DDoS or php-fpm bad script?

Cyb3r

Cyb3r

Well-known member
This is really frustrating, I'm not a pro and my knowledge is very basic in server management, from time to time I get php-fpm overload which causing me to think is it a bad process or is it DDoS, I use NodeQuery to keep an eye on the load and I get email notifications when there's a high load, here is a picture for the server load before and after:
cm6Y4si.png
tiyc3mn.png

It seems more like a DDoS attack because when I made CF Status: "I'm Under Attack" the load heated down and I was able access my site again, my question is how can I make sure it's a DDoS and not a php-fpm bad process?

Also what can I do to mitigate these attacks which I get a lot of them on daily basis?

Here's my server specs:
Code: 
CPU: 4x 3100 MHz (AMD Opteron(tm) Processor 6386 SE)
RAM: 4GB
Running: CentOS release 6.6 (Final) x64 (Centminmod)

Thanks in advance!
 
I see you're running CSF, you can block some attacks by setting that up to be more strict.
Try enabling OWASP rules in Cloudflare too.
 
Also try these settings in php-fpm.conf

Code: 
emergency_restart_threshold 3
emergency_restart_interval 1m
process_control_timeout 5s
 
You can type this code into PuTTy if you have root access to view the connections to your server and see what doesn't seem normal.

Code: 
netstat -an | grep :80 | sort

After viewing this you should be able to tell if you are getting DDoS. I was given this method by my own webhost which actually has advanced mitigation.

If it continues I highly suggest finding a mitigating host or using Sucuri as they have the cheapest advanced mitigation.
 
Solidus said:
I see you're running CSF, you can block some attacks by setting that up to be more strict.
Try enabling OWASP rules in Cloudflare too.
Click to expand...

What's OWASP?

If you mean web application firewall then it comes with pro plan or higher, if you recommend it I will consider upgrading to pro plan.

Solidus said:
Also try these settings in php-fpm.conf

Code: 
emergency_restart_threshold 3
emergency_restart_interval 1m
process_control_timeout 5s
Click to expand...

So this will shutdown the process or the whole php-fpm service?

Sorry for the noobish questions and thank you for the kind guide. :)

TheXboxCloud said:
You can type this code into PuTTy if you have root access to view the connections to your server and see what doesn't seem normal.

Code: 
netstat -an | grep :80 | sort

After viewing this you should be able to tell if you are getting DDoS. I was given this method by my own webhost which actually has advanced mitigation.

If it continues I highly suggest finding a mitigating host or using Sucuri as they have the cheapest advanced mitigation.
Click to expand...

I'm using https so I should change the port to 443 right?
 
Cyb3r said:
What's OWASP?

If you mean web application firewall then it comes with pro plan or higher, if you recommend it I will consider upgrading to pro plan.
Click to expand...

Extra firewall rules which could help you. Don't upgrade just for that though.

Cyb3r said:
So this will shutdown the process or the whole php-fpm service?

Sorry for the noobish questions and thank you for the kind guide. :)
Click to expand...

This means if 3 php-fpm process crash within a minute, then php-fpm will restart automatically. It will keep the cpu load down.
 
Solidus said:
Extra firewall rules which could help you. Don't upgrade just for that though.



This means if 3 php-fpm process crash within a minute, then php-fpm will restart automatically. It will keep the cpu load down.
Click to expand...

Thank you for the info, is there anyway to know if someone is stressing the site through a PHP files or something?
 
I also tried Cloudflare Pro to mitigate this kind of attack, but it's useless.

Now I'm using Sucuri for 2 months now and its very effective.
 
RoldanLT said:
I also tried Cloudflare Pro to mitigate this kind of attack, but it's useless.

Now I'm using Sucuri for 2 months now and its very effective.
Click to expand...

I'm sure it is.

Really, I just found the best host possible. Some hosts offer protection free of charge.

@Cyb3r, I suggest a new host if you can't afford Sucuri. I can point you in the right direction if you need, just pm me. What your looking at here is $1 for the first month and $6.50/month after that for 2 GB RAM. The higher you go it still is very cheap. The reason I use my host of choice is they offer 160 Gigabytes per second protection. An unprecedented amount of protection which makes Sucuri look like softies.

If you think you can find a host similar, the answer is you can. They are everywhere.

But if you are able to afford them I have heard great things about Sucuri. I didn't want to promote another site on the forums which is why I haven't linked you but if you are interested shoot me a pm.
 
Also I just noticed @Cyb3r

In your load example, it shows "lfd" as sleeping. I believe that is a process for the CSF - Config Server Security Firewall. By the example showing it sleeping can't be good. Maybe you should check to see if it's installed in WHM. If you don't see it in plugins then use this link to install it. It's a free firewall for WHM/webmin and is what every webhost should use.

http://www.tecmint.com/install-configserver-security-firewall-csf-in-rhel-centos-fedora/
 
RoldanLT said:
I also tried Cloudflare Pro to mitigate this kind of attack, but it's useless.

Now I'm using Sucuri for 2 months now and its very effective.
Click to expand...

Thank you for pointing that out, but I see they don't offer monthly subscription and unfortunately I can't afford annual costs. (it's not even annually) :(

TheXboxCloud said:
I'm sure it is.

Really, I just found the best host possible. Some hosts offer protection free of charge.

@Cyb3r, I suggest a new host if you can't afford Sucuri. I can point you in the right direction if you need, just pm me. What your looking at here is $1 for the first month and $6.50/month after that for 2 GB RAM. The higher you go it still is very cheap. The reason I use my host of choice is they offer 160 Gigabytes per second protection. An unprecedented amount of protection which makes Sucuri look like softies.

If you think you can find a host similar, the answer is you can. They are everywhere.

But if you are able to afford them I have heard great things about Sucuri. I didn't want to promote another site on the forums which is why I haven't linked you but if you are interested shoot me a pm.
Click to expand...

Currently I'm hosting with OVH, I pay $37/month so idk, what do you think?
 
TheXboxCloud said:
Also I just noticed @Cyb3r

In your load example, it shows "lfd" as sleeping. I believe that is a process for the CSF - Config Server Security Firewall. By the example showing it sleeping can't be good. Maybe you should check to see if it's installed in WHM. If you don't see it in plugins then use this link to install it. It's a free firewall for WHM/webmin and is what every webhost should use.

http://www.tecmint.com/install-configserver-security-firewall-csf-in-rhel-centos-fedora/
Click to expand...

CSF is working well and I already blocked unwanted ports and ssh access only to my IP, I don't use any control panels BTW.
 
Cyb3r said:
Thank you for pointing that out, but I see they don't offer monthly subscription and unfortunately I can't afford annual costs. (it's not even annually) :(



Currently I'm hosting with OVH, I pay $37/month so idk, what you think?
Click to expand...

I highly suggest NuWebHosting.com

You'll be able to see when you browse their site that they offer well below market value. When I had signed up with them I was impressed by the price but after using their support service, I later discovered it was a gold mine. They are not foreign and I believe they are U.S. based. But they are very thorough in their support.

Anyways for what you now have, I believe 4 GB RAM? You can get that on this host for $15/mo with included 160 GPS protection. If you want cpanel/whm it's extra with every host but you would still be below the amount you pay now with the protection included.

I suggest you give them a browse and see how it goes. I host a 12 GB RAM vps with them and payed $238 the first year on a 50% discount deal.
 
Cyb3r said:
Thank you for pointing that out, but I see they don't offer monthly subscription and unfortunately I can't afford annual costs. (it's not even annually) :(



Currently I'm hosting with OVH, I pay $37/month so idk, what do you think?
Click to expand...
Switch to Linode or Ramnode with the same amount you are paying now then put Sucuri in front of your site = Profit ;).
 
I'm also a centminmod user, came from OVH Dedicated server.
And experience heavy layer 7 attacks in the past.
What I'm using now is Linode+Sucuri.
Well Ramnode is really fine also.
 
RoldanLT said:
I'm also a centminmod user, came from OVH Dedicated server.
And experience heavy layer 7 attacks in the past.
What I'm using now is Linode+Sucuri.
Well Ramnode is really fine also.
Click to expand...

I have seen Ramnode, they provide real protection just like NuWebHosting but after viewing Linodes website it didn't mention anything about advanced mitigation. If someone was to host with either one of those companies they wouldn't even need Sucuri even though you would benefit even more.

But heck I say get a 12 GB RAM vps for what your paying now, either way RamNode is an option too. Depends what genre site your hosting here. Some get attacked more than others.

For $9/month if I remember Sucuri does not provide layer 3 and 4 protection, just layer 7. Still worth it for sure. Sometimes it's all you really need.

Anyways good luck to you.
 
TheXboxCloud said:
but after viewing Linodes website it didn't mention anything about advanced mitigation.
Click to expand...
You don't need any mitigation or protection from layer 3,4,7 since you'll be using Sucuri in front of your website.
Just don't let your server IP to be leaked on public.

TheXboxCloud said:
For $9/month if I remember Sucuri does not provide layer 3 and 4 protection, just layer 7. Still worth it for sure. Sometimes it's all you really need.
Click to expand...
Only Layer 7 protection is all you need and that's enough :).
 
TheXboxCloud said:
Also I just noticed @Cyb3r

In your load example, it shows "lfd" as sleeping. I believe that is a process for the CSF - Config Server Security Firewall. By the example showing it sleeping can't be good. Maybe you should check to see if it's installed in WHM. If you don't see it in plugins then use this link to install it. It's a free firewall for WHM/webmin and is what every webhost should use.

http://www.tecmint.com/install-configserver-security-firewall-csf-in-rhel-centos-fedora/
Click to expand...

lfd is supposed to be sleeping.
 
Not sure why everyone is telling you to change hosts. Must want you to PM them for affiliate links or something.

If you are currently with OVH, you already have very good DDoS protection in place. There is no reason to change hosts or use Securi or anything else. Either you are likely not being DDoSed, or whatever it is just isn't at a level where it's triggering the protection at OVH, and you might need to fine tune the protection with them.
 
You must log in or register to reply here.

Similar threads

elsparkodiablo
nginx and php-fpm configuration
Replies
1
Views
3K
D.O.A.
D.O.A.
D
PHP-FPM: are you using it? Why or why not?
Replies
5
Views
3K
Cupara
Cupara
Cupara
  • Question Question
Do I need to configure more options in config.php for Redis?
Replies
0
Views
2K
Cupara
Cupara
Douglas Taylor
PHP-FPM Optimization Request
Replies
5
Views
1K
D.O.A.
D.O.A.
Kevin
Add-on [Wanted] Add-on or PHP script to find all unused smilies
Replies
1
Views
885
Kevin
Kevin
Back
Top Bottom