Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


Shells Virtual Desktop
BMail.ag - Secure Email Service
Server.net
CPLicense.net
VPS Server
Buy VPN
Vultr
VMs for AI
HostDare
HostDare
ReliableSite White-Label Dedicated Hosting for Resellers
25% Recurring Discount on NVMe VPS
InterServer VPS
BMail.ag - Secure Email Service
Best VPN
High-Performance Bare Metal Server Solutions
Karvl.com
Server Mania Cloud Hosting
DataWagon Hosting
AlphaVPS Hosting
Evoxt.com
Clouvider
VPS Hosting with NVMe
Residential IPs in the US & 4G Mobile Proxies in EU & US with Unlimited Bandwidth
ReliableSite White-Label Dedicated Hosting for Resellers
Rabisu - Hosting Solutions
Shells Virtual Desktop
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

Need advice on my website

jcalebjcaleb Member

Note: I am a newbie admin. Please be kind to me.

I am hosting about 5 domains on a single web server (nginx +php-fpm). All working well for many months. (600 visitors a day combined)

Suddenly, last Friday, NGINX is reporting 504 gateway timeout. I try restarting nginx and php, and my website worked. After a minute or two, 504 again.

I repeated several times restarting, but with the same result.

When I try checked my logs, I discovered the problem. One of my domain is being accessed multiple times a second. And it has been for several hours (8hrs) And it overwhelms php-fpm.

The surprising thing is, this domain is idle. Just a blank wordpress. It is also un-interesting as it is in my native local language.

What could be a possible reason for this?

And because I am a genius admin, I deleted my logs, and can't anylyze much now. I just removed the site from my vps.

Any hint on what I need to put on iptables or nginx to prevent this?

Comments

  • Maybe a Wordpress admin bruteforcer? But if you're being overloaded by that, there's another problem at heart.

  • Probably a bruteforce. Moving it off the VPS and point it elsewhere (like 127.0.0.1) is a good option when you're not using the domain.

  • DDoS, an abusive crawler, your wordpress installation is used to attack others.
    You could implement some rate-limiting for your nginx setup.
    Go to the php-section of your nginx config and implement something like this:

    location ~ .php$ {
    limit_req zone=limit burst=4 nodelay;

    Also, in your main nginx config (nginx.conf) in the http part, add:

    http {
    limit_req_zone $binary_remote_addr zone=limit:50m rate=4r/s;

    This will limit requests to both http and php. If you have multiple site configs you'd have to add the php part to each of them.

  • MunMun Member

    if you could look into your logs for that vhost and give us a sample it would be helpful.

  • I got a similar situation a few weeks ago.

    Bots were keeping hitting xmlrpc.php which is shipped with wordpress. PHP could not handle it and was hanging, and I was getting a message saying that I should increase the number of children in php-fpm logs.

    I finally just set nginx to respond a 403 when trying to access xmlrpc.php and my problems vanished. However I have read that this file was used for the pingback system so this solution may not be suitable for everyone.

    Thanked by 1jcaleb
  • this might not be linked but I had a similar situation with haproxy recently, haproxy was hitting the backend server to check if it was online several times a minute because of the "listen" directive. i think nginx being a reverse proxy & all, it could be doing the same?

  • @Edouard said:
    I got a similar situation a few weeks ago.

    Bots were keeping hitting xmlrpc.php which is shipped with wordpress. PHP could not handle it and was hanging, and I was getting a message saying that I should increase the number of children in php-fpm logs.

    I finally just set nginx to respond a 403 when trying to access xmlrpc.php and my problems vanished. However I have read that this file was used for the pingback system so this solution may not be suitable for everyone.

    XML-RPC Pingback, Your site was participating in a DDoS Attack


    Check here to verify
    http://labs.sucuri.net/?is-my-wordpress-ddosing


    If not whoever was attacking didn't target any sucuri and their proxy service.

    Thanked by 1jcaleb
  • Edouard said: pingback system so this solution may not be suitable for everyone.

    For what I've read and heard, Pingback is not worth it anymore, is that right?

  • nexmark said: XML-RPC Pingback, Your site was participating in a DDoS Attack

    Check here to verify http://labs.sucuri.net/?is-my-wordpress-ddosing
    If not whoever was attacking didn't target any sucuri and their proxy service.

    I checked my domain and it says:

    Warning: Your Website http://xxxxxxxx.com was USED for DDOS.

    Can you share your change in config @Edouard I don't care pingback really.

  • jcaleb said: Can you share your change in config @Edouard I don't care pingback really.

    Try this: http://wptavern.com/how-to-prevent-wordpress-from-participating-in-pingback-denial-of-service-attacks

    Thanked by 1jcaleb
  • thank you @ihatetonny

Sign In or Register to comment.