Results 1 to 3 of 3
Enjoy an ad free experience by logging in. Not a member yet? Register.
- Join Date
- Dec 2011
Unresponsive server. Hacked? Crashed? How do I tell what happened?
I've got an Amazon EC2 linux server. My website stopped responding. I tried to SSH in and also did not get a response. Amazon EC2 Management Console said it was still running fine. I could ping it, but web and ssh were not responding. I rebooted the instance and it came back up working fine.
I'm trying to look through the logs and I'm seeing nothing that helps. Amazon shows a single spike in disk read/write at 7am. My httpd access log showsa stop in file requests at 7am, but domain requests continued. I checked /var/log/secure and /var/log/messages and both don't have anything from 7am until I rebooted 3 hours later. It does show a ton of ssh failed attempts that stopped around 5am.
Is there somewhere else I should look? Is there a change I need to make in logging?
- Join Date
- Apr 2009
- I can be found either 40 miles west of Chicago, in Chicago, or in a galaxy far, far away.
It sounds like you were the victim of a DOS (Denial of Service) attack. Make sure you don't allow root access via ssh, and make sure that your passwords are not easy for a dictionary attack to break. Then, when you login to maintain the system via ssh, you can su to root, providing the appropriate root password, should you need that level of admin access directly. Does Amazon EC2 services have the ability to enable a watchdog timer on the system? If so, then you can use that to automatically reboot the system if it becomes unresponsive again in the future. Not a panacea, but it will let you recover more gracefully from such attacks.Sometimes, real fast is almost as good as real time.
Just remember, Semper Gumbi - always be flexible!
- Join Date
- Nov 2011
try to setup some monitoring tools like nagios, in case high cpu or memory occurs that can alarm u and also setup PAM module if someone fails for login for incorrect password that user should be block for next 15 or 20 mnts like this...
Setup firewall for incase anyone any IP is trying to hit ur server 10 or 8 times in a minute that IP should blocked for next few mnutes or permanent....for this problem if related to apache then use mod_evasive