So two days ago something happened (no updates, no changes of configuration) and my droplet stopped responding. Ever since, the CPU has been at 100% (unless I
systemctl stop httpd), and more specifically it is the php-fpm process. More specifically, it is one user, for which the error.log is filled up with strings of this sort:
[fcgid:warn] [pid 20704] [client xxx.xxx.xxx.xxx:xxxxx] mod_fcgid: can't apply process slot for /home/xxx/fcgi-bin/php7.1.fcgi, referer: https://www.youtube.com/results?search_query=jKOJ5Bs
(Sometimes it is google, bing, yahoo, …). So I thought it was a DDoS attack and I thus made a new rule in my fail2ban like so:
[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath = /var/log/varnish/varnishncsa.log
maxretry = 100
findtime = 30
backend = polling
journalmatch =
banaction = iptables-multiport
action = %(action_)s
(polling because by default varnish runs on systemd).
The configuration seems to work, and in fact if I run
fail2ban-client status http-get-dos I do get some bans (currently 6).
However the CPU is still 100%… Any other ideas? Something else to look at I may be missing?
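A check that fits the situation described in the post, as an added example that is not part of the original post: it applies the jail's maxretry = 100 / findtime = 30 thresholds per client to the mod_fcgid warnings, to show whether the load comes from a few clients a per-IP ban can catch or is spread across many. The timestamp prefix (Apache 2.4 default error-log layout), the sample log lines and the function names are assumptions constructed for the example.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlsplit

MAXRETRY, FINDTIME = 100, timedelta(seconds=30)  # from the [http-get-dos] jail

# Apache 2.4 default error-log layout (assumed); the post's excerpt omits the timestamp.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[fcgid:warn\] \[pid \d+\] \[client (?P<ip>[0-9A-Fa-f.:]+):\d+\] "
    r"mod_fcgid: can't apply process slot for \S+?(?:, referer: (?P<ref>\S+))?$"
)

def parse(lines):
    """Yield (timestamp, client_ip, referer_host) for each mod_fcgid slot warning."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # other modules, levels, or lines without a timestamp
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
        host = urlsplit(m["ref"]).hostname if m["ref"] else None
        yield ts, m["ip"], host

def summarize(events, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return (peak hits per IP in any findtime window, referer counts, IPs over threshold)."""
    windows, peak, referers = defaultdict(deque), Counter(), Counter()
    for ts, ip, host in sorted(events, key=lambda e: e[0]):
        w = windows[ip]
        w.append(ts)
        while ts - w[0] > findtime:  # drop hits that fell out of the window
            w.popleft()
        peak[ip] = max(peak[ip], len(w))
        referers[host] += 1
    bannable = sorted(ip for ip, n in peak.items() if n >= maxretry)
    return peak, referers, bannable

def sample_log():
    """Constructed log: one noisy client plus 80 single-hit clients (documentation IPs)."""
    fmt = ("[Wed Oct 11 14:00:{s:02d}.{us:06d} 2023] [fcgid:warn] [pid 20704] [client {ip}:40000] "
           "mod_fcgid: can't apply process slot for /home/xxx/fcgi-bin/php7.1.fcgi, referer: {ref}")
    noisy = [fmt.format(s=i % 20, us=i, ip="198.51.100.7", ref="https://www.youtube.com/results?search_query=a") for i in range(120)]
    quiet = [fmt.format(s=i % 50, us=0, ip=f"203.0.113.{i + 1}", ref="https://www.google.com/") for i in range(80)]
    return noisy + quiet

if __name__ == "__main__":
    peak, referers, bannable = summarize(parse(sample_log()))
    print(f"{len(peak)} clients seen, over jail threshold: {bannable}")
    print("top referer hosts:", referers.most_common(3))
```

In the constructed sample only one of 81 clients crosses the threshold, while 80 of the 200 warnings come from clients a per-IP jail with these values would never ban.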