Going off what I know about the server. It's an older Ubuntu OS. VM is hosting the one website. Website is Joomla (Daniel can verify this as I forget if it's Joomla or Drupal). 2GB does seem to be fine. At the time I looked at the server, mem usage was hitting 400MB(ish) out of the 2GB. Problem is I haven't worked with Linux in 3+ years so I am a bit out of my element.

Rackspace support mentioned using IP tables to filter out traffic; seems like a Firewall device or service would be a better option, but I don't know if they even offer a service or not. The website, I would think, needs active filtering/web traffic monitoring/AV support in some form or other. I know they do a lot of hands-on SPAM filtering/email removal; I'm assuming there is something more automated to handle this they could be using.

On Fri, Jun 27, 2014 at 2:52 PM, Robert Heller <heller at deepsoft.com> wrote:

> At Fri, 27 Jun 2014 12:12:34 -0400 Tad Puckett <tadpuck at gmail.com> wrote:
>
> > Just to clarify exactly what is going on with the mem usage. The server is
> > allocated for 2GB of physical mem and 4GB swap (virtual mem for Windows
> > users). The other hosts are all on the same RAID of HDDs. The server is
> > spiking on mem usage and then tapping into the swap. The I/O usage of
> > accessing that swap mem is obviously affecting the other servers being
> > hosted on the RAID. They have no direct access to the server, so they are
> > under the assumption that there is something malicious running on the
> > server. I hope that helps somewhat.
>
> I presume that this is a virtual machine? How many websites is this VM serving
> (just this one, not the other VMs)? What kind of website(s)? (static HTML,
> WordPress, Joomla, Drupal, some other CMS, custom CGI, JSP, or something
> else).
>
> 2GB of memory for a VM providing webservices (including database support for
> WordPress, Joomla, or Drupal), should be *plenty*. If it is running out, then
> something is wrong indeed.
> Not necessarily something 'malicious' running on the server. Something like
> excessive traffic causing an excessive amount of database accesses. (And the
> 'excessive traffic' could be a broken spider bot or someone running a DDoS
> attack or bots probing for security holes.) OR it could be something 'stupid'
> like a lack of caching -- most CMS systems either natively or via a plugin
> have database caching options, that can be used to reduce server load (either
> CPU cycles or memory usage) fetching information from the database.
>
> It is also *possible* that you have simply 'outgrown' the 2GB level of memory
> and may need to 'bite the bullet' and get a higher class of server or if you
> have multiple websites on this server move some off onto another server.
>
> > On Thu, Jun 26, 2014 at 2:54 PM, Robert Heller <heller at deepsoft.com> wrote:
> >
> > > ** Be sure to fill out the survey/skills inventory in the member's area.
> > > ** If you did, we all thank you.
> > >
> > > There is (at least) one 'legit' spider bot that has known problems: it over
> > > spiders some sites (seems to go after Joomla for no particularly good
> > > reason). This can cause various problems both for the Joomla site itself
> > > and the webserver in general.
> > >
> > > And yes, programs like fail2ban can be very useful in dealing with these
> > > issues. And it is not always the case that there is an actual
> > > vulnerability. Sometimes the bots are just probing for the vulnerability
> > > and sometimes they will keep probing over and over again and sometimes
> > > excessively aggressively. And this can become an effective DDoS. And yes,
> > > the 'legit' spider bot can effectively become a DDoS, probably not
> > > intentionally: "Never attribute to malice that which is adequately
> > > explained by stupidity."
> > >
> > > At Thu, 26 Jun 2014 10:57:25 -0400 Charlie Heath <townwebsites at gmail.com> wrote:
> > >
> > > > Usually significant and ongoing attacks mean either that your server is
> > > > high profile in some way, or that it has some vulnerability which bots
> > > > detect and as long as the vulnerability is not addressed, you'll get added
> > > > to more and more bot lists. If it is the latter and assuming you've
> > > > installed basic server hardening, it is likely that the prevention solution
> > > > is to secure the website in order to discourage the bots' interest in your
> > > > website. That might take a few months but just getting some IP blocking
> > > > capabilities both on your server (linux) and your website administration
> > > > (Joomla, if like your incommn website, or whatever other platform this
> > > > website uses) should be enough to satisfy Rackspace and improve your
> > > > website's performance until the bots lose interest, unless it is a high
> > > > profile site that will require more serious resources to resolve.
> > > >
> > > > If you're still in need after the 4th, and it is a Joomla or Drupal site, I
> > > > can take a look-
> > > >
> > > > Charlie Heath
> > > > Town Websites
> > > >
> > > > On Wed, Jun 25, 2014 at 3:18 PM, Daniel Lieberman <daniell at incommn.com> wrote:
> > > >
> > > > > We’re having a problem with excessive memory use on a cloud server at
> > > > > Rackspace which hosts a website of ours.
> > > > > The tech support people at Rackspace suggest that there’s some kind of
> > > > > attack going on, and we need someone to help us identify and cure the
> > > > > problem(s).
> > > > >
> > > > > Anyone with Linux expertise out there interested in taking this on?
> > > > >
> > > > > Sincerely yours,
> > > > >
> > > > > Daniel Lieberman
> > > > > InCommN, LLC
> > > > > 413 489 1818
> > > > > http://incommn.com
> > > > >
> > > > > _______________________________________________
> > > > > Hidden-discuss mailing list - home page: http://www.hidden-tech.net
> > > > > Hidden-discuss at lists.hidden-tech.net
> > > > >
> > > > > You are receiving this because you are on the Hidden-Tech Discussion list.
> > > > > If you would like to change your list preferences, Go to the Members
> > > > > page on the Hidden Tech Web site.
> > > > > http://www.hidden-tech.net/members
> > >
> > > --
> > > Robert Heller -- 978-544-6933 / heller at deepsoft.com
> > > Deepwoods Software -- http://www.deepsoft.com/
> > > () ascii ribbon campaign -- against html e-mail
> > > /\ www.asciiribbon.org -- against proprietary attachments
>
> --
> Robert Heller -- 978-544-6933 / heller at deepsoft.com
> Deepwoods Software -- http://www.deepsoft.com/
> () ascii ribbon campaign -- against html e-mail
> /\ www.asciiribbon.org -- against proprietary attachments
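
The thread distinguishes an over-eager spider bot from bots probing for holes; as an added example (not part of the thread), this sketch separates the two from a web access log by request volume and 4xx ratio per client IP. The "combined" log format, the thresholds, and every sample line are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" log format is assumed; adjust to the server's LogFormat.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def _line(ip, path, status, ua):
    """Build one constructed log line (not real traffic)."""
    return (f'{ip} - - [27/Jun/2014:12:00:00 -0400] "GET {path} HTTP/1.1" '
            f'{status} 512 "-" "{ua}"')

# Constructed sample; IPs come from the RFC 5737 documentation ranges.
SAMPLE = (
    [_line("198.51.100.7", f"/index.php?id={i}", 200, "ExampleBot/1.0") for i in range(30)]
    + [_line("203.0.113.9", p, 404, "Mozilla/5.0")
       for p in ["/wp-login.php", "/phpmyadmin/", "/admin.php"] * 4]
    + [_line("192.0.2.10", "/", 200, "Mozilla/5.0")] * 3
    + ["truncated or malformed line"]
)

def summarize(lines):
    """Tally requests, 4xx responses and user agents per client IP."""
    stats = defaultdict(lambda: {"total": 0, "errors": 0, "agents": Counter()})
    skipped = 0
    for line in lines:
        m = LINE.match(line)
        if not m:
            skipped += 1  # unparsable line: count it instead of crashing
            continue
        s = stats[m["ip"]]
        s["total"] += 1
        s["errors"] += m["status"].startswith("4")
        s["agents"][m["ua"]] += 1
    return stats, skipped

def classify(lines, min_requests=10, error_ratio=0.5):
    """Label busy clients: mostly-4xx traffic looks like probing, the rest like crawling."""
    stats, _ = summarize(lines)
    verdicts = {}
    for ip, s in stats.items():
        if s["total"] < min_requests:
            continue  # ordinary visitor volume, leave unlabeled
        probing = s["errors"] / s["total"] >= error_ratio
        verdicts[ip] = "probing" if probing else "heavy-crawl"
    return verdicts
```

Clients labeled either way are the candidates for the fail2ban or iptables blocking mentioned in the thread; on a real log the thresholds need to be set per time window rather than over the whole file.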