1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

DDoS or php-fpm bad script?

Discussion in 'Server Configuration and Hosting' started by Cyb3r, Sep 11, 2015.

  1. Cyb3r

    Cyb3r Well-Known Member

    This is really frustrating, I'm not a pro and my knowledge is very basic in server management, from time to time I get php-fpm overload which causing me to think is it a bad process or is it DDoS, I use NodeQuery to keep an eye on the load and I get email notifications when there's a high load, here is a picture for the server load before and after:

    It seems more like a DDoS attack because when I made CF Status: "I'm Under Attack" the load heated down and I was able access my site again, my question is how can I make sure it's a DDoS and not a php-fpm bad process?

    Also what can I do to mitigate these attacks which I get a lot of them on daily basis?

    Here's my server specs:
    CPU: 4x 3100 MHz (AMD Opteron(tm) Processor 6386 SE)
    RAM: 4GB
    Running: CentOS release 6.6 (Final) x64 (Centminmod)
    Thanks in advance!
  2. Solidus

    Solidus Well-Known Member

    I see you're running CSF, you can block some attacks by setting that up to be more strict.
    Try enabling OWASP rules in Cloudflare too.
  3. Solidus

    Solidus Well-Known Member

    Also try these settings in php-fpm.conf

    emergency_restart_threshold 3
    emergency_restart_interval 1m
    process_control_timeout 5s
  4. Brad Padgett

    Brad Padgett Active Member

    You can type this code into PuTTy if you have root access to view the connections to your server and see what doesn't seem normal.

    netstat -an | grep :80 | sort 
    After viewing this you should be able to tell if you are getting DDoS. I was given this method by my own webhost which actually has advanced mitigation.

    If it continues I highly suggest finding a mitigating host or using Sucuri as they have the cheapest advanced mitigation.
  5. Cyb3r

    Cyb3r Well-Known Member

    What's OWASP?

    If you mean web application firewall then it comes with pro plan or higher, if you recommend it I will consider upgrading to pro plan.

    So this will shutdown the process or the whole php-fpm service?

    Sorry for the noobish questions and thank you for the kind guide. :)

    I'm using https so I should change the port to 443 right?
  6. Solidus

    Solidus Well-Known Member

    Extra firewall rules which could help you. Don't upgrade just for that though.

    This means if 3 php-fpm process crash within a minute, then php-fpm will restart automatically. It will keep the cpu load down.
  7. Cyb3r

    Cyb3r Well-Known Member

    Thank you for the info, is there anyway to know if someone is stressing the site through a PHP files or something?
  8. RoldanLT

    RoldanLT Well-Known Member

    I also tried Cloudflare Pro to mitigate this kind of attack, but it's useless.

    Now I'm using Sucuri for 2 months now and its very effective.
  9. Brad Padgett

    Brad Padgett Active Member

    I'm sure it is.

    Really, I just found the best host possible. Some hosts offer protection free of charge.

    @Cyb3r, I suggest a new host if you can't afford Sucuri. I can point you in the right direction if you need, just pm me. What your looking at here is $1 for the first month and $6.50/month after that for 2 GB RAM. The higher you go it still is very cheap. The reason I use my host of choice is they offer 160 Gigabytes per second protection. An unprecedented amount of protection which makes Sucuri look like softies.

    If you think you can find a host similar, the answer is you can. They are everywhere.

    But if you are able to afford them I have heard great things about Sucuri. I didn't want to promote another site on the forums which is why I haven't linked you but if you are interested shoot me a pm.
  10. Brad Padgett

    Brad Padgett Active Member

    Also I just noticed @Cyb3r

    In your load example, it shows "lfd" as sleeping. I believe that is a process for the CSF - Config Server Security Firewall. By the example showing it sleeping can't be good. Maybe you should check to see if it's installed in WHM. If you don't see it in plugins then use this link to install it. It's a free firewall for WHM/webmin and is what every webhost should use.

  11. Cyb3r

    Cyb3r Well-Known Member

    Thank you for pointing that out, but I see they don't offer monthly subscription and unfortunately I can't afford annual costs. (it's not even annually) :(

    Currently I'm hosting with OVH, I pay $37/month so idk, what do you think?
  12. Cyb3r

    Cyb3r Well-Known Member

    CSF is working well and I already blocked unwanted ports and ssh access only to my IP, I don't use any control panels BTW.
    Brad Padgett likes this.
  13. Brad Padgett

    Brad Padgett Active Member

    I highly suggest NuWebHosting.com

    You'll be able to see when you browse their site that they offer well below market value. When I had signed up with them I was impressed by the price but after using their support service, I later discovered it was a gold mine. They are not foreign and I believe they are U.S. based. But they are very thorough in their support.

    Anyways for what you now have, I believe 4 GB RAM? You can get that on this host for $15/mo with included 160 GPS protection. If you want cpanel/whm it's extra with every host but you would still be below the amount you pay now with the protection included.

    I suggest you give them a browse and see how it goes. I host a 12 GB RAM vps with them and payed $238 the first year on a 50% discount deal.
  14. RoldanLT

    RoldanLT Well-Known Member

    You can't afford $9 USD a month?
  15. RoldanLT

    RoldanLT Well-Known Member

    Switch to Linode or Ramnode with the same amount you are paying now then put Sucuri in front of your site = Profit ;).
  16. RoldanLT

    RoldanLT Well-Known Member

    I'm also a centminmod user, came from OVH Dedicated server.
    And experience heavy layer 7 attacks in the past.
    What I'm using now is Linode+Sucuri.
    Well Ramnode is really fine also.
  17. Brad Padgett

    Brad Padgett Active Member

    I have seen Ramnode, they provide real protection just like NuWebHosting but after viewing Linodes website it didn't mention anything about advanced mitigation. If someone was to host with either one of those companies they wouldn't even need Sucuri even though you would benefit even more.

    But heck I say get a 12 GB RAM vps for what your paying now, either way RamNode is an option too. Depends what genre site your hosting here. Some get attacked more than others.

    For $9/month if I remember Sucuri does not provide layer 3 and 4 protection, just layer 7. Still worth it for sure. Sometimes it's all you really need.

    Anyways good luck to you.
  18. RoldanLT

    RoldanLT Well-Known Member

    You don't need any mitigation or protection from layer 3,4,7 since you'll be using Sucuri in front of your website.
    Just don't let your server IP to be leaked on public.

    Only Layer 7 protection is all you need and that's enough :).
  19. Solidus

    Solidus Well-Known Member

    lfd is supposed to be sleeping.
    Brad Padgett likes this.
  20. WSWD

    WSWD Well-Known Member

    Not sure why everyone is telling you to change hosts. Must want you to PM them for affiliate links or something.

    If you are currently with OVH, you already have very good DDoS protection in place. There is no reason to change hosts or use Securi or anything else. Either you are likely not being DDoSed, or whatever it is just isn't at a level where it's triggering the protection at OVH, and you might need to fine tune the protection with them.

Share This Page