23 Jul
2014
23 Jul
'14
10:29 p.m.
** Ian <ian(a)lovingboth.com> [2014-07-18 09:32]:
** end quote [Ian]
Yes, I think it is a DDOS, or rather several. I've had issues a few times over
the past couple of months; oddly since I upgraded to 12.04 or thereabouts.
Initially I thought it was increased load from the newer version of Ubuntu, but
wasn't entirely convinced. Then I found that stopping and restarting Apache
cleared the load and made note to investigate the logs. This time round
stopping and restarting Apache has made no difference as when I restart the
load increases within a few minutes. Clearly a higher spec VM would help, but
it seems silly throwing resources at it rather than sorting it properly.
Looking at the logs I've been getting multiple access for the xmlrpc.php file
from multiple sources. Using .htaccess to deny access to the file made no
difference, not sure why, I should have investigated, but instead I reached for
fail2ban. Obviously coming from multiple IPs this didn't work (but I tried
anyway). In the end I managed to install the WP plugin and things settled,
although I have noted a few occaisions when the load has increased
significantly (errors from a plugin I have that updates WP content from RSS
feeds alerts me to this).
I'll have to take a look at the logs, but other things took priority when it
settled (classic firefighting!). With a talk on Saturday and a Raspberry Jam on
Sunday (both work related - it's a hard life when a Raspberry Jam is work) I've
been flat out all weekend too.
--
Paul Tansom | Aptanet Ltd. | http://www.aptanet.com/ | 023 9238 0001
=============================================================================
Registered in England | Company No: 4905028 | Registered Office: Ralls House,
Parklands Business Park, Forrest Road, Denmead, Waterlooville, Hants, PO7 6XP
Paul Tansom said:
Wow, that long ago, I missed the change. I've installed a few times since then,
but clearly have got so used to doing it I've not really taken a close look at
changes in setup for a while!
Yes, that's the plugin I'm trying to
install. I've clearly been lax, but I
thought pingbacks were disabled by default,
They got enabled in July 2012 in one of the not really documented
changes for the then forthcoming version 3.5 released later that year, sigh. At the moment
I'm blocking xmlrpc.php from
the .htaccess, but each time I enable Apache again the load goes from around
0.09 through to 30, 40 or 50 within a minute or so. It is very difficult to
test and diagnose if you can't get any response from the server because of the
load :( I'm just putting something together with fail2ban, then with any luck I
can put the plugin in place and experiment.
If I look at the log files, the most any site here has had this month is
97 accesses.
I wonder if someone is doing a DDOS on you - the ability to do that via
pingbacks is the subject of a WP bug report that goes back about five years.
I'd expect using fail2ban to ban anyone who is trying to access that
file frequently should help.