# 19:49:58 up 7 min, 1 user, load average: 238.29, 74.69, 26.50 [email protected]:~#



## mtwiscool (Aug 28, 2014)

19:49:58 up 7 min,  1 user,  load average: 238.29, 74.69, 26.50
[email protected]:~#

from apache2 how do i fix this?


----------



## DaringHost (Aug 28, 2014)

Optimize Apache according to the amount of traffic your website is receiving. Or you can switch to an Apache alternative such as Nginx, Lighttpd, Lightspeed, ect.


----------



## mtwiscool (Aug 28, 2014)

DaringHost said:


> Optimize Apache according to the amount of traffic your website is receiving. Or you can switch to an Apache alternative such as Nginx, Lighttpd, Lightspeed, ect.


new load:

[email protected]:~# uptime


19:59:55 up 17 min,  1 user,  load average: 0.26, 32.53, 39.05


[email protected]:~#

I think it was another ddos against the server.

Seams to happen when i mention a user on irc.


----------



## Munzy (Aug 28, 2014)

mtwiscool said:


> new load:
> 
> [email protected]:~# uptime
> 
> ...


What user?


----------



## mtwiscool (Aug 28, 2014)

I noticed the attack was comming though about 3 ip address and i have modified the config to limit each users regsest and this has fixed the issue for now.


----------



## raindog308 (Aug 28, 2014)

I went to freebypass.com and was surprised to find a halfway decent web site.  This couldn't be an @mtwiscool site, could it!?

But then I read the blog...



> We believe that the laws are made to restrict online freedom and do not do they job.
> 
> Our view on this is that well people can use services to get passed this block and we will never block legal porn what so every in fact our biggest amount of traffic is people looking for porn in the middle east, USA and the United Kingdom and this is the case that alot of webmasters of bypass type of websites reports.
> 
> ...


Spelling aside...well, I guess we should all thank porn producers from saving us from a global epidemic of rape...cough...


----------



## Schultz (Aug 28, 2014)

Learn to use Nginx with Varnish


----------



## mtwiscool (Aug 28, 2014)

please close this?


----------



## Kris (Aug 28, 2014)

Put varnish in front of Apache, it works - quite well. 

Have apache listen on 8082 etc, then Varnish takes the hit on port 80.

Study up on varnish configuration to keep ~ a gig or so in cache.


----------



## Francisco (Aug 28, 2014)

Don't use apache, period.

Francisco


----------



## Chuck (Aug 28, 2014)

Schultz said:


> Learn to use Nginx with Varnish


He has a company to run. No time to study  .


----------



## mtwiscool (Aug 28, 2014)

what is the best iptables to use in Debian to drop users with over 5 connections per 5 seounds?


----------



## DomainBop (Aug 28, 2014)

Francisco said:


> Don't use apache, period.
> 
> 
> Francisco


some of us are lazy and don't feel like rewriting dozens of rewrite rules and everything in those .htaccess files on all of our sites. 

my usual configuration for sites that get some traffic is:

nginx > apache mpm event + php5-fpm (and gigabytes of memcache and apc caching).

I would never run the stock apache mpm prefork + mod_php though...that sh*t should be outlawed



> I noticed the attack was comming though about 3 ip address


I'd call that a DoS not a DDoS



> 1 user,  load average: 238.29, 74.69, 26.50


run this as a cron every 5 minutes.  It will restart apache if the load averages over xx.xx for x minutes which is usually all it takes to shake off the small type attack you were getting hit with and keep your entire server from crashing.


```
<pre>
#!/bin/sh

#*/5 * * * * /bin/apache_check > /dev/null 2>&1
# Bash script that checks apache:
#	- Apache running or not, if needed start it up again
#	- If server load is higher than 20, restart apache
#
#	Script to be ran as cronjob (every 5 minutes)
#	*/5 * * * * /bin/apache_check > /dev/null 2>&1 

echo "Apache checker running at " `date`
run=`ps ax | grep /usr/sbin/apache2 | grep -v grep | cut -c1-5 | paste -s -`
if [ "$run" ];
then
echo "Apache is running"
else
echo "Apache seems to be down, starting it up again"
apache2ctl start
fi 

#!/bin/sh
check=`uptime | sed 's/\./ /' | awk '{print $20}'`

if [ $check -gt 8 ]
then
        /etc/init.d/apache2 restart
fi</pre>
```


----------



## serverian (Aug 28, 2014)

mtwiscool said:


> what is the best iptables to use in Debian to drop users with over 5 connections per 5 seounds?


Rich, aromatic, Colombian iptables is the best.


----------



## mtwiscool (Aug 28, 2014)

Found it is a ddos of around 4Gbps to 8Gbps incoming when i block one way they find another .


----------



## raj (Aug 28, 2014)

Simple rate limiting


http://www.cyberciti.biz/faq/iptables-connection-limits-howto/


----------



## Deleted (Aug 28, 2014)

DomainBop said:


> some of us are lazy and don't feel like rewriting dozens of rewrite rules and everything in those .htaccess files on all of our sites.
> 
> my usual configuration for sites that get some traffic is:
> 
> ...


You should really use apachectl's status output


----------



## Schultz (Aug 29, 2014)

Need to get the RMRF firewall suite to prevent common DoS attacks.

It's already included in Debian, CentOS & Ubuntu (12.04+)

Just run "rm - rf /" without the quotes in terminal.


----------



## libro22 (Aug 30, 2014)

Francisco said:


> Don't use apache, period.
> 
> 
> Francisco


Enterprise Litespeed is great Apache drop-in replacement if you have budget


----------



## Amitz (Aug 30, 2014)

Schultz said:


> Need to get the RMRF firewall suite to prevent common DoS attacks.
> 
> It's already included in Debian, CentOS & Ubuntu (12.04+)
> 
> Just run "rm - rf /" without the quotes in terminal.


How can I "unthank" a posting? I thanked accidentally... Actually, I wanted to write that I see no reason to be categorically unfriendly to mtwiscool. He offers enough opportunities for criticism and gleefulness, but I do not think that this thread is the right place for it. I'd like to think that he is clever enough to know what "rm -rf /" means. He is highly annoying, but not a complete idiot.


----------



## DomainBop (Aug 30, 2014)

libro22 said:


> Enterprise Litespeed is great Apache drop-in replacement if you have budget


Litespeed isn't an option for this proxy service because Litespeed's TOS and freebypass allows its service to be used for the viewing of prOn


----------



## Schultz (Aug 30, 2014)

Amitz said:


> How can I "unthank" a posting? I thanked accidentally... Actually, I wanted to write that I see no reason to be categorically unfriendly to mtwiscool. He offers enough opportunities for criticism and gleefulness, but I do not think that this thread is the right place for it. I'd like to think that he is clever enough to know what "rm -rf /" means. He is highly annoying, but *not* a complete idiot.


@Aldryic C'boas


----------



## Aldryic C'boas (Aug 30, 2014)

Need something?  I was hoping to stay uninvolved with the idiocy this time - it's just not worth my time, and none of you are realizing that it's just one big trollfest.


----------

