Colm Troy's questions

So my server is getting slammed with thousands of SSH login attempts. Fail2ban is catching and banning them - but my inbox it's worrying me and it filling up inbox with alerts. Here's a sample of what I'm seeing:

May 28 15:26:09 sshd[4908]: input_userauth_request: invalid user test [preauth]
May 28 15:26:09 sshd[4908]: pam_unix(sshd:auth): check pass; user unknown
May 28 15:26:09 sshd[4908]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<<SNIPIP>>
May 28 15:26:11 sshd[4908]: Failed password for invalid user test from <<SNIPIP>> port 41344 ssh2
May 28 15:26:11 sshd[4908]: Received disconnect from <<SNIPIP>> port 41344:11: Bye Bye [preauth]
May 28 15:26:11 sshd[4908]: Disconnected from <<SNIPIP>> port 41344 [preauth]

What's interesting is when I attempt to connect using something like:
ssh test@myserverip -p 41344

my connection attempt eventually times out and I see no entry in auth.log - which is what I would expect to happen given I've locked the machine firewall down via UFW: (sidenote: I'm already running ssh on a non standard port)

ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
Anywhere                   DENY IN     144.202.55.196
Anywhere                   DENY IN     188.53.140.190
Anywhere                   DENY IN     185.50.197.159
Anywhere                   DENY IN     206.189.197.133
Anywhere                   DENY IN     61.175.121.73
Anywhere                   DENY IN     8.30.124.149
Anywhere                   DENY IN     193.105.134.45
Anywhere                   DENY IN     139.129.14.230
Anywhere                   DENY IN     37.247.96.111
22                         DENY IN     Anywhere
2200/tcp                   ALLOW IN    Anywhere
25/tcp                     ALLOW IN    Anywhere
80,443/tcp (Nginx Full)    ALLOW IN    Anywhere
2246                       ALLOW IN    Anywhere
2812                       ALLOW IN    Anywhere
2247/tcp                   ALLOW IN    Anywhere
19999/tcp                  ALLOW IN    Anywhere
82/tcp                     ALLOW IN    Anywhere
22 (v6)                    DENY IN     Anywhere (v6)
2200/tcp (v6)              ALLOW IN    Anywhere (v6)
25/tcp (v6)                ALLOW IN    Anywhere (v6)
80,443/tcp (Nginx Full (v6)) ALLOW IN    Anywhere (v6)
2246 (v6)                  ALLOW IN    Anywhere (v6)
2812 (v6)                  ALLOW IN    Anywhere (v6)
2247/tcp (v6)              ALLOW IN    Anywhere (v6)
19999/tcp (v6)             ALLOW IN    Anywhere (v6)
82/tcp (v6)                ALLOW IN    Anywhere (v6)

So my main question is, how is it possible that someone is even getting a chance to attempt a login on port 41344 when I can't?

This should be dead simple but I can't figure it out.

I have a web app (Magento) in

/srv/www/magento.com/public_html

The filesystem permissions are standard Magento permissions http://devdocs.magento.com/guides/m1x/install/installer-privileges_after.html

The files are owned by www-data:www-data

I've installed ProFTPd and when I create a normal user (e.g. user1) I can login and create/delete files no problem to /home/user1

I tried setting the users home directory:

usermod -m -d /srv/www/magento.com/public_html user1

I also added user1 to the www-data group

usermod -g www-data user1

Yet despite all the above ProFTPd can't switch to that directory

proftpd[20413] myserver: user1 chdir("/srv/www/magento.com/public_html"): Permission denied

I can't switch the file ownership to be owned by user1 as nginx/php5-fpm need them to be under www-data

I'm guessing I'm missing some other basic ubuntu file permissions issue.

Any ideas?

Here's my proftpd.conf file

#
# /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.
# To really apply changes, reload proftpd after modifications, if
# it runs in daemon mode. It is not required in inetd/xinetd mode.
#

# Includes DSO modules
Include /etc/proftpd/modules.conf

# Set off to disable IPv6 support which is annoying on IPv4 only boxes.
UseIPv6                         on
# If set on you can experience a longer connection delay in many cases.
IdentLookups                    off

ServerName                      "XX.XX.XXX.XX"
ServerType                      standalone
DeferWelcome                    off

MultilineRFC2228                on
DefaultServer                   on
ShowSymlinks                    on

TimeoutNoTransfer               600
TimeoutStalled                  600
TimeoutIdle                     1200

DisplayLogin                    welcome.msg
DisplayChdir                    .message true
ListOptions                     "-l"

DenyFilter                      \*.*/

# Use this to jail all users in their homes
#DefaultRoot                    ~

# Users require a valid shell listed in /etc/shells to login.
# Use this directive to release that constrain.
RequireValidShell               off

# Port 21 is the standard FTP port.
Port                            21

# In some cases you have to specify passive ports range to by-pass
# firewall limitations. Ephemeral ports can be used for that, but
# feel free to use a more narrow range.
# PassivePorts                  49152 65534

# If your host was NATted, this option is useful in order to
# allow passive tranfers to work. You have to use your public
# address and opening the passive ports used on your firewall as well.
# MasqueradeAddress             1.2.3.4

# This is useful for masquerading address with dynamic IPs:
# refresh any configured MasqueradeAddress directives every 8 hours
<IfModule mod_dynmasq.c>
# DynMasqRefresh 28800
</IfModule>

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances                    30

# Set the user and group that the server normally runs at.
User                            proftpd
Group                           nogroup

# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask                           022  022
# Normally, we want files to be overwriteable.

AllowOverwrite                  on

# Uncomment this if you are using NIS or LDAP via NSS to retrieve passwords:
# PersistentPasswd              off

# This is required to use both PAM-based authentication and local passwords
# AuthOrder                     mod_auth_pam.c* mod_auth_unix.c

# Be warned: use of this directive impacts CPU average load!
# Uncomment this if you like to see progress and transfer rate with ftpwho
# in downloads. That is not needed for uploads rates.
#
# UseSendFile                   off

TransferLog /var/log/proftpd/xferlog
SystemLog   /var/log/proftpd/proftpd.log

<IfModule mod_quotatab.c>
QuotaEngine off
</IfModule>

<IfModule mod_ratio.c>
Ratios off
</IfModule>


# Delay engine reduces impact of the so-called Timing Attack described in
# http://www.securityfocus.com/bid/11430/discuss
# It is on by default.
<IfModule mod_delay.c>
DelayEngine on
</IfModule>

<IfModule mod_ctrls.c>
ControlsEngine        off
ControlsMaxClients    2
ControlsLog           /var/log/proftpd/controls.log
ControlsInterval      5
ControlsSocket        /var/run/proftpd/proftpd.sock
</IfModule>

<IfModule mod_ctrls_admin.c>
AdminControlsEngine off
</IfModule>

# Include other custom configuration files
Include /etc/proftpd/conf.d/

<IfModule mod_cap.c>
   CapabilitiesEngine on
   CapabilitiesSet +CAP_CHOWN
</IfModule>
<Directory /srv/www/magento.com/public_html>
   UserOwner www-data
   GroupOwner www-data
   Umask 002 003
</Directory>

I'm currently testing a new nginx/php-fpm I have setup on a new VPS with 4GB of RAM:

from my php-fpm process pool config:

pm = static
pm.max_children = 10

I have a simple load.php script which has the following simulate a long running mysql query:

<?php
echo sleep(5);
echo "you see me after 5 seconds";
?>

I then throw some load at this script as follows:

ab -n 1000 -c 100 http://mydomain.com/load.php

When I tail the nginx access logs I see a trickle of requests at a time - rather than the high throughput I was expecting.

How exactly does the data flow from nginx to the php backend and back?

If I have 10 static child processes, will the php backend process 10 requests (at 5 seconds each) before then accepting another 10 requests? Certainly from sitting looking at the logs that would appear to be roughly the case - is this correct?

If this is the case and I'm running a php app that if fairly heavy at the DB end (and consequently at the php process time layer), should I simply be increasing the number of child processes to speed up how long it takes to concurrently handle requests?

I have an internal web server (win08) which I'd like to configure as a backup server for a live web server (also Win08).

I'd like to do full and incremental backups from the local machine where it pulls from the live web server on a daily basis.

I see lots of tools for unix based machines for this. Are there any good tools native and optimised for windows based websites/servers?

I only want a subset of files (approx. 8GB) rather than a full machine image.

really odd one here.

I have a website which runs on IIS fine most of the time. On some occasions though I get a white 404 page with the text:

Not Found HTTP Error 404. The requested resource is not found.

Running fiddler I can see the following http headers:

HTTP/1.1 404 Not Found Content-Type: text/html; charset=us-ascii Server: Microsoft-HTTPAPI/2.0 Date: Thu, 10 Nov 2011 21:25:01 GMT Connection: close Content-Length: 315

So a "connection close" error seems to be happening intermittently.

A couple of refreshes later the page loads fine with the following headers:

HTTP/1.1 200 OK Content-Type: text/html Last-Modified: Thu, 10 Nov 2011 15:53:56 GMT Accept-Ranges: bytes ETag: "02d1f3c09fcc1:0" Server: Microsoft-IIS/7.5 X-Powered-By: ASP.NET mycustomheader: 01 Date: Thu, 10 Nov 2011 21:25:24 GMT Content-Length: 16307

I notice that the 404 header doesn't have custom http header response which I've added as part of my debug steps. In IIS if an error is being served by a specific web should it not have the custom header aswell?

Anyone know why certain http requests would intermittently be closed by IIS?

Thanks,

Ed

ok so I'm really confused about how Apache, PHP and WordPress memory allocation works.

For example in WordPress there is a config variable (define('WP_MEMORY_LIMIT', '64M');) for memory allocation which is typically set to 64M by default.

In addition PHP has a memory allocation in php.ini (memory_limit) which is set really low by default (e.g. 128M)

If I have a server with 2GB of ram how should I allocate memory to WordPress and PHP?

e.g.

Should I set php memory to 2GB? The server is a VPS also running mysql, cpanel etc. so I'm thinking I should probably limit it to 1GB instead. Also, if I limit php memory to 512MB will it ever use more than 512M anyway?

Then, what about WordPress - should I set it to match the php limit?

If I have php set to 1GB of memory and 2 WordPress sites should I set each to 512MB - will WordPress obey the memory limit aswell?

Just trying to get a handle on my memory allocation strategy.

Many thanks!

Ed

I have a VPS with 1GB of RAM running CentOS 5.4

It also has plesk running with a number of wordpress websites running with no issues - most of the time.

Recently, it seems that every so often, apache seems to fall over. If you call www.mysite.com it seems to time out.

I attempt a restart of apache and get the following error.

Stopping httpd:                                            [FAILED]
Starting httpd: (98)Address already in use: make_sock: could not bind to address                                                [::]:80
(98)Address already in use: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
Unable to open logs
                                                           [FAILED]

Now I know 100% there is no other service running on port 80 other than apache. But apache doesn't seem to be responding to the stop command. It's almost like it's stuck in limbo!

Eventually I found that I can manually force apache to stop by running

killall -9 httpd

Then a restart command works.

My questions are:

1.) What would cause something like this to happen? The server doesn't get any major traffic to my knowledge. 2.) What can I do on the server to automatically execute the command above if it does happen when I'm not around to do it manually.

Thanks,

Ed

Ok every so often my website which runs on a ubuntu 9.04 vps seems to fall over as apache does not seem to respond.

a simple apache restart solves the issue but obviously it's not a good scenario having to manually restart the server every time this happens.

the site is a wordpress site with minimal traffic (max. 200 visitors a day) i've also got php running as an apache mod with APC caching setup.

i removed some processes which were running on the server like clamav which has reduced memory usage somewhat (server has half a gig of RAM).

users report seeing "out of memory" errors just before apache becomes responsive.

running a top command on the server now shows approx 50% memory usage.

the apache error logs not showing anything interesting either.

but running a top command shows me there are 4 unique instances of apache2 running - each consuming about 15% of memory. The cpu is at 0%

Can anyone explain why there are 4 individual apache processes running and how to manage these correctly?

Thanks all.

Ed

i've have a win 03 server which periodically slows to a crawl and when i hit the task manager i can see 2 instances of agent.exe consuming 49% each of the CPU

how do i get rid of this process or at least stop it from consuming so much of the CPU? actually, what the heck is agent.exe anyway!

Ok really need someone to help me out here

i'm running CentOS on a VPS with Plesk installed

I launched a new website which gets a couple of hundred visits a day (nothing crazy) but have been plagued with performance problems.

The VPS has 768MB of RAM and has been hitting 90% of this pretty quickly.

The site runs on wordpress under fast-cgi and apc is installed and working correctly.

I'm seeing lots of "Premature end of script headers:" and "Software caused connection abort: mod_fcgid: ap_pass_brigade failed in handle_request function" errors in the error logs which I think manifest as 500 errors on the frontend.

I'd love if someone could give me some tips on linux memory management:

1.) I've currently set php memory to use 512MB of memory and increased max execution and input times to 1600 seconds. 2.) APC is set to use 48M memory 3.) I'm not sure what memory allocation fast cgi has

• should I increase apc memory?
• is there a way of controlling what memory fast cgi can access or will it just use the 512 defined in php.ini?
• I've heard there are problems using fast cgi and apc - would this be causing my performance problems?

Any pointers greatly appreciated.

Thanks,

Ed