Sudden CPU 100% with php-fpm on WordPress website

September 15, 2017
Apache CentOS
By: cellu

Hi everybody,

So two days ago something happened (no updates, no changes of configuration) and my droplet stopped responding. Ever since, the CPU is at 100% (unless I systemctl stop httpd), and more specifically the php-fpm process. More specifically, it is one user, for which the error.log is filled up with strings of this sort:

[fcgid:warn] [pid 20704] [client xxx.xxx.xxx.xxx:xxxxx] mod_fcgid: can't apply process slot for /home/xxx/fcgi-bin/php7.1.fcgi, referer: https://www.youtube.com/results?search_query=jKOJ5Bs

(Sometimes it is Google, Bing, Yahoo, ...).
So I thought it was a DDOS attack and I thus made a new rule on my fail2ban like so:

[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath   = /var/log/varnish/varnishncsa.log
maxretry = 100
findtime = 30
backend = polling
journalmatch = 
banaction = iptables-multiport
action = %(action_)s

(I specify polling because by default varnish runs on systemd).
The configuration seems to work, and in fact if I run fail2ban-client status http-get-dos I do get some bans (currently 6).

However the CPU is still 100%... Any other ideas? Something else to look at I may be missing?

Thanks
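
As an added example (not part of the original post): a sketch that replays access-log lines against the jail's maxretry = 100 / findtime = 30 thresholds, to show which clients would be banned and how many requests come from clients that stay under the limit. It assumes varnishncsa's default NCSA combined format and that the filter counts every GET line (the http-get-dos filter itself is not shown in the post); the function names and log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

MAXRETRY = 100   # from the [http-get-dos] jail in the post
FINDTIME = 30    # seconds, from the same jail

# Assumption: NCSA combined format, client IP first, every GET counts as a hit.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET ')

def would_ban(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Approximate fail2ban counting: return (IPs reaching maxretry GETs
    within findtime seconds, total GETs per IP)."""
    windows = defaultdict(deque)   # ip -> timestamps still inside the window
    totals = defaultdict(int)
    banned = set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue               # not a GET line in the assumed format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip = m["ip"]
        totals[ip] += 1
        w = windows[ip]
        w.append(ts)
        while (ts - w[0]).total_seconds() > findtime:
            w.popleft()            # drop hits older than findtime
        if len(w) >= maxretry:
            banned.add(ip)
    return banned, dict(totals)

def sample_log():
    """Constructed sample: one noisy client (150 GETs in 15 s) plus 50 clients
    sending 60 GETs each over 30 s, i.e. each one below the jail's limit."""
    t0 = datetime(2017, 9, 15, 12, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET /?s={n} HTTP/1.1" 200 512 "-" "-"'
    events = [(t0 + timedelta(seconds=i / 10), "203.0.113.7") for i in range(150)]
    for host in range(1, 51):
        events += [(t0 + timedelta(seconds=i / 2), f"198.51.100.{host}")
                   for i in range(60)]
    events.sort()
    return [fmt.format(ip=ip, ts=ts.strftime("%d/%b/%Y:%H:%M:%S %z"), n=n)
            for n, (ts, ip) in enumerate(events)]

if __name__ == "__main__":
    banned, totals = would_ban(sample_log())
    rest = sum(n for ip, n in totals.items() if ip not in banned)
    print(f"would ban: {sorted(banned)}; GETs from unbanned clients: {rest}")
```

To check real traffic, pass an open handle on /var/log/varnish/varnishncsa.log to would_ban() instead of sample_log().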

1 Answer

I would suggest mod_security. It works on Apache, IIS, and nginx, and can do a lot to prevent D/DoS attacks.
Here's a random tutorial: http://www.webtrafficexchange.com/how-mitigate-ddos-modsecurity-and-modevasive-centos-6
