What are you running, and have you checked your logs? Debian usually has them in /var/log/nginx/access.log or in the place you stated in your vhost file.
varnish/nginx/php-fpm/mysql/memcached. I turned off the nginx access log. Let me turn it on and let's see what's in the log.
Portion of the access log: http://pastebin.com/yBjzYsbc
Somebody is scanning your site with the Acunetix security scanner.
lol, is there any way to stop it? BTW I have plenty of RAM but php-fpm only uses CPU.
iptables: block the Acunetix range if you don't want it on your network.
Uhmmm, little problem here: the nginx log gives me the IP 127.0.0.1...
Using an opcode cache like APC or XCache is a great way to lower PHP CPU usage.
I do have Zend OPcache running since I use PHP 5.5.
You can also set
fastcgi_intercept_errors on
and configure an nginx error_page 404
so that every one of those 404s isn't served by a fat WordPress process. As well as Quick Cache for WordPress.
Somehow the spike has stopped now; I guess somebody was scanning my website. Is there any way to block scanners with nginx? I tried to deny by user_agent in nginx but it does not help.
It sounds like you have Varnish; that is the reason why your nginx logs are showing 127.0.0.1, because Varnish is not giving the proxied IP to nginx for whatever reason. You may have to configure it. If this was raw nginx you would see their IP and be able to block them.
http://nginx.org/en/docs/http/ngx_http_realip_module.html
Change pm = dynamic to pm = static and it won't create so many processes, but it does not help to stop scanning...
I set up the realip module for Cloudflare; now I only see Cloudflare IPs. In the Cloudflare panel I see 7,458 threats yesterday, but Cloudflare didn't do anything to stop the scanning even though Cloudflare sees the scanning as threats. I'm starting to not like Cloudflare already.
Try doing this: https://support.cloudflare.com/hc/en-us/articles/200170706-Does-CloudFlare-have-an-IP-module-for-Nginx-
This is the nginx ngx_http_realip_module, which I said I set up; with it I see only Cloudflare's IPs instead of 127.0.0.1.
Then probably nginx is not receiving the "CF-Connecting-IP" header from Varnish. I can't really help more as I never used Varnish.
Just to verify, is the module baked into your version of nginx?
You tried playing around with the config? Like try changing
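An added nginx configuration (not posted in this thread) that puts the realip, 404-interception and user-agent advice above together for an nginx that sits behind Varnish on 127.0.0.1, which in turn sits behind Cloudflare. It assumes Varnish passes the Cloudflare CF-Connecting-IP request header through to the backend unchanged; the port, paths and server name are placeholders.

```nginx
# Added example, not from the thread: nginx behind Varnish (127.0.0.1) behind Cloudflare.
# Assumes Varnish forwards the CF-Connecting-IP header unchanged and that nginx was
# built with the realip module (check with: nginx -V 2>&1 | grep -o http_realip_module).

http {
    # Only the Varnish instance that opens the TCP connection is trusted to
    # supply the client address. Trusting every peer (0.0.0.0/0) would let a
    # client that reaches nginx directly forge CF-Connecting-IP and bypass
    # any IP-based deny rule.
    set_real_ip_from 127.0.0.1;
    real_ip_header   CF-Connecting-IP;

    # $remote_addr is now the visitor, not 127.0.0.1 or a Cloudflare edge,
    # so access.log entries and deny rules operate on the real address.
    log_format proxied '$remote_addr - $remote_user [$time_local] '
                       '"$request" $status $body_bytes_sent "$http_user_agent"';

    # Flag the scanner user agent named in the thread (pattern is an assumption).
    map $http_user_agent $is_scanner {
        default     0;
        ~*acunetix  1;
    }

    server {
        listen 8080;                  # Varnish backend port (assumed)
        server_name example.com;      # placeholder
        root /var/www/wordpress;      # placeholder
        access_log /var/log/nginx/access.log proxied;

        if ($is_scanner) { return 403; }

        # Addresses found in the log can be denied here, now that $remote_addr is real.
        # deny 203.0.113.10;          # placeholder (RFC 5737 documentation address)

        error_page 404 /404.html;
        location = /404.html { root /var/www/static; internal; }

        location / { try_files $uri $uri/ /index.php?$args; }

        location ~ \.php$ {
            fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
            fastcgi_index index.php;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            # When WordPress answers 404, replace its rendered body with the
            # static page above instead of sending the WordPress output.
            fastcgi_intercept_errors on;
        }
    }
}
```

Reload with nginx -t && nginx -s reload; after that, entries in access.log carry the visitor address rather than 127.0.0.1, which is what both the user-agent map and any deny line need in order to act on the right client.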
pm = dynamic
to
pm = ondemand
What kind of traffic are we talking about, OP? Under high-stress traffic Apache will outperform nginx on PHP/dynamic content. What are the specs of your box?
Not much traffic: a Cloudflare/Varnish/nginx/MySQL setup with ~2k WordPress visits daily. 2 GB RAM with 4 vCPUs on OpenVZ. I always have 1 GB RAM free, but when somebody is scanning my website php-fpm uses lots of CPU even though there is plenty of free RAM. I managed to make Varnish show the real incoming IP from Cloudflare and blacklist that IP, but... you know, I can't always check the stats to block the scanner IP in time.
I do have iptables, but since I must fully allow the Cloudflare IP ranges, I don't have much control over HTTP traffic from Cloudflare.
Sorry to revive this old thread; one of my servers has been hit recently too (lots of meaningless queries sent to WordPress) and the CPU usage went to like 14 or 15.
What I did was to block the IP at the Cloudflare level, and CPU usage came down almost immediately:
https://support.cloudflare.com/hc/en-us/articles/200171326-Where-can-I-find-the-IP-addresses-I-ve-blocked-
Good luck.
@zhuanyi, how did you check the queries sent?
In the access log. I have configured the format in nginx to show the incoming page, and it was directly pointing to search?query=some random garbage....
Not very hard. Use fail2ban.
I might be wrong, but doesn't f2b consume even more memory and CPU?
Try changing 'pm = dynamic' to 'pm = ondemand' and then restart php-fpm.
Turning on 'Under Attack' mode in Cloudflare will also help avoid kiddies scanning/pingbacks etc. It does require legit traffic to wait a couple of seconds in order to visit the website. Pretty sure most people are familiar with it since a lot of sites have it on by default.