24 Jul
2014
24 Jul
'14
9:17 p.m.
Hi Folks
(I hope Andy doesn’t mind me posting about a VPS with a provider over the road from him.
He knows that the eventual intention is to bring all of my business over! I am tempted to
“solve” this problem by migrating the offending WordPress site to my BitFolk box, but I
suspect the problem would just follow with it.)
I have a server where Apache is falling over more often than I’d like. I’ve not previously
been big on server monitoring, so I don’t have huge amounts of data that could point to
the problem. (I’m changing that with as much time as I have available.)
I’ll try to keep the story brief:
This is happening on an Ubuntu 12.04 box. It runs Varnish and Apache with many virtual
hosts, and also MySQL and Nagios. One virtual host is a WordPress site, another is a
Drupal 7 site that has not had much publicity made about it, but could attract “enemies”
when it does [1]. Not much customisation was done to the usual install, but some TCP
tweaking was done (mostly by the hosting company) because the VPS was setup to expect
massive traffic.
For the most part, I configure Drupal sites and then take on the hosting. I was asked to
take on the hosting of a WordPress site. Not wanting to run my sites and the WP site with
the same user, I setup a second Apache instance for the WordPress site, with Varnish
forwarding to the appropriate Apache instance.
Some time later, the second Apache instance started segfaulting far too often, and this
could be seen in the error logs. It couldn’t go any longer than about an hour before it
fell over. It started happening around about the time, but not exactly when, I installed
an extra PHP module at the users request [2]. The site was down until Apache was
restarted, and as a temporary measure, I wrote a very crude cron job to automatically
restart Apache as needed.
Dealing with the core dump and gdb seemed too much effort, so I decided to try mpm_itk [3]
instead (which is actually a better fit with my longer term plans). This worked swimmingly
for about a week. However, over the past 3 nights, all of my sites have fallen over at
about 2am, with nothing being served until I woke up and restarted Apache. Some
distinguishing features are:
* This happens at roughly the same time each day.
* All other services on the server are responsive, it’s just Apache that is bound up.
* CPU loads are next to nothing.
* Nothing shows up in the Apache logs during the downtime.
* Nagios reports many more processes than usual are in the system.
I am getting a bit too far from my comfort zone now, but it seems to smell of slowloris to
me.
I’ve since enabled server-status, and if the issue comes up again, I should look at it
before I restart Apache. Watching it now, some distinguishing features are:
* wp-login.php is getting hit quite a bit on the WordPress vhost from different IPs.
* KeepAlive doesn’t seem to be working as I understand it — why should there be Varnish
connections that seem to be open and waiting for 100’s or 1000’s of seconds? (I”m looking
at the SS column.)
* I was running my Drupal cron jobs too often — embarrassingly so -- via cron and wget,
and cron runs for the same vhost seemed to be overlapping [4]. I’ve slowed this down.
Any thoughts? What would you do differently?
(OK, so the story wasn’t brief — apologies!)
Thanks
Ben [5]
[1] [2] My suspicion is that these are red herrings.
[3] Is this a daft thing to do?
[4] I’ll sort out separately why this might have happened, but I’ll move to managing this
via Drush rather than wget.
[5] I am a site builder first, and an admin second, so please excuse the things I’ve done
that are clearly sub-optimal.
25 Jul
25 Jul
12:10 a.m.
Ben Chad said:
For the most part, I configure Drupal sites and then
take on the hosting. I was asked to take on the hosting of a WordPress site. Not wanting
to run my sites and the WP site with the same user, I setup a second Apache instance for
the WordPress site, with Varnish forwarding to the appropriate Apache instance.
I may be misunderstanding something, but why not run WP with the same
Apache? (Apart from the way it would currently bring down everything else!)
* Nothing shows up in the Apache logs during the
downtime.
Do you think it's crashing because of the load before anything gets
written to the access logs?
I’ve since enabled server-status, and if the issue
comes up again, I should look at it before I restart Apache. Watching it now, some
distinguishing features are:
* wp-login.php is getting hit quite a bit on the WordPress vhost from different IPs.
See the wiki article on WordPress and use a fail2ban jail that looks for
any access to wp-login.php and bans the IP address for more than a
handful of accesses in a few minutes. If it's only legitimately accessed
from known whitelisted addresses, you can set it to ban on a single access.
It will probably be triggered at least as much as the ssh jail, much
more when the next distributed bruteforce attempt happens.
Any thoughts? What would you do differently?
Have a cron job that checks if the second Apache is running and, if not,
starts it again.
Stay up until 2am and have a look at what's happening :)
Ian
6:53 a.m.
[I tried sending this at roughly 3am this morning, and forgot yet again that replying to
this list by default replies to the sender.]
My subconscious woke me up just a minute or two after I got a Pingdom alert about site
down. I wish my mind would just let me sleep properly!
This has now happened at 2:29 on the 22nd, 2:19 on the 24th and 2:44 on the 25th.
Coincidence? I think not. My feeling is that an application is being attacked. The only
thing that could come from within is an errant Drupal cron job, but as of a few hours ago,
they run at the start of the hour (staggered), and so would not have bought it down
towards the end of the hour.
Now that I’m awake right when this has happened, I can’t login to the server via SSH. I
would normally raise an emergency ticket with the hosting company [1], but given the
history, I’m almost interested to see if it is back up for me in a few hours.
On 25 Jul 2014, at 01:10, Ian <ian(a)lovingboth.com> wrote:
(Just to be sure, I’m now running a single Apache with mom_itk. I didn’t say it in the
past, but I’d also tried nginx/php-fpm, and I had to keep restarting the php-fpm handler
in that case, too!)
I may be misunderstanding something, but why not run
WP with the same
Apache? (Apart from the way it would currently bring down everything else!)
I didn’t really want to take this hosting on, but it was a personal favour for a very
loyal client that I do D7 for. They rebuilt their WP site after their previous one was
hacked.
I just don’t trust WP, and it seemed right to be wary of exposing my D7 vhosts to a WP
vhost that was a known target.
Do you think it's crashing because of the load
before anything gets
written to the access logs?
No, it’s not crashing. When I have been able to login in the past, the system is full of
Apache processes doing nothing, with nothing in the logs. This is what made me think
slowloris. It seems to me there are loads of connections never being allowed to finish.
See the wiki article on WordPress and use a fail2ban
jail that looks for
any access to wp-login.php and bans the IP address for more than a
handful of accesses in a few minutes. If it's only legitimately accessed
from known whitelisted addresses, you can set it to ban on a single access.
I think that is the next step, yes.
Any thoughts?
What would you do differently?
Have a cron job that checks if the second Apache is running and, if not,
starts it again. Stay up until 2am and have a look at what's
happening :)
:)
Time to go back to sleep before the little person wakes me up, again!
B
[1] They have fairly aggressive firewall settings, so I can’t be sure if the machine is
genuinely uncontactable, or if they have triggered a temporary ban. And I can’t see the
Nagios emails until the machine is reachable.
7:05 a.m.
On 25 Jul 2014, at 07:53, Ben Chad <ben(a)benchbyte.co.uk> wrote:
Now that I’m awake right when this has happened, I
can’t login to the server via SSH. I would normally raise an emergency ticket with the
hosting company [1], but given the history, I’m almost interested to see if it is back up
for me in a few hours.
I had to raise an emergency ticket because this time the entire server was unreachable.
Nagios only reports DNS as being down, which isn’t right.
I’ll have to look at the logs and see what sense I can make out of them, but for now there
are domestic jobs to do!
B
28 Jul
28 Jul
6:39 a.m.
On 25 Jul 2014, at 07:53, Ben Chad <ben(a)benchbyte.co.uk> wrote:
On 25 Jul 2014, at 01:10, Ian
<ian(a)lovingboth.com> wrote:
What a fantastic piece of software! It’s extremely simple to setup, yet very effective.
It’s solved my woes :)
I went for the whitelist/aggressive ban approach, and it’s working a charm. (I did need to
write my own filter to ban folk who tried to access files from invalid IP addresses.)
I’d been hoping to try it for a while, but had just never gotten around to it. If you’re
thinking the same, it doesn’t take very long at all.
On the other hand, I was surprised to see that by default WordPress likes the idea of
running cron on every page access. This would have been contributing to my bother. I think
that was a bad design decision, and I’ve got that sorted out as well.
B
See the wiki article on WordPress and use a
fail2ban jail that looks for
any access to wp-login.php and bans the IP address for more than a
handful of accesses in a few minutes. If it's only legitimately accessed
from known whitelisted addresses, you can set it to ban on a single access.
I think that is the next step, yes.
3799
days inactive
3803
days old
4 comments
2 participants
participants (2)
-
Ben Chad -
Ian