Some memory help needed...

[Erizo]

Hi...

At some time around 4 PM our VPS has been having huge memory uses, well, to be more specific, it uses all our avaible normal RAM

I have been restarting, shutting down, searching, but it still happens... Could it be some accounts causing it?
Do you have an advice on how to know?

Sorry... but i'm getting a headache for this :cry2:

EDIT: It seems that is a DoS atack... i think i found the target account and suspended it while we think of what we can do... I think we need hardening, but our budget it's pretty tight now

 

[Tracker]

Look over the logs and get the ip that was doing the dos and block it

DDoS always makes the memory usage go through the roof

 

[ikick]

I posted this in another thread. It might help you.


ok, assuming you are running CentOS (not sure if it works on others) do the following:

Once you login to ssh,
Copy and paste this in there:

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

That will check all the IP addresses that are connecting to the server. It should look something like this:

      1  209.51.138.42
      1  66.249.70.123
      2  71.182.167.106
      4  208.66.74.72
      5  75.81.46.182
      6  208.36.123.58
    207  71.17.182.110
    301  213.219.88.194

The number on the left is all the connections. Now anything over 50+ is considered an attack.

Now to block the attackers IP:
To ban (or "null") the IP address, type this command:

route add 213.219.88.194 gw 127.0.0.1 lo

So basically, replace the IP which is bold'ed with the IP that all the connections are coming from:

route add 213.219.88.194 gw 127.0.0.1 lo

aka:

route add DoSers IP gw 127.0.0.1 lo

Then you start dancing because you just stopped the DoS attack

 

[Erizo]

ikick, what happens when the only big thing i see is 193 and they are all from my server IP? xD

 

[Amaresh]

See if installing http://deflate.medialayer.com/ helps.

 

[ikick]

ouch lol.

It COULD mean that they are attacking another site/server/ip.

Do you have MSN? we could chat about it more?

dylan.jones@aussiehosting.org, Add me

 

[Erizo]

Thanks for everything, but it seems that it stopped... whatever it was I'll post here if something else still happens, because yesterday when i thought it was over it started again, lol...

Again, thanks for the help

 

[Armed]

Eesh, set-up a firewall and some IP Tables so it wont happen again. =)

 

[Erizo]

I had a firewall, but not just as configured as expected Setting up completely firewall, apf and other security measures

 

[.Andy]

Hi...

At some time around 4 PM our VPS has been having huge memory uses, well, to be more specific, it uses all our avaible normal RAM

I have been restarting, shutting down, searching, but it still happens... Could it be some accounts causing it?
Do you have an advice on how to know?

Sorry... but i'm getting a headache for this :cry2:

EDIT: It seems that is a DoS atack... i think i found the target account and suspended it while we think of what we can do... I think we need hardening, but our budget it's pretty tight now

Pm Ralph Grabacontroler on this forum. Hes done server work for me be fore very very cheap 90% less then others.