RE: [!! SPAM] Re: [webcms-53] High CPU usage on Rochen server thrown an alert

From: Nicola F.
Sent on: Wednesday, 18 April 2012, 8:14 am

Thanks Ian, all the feedback I have had has been really useful and informative. Especially your example about Jcal (it’s not installed on this particular site, but handy to know). Hopefully I won’t need the information in the future, but useful to have just in case!

Regards, Nicola

 

From: [address removed] [mailto:[address removed]] On Behalf Of Ian
Sent: Wednesday, 18 April[masked]:46 AM
To: [address removed]
Subject: [!! SPAM] Re: [webcms-53] High CPU usage on Rochen server thrown an alert

 

Hi Nicola

Just one thing to comment on about IP addresses is that usually the focus is not on what / who the IP address is, but what that specific IP address is doing - so that the dodgy activity can be identified and circumvented.

i.e. if there is a vulnerability of some sort in your site, the main thing to figure out is what that vulnerability is and stop that. Blocking specific IPs is really only a (very) temporary measure that can stop the pain at the time, but doesn't solve the vulnerability. If some exploiter / hacker has found something in your site that is useful to them, it usually takes them very little effort to use a different IP.

On some investigations of high usage I have found e.g. a Googlebot or other search engine IP has been a major user; and that has been useful info, in that they're not likely to be a hacker / exploiter :-) (one would hope not). In these cases it has been them indexing a calendar, e.g. jcal, forever into the past and future - adding useless data to their search database (fixed by adding entries to robots.txt so that they don't index the site quite so thoroughly :-)

Using sh404sef with .htaccess on sites also allows greater control via robots.txt too (i.e. limiting what you want indexed in e.g. jcal or other events cal). sh404sef also has an antiflooding mechanism (which can also be a pain!) that blocks specific IPs that are overzealous about getting content from your site - use with care as the last thing you want is to block genuine visits on a popular site; but the logic is sound that if a specific IP address hits your site too many times in a specified time period, it may indeed be something initiated by dodgy brothers inc.

I'd also suggest using the standard .htaccess file for Joomla (i.e. rename htaccess.txt to .htaccess on most servers) as that has some standard rewrites that can slow down exploitative behaviour (someone else may correct me on this, but I think even if you do not turn on 'sef' in Joomla, this .htaccess rewrites some known bad behaviour).

As always - happy to be corrected by others who have had other experience, but hoping that my comments may be helpful / create a dialogue.

Cheers

Ian

--


Ian Phillips
http://www.auschurch.com.au
Australian Church Website Hosting
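
An added example, not part of the messages above: a per-IP summary of an access log that shows what each address is doing (most-requested path, busiest sliding window) rather than who it is. It assumes Apache combined log format; the sample lines, the `/calendar?month=` URL, the documentation-range IPs and the 10-second / 5-hit threshold are all constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<url>\S+)[^"]*" '
                     r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def summarize(log_text, window=timedelta(seconds=10), max_hits=5):
    """Per-IP summary: what was requested, and the busiest sliding window."""
    per_ip = defaultdict(lambda: {"paths": Counter(), "times": [], "agents": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        rec = per_ip[m["ip"]]
        rec["paths"][m["url"].split("?", 1)[0]] += 1  # group by path, ignore query
        rec["times"].append(datetime.strptime(m["ts"], TS_FMT))
        rec["agents"].add(m["ua"])  # self-reported, so informational only
    report = {}
    for ip, rec in per_ip.items():
        times, start, burst = sorted(rec["times"]), 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # shrink window from the left
                start += 1
            burst = max(burst, end - start + 1)
        path, hits = rec["paths"].most_common(1)[0]
        report[ip] = {"hits": len(times), "top_path": path,
                      "top_share": hits / len(times), "burst": burst,
                      "flood": burst > max_hits, "agents": sorted(rec["agents"])}
    return report

def _line(ip, when, url, ua):
    return f'{ip} - - [{when.strftime(TS_FMT)}] "GET {url} HTTP/1.1" 200 512 "-" "{ua}"'

def sample_log():
    """Constructed log lines (documentation IP ranges, hypothetical URLs)."""
    t0 = datetime.strptime("18/Apr/2012:08:00:00 +1000", TS_FMT)
    bot = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    lines = [_line("192.0.2.10", t0 + timedelta(seconds=30 * i),
                   f"/calendar?month=2013-{i + 1:02d}", bot) for i in range(12)]
    lines += [_line("198.51.100.7", t0 + timedelta(seconds=i), "/index.php", "-")
              for i in range(8)]
    lines += [_line("203.0.113.5", t0 + timedelta(minutes=5 * i), url, "Mozilla/5.0")
              for i, url in enumerate(["/", "/about", "/contact"])]
    return "\n".join(lines)

if __name__ == "__main__":
    for ip, info in summarize(sample_log()).items():
        print(ip, info)
```

In the sample, the crawler never trips the flood threshold but spends every request on one calendar path, which points to a robots.txt fix; the second address trips the threshold on a single page, which is the pattern an anti-flooding rule reacts to.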

Phone: 

[masked]

Fax: 

[masked]

Mobile: 

[masked]






--
Please Note: If you hit "REPLY", your message will be sent to everyone on this mailing list ([address removed])
This message was sent by Ian ([address removed]) from Brisbane Joomla Users Group.
To learn more about Ian, visit his/her member profile
Set my mailing list to email me As they are sent | In one daily email | Don't send me mailing list messages

Meetup, PO Box 4668 #37895 New York, New York[masked] | [address removed]

People in this
group are also in: