Review active connections
Active connections may be normal traffic, bots (search engine crawlers) or potentially malicious traffic (brute force attack). It is important to be able to review active connections to your server and determine if they are legitimate or malicious.
Why should I review active connections?
Excessive connections may cause:
- site slowness
- errors on pages
- other tasks on the server becoming slow (like mail)
How do I review active connections?
CHECK ACTIVE CONNECTIONS BY IP

root@myserver [~]# netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
      1 1.2.3.4
      1 5.6.7.8
      4 9.10.11.12
      5 20.21.22.23
    300 13.14.15.16

The example above shows one IP address with a lot more connections than the other IPs. This may be a sign of malicious traffic.
CHECK ACTIVE CONNECTIONS BY PORT

This example shows a large number of connections to port 25 (SMTP). This may be a sign of an issue with mail.

root@myserver [~]# netstat -tuna | awk -F':+| +' 'NR>2{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
      1 953
      1 993
      1 995
      3 80
    200 25
Once you find the connections, you need to determine what they are trying to access.
SEARCH ACCESS LOGS FOR FREQUENTLY REQUESTED PAGES

root@myserver [~]# cat /usr/local/apache/domlogs/*/* | awk '{print $7}' | sort | uniq -c | sort -n | less
     30 /wp-content/uploads/2018/08/guitars.jpg
     36 /wp-includes/js/jquery/jquery.js?ver=1.12.4
     36 /wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1
     46 /user-account/
     56 /favicon.ico
     65 /website-stuff/
     89 /results.json
    140 /robots.txt
    169 /wp-login.php
    270 /wp-admin/admin-ajax.php
    441 /xmlrpc.php
    448 /

Entries for "/" are the index page of each site and are likely normal traffic. Entries with a count 10x higher than other pages (i.e. /xmlrpc.php vs guitars.jpg) may indicate suspicious activity.
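The three one-liners above (connections by IP, connections by port, requests by path) share one pattern: count, sort, and look for the entry that stands out. The following script is an added example, not part of the original article, that wraps them in reusable shell functions and applies the "10x higher than the others" rule automatically by comparing each count against the median. It reads its input from stdin, so it works on real `netstat -ntu` or domlog output; the sample data embedded here is constructed (the 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 and 2001:db8:: ranges are documentation addresses), and the function names are this example's own. Unlike the article's `cut -d: -f1`, it strips only the trailing port so IPv6 addresses in tcp6/udp6 lines are kept intact.

```shell
#!/bin/sh
# Added example: count-and-flag helpers for the netstat and access-log checks.

# Connections per remote IP (the article's "by IP" check). Only tcp*/udp* lines are
# counted, which drops netstat's two header lines; the final ":port" is stripped so
# IPv6 addresses such as 2001:db8::1:60000 survive as 2001:db8::1.
count_by_ip() {
    awk '$1 ~ /^(tcp|udp)/ {print $5}' | sed 's/:[0-9]*$//' | sort | uniq -c | sort -n
}

# Connections per local port (the article's "by port" check).
count_by_port() {
    awk '$1 ~ /^(tcp|udp)/ {print $4}' | sed 's/.*://' | sort | uniq -c | sort -n
}

# Requests per path from Apache combined-format access logs ($7 is the path).
count_by_path() {
    awk '{print $7}' | sort | uniq -c | sort -n
}

# Which client IPs requested a given path; run this on a path flagged below.
requesters_of_path() {
    awk -v p="$1" '$7 == p {print $1}' | sort | uniq -c | sort -n
}

# Read "count key" lines (sorted ascending, as uniq -c | sort -n produces) and print
# every entry whose count is at least FACTOR times the median count (default 10).
flag_outliers() {
    awk -v factor="${1:-10}" '
        { n++; c[n] = $1; k[n] = $2 }
        END {
            if (n == 0) exit
            mid = int((n + 1) / 2); median = c[mid]   # lower middle for even n
            for (i = 1; i <= n; i++)
                if (c[i] >= factor * median) print c[i], k[i]
        }'
}

# Constructed sample netstat output: four ordinary clients plus one remote host
# holding ten connections to port 80.
sample_netstat() {
    printf 'Active Internet connections (w/o servers)\n'
    printf 'Proto Recv-Q Send-Q Local Address           Foreign Address         State\n'
    printf 'tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED\n'
    printf 'tcp        0      0 192.0.2.10:443          198.51.100.8:44010      ESTABLISHED\n'
    printf 'udp        0      0 192.0.2.10:53           192.0.2.55:40000\n'
    printf 'tcp6       0      0 2001:db8::10:443        2001:db8::1:60000       ESTABLISHED\n'
    i=0
    while [ $i -lt 10 ]; do
        printf 'tcp        0      0 192.0.2.10:80           203.0.113.99:5%04d     ESTABLISHED\n' $i
        i=$((i + 1))
    done
}

# Constructed sample access log: normal page hits plus twelve POSTs to /xmlrpc.php
# from the same host that dominated the connection table.
sample_access_log() {
    printf '198.51.100.7 - - [10/Oct/2018:13:55:36 +0000] "GET / HTTP/1.1" 200 2326 "-" "Mozilla/5.0"\n'
    printf '198.51.100.8 - - [10/Oct/2018:13:55:40 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "Googlebot/2.1"\n'
    printf '198.51.100.7 - - [10/Oct/2018:13:55:41 +0000] "GET /wp-content/uploads/guitars.jpg HTTP/1.1" 200 51200 "-" "Mozilla/5.0"\n'
    printf '192.0.2.55 - - [10/Oct/2018:13:56:02 +0000] "GET /wp-login.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"\n'
    i=0
    while [ $i -lt 12 ]; do
        printf '203.0.113.99 - - [10/Oct/2018:13:57:%02d +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"\n' $i
        i=$((i + 1))
    done
}

demo_ip_outliers()   { sample_netstat | count_by_ip | flag_outliers; }
demo_path_outliers() { sample_access_log | count_by_path | flag_outliers; }

# Run the whole review on the sample data. On a live server replace the sample_*
# calls with `netstat -ntu` and `cat /usr/local/apache/domlogs/*/*`.
echo "== connections per remote IP";  sample_netstat | count_by_ip
echo "== outlier IPs";                demo_ip_outliers
echo "== connections per local port"; sample_netstat | count_by_port
echo "== outlier paths";              demo_path_outliers
echo "== who requests /xmlrpc.php";   sample_access_log | requesters_of_path /xmlrpc.php
```

The median rule is deliberately simple: on a busy server with many clients at a similar level, a single IP holding 10x the median number of connections is worth a look, while the same absolute count spread across many hosts is not. Lower the factor (`flag_outliers 5`) on quiet servers, and always confirm a flagged IP against the access log before blocking it, since a legitimate crawler or a NAT gateway for an office can also produce a tall bar.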
CHECK APACHE OR PHP-FPM ERROR LOG FOR ERRORS

- Review the Apache error log
- Review the PHP-FPM error log
Next steps
Once you have the malicious IPs and what they're trying to access, you can block them server-wide (firewall) or per site (.htaccess):
- Block malicious IPs in the server's firewall (Windows Firewall, iptables, firewalld).
- Use Plesk or WHM (cPHulk) to block malicious IPs.
- Using WordPress? Check out Common WordPress attacks.