what is happening to my vps?

namhuy

1 week

1 hour

Uhmm didn't know until I log in solus, what is happening to my vps?

namhuy

Jack said: Have you opened a ticket at the provider?

not yet, i wanna know if there is something i can do on my part first

black

What's the problem? Looks like a normal graph to me.

namhuy

why incoming traffic suddenly jump to 1 m/s since may 18. I have this vps for months and the configs are the same for months

black

@namhuy said:
why incoming traffic suddenly jump to 1 m/s since may 18. I have this vps for months and the configs are the same for months

Check trafshow and look at the destination port where heavy traffic is going to. Then do netstat -lnp to see which process is serving them. If it's a web server, check web server logs.

Boxode

DDoS?

darkshire

SoDD?

namhuy

I have been looking at trafshow and netstat, mostly http traffic and sometimes google dns queries, nothing out of ordinary, but according to solus stat I have spike every 20 mins or so

ironhide

Your VPS took a maternity leave...

Gunter

Perhaps it got hacked and an email/webpage scraper is running?

zionvps

install iftop and run it. you will see what is the bandwidth spike

zionvps

also, if you are hosting static files, it could be your site has less traffic, and people come in intervals. when they request a file the graph fires up. i suspect this because 1m is quite low bandwidth being consumed

sz1hosting

comment removed due to insults

deejay31

sz1hosting said: Change your password to a complicated one via ssh

Or turn off passwords completely and use certs

namhuy

sz1hosting said: Change your password to a complicated one via ssh then investigate whats going on look at the running processors - services etc and ask google for info about them.

when does those logs become ssh problem !?

btw, found the problem ( not really though). it's one of the nginx rewrite rule I play with lately. I redirect bad request, bad bots and such to ovh 10g file, somehow nginx download that 10g file too when bad requests happen. I'm going to test one by one now which rule cause the problem x_x

sz1hosting

ok

namhuy

sz1hosting said: Oh a lot of work! ^_^

stop spamming please

sz1hosting

whatever, trying to be nice and friendly....

Falzo

@namhuy said: I redirect bad request, bad bots and such to ovh 10g file...

read this before here on LET, but think thats a bad practice at all.

while understanding the well-intended proposition on doing this, I think this is not an appropriate counter-measure, because it does harm a lot of others, by simply adding wasted traffic to the world.
you are also abusing services of OVH, which maybe influences their customers in any way.
and, at last, you're like abusing your own provider by having problems on configuring it not boomeraning. ;-)

no offense meant, but would suggest on finding another way dealing with bad requests (fail2ban etc.)

namhuy

no offense but i think it's more fun to give those w/ bad intent a little bit of bad taste. Any how

if ($http_user_agent = "") seems to caused the problem, I was trying to prevent empty user agent. I guess wordpress some how use empty user agent for some weirdo reason?

awson

access_by_lua "
  local ua = ngx.req.get_headers()['User-Agent']
  if ua == '' or ua == nil then
    return ngx.exit(ngx.HTTP_FORBIDDEN)
  end";

namhuy

@awson do i need to install any extra package on centos?

awson

@namhuy said:
awson do i need to install any extra package on centos?

The LUA module is in nginx-extras