
VPS keeps going offline

Status
Not open for further replies.

Johnn

Administrator
Legacy Exclusive Member
Joined
Apr 13, 2004
Messages
15,981
Reaction score
1,391
Feedback: 587 / 0 / 0
It's managed VPS but it looks like they are not doing their jobs.
Without admin tools you have to use ssh to get in and browse to see if something has been uploaded to your site - checking by the date.
command
ls -l
also check for permission using the previous command (need to take a linux class)
and run a command to see what is running
ps -ef

good luck
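The checks described in this post, as an added example that is not part of the original post: a read-only shell sketch that lists files under a web root changed in the last N days and narrows them to PHP files inside an uploads directory or world-writable files. The function names and the sample tree are hypothetical, constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Read-only checks: nothing on the
# site is changed. recent_files / risky_recent are hypothetical names.

# List regular files under $1 modified within the last $2 days.
recent_files() {
    find "$1" -type f -mtime "-$2" -print
}

# Of those, keep the ones that deserve a closer look:
#  - PHP files inside an uploads directory (uploads should hold media, not code)
#  - files that are world-writable
risky_recent() {
    find "$1" -type f -mtime "-$2" \
        \( \( -path '*/uploads/*' -name '*.php' \) -o -perm -0002 \) -print
}

# Constructed sample tree for a dry run (not a real site); prints its path.
make_sample_tree() (
    umask 022
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads/2024" "$d/wp-includes"
    echo '<?php // old core file' > "$d/wp-includes/version.php"
    touch -t 202001010000 "$d/wp-includes/version.php"   # backdated: not recent
    echo 'img' > "$d/wp-content/uploads/2024/photo.jpg"
    echo '<?php // unexpected' > "$d/wp-content/uploads/2024/cache.php"
    echo 'x' > "$d/wp-content/open.txt"
    chmod 666 "$d/wp-content/open.txt"                    # world-writable
    echo "$d"
)
```

Anything `risky_recent` prints can then be inspected with `ls -l` for owner and permissions, and compared against what `ps -ef` shows running.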
 

draggar

þórr mjǫlnir
Legacy Exclusive Member
Joined
Dec 26, 2007
Messages
7,357
Reaction score
223
Feedback: 53 / 0 / 0
It's managed VPS but it looks like they are not doing their jobs.
Without admin tools you have to use ssh to get in and browse to see if something has been uploaded to your site - checking by the date.
command
ls -l
also check for permission using the previous command (need to take a linux class)
and run a command to see what is running
ps -ef

good luck

Ugh, I get nervous with things like that, I don't even like playing with the settings. :(

Definitely the best way to learn, yes.

Suggestions? I will assume Ubuntu for Linux (I already have that on a laptop and use it) - but what about the others?
 

south

DNF Addict
Legacy Exclusive Member
Joined
Dec 31, 2006
Messages
4,689
Reaction score
168
Feedback: 315 / 0 / 0
Ubuntu is based on Debian, CentOS is based on RHEL. There are quite a few differences. For a newbie, especially if you intend to run a server, probably better to start with CentOS to learn.
 

Johnn

Administrator
Legacy Exclusive Member
Joined
Apr 13, 2004
Messages
15,981
Reaction score
1,391
Feedback: 587 / 0 / 0
Ugh, I get nervous with things like that, I don't even like playing with the settings. :(



Suggestions? I will assume Ubuntu for Linux (I already have that on a laptop and use it) - but what about the others?
The commands show you the listing. You are not making any changes.
 

draggar

þórr mjǫlnir
Legacy Exclusive Member
Joined
Dec 26, 2007
Messages
7,357
Reaction score
223
Feedback: 53 / 0 / 0
Ubuntu is based on Debian, CentOS is based on RHEL. There are quite a few differences. For a newbie, especially if you intend to run a server, probably better to start with CentOS to learn.

CentOS.org?

Looking at the stats it's been steady and normal since I rebooted at 5am. Honestly, I do not think it is too much traffic to my sites, AdSense and Analytics don't show any huge increase in traffic over the past week.

Downloading CentOS ISO files now. :)
 

draggar

þórr mjǫlnir
Legacy Exclusive Member
Joined
Dec 26, 2007
Messages
7,357
Reaction score
223
Feedback: 53 / 0 / 0
TY all for the suggestions and TY South for the in-depth help.

I ended up going through my statistics and noticed one IP address had about 15,000 hits to my site ever since this started so I blocked that IP address. South also noticed a redundant program was running - I killed it and it freed up about 200MB of memory (now running stable at about 29% resources used).

Just had a large scale brute force attack across the board on all sites - despite login lockdown being set to 3 failed attempts in 10 days resulting in a 100 day lockout, they still got over 10,000 attempts in less than 10 minutes per site (rotating IP address). Memory usage peaked at about 41%. (Edit: attack / script kiddie is still running).

WP really needs to help w/ this - like allowing us to rename the WP-ADMIN directory.

Edit: Just passed 20,000 attempts in the past 30 minutes. The person must have a lab, at least dozens of IP addresses (possibly over 100), multiple computers (different OS, browsers, etc.) - going through the dictionary now.
 

katherine

Country hopper
Legacy Exclusive Member
Joined
Jul 9, 2005
Messages
8,428
Reaction score
1,290
Feedback: 65 / 0 / 0
Perhaps you have a WP plugin that blocks the IP address, but the bots can still make HTTP requests against the server (blindly), and keep draining server resources, and bandwidth for nothing.

What you need is a good IDS that will block the IP addresses at firewall level, so the bots cannot even establish a connection to your server.
iptables is your friend.
 

draggar

þórr mjǫlnir
Legacy Exclusive Member
Joined
Dec 26, 2007
Messages
7,357
Reaction score
223
Feedback: 53 / 0 / 0
This person / script kiddie has at least 200 IP addresses at their disposal - I get an email every time there is a failed login attempt and I went through 200 of them for one site - all different IPs (and I had already deleted hundreds earlier).

LoginLockdown does its job - it just can't really prevent this since it is coming from different IP addresses but when they've gone through their IP list 3 times then it's a 100 day lockout.

As for the IP address with thousands of hits in a few days - that was blocked at the server level and the server has been stable ever since.

The silver lining of an attack like this is that it reminds me to log into the sites - and then I update everything. :)
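Why a per-IP lockout barely slows an attack like the one described above, as an added example that is not part of the original post: it counts POSTs to wp-login.php in Apache combined-format log lines, first per source IP and then per minute across all IPs. The function names, the burst limit and the log lines are hypothetical, constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Input: Apache "combined" access
# log lines on stdin. Function names and sample data are constructed.

# Per-IP view: "count ip" for POSTs to wp-login.php, busiest first.
login_posts_by_ip() {
    awk '$6 == "\"POST" && $7 ~ /wp-login\.php/ { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Site-wide view: minutes in which total login POSTs reach $1, printed
# as "minute total distinct_ips". Rotating addresses cannot hide here.
login_bursts() {
    awk -v limit="$1" '
        $6 == "\"POST" && $7 ~ /wp-login\.php/ {
            m = substr($4, 2, 17)      # "[01/Jan/2024:10:00:01" -> "01/Jan/2024:10:00"
            total[m]++
            if (!((m, $1) in seen)) { seen[m, $1] = 1; ips[m]++ }
        }
        END { for (m in total) if (total[m] >= limit) print m, total[m], ips[m] }' | sort
}

# Constructed sample: 6 addresses, 2 attempts each, all inside one minute,
# plus one ordinary login and one page view at another time.
sample_log() {
    for i in 1 2 3 4 5 6; do
        for s in 01 31; do
            echo "198.51.100.$i - - [01/Jan/2024:10:00:$s +0000] \"POST /wp-login.php HTTP/1.1\" 200 512 \"-\" \"x\""
        done
    done
    echo '203.0.113.9 - - [01/Jan/2024:11:15:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "x"'
    echo '203.0.113.9 - - [01/Jan/2024:11:15:02 +0000] "GET /wp-admin/ HTTP/1.1" 200 900 "-" "x"'
}
```

In the sample no single address exceeds 2 attempts, so a lockout set to 3 failures never triggers, yet `sample_log | login_bursts 10` reports 12 login POSTs from 6 addresses in one minute. The per-IP list is what a firewall-level block would consume; the per-minute total is the signal that the lockout is being sidestepped.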
 

south

DNF Addict
Legacy Exclusive Member
Joined
Dec 31, 2006
Messages
4,689
Reaction score
168
Feedback: 315 / 0 / 0
Just for fun, I do this in the apache config file on a couple of my servers that have no wordpress sites installed.

Do *NOT* do this if you have wordpress, or need access to any of the specified directories.

Redirect /phpmyadmin http://localhost/phpmyadmin
Redirect /myadmin http://localhost/myadmin
Redirect /forum http://localhost/forum
Redirect /administrator http://localhost/administrator
Redirect /admin http://localhost/admin
Redirect /blog/wp-admin/ http://localhost/blog/wp-admin/
Redirect /wordpress/wp-admin/ http://localhost/wordpress/wp-admin/
Redirect /wp-admin/ http://localhost/wp-admin/

Also I have a directive in my robots.txt disallowing access to the above, so good bots / search engines won't be bothered.

Who knows, maybe one of the kiddies is stupid enough to fall for it.. :D
 

amplify

Level 5
Legacy Exclusive Member
Joined
Sep 15, 2009
Messages
3,467
Reaction score
1,173
Feedback: 68 / 0 / 0
Just for fun, I do this in the apache config file on a couple of my servers that have no wordpress sites installed.

Do *NOT* do this if you have wordpress, or need access to any of the specified directories.

Redirect /phpmyadmin http://localhost/phpmyadmin
Redirect /myadmin http://localhost/myadmin
Redirect /forum http://localhost/forum
Redirect /administrator http://localhost/administrator
Redirect /admin http://localhost/admin
Redirect /blog/wp-admin/ http://localhost/blog/wp-admin/
Redirect /wordpress/wp-admin/ http://localhost/wordpress/wp-admin/
Redirect /wp-admin/ http://localhost/wp-admin/

Also I have a directive in my robots.txt disallowing access to the above, so good bots / search engines won't be bothered.

Who knows, maybe one of the kiddies is stupid enough to fall for it.. :D

Why redirect to localhost when you can redirect to whitehouse.gov, then it's an attack on a government agency. ;)

...Though your websites will show as the referrer, their IP will show as well... so I don't know who's to blame?
 

thehostdir

Level 4
Legacy Platinum Member
Joined
Jan 21, 2011
Messages
201
Reaction score
6
Feedback: 2 / 0 / 0
I had the same attack issues with my previous host, and recently WordPress sites were getting hacked on my VPS. I have hosting with webhost UK; I contacted them regarding the hack problem as they provide a free management service. Their support tech made some security updates on my VPS and also changed some WordPress directory paths ... that solved my problem. It's been 3 to 4 months since then and none of my WordPress sites has been hacked.
 

amplify

Level 5
Legacy Exclusive Member
Joined
Sep 15, 2009
Messages
3,467
Reaction score
1,173
Feedback: 68 / 0 / 0
I'm running an older version of vB4 (should update, but hate fixing the theme when I do) and came under attack yesterday that shut it down for 24 hours. The 'sessions' table grew to an outstanding 300000 entries in a matter of an hour and had 150000 email warnings that came in. Truncated the table and was all good.

Lesson, keep all your software up to date. WP, Joomla, vB, etc. to prevent this kind of attack on your sites running any platform.
 

draggar

þórr mjǫlnir
Legacy Exclusive Member
Joined
Dec 26, 2007
Messages
7,357
Reaction score
223
Feedback: 53 / 0 / 0
They migrated all their servers to new equipment and even though I'm done - some of my sites are acting weird, but not weird in a way I can log a ticket.

One issue, which I did log a ticket on, was that no emails were coming through for 4 of the 5 nameservers (coincidentally the 4 I changed the IP addresses for). I logged a ticket but then searched the issue - I turned off "Sender Verification" in Exim and emails are going through (but only new emails - none that were sent since the migration). Support says this is a sufficient fix but I don't know about that - thoughts?

Edit:

One issue: it takes a long time (if at all) to load up the admin login when I type domain.com/wp-admin but it loads up quickly if I type in domain.com/wp-admin/index.php
 

Mark Talbot

Level 7
Legacy Platinum Member
Joined
Jun 13, 2003
Messages
931
Reaction score
164
Feedback: 0 / 0 / 0
I'm running an older version of vB4 (should update, but hate fixing the theme when I do) ...
You really should be using the mod, TMS. Makes easy work of upgrading vB versions and altering templates.

They migrated all their servers to new equipment and even though I'm done - some of my sites are acting weird, but not weird in a way I can log a ticket....

If the server was migrated, I would review all your htaccess files. Some weird symptoms can happen when they get screwed up, but I won't say that will be all of the issues. Also would review all your DNS settings for each domain account.
 

Mark Talbot

Level 7
Legacy Platinum Member
Joined
Jun 13, 2003
Messages
931
Reaction score
164
Feedback: 0 / 0 / 0
Not much you can do with VPS.
Ask Tech Support to tell you what is going on.

a. - Not true, I have an unmanaged VPS and have full control short of one or two things.
b. - Tech support should be there, managed or not. They might add a slight piss-off fee if you are unmanaged for certain support needs.
 