My homepage is highly unstable: I need to reboot the server manually twice a day. It had run for months without any issues (the last reboot was 2 weeks ago), but things are getting worse.

I frequently get a corrupted mos_sessions table, MySQL dies sometimes, my Plesk panel is no longer reachable, and so on...
While I am still looking in the log files for what it could be (port scan? rootkit? denial of service?), here is what I plan to do in the next few days (I will be on holiday).
The load is huge, 100,000 users per month compared to January (4,000 users per month), but that should not bring an Opteron with 1 GB of RAM down... (the server is an MR2 from Strato.de)

  1. MySQL is already using an optimized my.cnf for the OpenSEF.org SEO engine
    # The following options will be passed to all MySQL clients
    [client]
    port        = 3306
    socket      = /var/lib/mysql/mysql.sock

    # The MySQL server
    [mysqld]
    port        = 3306
    socket      = /var/lib/mysql/mysql.sock
    skip-locking
    skip-innodb                     # MyISAM only: there is no InnoDB buffer pool to size
    max_connections = 500
    key_buffer = 150M               # global MyISAM index cache, allocated once
    max_allowed_packet = 16M
    table_cache = 1500              # open tables cost file descriptors, see open_files_limit below
    net_buffer_length = 8K
    # Per-connection buffers: each of the following can be allocated for every connection.
    # Worst case with 500 connections: 500 x (512K + 1M + 1M + 1M) = about 1.7 GB,
    # on top of the 182M of global buffers (key_buffer + query_cache_size), on a 1 GB machine.
    read_rnd_buffer_size = 512K
    myisam_sort_buffer_size = 64M   # only used by REPAIR TABLE / ALTER TABLE / index rebuilds
    join_buffer_size = 1M
    read_buffer_size = 1M
    sort_buffer_size = 1M
    thread_cache_size = 128
    wait_timeout = 14400            # idle connections keep their slot (and buffers) for 4 hours
    connect_timeout = 10
    max_connect_errors = 10         # a host with this many aborted connects is blocked until FLUSH HOSTS
    query_cache_limit = 1M
    query_cache_size = 32M          # global, allocated once
    query_cache_type = 1
    thread_concurrency=4

    server-id   = 1

    # The mysqld_safe wrapper script
    [mysqld_safe]
    open_files_limit = 8192         # table_cache = 1500 needs roughly two descriptors per open MyISAM table
    err-log=/var/lib/mysql/mysqld.log


    [mysqldump]
    quick
    max_allowed_packet = 16M

    [mysqlimport]
    local = 1

    [mysql]
    no-auto-rehash
    # safe-updates makes the interactive client refuse UPDATE/DELETE statements
    # that use neither a key in the WHERE clause nor a LIMIT
    safe-updates

    # isamchk is for the legacy ISAM table format, myisamchk for MyISAM tables
    [isamchk]
    key_buffer = 20M
    sort_buffer_size = 20M
    read_buffer = 2M
    write_buffer = 2M

    [myisamchk]
    key_buffer = 64M
    sort_buffer = 64M
    read_buffer = 16M
    write_buffer = 16M

    [mysqlhotcopy]
    interactive-timeout

  2. I switched the OpenSEF.org SEO engine OFF 5 minutes ago (I had 9,500 database-based rewriting rules); the site is now lightning fast...
  3. I am looking in the log files; hackers are not all that smart and I should see something there... (or at least, nowadays anyone can run a botnet and use penetration software without knowing how it works)
  4. I may deactivate some subdomains to better determine whether it is a software bug or an attack on one of them: my Wiki, Forums, Demo, Demo2, Shop
  5. Server hardening 1: I will update the server with YaST (the SuSE package manager) and enable automatic updates
  6. Server hardening 2: I will run chkrootkit once more
    chkrootkit is a tool to locally check for signs of a rootkit (a rootkit is a set of tools for hiding files/directories/processes after a server/desktop break-in...)
    and
    rkhunter: open-source GPL rootkit scanner for Unix-like systems. Scans for rootkits, trojans, backdoors and local exploits.
  7. Server hardening 3: either install SELinux (Security-Enhanced Linux)
    Security-enhanced Linux is a research prototype of the Linux® kernel and a number of utilities with enhanced security functionality designed simply to demonstrate the value of mandatory access controls to the Linux community and how such controls could be added to Linux. The Security-enhanced Linux kernel contains new architectural components originally developed to improve the security of the Flask operating system. These architectural components provide general support for the enforcement of many kinds of mandatory access control policies, including those based on the concepts of Type Enforcement®, Role-based Access Control, and Multi-level Security.
    and/or
    AppArmor gives you network application security via mandatory access control for programs, protecting against the exploitation of software flaws and compromised systems. AppArmor includes everything you need to provide effective containment for programs (including those that run as root) to thwart attempted exploits and even zero-day attacks.
    But both will be rather difficult to install because the server runs SuSE 9.3, and they may also interfere with Plesk....
  8. Server hardening 4: I will add mod_security
    ModSecurity™ is an open source intrusion detection and prevention engine for web applications (a web application firewall). Operating as an Apache web server module or standalone, the purpose of ModSecurity is to increase web application security, protecting web applications from known and unknown attacks.
    and eventually document it in an article.
  9. Server hardening 5: I will monitor the number of SSH login attempts to stop sshd logins that use simple username/password combinations or dictionary-based attacks.
    from http://www.linuxquestions.org/questions/showthread.php?t=340366
    Several reports indicate that the malicious code is a scanner designed to identify systems with weak usernames/passwords. Once a weak system is identified, its IP address is appended to a list for manual exploitation later on. However, the possibility of an unknown exploit has not been ruled out.

    All Linux users are recommended to implement a sensible username and password policy in order to avoid being compromised by this tool. An example of a sensible policy would be at least the use of non-dictionary, alphanumeric + punctuation characters. Restricting sshd access to only those systems necessary will further reduce the possibility of compromise. Access restriction can be done using iptables or tcp_wrappers (hosts.allow/deny).

    Further information about this tool and failed sshd logins can be found here:
    http://lists.netsys.com/pipermail/fu...ly/024612.html
    http://dev.gentoo.org/~krispykringle/sshnotes.txt
    http://isc.sans.org/diary.php?date=2004-08-04
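
Since step 1 hands out per-connection buffers to up to 500 connections on a machine with 1 GB of RAM, here is an added check (my own example, not part of the original post or of MySQL) that reads the [mysqld] section of a my.cnf and prints the worst-case memory the server could reach: the global buffers (key_buffer or key_buffer_size, and query_cache_size) plus max_connections times the per-connection buffers (sort_buffer_size, read_buffer_size, read_rnd_buffer_size, join_buffer_size). The my.cnf it reads is a constructed sample carrying the numbers from step 1; it repeats two keys on purpose, because mysqld keeps the last value it sees and so does the script.

```shell
#!/bin/sh
# Worst-case memory budget of a my.cnf [mysqld] section, in MB:
#   global buffers + max_connections x per-connection buffers
# Added example. The sample file is constructed: same numbers as step 1,
# with sort_buffer_size and read_buffer_size given twice (the last value wins).

SAMPLE_CNF=$(mktemp) || exit 1
trap 'rm -f "$SAMPLE_CNF"' EXIT
cat > "$SAMPLE_CNF" <<'EOF'
[client]
port = 3306

[mysqld]
skip-innodb
max_connections = 500
key_buffer = 150M               # global
sort_buffer_size = 512K
read_buffer_size = 256K
read_rnd_buffer_size = 512K
join_buffer_size = 1M
read_buffer_size = 1M
sort_buffer_size = 1M
query_cache_size = 32M

[mysqld_safe]
open_files_limit = 8192
EOF

# mysql_mem_budget MYCNF
# Prints one line: "<global MB> <per-connection MB> <max_connections> <worst case MB>".
# Only the [mysqld] section is read; '#' comments are stripped; K/M/G suffixes
# are understood and bare numbers are bytes. A missing max_connections falls
# back to the server default of 100.
mysql_mem_budget() {
    awk '
        function mb(v,  u, n) {
            if (v == "") return 0
            u = toupper(substr(v, length(v), 1)); n = v + 0
            if (u == "G") return n * 1024
            if (u == "M") return n
            if (u == "K") return n / 1024
            return n / 1048576
        }
        /^\[/ { section = $0; next }
        section == "[mysqld]" {
            sub(/#.*/, ""); gsub(/[ \t]/, "")
            if (index($0, "=")) { split($0, kv, "="); opt[kv[1]] = kv[2] }   # last value wins
        }
        END {
            kb     = ("key_buffer_size" in opt) ? opt["key_buffer_size"] : opt["key_buffer"]
            global = mb(kb) + mb(opt["query_cache_size"])
            per    = mb(opt["sort_buffer_size"]) + mb(opt["read_buffer_size"])
            per   += mb(opt["read_rnd_buffer_size"]) + mb(opt["join_buffer_size"])
            conns  = ("max_connections" in opt) ? opt["max_connections"] + 0 : 100
            printf "%.0f %g %d %.0f\n", global, per, conns, global + conns * per
        }' "$1"
}

# Demo against the constructed file; compare the last figure with the RAM of the box.
mysql_mem_budget "$SAMPLE_CNF" | while read -r g p c w; do
    echo "global ${g}M + ${c} connections x ${p}M = worst case ${w}M (the MR2 has 1024M)"
done
```

The figure is an upper bound: a connection only allocates a buffer when a query needs it, so a quiet server sits far below it, but it is the number that matters when a traffic spike fills all 500 slots at once. With the step 1 values the server can be asked for roughly 1.9 GB on a 1 GB machine; lowering max_connections or the per-connection buffers brings the bound back under physical RAM.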

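For step 9, here is an added example (mine, not from the original post or the quoted thread): a POSIX shell script that counts failed sshd logins per source address in syslog-format lines, lists the addresses at or above a threshold, and prints the tcp_wrappers hosts.deny line and the iptables rule that would block each of them, without applying anything. The log lines are constructed (RFC 5737 documentation addresses, not real attackers); on the real server point it at the file sshd logs to, typically /var/log/messages on SuSE.

```shell
#!/bin/sh
# Count failed sshd logins per source address and print the block rules
# (tcp_wrappers hosts.deny entry + iptables rule) for addresses over a threshold.
# Nothing is applied: the rules are printed for review.
# Added example; the log below is constructed, not a capture from the server.

SAMPLE_LOG=$(mktemp) || exit 1
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jul 12 03:14:07 mr2 sshd[12345]: Failed password for invalid user test from 203.0.113.7 port 51234 ssh2
Jul 12 03:14:09 mr2 sshd[12346]: Failed password for root from 203.0.113.7 port 51236 ssh2
Jul 12 03:14:10 mr2 sshd[12347]: Illegal user admin from 203.0.113.7
Jul 12 03:14:12 mr2 sshd[12348]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jul 12 03:15:01 mr2 sshd[12350]: Accepted publickey for cedric from 198.51.100.20 port 40000 ssh2
Jul 12 03:16:30 mr2 sshd[12351]: Failed password for cedric from 198.51.100.20 port 40002 ssh2
Jul 12 03:16:35 mr2 sshd[12352]: Accepted password for cedric from 198.51.100.20 port 40003 ssh2
Jul 12 03:20:00 mr2 sshd[12360]: Did not receive identification string from 192.0.2.99
EOF

# failed_login_ips LOGFILE
# Prints "<count> <ip>" per source address, most failures first. Matches the
# "Failed password for ..." and "Illegal user ..." / "Invalid user ..." lines
# (older and newer OpenSSH wording); connection-only noise such as
# "Did not receive identification string" is not counted as a login failure.
failed_login_ips() {
    awk '/sshd\[[0-9]+\]: (Failed password for|Illegal user|Invalid user) / {
             for (i = 1; i <= NF; i++) if ($i == "from") { print $(i + 1); break }
         }' "$1" | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# offenders LOGFILE THRESHOLD
# Prints only the addresses with at least THRESHOLD failures, one per line.
offenders() {
    failed_login_ips "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# deny_rules IP...
# For each address, prints the /etc/hosts.deny line (tcp_wrappers; sshd must be
# built with libwrap for it to matter) and the equivalent iptables rule.
deny_rules() {
    for ip in "$@"; do
        echo "hosts.deny: sshd: $ip"
        echo "iptables:   iptables -I INPUT -s $ip -p tcp --dport 22 -j DROP"
    done
}

# Demo: three or more failures in the sample makes an address a candidate.
# The legitimate user who mistyped once (198.51.100.20) stays below the line.
deny_rules $(offenders "$SAMPLE_LOG" 3)
```

Run it from cron against the live log and mail yourself the output before adding anything to hosts.deny or iptables: a threshold of 3 over a whole day would also catch a colleague with a broken key, so check the usernames on the matching lines first (a burst of "root", "admin" and "test" is the dictionary scanner described above).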
Holidays are not starting as nicely as expected ;-(