> > > > > need someone to help us identify and cure the problem(s).
> > > > >
> > > > > Anyone with Linux expertise out there interested in taking this on?
> > > > >
> > > > > Sincerely yours,
> > > > >
> > > > > Daniel Lieberman
> > > > > InCommN, LLC
> > > > > 413 489 1818
> > > > > http://incommn.com
> > > > >
> > > > > _______________________________________________
> > > > > Hidden-discuss mailing list - home page: http://www.hidden-tech.net
> > > > > Hidden-discuss at lists.hidden-tech.net
> > > > >
> > > > > You are receiving this because you are on the Hidden-Tech Discussion
> > > > > list. If you would like to change your list preferences, Go to the
> > > > > Members page on the Hidden Tech Web site.
> > > > > http://www.hidden-tech.net/members
> > > > >
> > > >
> > >
> > > --
> > > Robert Heller             -- 978-544-6933 / heller at deepsoft.com
> > > Deepwoods Software        -- http://www.deepsoft.com/
> > > ()  ascii ribbon campaign -- against html e-mail
> > > /\  www.asciiribbon.org   -- against proprietary attachments
> > >
> > >
> > >
> > >
> > >
> >
> >
>
> --
> Robert Heller             -- 978-544-6933 / heller at deepsoft.com
> Deepwoods Software        -- http://www.deepsoft.com/
> ()  ascii ribbon campaign -- against html e-mail
> /\  www.asciiribbon.org   -- against proprietary attachments
>
>
>
>
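Added example, not posted by anyone in this thread: a small POSIX shell triage script for the situation described above (a Joomla site on a 2GB Rackspace VM whose memory spikes under suspected bot traffic). It reads an Apache/nginx combined-format access log to show which clients are hammering the site, tells a self-declared crawler from a client whose requests mostly hit admin/login paths, prints the iptables rule Rackspace's suggestion amounts to, and prints an equivalent fail2ban filter and jail. The log lines, IP addresses, probe-path list, the cms-probe file and jail names, and the thresholds are constructed assumptions for illustration, not details taken from the thread.

```sh
#!/bin/sh
# Added example for this thread; not code posted by any participant.
# Triage an Apache/nginx "combined" access log to separate a runaway spider
# from bots probing for CMS holes, and print the block rule Rackspace's
# iptables suggestion amounts to.  Log lines, addresses, paths, file names and
# thresholds below are constructed for illustration.

# Paths a real visitor rarely hits in bulk but probing bots hammer (Joomla
# admin login plus the WordPress/phpMyAdmin probes every CMS host sees).
# Written with [.] and [?] rather than backslashes so awk -v passes it intact.
PROBE_PATHS='^/(administrator/|wp-login[.]php|xmlrpc[.]php|phpmyadmin/|index[.]php[?]option=com_)'

# Constructed sample log in combined format; 203.0.113.0/24, 198.51.100.0/24
# and 192.0.2.0/24 are documentation ranges, so these addresses belong to nobody.
SAMPLE_LOG='203.0.113.7 - - [27/Jun/2014:14:01:02 -0400] "GET /administrator/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Jun/2014:14:01:03 -0400] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Jun/2014:14:01:03 -0400] "GET /wp-login.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Jun/2014:14:01:04 -0400] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.20 - - [27/Jun/2014:14:01:05 -0400] "GET /index.php/news?start=40 HTTP/1.1" 200 31000 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.20 - - [27/Jun/2014:14:01:05 -0400] "GET /index.php/news?start=60 HTTP/1.1" 200 31000 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.20 - - [27/Jun/2014:14:01:06 -0400] "GET /index.php/news?start=80 HTTP/1.1" 200 31000 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.9 - - [27/Jun/2014:14:01:07 -0400] "GET /index.php HTTP/1.1" 200 31000 "-" "Mozilla/5.0"'

# Busiest clients first: prints "count ip" for the top N.
top_clients() {  # top_clients LOGFILE N
    awk '{ hits[$1]++ } END { for (ip in hits) print hits[ip], ip }' "$1" \
        | sort -rn | head -n "$2"
}

# Prints "total probes": requests from IP, and how many hit PROBE_PATHS.
# In combined format $7 is the request path.
probe_ratio() {  # probe_ratio LOGFILE IP
    awk -v ip="$2" -v pat="$PROBE_PATHS" '
        $1 == ip { total++; if ($7 ~ pat) probes++ }
        END { printf "%d %d\n", total, probes }' "$1"
}

# "spider" if the client calls itself a well known crawler (self-reported, so
# confirm with a reverse DNS lookup of the address before trusting it),
# "probing-bot" if at least half its requests target probe paths, else "normal".
classify_client() {  # classify_client LOGFILE IP
    crawler_hits=$(awk -v ip="$2" \
        '$1 == ip && /Googlebot|bingbot|Baiduspider|YandexBot/ { n++ } END { print n+0 }' "$1")
    set -- "$1" "$2" $(probe_ratio "$1" "$2")   # now $3 = total, $4 = probes
    if [ "$crawler_hits" -gt 0 ]; then
        echo spider
    elif [ "$3" -gt 0 ] && [ $(( $4 * 2 )) -ge "$3" ]; then
        echo probing-bot
    else
        echo normal
    fi
}

# The rule Rackspace's iptables suggestion amounts to (printed, not applied).
# It drops every port from that address and is lost at reboot unless saved.
ban_rule() {  # ban_rule IP
    printf 'iptables -I INPUT -s %s -j DROP\n' "$1"
}

# fail2ban filter and jail (hypothetical names) banning a client after 20
# probe-path hits in a minute; maxretry is high so an admin mistyping a
# password is not locked out.  Bans expire and survive restarts.
fail2ban_fragment() {  # fail2ban_fragment LOGFILE
    cat <<EOF
# /etc/fail2ban/filter.d/cms-probe.conf
[Definition]
failregex = ^<HOST> - .* "(GET|POST) /(administrator/|wp-login\.php|xmlrpc\.php|phpmyadmin/)
ignoreregex =

# /etc/fail2ban/jail.local
[cms-probe]
enabled  = true
filter   = cms-probe
port     = http,https
logpath  = $1
maxretry = 20
findtime = 60
bantime  = 3600
EOF
}

# Memory side of the thread: largest resident processes (Linux procps ps).
mem_hogs() {  # mem_hogs [N]
    ps -eo rss,pid,user,comm --sort=-rss | head -n "${1:-10}"
}

# Stand-alone demo on the constructed sample.
demo() {
    tmp=$(mktemp) && printf '%s\n' "$SAMPLE_LOG" > "$tmp"
    top_clients "$tmp" 3 | while read -r count ip; do
        kind=$(classify_client "$tmp" "$ip")
        printf '%-16s %3s hits  %s\n' "$ip" "$count" "$kind"
        if [ "$kind" = probing-bot ]; then ban_rule "$ip"; fi
    done
    rm -f "$tmp"
}
demo
```

On the real box this would be run as `top_clients /var/log/apache2/access.log 20` and then `classify_client` on the top few addresses; `mem_hogs` only tells you anything if it runs while the swap spike is happening, so put it in a cron job or a watch loop rather than running it once after the fact. Treat "spider" as a hint, not a verdict: the User-Agent is whatever the client chose to send, and the recurring spider Robert mentions would show up here as a crawler with a high request count and no probe hits.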