server_maintenance

Differences

This shows you the differences between two versions of the page.

server_maintenance [2015/06/29 20:48]
zoza
server_maintenance [2016/06/19 12:13] (current)
zoza [mysql]
Line 1: Line 1:
 ====== server maintenance ====== ====== server maintenance ======
  
-  * logging activity+===== logging activity ​=====
  
 apache error log apache error log
Line 15: Line 15:
 <​code>​geoiplookup THE.IP.ADD.RE.SS</​code>​ <​code>​geoiplookup THE.IP.ADD.RE.SS</​code>​
  
-  * IP filtering+===== IP filtering ​===== 
  
 check existing iptables filters check existing iptables filters
Line 22: Line 23:
 <​code>​iptables -A INPUT -s THE.IP.ADD.RE.SS -j DROP</​code>​ <​code>​iptables -A INPUT -s THE.IP.ADD.RE.SS -j DROP</​code>​
  
-  * mysql+=====  ​mysql =====
  
 remove comments from a wordpress site remove comments from a wordpress site
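Review bot: The added heading `=====  mysql =====` has two spaces after the opening marker, while the `logging activity` and `IP filtering` headings added in the same revision have one; write it as `===== mysql =====` so the three section headings are formatted the same way.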
Line 28: Line 29:
 mysql>​DELETE FROM wp_comments WHERE comment_approved = '​0';​ mysql>​DELETE FROM wp_comments WHERE comment_approved = '​0';​
 </​code>​ </​code>​
 +
 +mysql running out of memory in minutes
 +http://​brunzino.github.io/​blog/​2016/​05/​21/​solution-how-to-debug-intermittent-error-establishing-database-connection/​
 +https://​www.linode.com/​docs/​websites/​apache-tips-and-tricks/​tuning-your-apache-server
 +
 +added the following lines 
 +<​code>​
 +  #trying to fix mysql memory leak, which is possibly linked to an attack ?
 +   <​files xmlrpc.php>​
 +          order allow,deny
 +          deny from all
 +    </​files>​
 +</​code>​
 +to all /​etc/​apache2/​sites-available/​domain.com configuration files which host a WordPress, to block possible **xmlrpc** attack. ​
 +In /​etc/​apache2/​access.log grep for this
 +<​code>​
 +POST /xmlrpc.php HTTP/1.1
 +</​code>​
 +installed **lynx** and added the following lines:
 +<​code>​
 +<​Location /​server-status>​
 +  SetHandler server-status
 +  Order Deny,Allow
 +  Deny from all
 +  Allow from localhost
 +</​Location>​
 +</​code>​
 +to all /​etc/​apache2/​sites-available/​domain.com configuration files which host a WordPress, to enable lynx analytics report, which clearly showed many **xmlrpc** requests in seconds. ​
 +
 +run <​code>​lynx http://​localhost/​server-status</​code>​
 +
 +to see statistics
 +
 +Solved the memory issue by blocking the ip that was sending xmlrpc requests (iptables drop) after geoiplocating it in lithuania
 +
 +consider also this:
 +http://​www.blogtips.org/​block-wordpress-brute-force-attacks-via-xmlrpc-php/​
 +
 +also, dataclub.biz domain appears in other brute-force attacks
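Review bot: The `<files xmlrpc.php>` block and the `<Location /server-status>` block both use the Apache 2.2 access directives (`order allow,deny`, `Deny from all`, `Allow from localhost`), which Apache 2.4 only honours through mod_access_compat; the note should state which Apache version these hosts run, and on 2.4 use `Require all denied` for xmlrpc.php and `Require local` for server-status. The grep step points at /etc/apache2/access.log, but /etc/apache2 is the configuration directory and Debian-style installs write the access log under /var/log/apache2/, so the path should be checked against the server. The text credits lynx with the report; the report comes from the server-status handler (mod_status) and lynx is only the viewer, which matters to anyone reproducing this on a host without lynx. It would also help to record that denying xmlrpc.php turns off everything that depends on it (pingbacks, the WordPress mobile apps, Jetpack), and that the step that resolved the memory issue was a single-source iptables drop, which stops helping once the sender changes address, whereas the xmlrpc.php deny keeps working.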
server_maintenance.1435610890.txt.gz · Last modified: 2015/06/29 20:48 by zoza