Submitted by info@orderlastm... on Thu, 08/03/2017 - 11:50
One of our WordPress sites was down for an hour. I tried to match the time; these 2 lines are not something we understand. If we got attacked, what should we do next time?
I use a Linode 4GB plan + Virtualmin (paid member) + KeyCDN (paid member).
What else can I do?
196.52.43.57 - - [02/Aug/2017:15:41:59 -0400] "GET / HTTP/1.1" 200 29574 "-" "-"
37.9.113.78 - - [02/Aug/2017:15:42:12 -0400] "GET /manual/de/mod/mod_log_referer.html HTTP/1.1" 404 439 "-" "Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)"
Status:
Active
Comments
Submitted by andreychek on Thu, 08/03/2017 - 12:24 Comment #1
Howdy -- hmm, I'm not familiar with keycdn, but we can certainly look into the problem that you're seeing.
What is the domain name that you're having this problem with?
And what happens when trying to browse to that website, are you receiving an error of some kind?
Submitted by info@orderlastm... on Thu, 08/03/2017 - 12:48 Comment #2
There isn't anything to do with KeyCDN; I just want to tell you what services I am using on this site.
We just cannot log in or reset the password; the site seems to be frozen.
There is no error at all, we just cannot log in as usual, and when I try a password reset, it says the email is invalid....
Now we can reset, but I did not do anything.
I realized the IP address is not local.
www.signwareexpress.com
Submitted by andreychek on Thu, 08/03/2017 - 13:52 Comment #3
Hmm, yeah your site does seem to be working now... you're saying that you were able to reset your password?
I wonder if maybe there was a temporary issue with the CDN?
If it happens in the future, another thing to try might be to just run the command "uptime", and ensure that there isn't a high load on your server. If there was a high load, that could cause some problems.
Is everything else working now though?
Submitted by info@orderlastm... on Thu, 08/03/2017 - 14:39 Comment #4
Yes it is, thanks for replying.
Instead of SSL, will HTTP/2 reduce this kind of attack? Because the IP shows it is coming from Moscow.
Submitted by andreychek on Thu, 08/03/2017 - 15:42 Comment #5
I'm not too familiar with using "http/2", though it's difficult to say at the moment what caused the issue you were seeing earlier.
If you're seeing a high amount of traffic from one particular IP address though, you could always try blocking that IP using a firewall, or with the command "route add -host x.x.x.x reject".
Submitted by info@orderlastm... on Thu, 08/03/2017 - 19:00 Comment #6
Andy, can you help me a little with how to check the traffic log? I only go to virtual machine => logs and reports => webalizer report, but I tried a few times with the options and I am not able to dig out a detailed traffic log with IP addresses.
Those are the IPs that come from Moscow:
178.154.171.53 213.180.203.14 37.9.113.78
Submitted by andreychek on Thu, 08/03/2017 - 23:49 Comment #7
It's not uncommon for IPs to come from foreign IP addresses; the key is to determine if there's enough of them that it could have caused a DoS attack.
Unfortunately, that's pretty tough to determine afterwards.
Interpreting the logs is getting a bit outside the scope of our support, though I'll toss out a tidbit I use on my personal servers... I use this command to show a list of what IPs have accessed the website, and how many times that has happened:
cat access_log | awk '{print $1}' | sort | uniq -c | sort -n
There's a lot of things that it doesn't show, such as what time period those requests came through in. Having 1000 requests a minute is a lot worse than 1000 requests over a month. But it's at least a place to start :-)
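Comment #7 points out that the per-IP count hides the time period. The script below is an added example, not code from any participant in this thread: it buckets requests per client IP per minute for an Apache combined-format log like the two lines in the original post. The function names and the sample log lines (documentation-range IPs) are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: count requests per client IP per minute.

# requests_per_minute LOGFILE [THRESHOLD]
# Prints "count dd/Mon/yyyy:HH:MM ip" for every (minute, ip) bucket that has
# at least THRESHOLD requests (default 1), busiest bucket first.
requests_per_minute() {
    awk -v min="${2:-1}" '
        # $1 = client IP, $4 = "[dd/Mon/yyyy:HH:MM:SS"; skip malformed lines
        $4 ~ /^\[/ {
            bucket = substr($4, 2, 17) " " $1   # drop "[" and the seconds
            hits[bucket]++
        }
        END {
            for (b in hits) if (hits[b] >= min) print hits[b], b
        }
    ' "$1" | sort -k1,1nr -k2,3
}

# write_sample_log FILE: constructed sample data, not real traffic.
write_sample_log() {
    {
        for s in 01 02 03 04; do
            printf '192.0.2.10 - - [02/Aug/2017:15:41:%s -0400] "GET / HTTP/1.1" 200 29574 "-" "-"\n' "$s"
        done
        printf '192.0.2.10 - - [02/Aug/2017:15:42:05 -0400] "GET / HTTP/1.1" 200 29574 "-" "-"\n'
        printf '198.51.100.7 - - [02/Aug/2017:15:41:30 -0400] "GET / HTTP/1.1" 200 29574 "-" "-"\n'
        printf '198.51.100.7 - - [02/Aug/2017:15:42:10 -0400] "GET / HTTP/1.1" 200 29574 "-" "-"\n'
        printf '198.51.100.7 - - [02/Aug/2017:15:42:40 -0400] "GET / HTTP/1.1" 200 29574 "-" "-"\n'
    } > "$1"
}

# Demo: show only buckets with 3 or more requests in a single minute.
sample=$(mktemp)
write_sample_log "$sample"
requests_per_minute "$sample" 3
rm -f "$sample"
```

On a real server, pass the domain's access_log instead of the sample file and pick a threshold that is clearly above normal traffic for the site.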
Submitted by JamieCameron on Sun, 09/10/2017 - 09:47 Comment #9
You need to "cd" to the "logs" directory under the domain's home first.