Who's good with PHP, Apache, etc?


GBGallardo

I told you to stop being a cheapass. You need more ram.

 

 

He needs a real computer; he still uses a Mac.


I told you to stop being a cheapass. You need more ram.

Has nothing to do with that...and I did up it to 8gb RAM...it gets eaten instantly.

 

Basically two IPs are each making over 700 connections EACH and bogging the shit out of my server. I've been on the phone with the hosting provider for about 6 hours now and we still cannot come to a solution.

 

I used iptables to ban the two IPs for both incoming and outgoing connections and it dropped them to about ~55 connections each, but the issue is ongoing. Going to restart Apache now to see if it kills all of the connections. I'm getting really fcuking irritated :eusa_wall:


I sent a PM with some suggestions to try.

 

  • Adding the IPs to the /etc/hosts.deny file
  • cPanel IP Deny Manager
  • Blocking through .htaccess file
  • Blocking through the routing table using /sbin/route

 

 

If you don't use an .htaccess file for your site, then setting up the blocking in the Apache httpd.conf file (and restarting Apache) will reduce the overhead.

 

You may also help mitigate the damage and make your server more efficient for your real users by tuning some of the Apache parameters like KeepAliveTimeout, ServerLimit, MaxClients, etc.

 

Is it bogging down the server because it is running out of memory, or is it using too much CPU?


It's bogging it down by running out of memory. Sprite's telling me this is what is known as a SYN Flood (dos attack). Still making zero progress and both are holding about ~115 connections right now.


I presume it is running out of memory because there are so many connections, each of which causes the server to spawn an Apache process, and all these Apache children are using up all the memory. If that is the case, you should adjust the maxclients/maxservers in your httpd.conf to a lower number, so that you still have some memory left after the max servers is hit. You should also reduce the KeepAliveTimeout (sometimes the default is like 15 seconds, and 1 second will probably work better.)

 

Once the max servers is hit the server will drop all new requests, which isn't great for your users, but at least the server can still respond to the requests that get through and you can work on a responsive server. Otherwise, once you go beyond the physical memory and you start thrashing the hard drive, it is pretty unresponsive to everyone, all kinds of processes can start crashing, and it is very hard to work on the server via SSH to try to fix things.

 

However, 115 connections isn't much at all for an 8GB box, so perhaps something else is using up the memory. Have you checked to see where all the memory is being used and what processes are using up the CPU?

 

Also, if it is a SYN Flood attack, I would think reducing the Apache TimeOut value would help. By default the TimeOut directive is set to 300, which is really high (5 minutes), so try reducing it significantly to see if it helps.

 

 

It's bogging it down by running out of memory. Sprite's telling me this is what is known as a SYN Flood (dos attack). Still making zero progress and both are holding about ~115 connections right now.
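
Added example (not part of the original posts): the sizing rule described in this post, worked through with the thread's own figures of 8GB of RAM and two clients at about 700 connections each. The `ps` sample is constructed, and the function names and the 2048 MB reserve are assumptions.

```shell
#!/bin/sh
# Added example: derive a MaxClients ceiling from measured Apache child size.

# Constructed sample of `ps -C httpd -o rss= -o comm=` output (RSS in KiB).
PS_SAMPLE='61440 httpd
65536 httpd
57344 httpd
61440 httpd'

# avg_rss_mb < "RSS_KIB NAME" lines -> average child size in MiB, rounded up.
# RSS counts shared pages in every child, so the result errs on the safe side.
avg_rss_mb() {
    awk '{ sum += $1; n++ }
         END { if (!n) exit 1
               kib = sum / n; mb = int(kib / 1024)
               if (mb * 1024 < kib) mb++
               print mb }'
}

# max_clients TOTAL_MB RESERVE_MB CHILD_MB
# Largest worker count that still leaves RESERVE_MB for the OS, MySQL and SSH.
max_clients() {
    total=$1 reserve=$2 child=$3
    [ "$child" -gt 0 ] && [ "$total" -gt "$reserve" ] || return 1
    echo $(( (total - reserve) / child ))
}

# worst_case_mb WORKERS CHILD_MB -> memory needed if every worker is busy
worst_case_mb() { echo $(( $1 * $2 )); }

# On a live host (assumed process name httpd):
#   child=$(ps -C httpd -o rss= -o comm= | avg_rss_mb)
#   max_clients 8192 2048 "$child"
```

With 60 MiB children, 1400 simultaneous workers would need far more than 8GB, while a cap near 100 keeps the box out of swap.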

 


If it is a Syn Flood attack, try entering these on the shell command line:

 

sysctl -w net.ipv4.tcp_max_syn_backlog=2048

sysctl -w net.ipv4.tcp_syncookies=1

sysctl -w tcp_synack_retries=2

 

 


If it is a Syn Flood attack, try entering these on the shell command line:

 

sysctl -w net.ipv4.tcp_max_syn_backlog=2048

sysctl -w net.ipv4.tcp_syncookies=1

sysctl -w tcp_synack_retries=2

error: "tcp_synack_retries" is an unknown key
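
Added example (not part of the original posts): sysctl resolves a dotted key to a file under /proc/sys, and the third command lacks the `net.ipv4.` prefix the other two carry, which is why it is reported as an unknown key. The sketch below resolves each key before anything is written; the function names and the constructed directory tree used for the offline check are assumptions.

```shell
#!/bin/sh
# Added example: check sysctl keys before applying them.
# sysctl maps a dotted key to a file under /proc/sys (dots become slashes).

# key_path ROOT KEY -> print the file a key resolves to under ROOT
key_path() {
    printf '%s/%s\n' "$1" "$(printf '%s' "$2" | tr '.' '/')"
}

# check_keys ROOT < "key=value" lines
# Prints "ok KEY" or "unknown KEY"; returns 1 if any key is unknown.
check_keys() {
    root=$1 rc=0
    while IFS='=' read -r key value; do
        [ -n "$key" ] || continue
        if [ -e "$(key_path "$root" "$key")" ]; then
            echo "ok $key"
        else
            echo "unknown $key"
            rc=1
        fi
    done
    return $rc
}

# The three settings from the post, exactly as typed there.
AS_POSTED='net.ipv4.tcp_max_syn_backlog=2048
net.ipv4.tcp_syncookies=1
tcp_synack_retries=2'

# Same settings with the third key fully qualified.
QUALIFIED='net.ipv4.tcp_max_syn_backlog=2048
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_synack_retries=2'

# Constructed stand-in for /proc/sys so the check runs offline.
make_fake_procsys() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/net/ipv4"
    for f in tcp_max_syn_backlog tcp_syncookies tcp_synack_retries; do
        : > "$d/net/ipv4/$f"
    done
    echo "$d"
}

# On a live host: printf '%s\n' "$QUALIFIED" | check_keys /proc/sys
```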

 


I'm not sure what rules you've done in iptables to try to block this. I found these rules for iptables online that should help with some DOS attacks. I didn't check this thoroughly to make sure it is right (and I don't have any lists of processes, connections, etc. to tell what kind of attack you are facing), but it is worth a try.

 

iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP

iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP

iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP

iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP

 

After entering those remember to restart iptables:

 

service iptables save

service iptables restart
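
Added example (not part of the original post): `--tcp-flags MASK COMP` examines only the flags listed in MASK and matches when exactly the flags in COMP are set among them. The evaluator below applies that rule to the seven pairs above; an ordinary SYN or SYN/ACK matches none of them, so these rules filter malformed packets rather than a flood of well-formed SYNs. The function names are assumptions.

```shell
#!/bin/sh
# Added example: evaluate iptables --tcp-flags MASK COMP against a flag set.

ALL_FLAGS='FIN,SYN,RST,PSH,ACK,URG'

# has LIST FLAG -> true if FLAG is in the comma-separated LIST
has() { case ",$1," in *",$2,"*) return 0 ;; esac; return 1; }

# flags_match MASK COMP PKT -> true if a packet with flags PKT matches
flags_match() {
    mask=$1 comp=$2 pkt=$3
    [ "$mask" = ALL ] && mask=$ALL_FLAGS
    [ "$comp" = NONE ] && comp=''
    [ "$comp" = ALL ] && comp=$ALL_FLAGS
    for f in $(printf '%s' "$mask" | tr ',' ' '); do
        if has "$comp" "$f"; then
            has "$pkt" "$f" || return 1    # rule wants it set, packet has it clear
        else
            has "$pkt" "$f" && return 1    # rule wants it clear, packet has it set
        fi
    done
    return 0
}

# The seven MASK/COMP pairs from the post, in order.
RULES='ALL NONE
SYN,FIN SYN,FIN
SYN,RST SYN,RST
FIN,RST FIN,RST
ACK,FIN FIN
ACK,PSH PSH
ACK,URG URG'

# first_hit PKT -> number of the first rule that drops PKT, or "none"
first_hit() {
    i=0
    while read -r m c; do
        i=$((i + 1))
        if flags_match "$m" "$c" "$1"; then echo "$i"; return 0; fi
    done <<EOF
$RULES
EOF
    echo none
}

# Example: first_hit SYN,FIN   (flag sets are comma-separated, '' for no flags)
```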


Isn't Capn_Chaos some kind of computer guy?

 

Try him, he might know!

 

 

Not Apache though otherwise would sadly love to help. I also ran it past two programmers and they could not help. Sorry GB.


If you're doing that many connections, get a separate server to handle the SQL/MySQL data.

 

Back in the day I had a similar problem and it got resolved by doing just that


Did you solve the problem? If not PM me with details of the connections, processes, etc. (i.e. 'netstat' and 'top' data) and I can probably help more.
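
Added example (not part of the original posts): one way to turn the `netstat` data requested here into an answer is to tally connections to the web port by remote address and TCP state. Many half-open SYN_RECV entries indicate a SYN flood, while many ESTABLISHED entries from a few addresses are completed connections that each hold an Apache worker. The sample lines are constructed (documentation addresses), and the function names and thresholds are assumptions.

```shell
#!/bin/sh
# Added example: summarise `netstat -ant` output per remote IP and state.

# Constructed sample in `netstat -ant` column layout (not from the thread).
SAMPLE='tcp 0 0 192.0.2.10:80 198.51.100.7:51000 ESTABLISHED
tcp 0 0 192.0.2.10:80 198.51.100.7:51001 ESTABLISHED
tcp 0 0 192.0.2.10:80 198.51.100.7:51002 ESTABLISHED
tcp 0 0 192.0.2.10:80 198.51.100.7:51003 TIME_WAIT
tcp 0 0 192.0.2.10:80 203.0.113.9:40000 SYN_RECV
tcp 0 0 192.0.2.10:80 203.0.113.9:40001 SYN_RECV
tcp 0 0 192.0.2.10:80 203.0.113.9:40002 SYN_RECV
tcp 0 0 192.0.2.10:80 203.0.113.9:40003 SYN_RECV
tcp 0 0 192.0.2.10:22 192.0.2.50:60000 ESTABLISHED
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN'

# per_ip_state PORT < netstat lines
# Prints "COUNT IP STATE", busiest first, for connections to local PORT.
per_ip_state() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 != "LISTEN" {
            n = split($4, l, ":"); if (l[n] != port) next
            ip = $5; sub(/:[^:]*$/, "", ip)      # strip the remote port
            c[ip " " $6]++
        }
        END { for (k in c) print c[k], k }' | sort -k1,1nr -k2,2
}

# suspects PORT MIN < netstat lines
# Labels each IP that holds at least MIN connections in one state.
suspects() {
    per_ip_state "$1" | awk -v min="$2" '
        $1 >= min && $3 == "SYN_RECV"    { print $2, "half-open (SYN flood pattern)" }
        $1 >= min && $3 == "ESTABLISHED" { print $2, "full connections (worker exhaustion)" }'
}

# On a live host: netstat -ant | suspects 80 100
```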


Been a while since I messed with Linux (started with Slackware, then Gentoo) - I found FreeBSD and haven't looked back.

 

We have a site that's doing ~600,000 pageviews/day.


Been a while since I messed with Linux (started with Slackware, then Gentoo) - I found FreeBSD and haven't looked back.

 

We have a site that's doing ~600,000 pageviews/day.

Nice, I'm doing about ~400,000 pages/day across this server on Linux + Apache. Installing and playing around with a dev environment now with Linux + Nginx + PHP...supposedly it is a LOT faster with much less load.

 

The issue was not a DOS attack, but it's still being ironed out so once everything is 100% I'll report back. Thanks for the input everyone :)


If you're still having problems GBGallardo and Opiate, let me know, I know some good server guys here and they should be able to help.

