Max CPU/RAM and ClamAV disabled

Hello, I have a question: every day when I wake up, my htop says max CPU and RAM. I have 2 GB of RAM.
Also, in Hestia ClamAV is disabled… When I reboot the server everything gets back to normal.

What can it be? A virus?

What exactly is consuming your RAM and/or CPU?

Will reply to the thread with more info when the problem occurs again.


Just to share a bit more information: usually you've got a process consuming the RAM and CPU; it looks like something is hanging there over time. So you need to identify that process and find out why it starts to eat your resources. If you can find the relevant process (which should also be visible in htop) and fix the issue, your problem would be solved.

Updated my server to a better capacity, thanks!


You might have been hit by an aggressive bot (or more than one) that was scanning your site(s). Have a look at the web server logs, and if this is the case you might want to block some bots with something like this in your .htaccess file(s):

SetEnvIfNoCase User-Agent .*rogerbot.* bad_bot
SetEnvIfNoCase User-Agent .*exabot.* bad_bot
SetEnvIfNoCase User-Agent .*mj12bot.* bad_bot
SetEnvIfNoCase User-Agent .*dotbot.* bad_bot
SetEnvIfNoCase User-Agent .*gigabot.* bad_bot
SetEnvIfNoCase User-Agent .*ahrefsbot.* bad_bot
SetEnvIfNoCase User-Agent .*sitebot.* bad_bot
<Limit GET POST HEAD>
Order Allow,Deny
Allow from all
Deny from env=bad_bot
</Limit>

You can add or remove bots as needed.

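As an added example (not code from the thread or from Hestia), here is a small Python script that does what the post above suggests by hand: read the web server access log, rank user agents by request count, and turn the crawlers that exceed a threshold into an Apache blocklist. The log lines are constructed (RFC 5737 documentation addresses), the threshold is arbitrary, and the generated block uses Apache 2.4 `Require` syntax instead of the `Order/Allow/Deny` form shown in the post; those are my choices, not the poster's.

```python
"""Rank user agents in a web server access log and turn the noisy crawlers into
an Apache blocklist.  Added example for this thread; the log lines below are
constructed, not real traffic."""
import re
from collections import Counter

# Apache/nginx "combined" format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Picks the crawler's own name out of a user-agent string, e.g. "MJ12bot" from
# "Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)".
BOT_RE = re.compile(r'([A-Za-z0-9_-]*bot)(?=[/ ;)]|$)', re.IGNORECASE)

MJ12 = "Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)"
AHREFS = "Mozilla/5.0 (compatible; AhrefsBot/7.0; +http://ahrefs.com/robot/)"
CHROME = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/83.0 Safari/537.36"

# Constructed sample log: two crawlers hammering the site, one browser, one junk line.
SAMPLE_LOG = "\n".join([
    f'198.51.100.20 - - [11/Jun/2020:07:25:26 +1000] "GET /wp-login.php HTTP/1.1" 200 4512 "-" "{MJ12}"',
    f'198.51.100.20 - - [11/Jun/2020:07:25:27 +1000] "GET /?p=1 HTTP/1.1" 200 8120 "-" "{MJ12}"',
    f'198.51.100.20 - - [11/Jun/2020:07:25:27 +1000] "GET /?p=2 HTTP/1.1" 200 8090 "-" "{MJ12}"',
    f'198.51.100.20 - - [11/Jun/2020:07:25:28 +1000] "GET /?p=3 HTTP/1.1" 200 8100 "-" "{MJ12}"',
    f'203.0.113.9 - - [11/Jun/2020:07:30:01 +1000] "GET /feed/ HTTP/1.1" 200 2210 "-" "{AHREFS}"',
    f'203.0.113.9 - - [11/Jun/2020:07:30:02 +1000] "GET /tag/a/ HTTP/1.1" 200 7300 "-" "{AHREFS}"',
    f'203.0.113.9 - - [11/Jun/2020:07:30:03 +1000] "GET /tag/b/ HTTP/1.1" 200 7290 "-" "{AHREFS}"',
    f'192.0.2.44 - - [11/Jun/2020:08:00:00 +1000] "GET / HTTP/1.1" 200 9001 "https://example.org/" "{CHROME}"',
    "this line is not in combined format and must be skipped",
])


def parse_log(text):
    """Yield one dict per well-formed line; silently skip anything else."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def ua_counts(text):
    """Requests per user-agent string."""
    return Counter(e["ua"] for e in parse_log(text))


def heavy_uas(text, threshold):
    """(user-agent, hits) pairs at or above the threshold, busiest first."""
    return [(ua, n) for ua, n in ua_counts(text).most_common() if n >= threshold]


def bot_token(ua):
    """Lower-case crawler name suitable for a SetEnvIfNoCase match, or None."""
    m = BOT_RE.search(ua)
    return m.group(1).lower() if m else None


def suggest_blocklist(text, threshold):
    """Crawler names that exceeded the threshold; UAs without a bot token (browsers) are left alone."""
    tokens = {bot_token(ua) for ua, _ in heavy_uas(text, threshold)}
    return sorted(t for t in tokens if t)


def htaccess_snippet(tokens):
    """Apache 2.4 .htaccess block: tag the listed crawlers, then refuse them.
    Uses Require (mod_authz_core) rather than the older Order/Allow/Deny directives."""
    lines = [f"SetEnvIfNoCase User-Agent .*{t}.* bad_bot" for t in tokens]
    lines += ["<RequireAll>", "    Require all granted", "    Require not env bad_bot", "</RequireAll>"]
    return "\n".join(lines)


if __name__ == "__main__":
    for ua, n in heavy_uas(SAMPLE_LOG, 3):
        print(f"{n:5d}  {ua}")
    print(htaccess_snippet(suggest_blocklist(SAMPLE_LOG, 3)))
```

Two caveats when using this for real: on Apache 2.4 the `Order`/`Allow`/`Deny` directives in the post only work while mod_access_compat is loaded, which is why the generated block uses `Require` instead; and matching on User-Agent only stops crawlers that announce themselves, so pair it with per-IP rate limiting (the fail2ban the installer enables, or a `map $http_user_agent` plus `return 403` on nginx) for bots that spoof a browser string.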

Thanks! Helpful information.

This is an excellent example of where mod_security rules can help. In WHM/cPanel I use it to block bad bots, rather than using .htaccess
(@Felix examples are classic rogue bots :+1: )
There are many other blocks/protections that mod_security is useful for too. :wink:


Hey @AlwaysSkint, thanks for your reply. Can you show me some examples of the other blocks? Always interested in hardening tips :slight_smile:

I’ve been badgering mods to give us a mod_security interface and ruleset, similar to other control panels; even the free ‘old’ OWASP ruleset is a great starting point.
Mod_sec can help block SQL injection, Wordpress hacks and general ‘naughtiness’. I consider it an essential part of a hosted setup. It’s much more versatile than only relying on .htaccess rules, IME.

@xysites Just one example of many ‘hits’:

[Thu Jun 11 07:25:26.114204 2020] [:error] [pid 4212:tid 140451436803840] [client 51.77.135.89:43030] [client 51.77.135.89] ModSecurity: Warning. Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/usr/local/apache/modsecurity-owasp-latest/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "793"] [id "920350"] [rev "2"] [msg "Host header is a numeric IP address"] [data "xxx.xxx.xxx.xxx"] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "xxx.xxx.xxx.xxx"] [uri "/cgi-bin/mainfunction.cgi"] [unique_id "XuFPxnZqNmQM71x9zjqhwAAAAMo"]

A hack attempt from an OVH EU location to an Oz VPS.

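Entries like the one quoted above pile up fast once the OWASP CRS is enabled, and the useful fields (rule id, message, client, URI, whether the request was actually denied) are buried in the bracketed `[key "value"]` tail. The following Python is an added example, not from the thread or from ModSecurity, that parses ModSecurity 2.x error-log lines into records and ranks rule hits and offending clients. The sample entries are constructed in the same shape as the quoted one (documentation IPs; rule ids 920350, 942100 and 949110 are CRS 3.x rule ids, but the exact wording of the constructed lines is mine).

```python
"""Parse ModSecurity 2.x entries from the Apache error log into structured records.
Added example; the sample log below is constructed, not real traffic."""
import re
from collections import Counter

# Bracketed key/value fields appended by ModSecurity: [id "920350"], [tag "..."], ...
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# Apache error-log timestamp at the start of the line.
TS_RE = re.compile(r'^\[([^\]]+)\]')
# First [client ip:port] field; the optional port is dropped (IPv4 only, for brevity).
CLIENT_RE = re.compile(r'\[client ([^\]:]+)(?::\d+)?\]')
# "Warning" or "Access denied with code 403 (phase 2)" up to the first ". ".
ACTION_RE = re.compile(r'ModSecurity: (.+?)\. ')

SAMPLE_ERROR_LOG = r"""
[Thu Jun 11 07:25:26.114204 2020] [:error] [pid 4212:tid 140451436803840] [client 203.0.113.5:43030] [client 203.0.113.5] ModSecurity: Warning. Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/usr/local/apache/modsecurity-owasp-latest/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "793"] [id "920350"] [rev "2"] [msg "Host header is a numeric IP address"] [data "198.51.100.10"] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [tag "application-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [hostname "198.51.100.10"] [uri "/cgi-bin/mainfunction.cgi"] [unique_id "XuFPxnZqNmQM71x9zjqhwAAAAMo"]
[Thu Jun 11 07:25:27.002311 2020] [:error] [pid 4212:tid 140451436803840] [client 203.0.113.5:43031] [client 203.0.113.5] ModSecurity: Warning. detected SQLi using libinjection with fingerprint 's&1' [file "/usr/local/apache/modsecurity-owasp-latest/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s&1 found within ARGS:id: 1' or 1=1"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [tag "attack-sqli"] [hostname "198.51.100.10"] [uri "/index.php"] [unique_id "XuFPx3ZqNmQM71x9zjqhwAAAANo"]
[Thu Jun 11 07:25:27.003104 2020] [:error] [pid 4212:tid 140451436803840] [client 203.0.113.5:43031] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/local/apache/modsecurity-owasp-latest/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "36"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "attack-generic"] [hostname "198.51.100.10"] [uri "/index.php"] [unique_id "XuFPx3ZqNmQM71x9zjqhwAAAANo"]
[Thu Jun 11 07:26:00.000000 2020] [core:error] [pid 4212:tid 140451436803840] [client 192.0.2.9:5000] AH00135: Invalid method in request
"""


def parse_modsec_line(line):
    """Return a dict for a ModSecurity entry, or None for any other error-log line."""
    if "ModSecurity: " not in line:
        return None
    ts, client, action = TS_RE.match(line), CLIENT_RE.search(line), ACTION_RE.search(line)
    rec = {
        "ts": ts.group(1) if ts else None,
        "client": client.group(1) if client else None,
        "action": action.group(1) if action else None,
        # Only "Access denied" entries mean the request was actually blocked;
        # "Warning" entries are rule matches that merely raised the anomaly score.
        "blocked": bool(action and action.group(1).startswith("Access denied")),
        "tags": [],
    }
    for key, value in FIELD_RE.findall(line):
        if key == "tag":
            rec["tags"].append(value)   # tag repeats, keep them all
        else:
            rec[key] = value            # file, line, id, msg, data, severity, uri, ...
    return rec


def parse_modsec_log(text):
    """All ModSecurity records in a chunk of error log, in order."""
    return [r for r in (parse_modsec_line(l) for l in text.splitlines()) if r]


def top_rules(records, n=5):
    """Most frequently firing (id, msg) pairs: what the WAF is actually seeing."""
    return Counter((r.get("id"), r.get("msg")) for r in records).most_common(n)


def offenders(records):
    """Client IPs by number of rule hits, busiest first; candidates for fail2ban/iptables."""
    return Counter(r["client"] for r in records).most_common()


if __name__ == "__main__":
    recs = parse_modsec_log(SAMPLE_ERROR_LOG)
    for (rid, msg), n in top_rules(recs):
        print(f"{n:4d}  {rid}  {msg}")
    for ip, n in offenders(recs):
        print(f"{n:4d}  {ip}")
    print("blocked:", sum(r["blocked"] for r in recs), "of", len(recs))
```

The distinction the `blocked` flag makes matters when tuning: with CRS in anomaly-scoring mode, the individual 9xxxxx "Warning" lines are score contributions and only the 949110 "Access denied" line tells you the request was refused, so counting warnings alone overstates what the WAF is stopping and counting only denials hides which rules are noisy enough to need an exclusion.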

Hey, that's really nice, I didn't know about this. Would mod_security work well along with ClamAV?

@xysites
ClamAV & mod_security are independent and can co-exist happily. One deals with the uploading and embedding of viruses via files, the other with overall protection of your web server against vulnerabilities.
If your clients hardly upload files to your server, then ClamAV has a large footprint for very little use. mod_sec continuously acts as a barrier to people attempting to hack your websites/databases.
Crap! I sound like an advert. :expressionless:


Nice! Will do some research on how to install and configure it.
Thanks! This is very very helpful for me.

The same here after an installation:

sudo bash hst-install.sh --apache no --nginx yes --phpfpm yes --multiphp no --vsftpd no --proftpd yes --named yes --mysql yes --postgresql no --exim yes --dovecot yes --clamav no --spamassassin no --iptables yes --fail2ban yes --quota yes --api yes --force no --interactive yes --port 8083 --lang en

Any advice for NGINX?

You could install haveged.


Oh, it's OK for now, just checked it. I did notice that this situation lasts 15 to 30 minutes immediately after installation.

Don't worry about that ssl-params process; it is executed when Dovecot starts for the first time and takes about 5-20 min to finish.


Looks like this is a multi-topic thread. :wink:

In fact, all is answered now; let's stop the notification storm :slight_smile:.
