
Re: [webcms-53] High CPU usage on Rochen server thrown an alert

From: Ian P.
Sent on: Wednesday, April 18, 2012, 7:45 AM
Hi Nicola

Just one thing to comment on about IP addresses is that usually the focus is not on what / who the IP address is, but what that specific IP address is doing - so that the dodgy activity can be identified and circumvented.

i.e. if there is a vulnerability of some sort in your site, the main thing to figure out is what that vulnerability is and stop that. Blocking specific IPs is really only a (very) temporary measure that can stop the pain at the time, but doesn't solve the vulnerability. If some exploiter / hacker has found something in your site that is useful to them, it usually takes them very little effort to use a different IP.

On some investigations of high usage I have found e.g. a googlebot or other search engine IP has been a major user; and that has been useful info, in that they're not likely to be a hacker / exploiter :-) (one would hope not). In these cases it has been them indexing a calendar e.g. jcal, forever into the past and future - adding useless data to their search database (fixed by adding entries to robots.txt so that they don't index the site quite so thoroughly :-)

Using sh404sef with .htaccess on sites also allows greater control via robots.txt too (i.e. limiting what you want indexed in e.g. jcal other events cal). sh404sef also has an antiflooding mechanism (which can also be a pain!) that blocks specific IPs that are overzealous about getting content from your site - use with care as the last thing you want is to block genuine visits on a popular site; but the logic is sound that if a specific IP address hits your site too many times in a specified time period, that it may indeed be something initiated by dodgy brothers inc.

I'd also suggest using the standard .htaccess file for Joomla (i.e. rename htaccess.txt to .htaccess on most servers) as that has some standard rewrites that can slow down exploitative behaviour (someone else may correct me on this, but I think even if you do not turn on 'sef' in Joomla, that this .htaccess rewrites some known bad behaviour).

As always - happy to be corrected by others who have had other experience, but hoping that my comments may be helpful / create a dialogue.

Cheers

Ian
--

Ian Phillips
http://www.auschurch.com.au
Australian Church Website Hosting
Phone:  [masked]
Fax:  +61 2 [masked]
Mobile:  [masked]
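
The message above argues for looking at what each IP address is doing rather than who it is. The following is an added example, not part of the original email: a per-IP summary of an access log that separates a slow crawler walking calendar pages from a burst of requests. It assumes Apache combined log format; the sample lines, paths, agents, window and threshold are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Apache combined log format: ip, timestamp, request path, user agent.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')

def _line(ip, sec, path, agent):
    return (f'{ip} - - [18/Apr/2012:07:40:{sec:02d} +1000] '
            f'"GET {path} HTTP/1.1" 200 512 "-" "{agent}"')

# Constructed sample traffic (documentation IP ranges, made-up paths and agents).
SAMPLE = (
    # crawler: one calendar page every 5 seconds, endlessly changing the year
    [_line("203.0.113.7", s, f"/calendar?year={1900 + s}", "ExampleBot/1.0") for s in range(0, 60, 5)]
    # burst: 30 requests to one URL within 10 seconds
    + [_line("198.51.100.9", 10 + i // 3, "/index.php?id=1", "-") for i in range(30)]
    # ordinary visitor
    + [_line("192.0.2.44", s, "/about", "Mozilla/5.0") for s in (1, 20, 40)]
)

def summarize(lines, window=timedelta(seconds=10), threshold=20):
    """Per IP: total hits, peak hits inside any `window`, busiest path, user agent."""
    hits = defaultdict(list)
    for raw in lines:
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, ts, url, agent = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        hits[ip].append((when, url.split("?", 1)[0], agent))
    report = {}
    for ip, rows in hits.items():
        rows.sort(key=lambda r: r[0])
        peak = lo = 0
        for hi in range(len(rows)):  # sliding window over sorted timestamps
            while rows[hi][0] - rows[lo][0] >= window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        top_path, top_count = Counter(r[1] for r in rows).most_common(1)[0]
        report[ip] = {"requests": len(rows), "peak": peak, "top_path": top_path,
                      "top_path_hits": top_count, "agent": rows[0][2],
                      "flood": peak >= threshold}
    return report

if __name__ == "__main__":
    for ip, info in sorted(summarize(SAMPLE).items(), key=lambda kv: -kv[1]["requests"]):
        print(ip, info)
```

The crawler shows up as a high total with a low peak on a single path, which points at a robots.txt fix, while the burst trips the threshold and shows which URL needs investigating.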
