Max CPU/RAM and ClamAV disabled

xysites · June 9, 2020, 5:28pm

Hello, i have a question, everyday when i wake up, my htop says max cpu and ram, i have 2gb of ram.
Also in hestia ClamAV is disabled… When i reboot the server everything get back to normal.

What can it be? a virus?

Raphael · June 9, 2020, 5:39pm

What exactly is consuming you ram and or cpu?

xysites · June 9, 2020, 7:02pm

Will reply to the thread with more info, when the problem occurs again

Raphael · June 10, 2020, 7:22am

Just to share a bit more information: Usualy you’ve got a process consuming the ram and cpu - looks like something is hanging there over time. So you need to identify that process and find out, why it starts to eat your ressources. If you can find the relevant process (which also should be visible in htop) and fix the issue, your problem would be solved.

xysites · June 10, 2020, 11:26am

Updated my server to a better capacity, thanks!

Felix · June 10, 2020, 1:48pm

You might have been hit by an aggressive bot (or more), that were scanning your site(s). Have a look at the web server logs and if this is the case you might want to block some bots with something like this in your .htaccess file(s):

SetEnvIfNoCase User-Agent .*rogerbot.* bad_bot
SetEnvIfNoCase User-Agent .*exabot.* bad_bot
SetEnvIfNoCase User-Agent .*mj12bot.* bad_bot
SetEnvIfNoCase User-Agent .*dotbot.* bad_bot
SetEnvIfNoCase User-Agent .*gigabot.* bad_bot
SetEnvIfNoCase User-Agent .*ahrefsbot.* bad_bot
SetEnvIfNoCase User-Agent .*sitebot.* bad_bot
<Limit GET POST HEAD>
Order Allow,Deny
Allow from all
Deny from env=bad_bot
</Limit>

You can add or remove bots as needed.

xysites · June 10, 2020, 2:33pm

Thanks! helpful information

AlwaysSkint · June 10, 2020, 2:58pm

This is an excellent example of where mod_security rules can help. In WHM/cPanel I use it to block bad bots, rather than using .htaccess
(@Felix examples are classic rogue bots )
There are many other blocks/protections that mod_security is useful for too.

xysites · June 10, 2020, 3:45pm

Hey @AlwaysSkint thanks for your reply, can you show me some examples of the other blocks? Always interested on hardening tips

AlwaysSkint · June 10, 2020, 10:20pm

I’ve been badgering mods to give us a mod_security interface and ruleset, similar to other control panels; even the free ‘old’ OWASP ruleset is a great starting point.
Mod_sec can help block SQL injection, Wordpress hacks and general ‘naughtiness’. I consider it an essential part of a hosted setup. It’s much more versatile than only relying on .htaccess rules, IME.

@xysites Just one example of many ‘hits’:

[Thu Jun 11 07:25:26.114204 2020] [:error] [pid 4212:tid 140451436803840] [client 51.77.135.89:43030] [client 51.77.135.89] ModSecurity: Warning. Pattern match “^[1]+$” at REQUEST_HEADERS:Host. [file “/usr/local/apache/modsecurity-owasp-latest/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf”] [line “793”] [id “920350”] [rev “2”] [msg “Host header is a numeric IP address”] [data “xxx.xxx.xxx.xxx”] [severity “WARNING”] [ver “OWASP_CRS/3.0.0”] [maturity “9”] [accuracy “9”] [tag “application-multi”] [tag “language-multi”] [tag “platform-multi”] [tag “attack-protocol”] [tag “OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST”] [tag “WASCTC/WASC-21”] [tag “OWASP_TOP_10/A7”] [tag “PCI/6.5.10”] [hostname “xxx.xxx.xxx.xxx”] [uri “/cgi-bin/mainfunction.cgi”] [unique_id “XuFPxnZqNmQM71x9zjqhwAAAAMo”]

A hack attempt from an OVH EU location to an Oz VPS.

\\d.: ↩︎

xysites · June 11, 2020, 10:19am

Hey, that’s really nice, didn’t knew about this, would mod_security work good along with clamav?

AlwaysSkint · June 11, 2020, 10:49am

@xysites
clamav & mod_security are independent and can co-exist happily. One deals with the uploading and embedding of virus via files, the other overall protection of your web server vulnerabilities.
If your clients hardly upload files to your server, then clamav has a large footprint for very little use. mod_sec continuously acts as a barrier to people attempting to hack your websites/databases.
Crap! I sound like an advert.

xysites · June 11, 2020, 11:06am

Nice! will do a research on how to install and configure.
Thanks! This is very very helpful for me.

danonanon · June 11, 2020, 11:16am

The same here after an installation:

sudo bash hst-install.sh --apache no --nginx yes --phpfpm yes --multiphp no --vsftpd no --proftpd yes --named yes --mysql yes --postgresql no --exim yes --dovecot yes --clamav no --spamassassin no --iptables yes --fail2ban yes --quota yes --api yes --force no --interactive yes --port 8083 --lang en

Any advices for NGINX?

eris · June 11, 2020, 11:21am

You could install Haveged

danonanon · June 11, 2020, 11:24am

Oh it’s ok for now, just checked it. I did a notice that this sutuation lasts 15 to 30 minutes immediately after installation.

Lupu · June 11, 2020, 11:26am

Don’t worry about that ssl-params process it is executed when dovecot starts for the first time and takes about 5-20min to finish.

AlwaysSkint · June 11, 2020, 11:36am

Look like this is a multi-topic thread.

Raphael · June 11, 2020, 11:47am

Infact, all is answered now, let’s stop the notification storm .