I am running a WordPress site on a DigitalOcean droplet, and the droplet is running CentOS with CWP. The website is new, so it has a very low amount of genuine traffic, on average around 3-5 visitors per day. However, the site has been under attack for the last couple of weeks.
I receive an email notification almost daily from the lfd service about "Excessive process running under user XYZ", followed right after by a second email titled "High 5 minute load average alert".
Sample line from the first email (the last notification email listed around 143 processes, with status "not killed"):
User:XYZ PID:29096 PPID:26959 Run Time:58(secs) Memory:230140(kb) RSS:10104(kb) exe:/usr/local/bin/php-cgi cmd:/usr/local/bin/php-cgi /home/XYZ/public_html/wp-login.php
The second email contains output from different commands: ps.txt, vnstat.txt, netstat.txt, apachestatus.html.
In the last notification email, there is an error in all of the files except apachestatus.html. The error message is "Unable to obtain SERVICE_NAME output within 10 seconds - Timed out".
In the apachestatus file, I can see 243 idle threads at wp-login.php from a single IP.
My questions are:
- What is the default time to drop idle connections?
- Is there any way to drop idle connections quicker than that? (Maybe the default time is fine, but it is still causing issues in my case, so I want to reduce it further.)
- How can I limit simultaneous requests from a certain IP? (To restrict the open connection limit to 10 or maybe 20.)
- What is the best way to handle this and protect the server from these types of attacks? (Any relevant tool or technique.)
The below is really just an answer to address your Fail2Ban comment/question - I could not answer with sufficient depth in a comment.
Using fail2ban requires more than just the basic options. Here is my "secret sauce":
apache-wplogin.conf:
apache-wpxmlrpc.conf:
Additional lines in jail.local for the above:
Note that my Apache logs in "combined" format from outside the VirtualHost directives - I have the config lines:
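As an added example (my own, not the answer's filter files, which are not reproduced above), here is the detection rule behind a wp-login.php / xmlrpc.php fail2ban jail written out in Python so that it can be run over an Apache "combined" access log offline: a regex that picks out POSTs to the two endpoints, the rule that a failed WordPress login is answered with a 200 (the form re-rendered) while a successful one is a 302 redirect, and a sliding-window counter approximating fail2ban's maxretry/findtime. The log lines, the IP addresses and the filter name apache-wplogin are constructed for illustration; the FAIL2BAN_FILTER text is the equivalent filter I would write, not the answer's. It goes slightly beyond the answer by showing the findtime edge case: attempts spread wider than the window are never banned, however many there are.

```python
"""Count failed wp-login.php / xmlrpc.php POSTs per IP from an Apache "combined"
access log, using the maxretry/findtime counting rule of a fail2ban jail.
Added example, not the answer's own filter files; sample data is constructed."""
import re
import sys
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined": host ident user [time] "request" status bytes "referer" "agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
TARGETS = ("/wp-login.php", "/xmlrpc.php")

# fail2ban filter expressing the same rule as is_failed_attempt() below (assumed
# file name /etc/fail2ban/filter.d/apache-wplogin.conf). "-.*" is loose enough to
# span the ident/user fields and the timestamp whether or not fail2ban has already
# cut the date out of the line before matching.
FAIL2BAN_FILTER = r"""
[Definition]
failregex = ^<HOST> -.*"POST /wp-login\.php[^"]*" 200
            ^<HOST> -.*"POST /xmlrpc\.php[^"]*" 200
ignoreregex =
"""

# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
192.0.2.9 - - [10/Oct/2023:13:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3517 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3517 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3517 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:15:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3517 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3517 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 200 3517 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3517 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3517 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3517 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /xmlrpc.php HTTP/1.1" 200 291 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "POST /xmlrpc.php HTTP/1.1" 200 291 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:56:02 +0000] "GET /wp-admin/ HTTP/1.1" 200 9421 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def is_failed_attempt(rec):
    """A POST to a login endpoint that did not succeed: WordPress re-renders the
    form with 200 on a bad password and answers a good one with a 302 redirect;
    an xmlrpc.php guess also comes back 200 (with a faultCode in the body)."""
    return (rec["method"] == "POST"
            and rec["path"].split("?", 1)[0] in TARGETS
            and rec["status"] == 200)


def find_offenders(lines, maxretry=5, findtime=600):
    """Sliding-window count per IP, like a jail's maxretry/findtime: an IP is
    reported the first time it reaches maxretry failed attempts inside findtime
    seconds. Returns {ip: timestamp of the attempt that tripped the threshold}."""
    window = timedelta(seconds=findtime)
    hits = defaultdict(deque)
    banned = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_failed_attempt(rec):
            continue
        ip = rec["host"]
        if ip in banned:
            continue  # fail2ban would already be dropping this client's packets
        q = hits[ip]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:  # expire attempts older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = rec["ts"]
    return banned


def main(argv):
    lines = open(argv[1]).read().splitlines() if len(argv) > 1 else SAMPLE_LOG.splitlines()
    for ip, ts in find_offenders(lines).items():
        print(f"ban {ip} (threshold reached at {ts:%Y-%m-%d %H:%M:%S})")


if __name__ == "__main__":
    main(sys.argv)
```

Run without arguments it reports only 203.0.113.7, which made five failed POSTs within a few seconds; 192.0.2.9 is left alone because its five attempts are five minutes apart and never fit in a ten-minute window, and 198.51.100.4 is a real login (302). The matching jail would point logpath at the access log the combined-format lines are written to and set maxretry, findtime and bantime to the same values used here.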