August 21, 2011 Posted by KP
If your server was down due to insufficient swap space, usually needed by large amount of MySQL connections, it’s a sign of DoS attacks. My servers started to get attacks earlier this year, and they were getting increasingly frequent. Here are some simple practices I have employed, they have been proved to be effective for my server in the last few months.
1. Lower maximum mysql connections to make sure that the server will be up on attacks. The default value of max_connections is 150 which might be too high for servers that host database-heavy websites. Take my server (2GB ram) as an example, it hosts active vbulletin forums and couldn’t handle 150 connections, even light attacks can bring the server down easily. The server survived attacks after I lowered max_connections to 120, but it was very slow since it used lots of swap space. After I changed it to 100, the server responded fast while being attacked.
100 connections should be enough for 20~30K daily visits. The maximum connections mysql has used can be checked with:
# mysqladmin -u root -p extended-status | grep Max_used_connections
| Max_used_connections | 57 |
mysql> show status where variable_name like ‘max_used_connections’;
| Variable_name | Value |
| Max_used_connections | 57 |
2. When mysql reaches its connection limit, the whole server will be affected, this can be avoided with user-level connection throttle. mysql.user table has a field max_connections, the default value is 0 which should be changed according to each mysql user’s usage. Many attacks targeted a mediawiki application on my server, actually this wiki has less than 100 visits, I don’t care about it at all, after I changed its max_user_connections to 5, many attacks no longer affect the server.
3. Apache can handle a lot more connections than mysql, but it can reach its limit. I used to set a very high value, but it’s not helpful to detect and fight attacks. I used the following settings on my 4GB-ram server. KeepAliveTimeout can be lower, I used 2 seconds for a while which also worked well. Since my server has enough memory, I used a higher value for better performance (possibly).
4. Limit Apache connections per IP. Most attacks on my server were from only several IPs, Apache mod limitipconn can limit each IP’s connections, it can be found in ports www/mod_limitipconn (for Apache 1.3.x) and www/mod_limitipconn2 (for Apache 2). I wasn’t able to see the effect with my limited tests even I set MaxConnPerIP to 3, Apache is too robust.
LoadModule limitipconn_module libexec/apache22/mod_limitipconn.so
5. Block malicious IPs with firewall. It’s hard to believe but, a certain IP (should be from a compromised server) participated in almost every attack. Here is a very good pf tutorial, follow it strictly and you will be safe.
The above protections should be enough for random attacks.
No related posts.
Filed Under: FreeBSD General