Symptoms

- Health monitor shows high CPU usage of the Apache service in /var/log/plesk/health-alarm.log:

  INFO (6): Server health parameter "Services > Apache CPU usage" changed its status from "green" to "yellow".

- Most of the CPU is occupied by PHP handlers:

  # top -c
  PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
  #### user 20 0 326248 61188 9592 R 62.3 0.2 0:13.12 /usr/bin/php-cgi -c /var/www/vhosts/system/example.com/etc/php.ini
  [...]

- /var/www/vhosts/system/example.com/logs/access_log shows that one IP address is trying to reach the server constantly, up to 4 times per second:

  203.0.113.2 - - [01/Feb/2017:09:47:25 +0100] "GET /feed HTTP/1.0" 301 333 "-" "-"
  203.0.113.2 - - [01/Feb/2017:09:47:25 +0100] "GET /feed/ HTTP/1.0" 200 66990 "-" "-"
  203.0.113.2 - - [01/Feb/2017:09:47:26 +0100] "GET /feed HTTP/1.0" 301 333 "-" "-"
  203.0.113.2 - - [01/Feb/2017:09:47:26 +0100] "GET /feed/ HTTP/1.0" 200 66990 "-" "-"
  203.0.113.2 - - [01/Feb/2017:09:47:27 +0100] "GET /feed HTTP/1.0" 301 333 "-" "-"
  203.0.113.2 - - [01/Feb/2017:09:47:27 +0100] "GET /feed/ HTTP/1.0" 200 66990 "-" "-"

- The error log of the PHP handlers at /var/log/plesk-phpXX-fpm/ and/or /var/log/php-fpm/ grows fast with messages similar to the following:

  WARNING: [pool example.com] child 22459 exited on signal 11 (SIGSEGV) after 0.297603 seconds from start
  NOTICE: [pool example.com] child 22594 started

- The error log of the affected websites (identified in the previous symptom) at /var/www/vhosts/example.com/logs/error_log can contain messages like:

  [proxy:error] [pid 18376:tid 140476751333120] (111)Connection refused: AH02454: FCGI: attempt to connect to Unix domain socket /var/www/vhosts/system/example.com/php-fpm.sock (*) failed
  [proxy_fcgi:error] [pid 18376:tid 140476751333120] [client 123.126.113.158:41314] AH01079: failed to make connection to backend: httpd-UDS
Cause
Denial of service (DoS) attack.
Resolution
Currently, there is no DDoS protection available in Plesk by default, so to block IPs it is necessary to block them manually. Ban the IP address that is trying to access the site using the Plesk Firewall. Use the article below to manage Firewall rules:

How to manage ports and firewall rules on Plesk for Linux server
The following commands may be used to confirm that the firewall was adjusted correctly and that the DoS traffic has stopped:

- Connect to the server via SSH.

- Collect all access logs into one file, including only the current and already processed (uncompressed) logs:

  # find /var/www/vhosts/system/ -name 'access_*' ! -name '*.gz' ! -name '*.webstat' -exec cat {} \; >> /root/ddos.log

- Keep only the records for the exact period of interest:

  # grep -E "02/Oct/2017:0[4-8]" /root/ddos.log >> /root/new_ddos.log

- List the IP addresses found in new_ddos.log together with the number of requests each one made (sorted from the fewest requests to the most):

  # awk '{print $1}' /root/new_ddos.log | sort | uniq -c | sort -n
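The shell pipeline above counts requests per IP over a fixed period. As an added example (not part of the Plesk article and not Plesk's own tooling), the following Python script does the same analysis on Apache combined-format access_log lines and goes one step further: it also computes the peak number of requests per second for each source IP, which is the pattern shown in the symptoms above (one address hitting /feed up to 4 times a second). The log lines, the time window and the threshold of 3 requests per second are constructed sample values for the demonstration; in practice the script would be run over /root/new_ddos.log or the per-domain access_log files.

```python
import re
import sys
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample access_log lines in Apache combined format, modelled on
# the symptom in the article: 203.0.113.2 requesting /feed repeatedly, one
# normal visitor (198.51.100.7), and one malformed line that must be skipped.
SAMPLE_LOG = """\
203.0.113.2 - - [01/Feb/2017:09:47:25 +0100] "GET /feed HTTP/1.0" 301 333 "-" "-"
203.0.113.2 - - [01/Feb/2017:09:47:25 +0100] "GET /feed/ HTTP/1.0" 200 66990 "-" "-"
198.51.100.7 - - [01/Feb/2017:09:47:25 +0100] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.2 - - [01/Feb/2017:09:47:26 +0100] "GET /feed HTTP/1.0" 301 333 "-" "-"
203.0.113.2 - - [01/Feb/2017:09:47:26 +0100] "GET /feed/ HTTP/1.0" 200 66990 "-" "-"
203.0.113.2 - - [01/Feb/2017:09:47:26 +0100] "GET /feed HTTP/1.0" 301 333 "-" "-"
203.0.113.2 - - [01/Feb/2017:09:47:26 +0100] "GET /feed/ HTTP/1.0" 200 66990 "-" "-"
203.0.113.2 - - [01/Feb/2017:09:47:27 +0100] "GET /feed HTTP/1.0" 301 333 "-" "-"
198.51.100.7 - - [01/Feb/2017:10:15:02 +0100] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
this line is garbage and must be skipped
"""

# Apache combined log format: client, identd, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
# Apache timestamp format, e.g. 01/Feb/2017:09:47:25 +0100
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access_log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), TS_FMT)
    except ValueError:
        return None
    return {"ip": m.group("ip"), "ts": ts, "req": m.group("req"),
            "status": int(m.group("status"))}


def parse_log(text):
    """Parse a whole log, silently dropping unparsable lines."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def filter_window(records, start, end):
    """Keep records with start <= timestamp < end; bounds use the log's own
    timestamp format (the equivalent of the grep step in the article)."""
    start_ts = datetime.strptime(start, TS_FMT)
    end_ts = datetime.strptime(end, TS_FMT)
    return [r for r in records if start_ts <= r["ts"] < end_ts]


def count_by_ip(records):
    """Requests per IP, fewest first: awk '{print $1}' | sort | uniq -c | sort -n."""
    return sorted(Counter(r["ip"] for r in records).items(), key=lambda kv: kv[1])


def peak_rate(records):
    """Highest number of requests any single IP made within one second."""
    per_second = defaultdict(Counter)
    for r in records:
        per_second[r["ip"]][r["ts"]] += 1   # log timestamps have 1 s resolution
    return {ip: max(c.values()) for ip, c in per_second.items()}


def flag_sources(records, per_second_threshold=3):
    """IPs whose peak rate reaches the threshold: candidates to review and block."""
    return sorted(ip for ip, rate in peak_rate(records).items()
                  if rate >= per_second_threshold)


if __name__ == "__main__":
    # Read a real log from the path given on the command line, else use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    records = parse_log(text)
    for ip, n in count_by_ip(records):
        print(f"{n:7d} {ip}")
    print("peak requests/second:", peak_rate(records))
    print("candidates to block:", flag_sources(records))
```

Running the script without arguments prints the per-IP counts from the sample, the peak rate per IP, and the single address whose peak rate reaches the threshold. Because the window filter uses the log's own timestamp format, the same `grep`-style period selection can be expressed precisely instead of with a regular expression over the hour digits.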