By: cacivio

I never had problems and now I can not access any of my sites, it shows me error 502

July 19, 2017 607 views
DigitalOcean Debian

Hi,

I am emailing in regards to my server. Since 3 days ago it has been down and I can see a 504 Gateway Time-out. I have checked all the connections and they are all working, but I am still getting the 504 error. This is the same as this link https://www.digitalocean.com/community/questions/how-to-solve-this-error-connect-to-unix-var-run-php5-fpm-sock-failed

I have followed all the instructions to solve this problem, even modifying the config file /etc/php/5.6/fpm/pool.d/

user = www-data
group = www-data
listen = /var/run/php5-fpm.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660

pm = dynamic
; pm.max_children = (total RAM - RAM used by other process) / (average amount of RAM used by a PHP process)
pm.max_children = 15
; pm.start_servers = min_spare_servers + (max_spare_servers - min_spare_servers) / 2
pm.start_servers = 5
pm.min_spare_servers = 5
pm.max_spare_servers = 10

chdir = /

but still getting the same error.

Also, in my /var/log/nginx/error.log I can see the log as follows:

2017/07/19 10:39:40 [error] 572#0: *9379 connect() to unix:/var/run/php5-fpm.sock failed (11: Resource temporarily unavailable) while connecting to upstream, client: 185.188.204.25, server: upram.com.ar, request: "POST /xmlrpc.php HTTP/1.0", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "46.101.214.187"

At this point I don't know what else to try.
I would really appreciate it if you can confirm that my server is up and running correctly and/or give me an idea about what it could be.

My user is cacivio@hotmail.com

Regards,

6 Answers

Hi @cacivio

If you run the command top, I'm guessing you're seeing several php-fpm running at 100% (or very high) CPU load?
It could be that PHP just locked up and you need to restart it:

sudo service php5-fpm restart

I did that, and it lasted 5 minutes. I had never had that problem before, and I did not change anything in my configuration. I could write a script that executes that statement every 5 minutes, but it does not seem to be a viable solution.

  • @cacivio

    Have you updated Nginx and PHP to the newest available version on your version of Debian? From what I can see, it seems like it might be old versions, but I don't know which version of Debian you're using.

    Your WordPress is outdated too - version 4.8 is the newest - and I would guess there are some plugins that could be updated too.

    My guess would be that you're being brute-forced currently, which means someone is trying to gain access to your WordPress installation by sending many requests per second using different username/passwords.
    You can check your Nginx access log to see the activity:

    tail -f /var/log/nginx/access.log
    # Press CTRL+C to exit the tail-command
    

    Do you have any protective measures against login attacks? That would be something like Fail2ban, or WordFence or one of the other WordPress security plugins.

top - 15:13:28 up 3:00, 3 users, load average: 0.20, 0.34, 0.38
Tasks: 109 total, 1 running, 108 sleeping, 0 stopped, 0 zombie
%Cpu(s): 7.5 us, 0.8 sy, 0.0 ni, 87.9 id, 0.0 wa, 0.0 hi, 0.0 si, 3.8 st
KiB Mem: 2058560 total, 854740 used, 1203820 free, 58268 buffers
KiB Swap: 0 total, 0 used, 0 free. 340880 cached Mem

Updated everything and it seems that everything is stable. Thank you very much for your comments.
root@debian-2gb-fra1-01:~# uname -a
Linux debian-2gb-fra1-01 4.11.0-2-amd64 #1 SMP Debian 4.11.11-1 (2017-07-17) x86_64 GNU/Linux
root@debian-2gb-fra1-01:~# nginx -v
nginx version: nginx/1.13.3

  • @cacivio
    Good. Remember to keep everything up-to-date. You're still running WordPress 4.7.5 and there might be some plugins/themes that need updating too.

Apologies, I am under attack again before I finished doing my backup. There are two IPs I want to block in the firewall, but I cannot find where.
Log:
185.188.204.27 - - [19/Jul/2017:20:09:35 -0400] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
185.188.204.27 - - [19/Jul/2017:20:09:36 -0400] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
185.188.204.25 - - [19/Jul/2017:20:09:36 -0400] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
185.188.204.27 - - [19/Jul/2017:20:09:37 -0400] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
185.188.204.25 - - [19/Jul/2017:20:09:37 -0400] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
185.188.204.25 - - [19/Jul/2017:20:09:38 -0400] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
185.188.204.27 - - [19/Jul/2017:20:09:38 -0400] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
185.188.204.27 - - [19/Jul/2017:20:09:39 -0400] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
185.188.204.25 - - [19/Jul/2017:20:09:39 -0400] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
185.188.204.27 - - [19/Jul/2017:20:09:40 -0400] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
185.188.204.25 - - [19/Jul/2017:20:09:40 -0400] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

I want to block two IPs: 185.188.204.25 and 185.188.204.27

  • @cacivio You need to either use the @ to notify people or click the Reply link. Otherwise people won't see your comments unless we browse by :)

    You can block those IPs in the firewall with the following command:

    sudo iptables -A INPUT -s 185.188.204.25 -j DROP
    sudo iptables -A INPUT -s 185.188.204.27 -j DROP
    

    But even better would be to set up Fail2ban or something similar, since it would automatically block IPs after X failed attempts.
    Even though this tutorial is for Ubuntu, it's almost the same instructions for Debian.
    https://www.digitalocean.com/community/tutorials/how-to-protect-wordpress-with-fail2ban-on-ubuntu-14-04

    WordPress is a very robust content-management system (CMS) that is free and open source. Because anyone can comment, create an account, and post on WordPress, many malicious actors have created networks of bots and servers that compromise and spam WordPress sites through brute-force attacks. The tool Fail2ban is useful in preventing unauthorized access to both your Droplet and your WordPress site. It notes suspicious or repeated login failures and proactively bans those IPs by modifying firewall
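
The "block after X attempts in a time window" idea recommended above, applied to access-log lines like the ones posted in this thread. This is an added example, not part of the original thread and not Fail2ban's own code: the function names, the threshold of 5 hits in 10 seconds, and the sample addresses (documentation ranges) are assumptions, and the log format is assumed to be nginx's default "combined" format.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# nginx "combined" access-log prefix: client, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def find_offenders(lines, path="/xmlrpc.php", max_retry=5, find_time_s=10):
    """Return sorted client IPs with >= max_retry POSTs to `path` in find_time_s."""
    find_time = timedelta(seconds=find_time_s)
    recent = defaultdict(deque)      # ip -> timestamps still inside the window
    offenders = set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"].split("?")[0] != path:
            continue                 # malformed line or unrelated request
        try:
            ip = str(ipaddress.ip_address(m["ip"]))  # reject non-address tokens
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > find_time:   # drop hits older than the window
            window.popleft()
        if len(window) >= max_retry:
            offenders.add(ip)
    return sorted(offenders)

def drop_rules(ips):
    """Render the iptables rule used in the thread for each validated address."""
    return [f"sudo iptables -A INPUT -s {ip} -j DROP" for ip in ips]

def sample_line(ip, second, method="POST", path="/xmlrpc.php"):
    # Constructed log line in the same shape as the ones posted in the thread.
    return (f'{ip} - - [19/Jul/2017:20:09:{second:02d} -0400] '
            f'"{method} {path} HTTP/1.0" 499 0 "-" "Mozilla/4.0"')

# Constructed sample: two fast clients (one POST per second), one slow client
# (one POST every 12 s), one ordinary visitor, and one junk line.
SAMPLE = ([sample_line("203.0.113.25", s) for s in range(35, 41)]
          + [sample_line("203.0.113.27", s) for s in range(35, 41)]
          + [sample_line("198.51.100.9", s) for s in range(0, 60, 12)]
          + [sample_line("198.51.100.7", 5, "GET", "/"), "not a log line"])

if __name__ == "__main__":
    for rule in drop_rules(find_offenders(SAMPLE)):
        print(rule)
```

Only the two fast clients are reported; the slow client stays under the threshold unless the window is widened, which is the trade-off to tune before banning automatically.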