
This is an old revision of the document!


server maintenance

logging activity

apache error log

tail /var/log/apache2/error.log

mysql error log

tail /var/log/mysql/error.log

user authentications, including possible attacks

tail /var/log/auth.log

look up where an IP address is coming from

geoiplookup THE.IP.ADD.RE.SS

IP filtering

check existing iptables filters

iptables -L

use iptables to filter IP addresses

iptables -A INPUT -s THE.IP.ADD.RE.SS -j DROP

mysql

remove unapproved comments from a WordPress site

mysql>USE database;
mysql>DELETE FROM wp_comments WHERE comment_approved = '0';

mysql running out of memory in minutes

http://brunzino.github.io/blog/2016/05/21/solution-how-to-debug-intermittent-error-establishing-database-connection/
https://www.linode.com/docs/websites/apache-tips-and-tricks/tuning-your-apache-server

added the following lines

# trying to fix mysql memory leak, which is possibly linked to an attack?
<files xmlrpc.php>
  order allow,deny
  deny from all
</files>

to all /etc/apache2/sites-available/domain.com configuration files that host a WordPress site, to block a possible xmlrpc attack. In /etc/apache2/access.log, grep for this:

POST /xmlrpc.php HTTP/1.1

installed lynx and added the following lines:

<Location /server-status>
  SetHandler server-status
  Order Deny,Allow
  Deny from all
  Allow from localhost
</Location>

to all /etc/apache2/sites-available/domain.com configuration files that host a WordPress site, to enable the lynx analytics report, which clearly showed many xmlrpc requests in seconds. Solved the memory issue by blocking the IP that was sending the xmlrpc requests (iptables drop) after geolocating it in Lithuania.

consider also this: http://www.blogtips.org/block-wordpress-brute-force-attacks-via-xmlrpc-php/

also, dataclub.biz domain appears in other brute-force attacks
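
The access-log check described above (grep for POST /xmlrpc.php, then block the sender), as an added example that is not part of the original notes: a shell function that counts those requests per client IP, with the peak per second, so the address to pass to geoiplookup and iptables stands out. The function names, the threshold argument and the sample log lines are assumptions constructed for illustration; the input is assumed to be in Apache combined log format.

```shell
#!/bin/sh
# Added example, not from the original notes.
# xmlrpc_top MIN [LOGFILE...]
# Reads Apache combined-format access log lines (stdin when no file is given)
# and prints "TOTAL PEAK_PER_SECOND IP" for every client with at least MIN
# POST requests to xmlrpc.php, busiest client first.
xmlrpc_top() {
    min=${1:-10}
    if [ $# -gt 0 ]; then shift; fi
    awk -v min="$min" '
        # Fields: $1 client IP, $4 "[dd/Mon/yyyy:hh:mm:ss", $6 "\"METHOD", $7 path
        $6 == "\"POST" {
            path = $7
            sub(/\?.*/, "", path)              # ignore any query string
            if (path ~ /\/xmlrpc\.php$/) {     # also matches subdirectory installs
                total[$1]++
                n = ++persec[$1 SUBSEP $4]     # requests from this IP in this second
                if (n > peak[$1]) peak[$1] = n
            }
        }
        END {
            for (ip in total)
                if (total[ip] >= min) print total[ip], peak[ip], ip
        }
    ' "$@" | sort -k1,1nr -k3,3
}

# Constructed sample log lines (documentation IP ranges, not real traffic).
sample_log() {
    cat <<'EOF'
203.0.113.7 - - [02/Jun/2016:12:00:01 +0200] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
203.0.113.7 - - [02/Jun/2016:12:00:01 +0200] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
203.0.113.7 - - [02/Jun/2016:12:00:01 +0200] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
203.0.113.7 - - [02/Jun/2016:12:00:02 +0200] "POST /blog/xmlrpc.php?x=1 HTTP/1.1" 200 370 "-" "-"
203.0.113.7 - - [02/Jun/2016:12:00:03 +0200] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "-"
198.51.100.20 - - [02/Jun/2016:12:00:04 +0200] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
192.0.2.5 - - [02/Jun/2016:12:00:05 +0200] "POST /wp-login.php HTTP/1.1" 200 1200 "-" "-"
192.0.2.5 - - [02/Jun/2016:12:00:06 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "-"
EOF
}

# Demo on the sample; on a server pass the access log path instead.
sample_log | xmlrpc_top 3
```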

server_maintenance.1464871545.txt.gz · Last modified: 2016/06/02 12:45 by zoza