Server rebooted, sorry about the spottiness there

[matthew1]

The reboot should take care of it.

[matthew1]

More dropouts today after that reboot, again, sorry.

I'm not happy about it and tomorrow it has my full attention. I don't know what the fix is, but that's why research exists.

[FCPEURO]

Your not the only one having this issue. Turbobricks have been cutting in and out for the last week also. You can only do what you can and we understand.

[matthew1]

Thanks Andrew.

Looks like it was a series of automated attempts to gain access to the server. At first that sounds alarming, but it's not. If you connect any computer to the Internet long enough, someone will try to gain control of it.

I have things locked down pretty good so I'm not concerned about a break in. The problem arises because MVS is "small potatoes" and has no headroom to deal with the break in attempts (they consume server resources -- CPU cycles, memory, connections, etc.).

If I had a $5k/year budget for hosting I'd have either more headroom (like distributed load balancing) to deal with crack attempts or I'd have some system to step in to block these cracking attempts.

If it's a large Denial of Service ("DDoS") attack my host will automatically block traffic upstream from my server, but this latest attempt didn't reach that level.

That said, I made some changes to the configuration of how the server spends its resources -- in this case on the MySQL database -- to make it more efficient. That's nothing new; I've been tweaking it at least once a month for over 18 months now. Living and learning .

When you don't have the money to pay the pros, you learn it yourself.

[billofdurham]

When you don't have the money to pay the pros, you learn it yourself.

That could be the site's motto.

I don't understand the computer-speak but I do know that you always pull things together so, if I can't get in, I wait a few minutes and try again.

This is the only forum I have found where the administrator takes the time to explain the problems he encounters.

Bill.

[matthew1]

Bill, it's all jibberish that I type .

[billofdurham]

Great, jibberish is my second language.

Bill.

[kcodyjr]

Matt, my day job is as a senior UNIX server support engineer/admin/architect.

Is it a virtual private host, or shared hosting?

If VPS, are you running PSAD (port scan attack detector)? It watches for telltales and automatically blocks IP level traffic from the offender, if it sees something that doesn't smell right.

[matthew1]

Kcody, it's a 1.5GB VPS (Debian) that I built up myself and had hardened in August by a pro. Since then I've updated the kernel.

I tune Apache and MySQL myself.

I run Logwatch http://linux.about.com/library/cmd/blcmdl8_logwatch.htm and a rootkit checker. My vulnerabilities are phpMyAdmin, SSH and of course MySQL. Should I be saying this out loud?

Logwatch sounds like PSAD but without the reactive component. I'll read about PSAD tonight.

[kcodyjr]

That's respectable specs.

If the kernel's been in-stream all along, then you didn't undo anything the pro did.

No particular problem saying that out loud, but:

* You should lock down SSH to only accepting keypair authentication.

* Is there any need for phpMyAdmin and MySQL to receive connections from anywhere but localhost? If not, iptables should be used to restrict connections to localhost. Even if so, SSH can be leveraged to open a secure redirect. If you'd like some guidance on how that's done, please reach out to me by some less public way.

* Logwatch as I know it just does a daily digest. PSAD does realtime packet inspection, evaluates a danger level, and sends email reports of any actions it's taken.

All in all you've got it in pretty good shape. The rootkit checker is an excellent touch.