While working on different issues, I have seen many clients complaining about DDoS attacks on their servers. So I am posting here some useful commands to check for and prevent a DDoS attack.
First of all, when you see that your site's or server's speed is very slow even though there is not much load on your server, you can guess it might be a DDoS. Then run the 'top' command and see which processes are the most numerous; if those are httpd, then fire the following commands, which will show how many active connections your server is currently processing.

netstat -n | grep :80 | wc -l
netstat -n | grep :80 | grep SYN | wc -l

The first command will show the number of active connections that are open to your server. The number of active connections from the first command is going to vary widely, but if you are much above 500 you are probably having problems. If the second command is over 100, you are having trouble with a SYN attack.
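An added example, not part of the original post: the same check done with awk so that only sockets whose local port is exactly 80 are counted (a plain `grep :80` also matches port 8080 and outbound connections to a remote port 80), plus a per-source breakdown. The sample netstat lines are constructed, the function names are hypothetical, and the 500/100 thresholds are the post's rule of thumb.

```shell
#!/bin/sh
# Constructed sample of `netstat -n` output (documentation addresses), so the
# script runs offline. On a live server use: netstat -n | conn_summary
sample_netstat() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51514      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51515      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:40022       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:40023       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:40024       TIME_WAIT
tcp        0      0 192.0.2.10:8080         198.51.100.9:33000      ESTABLISHED
tcp        0      0 192.0.2.10:44312        198.51.100.20:80        ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.7:50000      ESTABLISHED
EOF
}

# Print "total=N syn=M" for TCP sockets whose LOCAL port is exactly 80.
conn_summary() {
  awk '$1 ~ /^tcp/ && $4 ~ /:80$/ { total++; if ($6 ~ /^SYN/) syn++ }
       END { printf "total=%d syn=%d\n", total, syn }'
}

# Print "count ip" for each remote address on local port 80, busiest first.
top_talkers() {
  awk '$1 ~ /^tcp/ && $4 ~ /:80$/ { ip = $5; sub(/:[0-9]+$/, "", ip); n[ip]++ }
       END { for (ip in n) print n[ip], ip }' | sort -k1,1nr -k2,2
}

# Apply the post's rule-of-thumb thresholds (500 connections, 100 SYN).
verdict() {  # usage: verdict TOTAL SYN
  if [ "$2" -gt 100 ]; then echo "possible-syn-flood"
  elif [ "$1" -gt 500 ]; then echo "high-connection-count"
  else echo "normal"; fi
}

sample_netstat | conn_summary
sample_netstat | top_talkers
```

On the sample, `grep :80 | wc -l` reports 7 because it also counts the 8080 listener and the outbound connection, while `conn_summary` counts only the sockets on local port 80.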
In the last couple of days we have really had problems accessing the web service, while FTP and SSH work fine. While we are getting connection timeouts, the load on the server is really low, around .2, and we get numerous e-mails from cPanel that httpd is failing and trying to restart.
What can I do to check and verify that there is a DDoS attack?
What steps can I take to possibly minimize a DDoS attack?
I would like to know how to check load via ssh and check files causing load?
I want the SSH codes for 2 different sets of control panels, one with cPanel+WHM and the other with Kloxo+HyperVM,
and I would also like to know how to check the files causing the load. Some files could have been interrupted while processing, so they could be causing load sometimes, so I want to stop such processes if any are running on the VPS on my friends' accounts.
Tue Mar 20 16:00:02 SGT 2007 on blue.mydomain.com
Server Load: 16:00:02 up 21 days, 14:02, 0 users, load average: 2.73, 2.20, 2.08
Warning: Malicious Nobody Process Found
=========================================
Options: kill bad proc=1 logging lvl=1
Cipher list . Due to weaknesses in the SSLv2 cipher you should disable SSLv2 in WHM > Apache Configuration > Global Configuration > SSLCipherSuite > Add -SSLv2 to SSLCipherSuite and/or remove +SSLv2. Do not forget to Save AND then Rebuild Configuration and Restart Apache, otherwise the changes will not take effect in httpd.conf
Can someone explain this in layman's terms? I know this is new in cPanel. I'm already running Apache 2.2, PHP 5.2.9 with suPHP enabled and mod_security as well (these rules: [url]
Also, what exactly are these CSF checks?
Check csf PT_SKIP_HTTP option: This option disables checking of processes running under apache and can limit false-positives but may then miss running exploits
Check csf SAFECHAINUPDATE option: This option closes a window of opportunity that opens when dynamic chain updates occur
I have one client who cannot see my server and all the domains on it. I've checked whether his IP is blocked or not, and I didn't see his IP in the apf deny hosts file. How do you check whether an IP can see my server? I just want to make sure before calling the ISP.
I recently added ubl.unsubscore.com to my email server. I only have that one and the SpamHaus (Zen) activated.
I am able to see the SpamHaus listed on DNSStuff and on SpamHaus website that the person trying to email me is not listed.
So I have to think that it is ubl.unsubscore.com list. But what domain name can I enter into the browser to check this list? www.unsubscore.com does not work. A little searching led me to lashback, but the IP is not listed there either.
A few days ago I had a problem with my httpd. I finally nailed it down and came to the conclusion that my MaxClients was set too low, so I had to set it to a high number, and it seemed like the problem of "Network Timeout" had been resolved, but now the problem still continues. Here is what I think is wrong:
Cpu(s): 1.5%us, 0.4%sy, 0.0%ni, 96.7%id, 0.3%wa, 0.3%hi, 0.8%si, 0.0%st
The 96.7%id always stays above 90%. Is that bad, and how do I fix it?
I have a problem where mysqld is using 95 - 97% CPU usage all the time.
How can I see what user is causing this? I have installed mytop, but when I use it I get:
[root@server1 ~]# mytop
Cannot connect to MySQL server. Please check the:
* database you specified "test" (default is "test")
* username you specified "root" (default is "root")
* password you specified "" (default is "")
* hostname you specified "localhost" (default is "localhost")
* port you specified "3306" (default is 3306)
* socket you specified "" (default is "")
The options my be specified on the command-line or in a ~/.mytop config file. See the manual (perldoc mytop) for details.
Here's the exact error from DBI. It might help you debug:
Access denied for user 'root'@'localhost' (using password: NO)
One of my hosted users complained that he can't access his website, nor can he ping the website. When I asked him to access my 2nd server (same datacenter), it went fine. I could be thinking that my server is blocking his IP.
How do I check if his IP is blocked?
I am using the APF+BFD iptables firewall (I don't know, but I hope this makes sense)