Hi,

I've recently set up a new server for our public libraries. For the last two years, this has been my first "big" job, since it involves networking eleven small to medium size public libraries.

There was a hiccup some time ago when the administration hiring me wanted to do it on their own, but it took them less than two weeks to get the server hacked and lose everything. So they decided to hire me back :o)

I've rented a little dedicated server at the French provider Ikoula. Really a small thing, a KVM amounting to 1/2 a processor core, 512 MB RAM and 25 GB of disk space. Usually there should be no more than like ten people working simultaneously on the library management software (running atop MySQL).

For the last few days, users reported that the install was "terribly slow". I checked, and indeed, the application took quite some time to respond.

First thing, I wonder if the configuration I chose is too modest for the setup.

Then, I took a peek in /var/log/httpd and the *-access.log files show quite some activity. Some haphazard whois on various IP addresses show me that these are no library users from around here. Like: Bogota?!? Peking?!? And quite some search engines. Since I don't need search engines for our application, I'm going to have to find a way to banish these.

The log files are not very handy to decipher, so I googled a bit, and I think today I'm going to check out AWStats, which seems to be the right thing to use in that case.

I'm also wondering about activity on other ports, but here also I'm taking stabs in the dark. Probably SSH, but I don't know where eventual failed attempts get logged.

I also googled a bit, and I think in this domain, fail2ban will be my next experiment.

I have this strange feeling that the next step in the "wise" direction consists in describing my ignorance :o)

Any suggestions?

Cheers from the sunny south of France,

Niki
Since your users are just in one country you could limit access to only that country using either GeoIP for Apache or GeoIP for iptables.

On 04 Nov 2009, at 11:16 AM, Niki Kovacs wrote:
> [...]
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
Niki Kovacs wrote:
> [...]

Hi Niki,

Why not just use iptables rules to filter the traffic and allow only public (and static) IPs from the libraries? Or also create VPNs between your VM and the remote networks.

-- 
Fabian Arrotin
idea=`grep -i clue /dev/brain`
test -z "$idea" && echo "sorry, init 6 in progress" || sh ./answer.sh
From: Niki Kovacs <contact at kikinovak.net>
> Then, I took a peek in /var/log/httpd and the *-access.log files show
> quite some activity. Some haphazard whois on various IP addresses show
> me that these are no library users from around here. Like: Bogota?!?
> Peking?!? And quite some search engines. Since I don't need search
> engines for our application, I'm going to have to find a way to banish
> these.

robots.txt for search engines. Maybe put a .htaccess file to only allow your library users (login/passwd)...

JD
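Fabian's iptables allowlist and JD's .htaccess suggestion both start from the same list of library subnets, so here is one script that does both. This is an added example, not code from anyone on the thread: it validates each subnet, prints an iptables-save style ruleset that lets only the library ranges reach ports 80/443 and only one admin address reach SSH, and prints the matching Apache 2.2 stanza (library subnets get in without a password, anyone else must log in) plus a robots.txt. The addresses in ADMIN_NET and LIBRARY_NETS, the DocumentRoot and the htpasswd path are assumptions; nothing is applied, everything goes to stdout for review.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates (never applies) an
# iptables allowlist and a matching Apache 2.2 access stanza from the
# libraries' public subnets. All addresses below are constructed.

ADMIN_NET=192.0.2.10/32                          # assumption: where you SSH from
LIBRARY_NETS="198.51.100.0/29 203.0.113.16/28"   # assumption: the libraries' static ranges
DOCROOT=/var/www/html                            # assumption
HTPASSWD=/etc/httpd/conf/htpasswd                # assumption

# Accept a.b.c.d or a.b.c.d/n (octets 0-255, n 0-32); reject everything else.
# A typo here is the difference between "filtered" and "locked out", so
# every subnet is checked before any rule is generated.
valid_cidr() {
    ip=${1%/*}; len=${1#*/}
    [ "$len" = "$1" ] && len=32                  # no "/n" given: a single host
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    case "$len" in *[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ]
}

check_nets() {
    for n in $ADMIN_NET $LIBRARY_NETS; do
        valid_cidr "$n" || { echo "bad subnet: $n" >&2; return 1; }
    done
}

# iptables-save format: default-deny INPUT, loopback and replies allowed,
# SSH only from the admin address, HTTP/HTTPS only from the libraries.
# MySQL (3306) is deliberately absent: it stays reachable only on loopback.
firewall_rules() {
    check_nets || return 1
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p tcp --dport 22 -s $ADMIN_NET -j ACCEPT
EOF
    for n in $LIBRARY_NETS; do
        printf '%s\n' "-A INPUT -p tcp -m multiport --dports 80,443 -s $n -j ACCEPT"
    done
    echo COMMIT
}

# Apache 2.2 (Order/Allow/Deny) stanza: library subnets get in without a
# password, anyone else must authenticate ("Satisfy Any" = either condition).
apache_access() {
    check_nets || return 1
    cat <<EOF
<Directory "$DOCROOT">
    Order deny,allow
    Deny from all
EOF
    for n in $LIBRARY_NETS; do
        echo "    Allow from $n"
    done
    cat <<EOF
    AuthType Basic
    AuthName "Library staff"
    AuthUserFile $HTPASSWD
    Require valid-user
    Satisfy Any
</Directory>
EOF
}

# Politely tell crawlers to stay away (only the well-behaved ones listen).
robots_txt() {
    printf 'User-agent: *\nDisallow: /\n'
}

echo "# --- /etc/sysconfig/iptables candidate ---"; firewall_rules
echo "# --- httpd.conf / .htaccess candidate ---";  apache_access
echo "# --- robots.txt ---";                         robots_txt
```

Load the ruleset with iptables-restore only from the provider's console or with a scheduled rollback (an `at` job that reloads the previous rules a few minutes later), because a wrong ADMIN_NET locks you out of your own box. Basic auth over plain HTTP sends the password in the clear, so the login fallback belongs behind HTTPS. robots.txt only stops crawlers that choose to honour it; with the firewall in place they never reach Apache anyway.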
Niki Kovacs wrote:
> Hi,
> 
> I've recently set up a new server for our public libraries. For the last
> two years, this has been my first "big" job, since it involves
> networking eleven small to medium size public libraries.
>

Niki,

limit access as much as possible. GeoIP is your friend. You can also limit access per library subnets.

The second: you can have low resources in case your web app is Java based.

And finally, make sure the site is not hacked, e.g. allow_url_fopen...

David Hrb??
Niki Kovacs wrote:
> [...]

Try to do some smart configuration on Apache:

1) You may consider compressing HTML, CSS and JS (http://httpd.apache.org/docs/2.2/mod/mod_deflate.html). This may save you quite some bandwidth.

2) Further, consider adding some expiration attributes (http://httpd.apache.org/docs/2.2/mod/mod_expires.html).

Peter

-- 
Dott. Peter Hopfgartner
R3 GIS Srl - GmbH
Via Johann Kravogl-Str. 2
I-39012 Meran/Merano (BZ)
Email: peter.hopfgartner at r3-gis.com
Tel. : +39 0473 494949
Fax  : +39 0473 069902
www  : http://www.r3-gis.com
On Wed, Nov 4, 2009 at 4:16 AM, Niki Kovacs <contact at kikinovak.net> wrote:
> [...]

It sounds to me like your server is more attractive to people than the application you have running on it. Your Apache may be running as an open proxy, or people might be attempting to use it as one, even if it's not.

The Apache log files will show what files people are trying to access. They might not be easy to read, but as a sysadmin you need to get used to that, as that is where the information is. If there are many files that do not exist on your server, they may be trying to scan your server or use it as a proxy.

You should also monitor your bandwidth. Your ISP should have a control panel that allows you to see your usage. You should be able to tell right away if it's very high or not. Large traffic could mean someone is using your server to transfer files, or maybe you just have a very popular service.

You should look at all the logs in /var/log. /var/log/secure is where SSH login attempts get sent. You should also look at the maillog to see if anyone is using your server to send spam email.
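A way to get the answers above out of the raw logs without waiting for AWStats, as an added example that is not part of the thread. It runs awk over constructed sample lines in Apache "combined" format and a constructed /var/log/secure excerpt; the sample addresses are documentation ranges, not real clients, and the file paths are placeholders. Each function prints a count per source so the odd ones out stand out: requests per IP, CONNECT or absolute-URL requests that mean someone is testing the box as a proxy, clients piling up 404s, crawlers by user agent, and failed SSH passwords per IP (the same lines fail2ban's sshd jail counts).

```shell
#!/bin/sh
# Added example, not code from the thread: a first triage of httpd access
# logs and /var/log/secure with awk. Log lines below are constructed; the
# access log is assumed to be in Apache "combined" format.

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
ACCESS_LOG=$TMP/access_log
SECURE_LOG=$TMP/secure

cat >"$ACCESS_LOG" <<'EOF'
192.0.2.10 - - [04/Nov/2009:09:02:13 +0100] "GET /catalog/search.php?q=zola HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 5.1)"
192.0.2.10 - - [04/Nov/2009:09:02:20 +0100] "GET /catalog/item.php?id=4411 HTTP/1.1" 200 3311 "-" "Mozilla/5.0 (Windows NT 5.1)"
192.0.2.10 - - [04/Nov/2009:09:03:01 +0100] "POST /circ/checkout.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 5.1)"
203.0.113.9 - - [04/Nov/2009:03:11:02 +0100] "GET /phpmyadmin/ HTTP/1.0" 404 290 "-" "-"
203.0.113.9 - - [04/Nov/2009:03:11:02 +0100] "GET /pma/ HTTP/1.0" 404 290 "-" "-"
203.0.113.9 - - [04/Nov/2009:03:11:03 +0100] "GET /admin/ HTTP/1.0" 404 290 "-" "-"
203.0.113.9 - - [04/Nov/2009:03:11:03 +0100] "GET /mysql/ HTTP/1.0" 404 290 "-" "-"
203.0.113.9 - - [04/Nov/2009:03:11:09 +0100] "GET http://www.example.com/ HTTP/1.1" 200 5120 "-" "-"
198.51.100.7 - - [04/Nov/2009:04:40:51 +0100] "CONNECT mail.example.net:25 HTTP/1.0" 405 0 "-" "-"
198.51.100.20 - - [04/Nov/2009:06:15:00 +0100] "GET /robots.txt HTTP/1.1" 404 290 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.20 - - [04/Nov/2009:06:15:01 +0100] "GET / HTTP/1.1" 200 1200 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.30 - - [04/Nov/2009:07:30:44 +0100] "GET / HTTP/1.1" 200 1200 "-" "Baiduspider+(+http://www.baidu.com/search/spider.htm)"
EOF

cat >"$SECURE_LOG" <<'EOF'
Nov  4 03:12:07 srv sshd[2311]: Failed password for invalid user oracle from 203.0.113.9 port 41022 ssh2
Nov  4 03:12:09 srv sshd[2313]: Failed password for root from 203.0.113.9 port 41030 ssh2
Nov  4 03:12:12 srv sshd[2315]: Failed password for root from 203.0.113.9 port 41041 ssh2
Nov  4 04:41:00 srv sshd[2402]: Failed password for invalid user admin from 198.51.100.7 port 50200 ssh2
Nov  4 09:01:44 srv sshd[2620]: Accepted publickey for niki from 192.0.2.10 port 50100 ssh2
EOF

# Combined format split on the double quote: $1 = "ip - - [date] ",
# $2 = request line, $3 = " status bytes ", $6 = user agent.

# Requests per client, busiest first: a handful of library users should
# dominate; anything else near the top deserves a whois.
top_talkers() {
    awk -F'"' '{ split($1, a, " "); n[a[1]]++ }
               END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Open-proxy probing: CONNECT requests or an absolute http://host/ target.
# A browser talking to *this* server sends a path, never a full URL.
proxy_attempts() {
    awk -F'"' '{ split($2, r, " ")
                 if (r[1] == "CONNECT" || r[2] ~ /^https?:\/\//) {
                     split($1, a, " "); print a[1], r[1], r[2] } }' "$1"
}

# Scanners: clients with at least $2 (default 3) 404s, i.e. they are
# guessing at files that do not exist (/phpmyadmin/, /admin/, ...).
scanners() {
    awk -F'"' -v min="${2:-3}" '
        { split($1, a, " "); split($3, s, " ")
          if (s[1] == "404") n[a[1]]++ }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }' "$1" | sort -rn
}

# Crawlers, by user agent. These are the ones robots.txt can ask to leave.
crawlers() {
    awk -F'"' 'tolower($6) ~ /bot|spider|crawl/ { split($1, a, " "); n[a[1] " " $6]++ }
               END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# SSH brute force in /var/log/secure: failed passwords per source address.
# This is the pattern fail2ban's sshd jail matches on.
ssh_failures() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++ }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

echo "== requests per client";      top_talkers    "$ACCESS_LOG"
echo "== proxy attempts";           proxy_attempts "$ACCESS_LOG"
echo "== scanners (>= 3 x 404)";    scanners       "$ACCESS_LOG"
echo "== crawlers";                 crawlers       "$ACCESS_LOG"
echo "== failed SSH logins per IP"; ssh_failures   "$SECURE_LOG"
```

Point the functions at the real files (`top_talkers /var/log/httpd/access_log`) once the sample block is removed. A pile of 404s from one address, or any CONNECT line at all, is the signal to firewall that address; if the whois comes back as a search engine, robots.txt is the polite route. If the absolute-URL requests are answered with 200 rather than 403 or 404, check that `ProxyRequests` is off in httpd.conf before anything else.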
On Wed, Nov 4, 2009 at 9:16 AM, Niki Kovacs <contact at kikinovak.net> wrote:
> [...]

Check out mod_geoip and only allow France to connect to your server.