This shows you the differences between two versions of the page.
server_maintenance [2015/06/29 20:34] zoza created |
server_maintenance [2016/06/02 12:45] zoza [mysql] |
||
---|---|---|---|
Line 1: | Line 1: | ||
====== server maintenance ====== | ====== server maintenance ====== | ||
- | * logging activity | + | ===== logging activity ===== |
apache error log | apache error log | ||
Line 12: | Line 12: | ||
<code>tail /var/log/auth.log</code> | <code>tail /var/log/auth.log</code> | ||
- | * IP filtering | + | look up where an IP address is coming from |
+ | <code>geoiplookup THE.IP.ADD.RE.SS</code> | ||
- | use | + | ===== IP filtering ===== |
- | * mysql | + | |
+ | check existing iptables filters | ||
+ | <code>iptables -L</code> | ||
+ | use iptables to filter IP addresses | ||
+ | <code>iptables -A INPUT -s THE.IP.ADD.RE.SS -j DROP</code> | ||
+ | |||
+ | ===== mysql ===== | ||
remove comments from a wordpress site | remove comments from a wordpress site | ||
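Review bot: the added `iptables -A INPUT -s THE.IP.ADD.RE.SS -j DROP` appends the rule to the end of the INPUT chain, so it never matches if an earlier rule already accepts the traffic (for example a general ACCEPT for the web ports). Inserting it at the top with `iptables -I INPUT -s THE.IP.ADD.RE.SS -j DROP` avoids that. The section should also say that rules added this way are lost on reboot unless they are saved (for example with `iptables-save`), and the "check existing" step reads better as `iptables -L -n --line-numbers`, which skips reverse DNS lookups and shows where each rule sits in the chain.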
Line 23: | Line 30: | ||
</code> | </code> | ||
+ | mysql running out of memory in minutes | ||
+ | http://brunzino.github.io/blog/2016/05/21/solution-how-to-debug-intermittent-error-establishing-database-connection/ | ||
+ | https://www.linode.com/docs/websites/apache-tips-and-tricks/tuning-your-apache-server | ||
+ | |||
+ | added the following lines | ||
+ | <code> | ||
+ | #trying to fix mysql memory leak, which is possibly linked to an attack ? | ||
+ | <files xmlrpc.php> | ||
+ | order allow,deny | ||
+ | deny from all | ||
+ | </files> | ||
+ | </code> | ||
+ | to all /etc/apache2/sites-available/domain.com configuration files which host a WordPress, to block possible **xmlrpc** attack. | ||
+ | In /etc/apache2/access.log grep for this | ||
+ | <code> | ||
+ | POST /xmlrpc.php HTTP/1.1 | ||
+ | </code> | ||
+ | installed **lynx** and added the following lines: | ||
+ | <code> | ||
+ | <Location /server-status> | ||
+ | SetHandler server-status | ||
+ | Order Deny,Allow | ||
+ | Deny from all | ||
+ | Allow from localhost | ||
+ | </Location> | ||
+ | </code> | ||
+ | to all /etc/apache2/sites-available/domain.com configuration files which host a WordPress, to enable lynx analytics report, which clearly showed many **xmlrpc** requests in seconds. | ||
+ | Solved the memory issue by blocking the ip that was sending xmlrpc requests (iptables drop) after geoiplocating it in lithuania | ||
+ | |||
+ | consider also this: | ||
+ | http://www.blogtips.org/block-wordpress-brute-force-attacks-via-xmlrpc-php/ | ||
+ | |||
+ | also, dataclub.biz domain appears in other brute-force attacks |
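Review bot: in the `<files xmlrpc.php>` and `<Location /server-status>` blocks, `order allow,deny`, `deny from all` and `Allow from localhost` are Apache 2.2 access directives; on Apache 2.4 they only take effect while mod_access_compat is loaded. The note should state which Apache version it was written for and give the 2.4 forms, `Require all denied` for xmlrpc.php and `Require local` for server-status. The log path in "In /etc/apache2/access.log grep for this" also needs checking: the auth log earlier on the page is under /var/log, and Debian-style installs write the Apache access log to /var/log/apache2/access.log by default. Since the fix that is recorded as solving the problem is a DROP rule for a single source address, it is worth stating whether the xmlrpc.php deny block was left in place, because that block is what still applies if the requests return from a different address.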