I recently noticed my VPS is slow. The blog takes a long time to show me any content. When I log in via SSH, I usually don't see what I type immediately. The command is echoed a few minutes later.
I started my investigation. I ran 'top'. CPU doesn't run crazily. Memory isn't loaded heavily. There's no suspicious process. Everything looks good. But the connection is still slow! I asked the VPS provider: hey, why is my VPS slow to respond when CPU and memory aren't overloaded? The support team took a look and responded to me with one IP address, 191.96.249.54, that had established many connections to my VPS. I then searched for the IP address online and found this StackOverflow question (http://serverfault.com/questions/778831/how-to-block-an-attack-on-wordpress-using-ufw-on-ubuntu-server). It's an attack! Somebody suggested using ipset to add a blacklist. Probably that's the way to go, because when I looked at the Apache log, there were also connections from 191.96.249.53. They're from the same organization.
I found the solution. I installed ipset, only to find out that it didn't run. I got this error:
ipset v6.11: Cannot open session to kernel.
Some articles online say it needs kernel patching. But I don't control the kernel on my VPS. So I contacted my VPS provider again. We couldn't just upgrade the kernel. But they suggested an alternative solution: CSF (http://www.configserver.com/cp/csf.html).
CSF can do what ipset does. I just need to use the blacklist. Besides, it can monitor user logins and notify you when somebody makes repeated login attempts in a short time to guess the password. There are other protections too. All are documented in the readme file. The configuration file contains an explanation for every option. It is a lot of information to digest and you have to make your own choices. I'll just put down some basic points:
- Set TESTING to 1 first. The value 1 will have CSF stop itself 5 minutes after it's started. So when you accidentally lock yourself out, you still can gain access to your VPS after at most 5 minutes. Remember to set it back to 0 when you've tested your configuration file.
- TCP_IN and UDP_IN are the ports that incoming connections are allowed to connect to. At the very least, put your SSH port number in TCP_IN so that you can still access your VPS.
- On my system, CSF can't find /usr/bin/host. It's in its log file. Remember to check the log file for any errors and fix them.
- csf.deny contains a list of IPs from which incoming connections are dropped. It supports CIDR notation (https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#CIDR_notation). I put the suspicious IP addresses in this file.
After CSF started running, there were no more connections from the suspicious IPs in the Apache log file. The connection to my VPS is fast again.
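To pick csf.deny entries from the Apache log instead of by eye, here is an added example (not part of the original post or of CSF): it counts requests per client, collapses noisy neighbours such as .53 and .54 into one CIDR line, and never emits a range that would cover an allowlisted address. The function names, threshold, allowlisted address and log lines are assumptions constructed for illustration; only IPv4 is handled.

```python
import ipaddress
from collections import Counter

def _line(ip):
    # Constructed Apache combined-log line; the timestamp and path are made up.
    return f'{ip} - - [01/Jan/2024:00:00:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"'

SAMPLE_LOG = "\n".join(
    [_line("191.96.249.54")] * 4 + [_line("191.96.249.53")] * 3
    + [_line("203.0.113.7")]          # ordinary visitor (constructed)
    + [_line("198.51.100.20")] * 3    # stands in for your own admin address
)

def count_clients(log_text):
    """Count requests per client address (first field of each log line)."""
    counts = Counter()
    for line in log_text.splitlines():
        try:
            counts[ipaddress.ip_address(line.split(" ", 1)[0])] += 1
        except ValueError:
            continue  # hostname lookups enabled, or a malformed line
    return counts

def deny_entries(counts, threshold, allow=(), prefix=24):
    """Return csf.deny lines for IPv4 clients with at least `threshold` requests."""
    allow_nets = [ipaddress.ip_network(a) for a in allow]
    by_net = {}
    for ip, n in counts.items():
        if ip.version != 4 or n < threshold or any(ip in a for a in allow_nets):
            continue
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        by_net.setdefault(net, []).append(ip)
    entries = []
    for net, ips in sorted(by_net.items()):
        total = sum(counts[i] for i in ips)
        # Widen to the whole range only when several hosts in it are noisy
        # and the range does not contain anything you allowlisted.
        if len(ips) > 1 and not any(net.overlaps(a) for a in allow_nets):
            entries.append(f"{net} # {len(ips)} noisy hosts, {total} requests")
        else:
            entries += [f"{i} # {counts[i]} requests" for i in sorted(ips)]
    return entries

if __name__ == "__main__":
    for entry in deny_entries(count_clients(SAMPLE_LOG), 3, allow=["198.51.100.20"]):
        print(entry)
```

Review the output before appending it to csf.deny, and keep TESTING set to 1 while you try it.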