====== server maintenance ======

===== logging activity =====

apache error log

  tail /var/log/apache2/error.log

mysql error log

  tail /var/log/mysql/error.log

user authentications, including possible attacks

  tail /var/log/auth.log

look up where an IP address is coming from

  geoiplookup THE.IP.ADD.RE.SS

===== IP filtering =====

check existing iptables filters

  iptables -L

use iptables to filter IP addresses

  iptables -A INPUT -s THE.IP.ADD.RE.SS -j DROP

===== mysql =====

remove unapproved comments from a WordPress site

  mysql> USE database;
  mysql> DELETE FROM wp_comments WHERE comment_approved = '0';

mysql running out of memory in minutes

  * http://brunzino.github.io/blog/2016/05/21/solution-how-to-debug-intermittent-error-establishing-database-connection/
  * https://www.linode.com/docs/websites/apache-tips-and-tricks/tuning-your-apache-server

To block a possible **xmlrpc** attack, added the following lines to all /etc/apache2/sites-available/domain.com configuration files which host a WordPress:

  # trying to fix mysql memory leak, which is possibly linked to an attack?
  <Files xmlrpc.php>
    order allow,deny
    deny from all
  </Files>

In /etc/apache2/access.log grep for this:

  POST /xmlrpc.php HTTP/1.1

Installed **lynx** and added the following lines to all /etc/apache2/sites-available/domain.com configuration files which host a WordPress, to enable the Apache server-status report, viewed with lynx, which clearly showed many **xmlrpc** requests within seconds:

  <Location /server-status>
    SetHandler server-status
    Order Deny,Allow
    Deny from all
    Allow from localhost
  </Location>

run lynx to see statistics

  lynx http://localhost/server-status

Solved the memory issue by blocking the IP that was sending the xmlrpc requests (iptables drop) after geolocating it in Lithuania.

consider also this: http://www.blogtips.org/block-wordpress-brute-force-attacks-via-xmlrpc-php/

also, the dataclub.biz domain appears in other brute-force attacks
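
The manual check described above (grepping the access log for ''POST /xmlrpc.php'' and watching server-status for bursts) can be scripted to list the clients worth looking up and filtering. This is an added example, not part of the original notes: it assumes the Apache combined log format, and the function names ''xmlrpc_offenders'' and ''sample_log'' and the sample log lines (documentation-range IPs) are constructed for illustration.

```shell
# Added example: find clients sending bursts of POSTs to xmlrpc.php.
# Assumed log format (Apache common/combined):
#   IP - - [21/May/2016:10:15:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 ...

# xmlrpc_offenders LOGFILE [MIN_PER_MINUTE]
# Prints "peak_per_minute total ip" for every client whose POSTs to
# /xmlrpc.php reached MIN_PER_MINUTE (default 10) within a single minute.
xmlrpc_offenders() {
    awk -v min="${2:-10}" '
        # $4 = [dd/Mon/yyyy:HH:MM:SS   $6 = quoted method   $7 = request path
        $6 == "\"POST" && $7 ~ /^\/xmlrpc\.php(\?|$)/ {
            minute = substr($4, 2, 17)      # dd/Mon/yyyy:HH:MM
            total[$1]++
            n = ++bucket[$1 SUBSEP minute]
            if (n > peak[$1]) peak[$1] = n
        }
        END {
            for (ip in peak)
                if (peak[ip] >= min)
                    print peak[ip], total[ip], ip
        }
    ' "$1" | sort -rn
}

# Constructed sample data, for trying the function offline.
sample_log() {
    for s in 01 02 03 04 05 06 07 08 09 10 11 12; do
        printf '203.0.113.7 - - [21/May/2016:10:15:%s +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"\n' "$s"
    done
    printf '203.0.113.7 - - [21/May/2016:10:16:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"\n'
    printf '198.51.100.23 - - [21/May/2016:10:15:30 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"\n'
    printf '198.51.100.23 - - [21/May/2016:10:15:31 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "-"\n'
}
```

Run it against the access log of each WordPress virtual host; the per-minute peak separates a burst from a client that only pings xmlrpc.php occasionally.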