MyBB Community Forums

Full Version: SQL Exploit consuming all my CPU
Quote: Yes, I do host my website in my VPS, but I'm pretty sure it's not a DDoS but a SQL Exploit or Injection

Weak VPS + Bad Plugin = Slow Site

Have you tweaked your my.conf file? Do you use the debug page of MyBB on all major pages?

You should put your CSS into cache. Looks like they load from css.php which might mean you don't have your cache directory (/root/cache/themes/) as writable.

Quote: ::1 - - [14/Dec/2018:05:35:11 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.25 (Debian) OpenSSL/1.0.2l (internal dummy connection)"
Try to also block any connections that are not GET/POST/HEAD. Above call is an OPTIONS.
https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html

Do you run Cloudflare? This can help you with security features.

Realistically a capable sys admin should be able to view logs of HTTP and the server to figure out what's going on. I doubt it's a DDOS attack. Those are generally speaking more obvious to see in logs. My guess is that you don't have enough resources designated to MySQL. How much RAM is on the VPS? I hope at least 8GB. Cores don't really matter as much as the RAM.
(2018-12-17, 03:03 AM)snakeoilos Wrote: [ -> ]You're only getting a few requests a second. So yup, as you said, not a DDOS. Based on these logs, there's nothing you can filter in fail2ban so that idea is out.

Is that POST legit? Maybe can try and dump that POST data and see what it's doing?

Here's what I'd do if I'm in your shoes:
1. In the ACP, go to Settings -> General Settings. Turn on "Friendly Redirection Pages" if it's OFF. This adds a new delay page every time a user performs a search or posts a new thread.
2. In ACP Settings-> Search System. Tweak the settings to suit the size of your board (# of posts)
3. Try and rule out a mis-configuration. Disable all plugins and use the default theme and see if still get the same problems.
4. Update your OS to include the latest patches
5. Go through this security (https://docs.mybb.com/1.8/administration...rotection/) again.

I really really hate mod_security myself. But maybe it can help track/identify bad POST or get data. Perhaps you can try and enable mod_security briefly and see what's going on.
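The triage snakeoilos and labrocca describe (read the HTTP log, find out whether the POSTs are legitimate, spot methods other than GET/POST/HEAD) can be done with a few awk one-liners over the Apache combined log. The script below is an added example and is not code from either poster or from MyBB; the log lines it embeds are constructed for the demo (documentation-range addresses, MyBB-style paths), with the OPTIONS line copied from the one quoted in the thread. Each function reads a log on stdin, so it runs unchanged against a real access.log.

```shell
#!/bin/sh
# Constructed sample of Apache combined-log lines (hypothetical clients and
# paths modelled on a MyBB install). Only the OPTIONS line is from the thread.
SAMPLE_LOG='::1 - - [14/Dec/2018:05:35:11 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.25 (Debian) OpenSSL/1.0.2l (internal dummy connection)"
203.0.113.10 - - [14/Dec/2018:05:35:12 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Dec/2018:05:35:13 +0000] "POST /search.php HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Dec/2018:05:35:13 +0000] "POST /search.php HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Dec/2018:05:35:14 +0000] "POST /search.php HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Dec/2018:05:35:15 +0000] "GET /css.php?stylesheet=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Dec/2018:05:35:16 +0000] "HEAD /index.php HTTP/1.1" 200 0 "-" "curl/7.64"
192.0.2.55 - - [14/Dec/2018:05:35:17 +0000] "TRACE / HTTP/1.1" 405 0 "-" "scanner"'

# The request line is the second "-delimited field; its first word is the method,
# its second the URI. Output "METHOD count", busiest method first.
methods_by_count() {
    awk -F'"' '{ split($2, r, " "); m[r[1]]++ } END { for (k in m) print k, m[k] }' | sort -k2,2nr
}

# Requests per client address ("count address"), busiest first.
top_clients() {
    awk '{ c[$1]++ } END { for (k in c) print c[k], k }' | sort -nr
}

# Which URIs receive POSTs: search and posting are where MyBB does its heavy
# database work, so a burst here is the first place to look for a CPU spike.
post_targets() {
    awk -F'"' '{ split($2, r, " "); if (r[1] == "POST") p[r[2]]++ } END { for (k in p) print p[k], k }' | sort -nr
}

# Every request whose method is outside the GET/POST/HEAD allow-list.
unexpected_methods() {
    awk -F'"' '{ split($2, r, " "); if (r[1] != "GET" && r[1] != "POST" && r[1] != "HEAD") print $0 }'
}

# Wrappers over the embedded sample so the functions can be checked offline.
sample_method_count() { printf '%s\n' "$SAMPLE_LOG" | methods_by_count | awk -v m="$1" '$1 == m { print $2 }'; }
sample_busiest_client() { printf '%s\n' "$SAMPLE_LOG" | top_clients | head -n1 | awk '{ print $2 }'; }
sample_top_post_target() { printf '%s\n' "$SAMPLE_LOG" | post_targets | head -n1 | awk '{ print $2 }'; }
sample_unexpected_count() { printf '%s\n' "$SAMPLE_LOG" | unexpected_methods | wc -l | tr -d ' '; }

# Real-log usage: methods_by_count < /var/log/apache2/access.log
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | methods_by_count
    printf '%s\n' "$SAMPLE_LOG" | top_clients
    printf '%s\n' "$SAMPLE_LOG" | post_targets
    printf '%s\n' "$SAMPLE_LOG" | unexpected_methods
fi
```

On the sample, the one client with three POSTs to search.php stands out immediately, and the two non-allow-listed requests are the local OPTIONS dummy connection and a TRACE. The internal dummy connection from ::1 is Apache's own keepalive probe, not an attacker, so it should not be counted as traffic when judging load.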

Once again, thanks a lot snakeoilos. I'll do points 1 and 5, already did 2 and 4. I really wouldn't change my theme for now, because everyone is used to it and it will be weird af haha, but if I have no choice, I'll do it later. I'll also search mod_security documentation to see if it can give me some hints.

(2018-12-17, 03:53 PM)labrocca Wrote: [ -> ]
Quote: Yes, I do host my website in my VPS, but I'm pretty sure it's not a DDoS but a SQL Exploit or Injection

Weak VPS + Bad Plugin = Slow Site

Have you tweaked your my.conf file? Do you use the debug page of MyBB on all major pages?

You should put your CSS into cache. Looks like they load from css.php which might mean you don't have your cache directory (/root/cache/themes/) as writable.

Quote: ::1 - - [14/Dec/2018:05:35:11 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.25 (Debian) OpenSSL/1.0.2l (internal dummy connection)"
Try to also block any connections that are not GET/POST/HEAD. Above call is an OPTIONS.
https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html

Do you run Cloudflare? This can help you with security features.

Realistically a capable sys admin should be able to view logs of HTTP and the server to figure out what's going on. I doubt it's a DDOS attack. Those are generally speaking more obvious to see in logs. My guess is that you don't have enough resources designated to MySQL. How much RAM is on the VPS? I hope at least 8GB. Cores don't really matter as much as the RAM.
It's not a weak VPS. It has 16GB RAM and 8 4.2GHz cores, and really good bandwidth. It is provided by OVH and has an integrated anti-DDoS system that works really well.
No, I didn't tweak any config file for now. I'll take a look over /root/cache/themes permissions to see if that could be happening, but I don't think that's the source of that savage CPU consumption.
Thanks a lot for the tip of blocking connection types, I'll do that. I run Cloudflare, yes, but anyone is able to get my public IP anyways because of my gameservers. It helps me a lot to block some connections to my website tho.
About your last point, as I said, it's impossible that MySQL consumes 8 4.2GHz cores. And it happens when that hacker wannabe attacks, I know because I know who the attacker is, just a kiddo that wants to take down my gameservers but he's not able to do it yet. My RAM wasn't affected at all by MySQL when I was receiving the attacks.
OP's VPS has 16 GB RAM and 8 cores I believe. Not entirely sure how reliable those values are really TBH, for all we know the host is over-extended and is thrashing.

But then he said restarting Apache2 and MariaDB and everything is back to normal.
(2018-12-17, 11:51 PM)snakeoilos Wrote: [ -> ]OP's VPS has 16 GB RAM and 8 cores I believe.

8 cores means nothing. 8 dedicated cores, or are they shared? RAM isn't really going to help you unless you're not reaching a CPU bottleneck when an attack occurs.
My last reply is waiting for an admin to be approved, for some reason.
I'm sure it's not because VPS specs.

16GB RAM and 8 cores at 4.2GHz.
That's enough resources. Someone needs a site admin account to review debug info and then possibly root server access.
One small thing to note: when you use cpulimit, 100% means all of ONE core; did you really mean to limit MariaDB to 20% of ONE core, or 20% of ALL cores? Based on your site size, 20% of one core might not be enough during peak times.
(2018-12-20, 06:56 PM)laie_techie Wrote: [ -> ]One small thing to note: when you use cpulimit, 100% means all of ONE core; did you really mean to limit MariaDB to 20% of ONE core, or 20% of ALL cores? Based on your site size, 20% of one core might not be enough during peak times.


20% of all cores was what I intended to do, cpulimit does it for a single core?
(2018-12-26, 11:12 PM)zAnonimo Wrote: [ -> ]
(2018-12-20, 06:56 PM)laie_techie Wrote: [ -> ]One small thing to note: when you use cpulimit, 100% means all of ONE core; did you really mean to limit MariaDB to 20% of ONE core, or 20% of ALL cores? Based on your site size, 20% of one core might not be enough during peak times.


20% of all cores was what I intended to do, cpulimit does it for a single core?

cpulimit can work for multiple cores, but the limits you specify have to reflect this. If you have 8 cores and want to limit to 20% of all cores, you need to tell cpulimit 160 (20% * 8 cores).

cpulimit -e mariadb -l 160
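Because cpulimit's limit is "percent of one core", the safe way to express "20% of all cores" is to derive the value from the core count rather than remembering to multiply by hand, which is what the 20%-of-one-core mix-up above came from. The helper below is an added example (not part of cpulimit and not from either poster); it reads the core count with nproc, scales the percentage, rejects percentages above 100 (more than all cores is meaningless), and prints the resulting cpulimit command line, which uses only the -e and -l options shown in the thread.

```shell
#!/bin/sh
# cpulimit's -l/--limit is in percent of ONE core: 100 = one full core.
# To cap a process at a share of ALL cores, scale the percentage by the core count.

# Number of online cores; falls back to 1 when nproc is unavailable.
core_count() { nproc 2>/dev/null || echo 1; }

# cpulimit_value PCT_OF_ALL_CORES CORES -> the value to pass to cpulimit -l.
# A percentage outside 1..100 is rejected: more than 100% of all cores is meaningless.
cpulimit_value() {
    pct=$1; cores=$2
    if [ "$pct" -lt 1 ] || [ "$pct" -gt 100 ]; then
        echo "percentage must be between 1 and 100" >&2
        return 1
    fi
    echo $((pct * cores))
}

# cpulimit_cmd EXE PCT [CORES] -> the command line to run (hypothetical wrapper).
# CORES defaults to the machine's own count, so the same call works on any host.
cpulimit_cmd() {
    exe=$1; pct=$2; cores=${3:-$(core_count)}
    limit=$(cpulimit_value "$pct" "$cores") || return 1
    echo "cpulimit -e $exe -l $limit"
}

# On an 8-core box, `cpulimit_cmd mariadb 20` prints: cpulimit -e mariadb -l 160
if [ "${1:-}" = "demo" ]; then
    cpulimit_cmd mariadb 20
fi
```

Note that capping the database this way only hides the symptom: MariaDB under a tight cap will queue the expensive queries rather than run them, so page latency rises while the CPU graph looks flat. Identifying which requests trigger the heavy queries (the search and posting POSTs discussed earlier in the thread) is still the fix.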