One virtual server is not responding, need advice

One of our WordPress sites has been down for an hour. I tried to match the time; these 2 lines are not something we understand. If we got attacked... what should we do next time?

I use a Linode 4GB plan + Virtualmin (paid member) + KeyCDN (paid member).

What else can I do?

196.52.43.57 - - [02/Aug/2017:15:41:59 -0400] "GET / HTTP/1.1" 200 29574 "-" "-"
37.9.113.78 - - [02/Aug/2017:15:42:12 -0400] "GET /manual/de/mod/mod_log_referer.html HTTP/1.1" 404 439 "-" "Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)"

Status: Active

Comments

Howdy -- hmm, I'm not familiar with keycdn, but we can certainly look into the problem that you're seeing.

What is the domain name that you're having this problem with?

And what happens when trying to browse to that website, are you receiving an error of some kind?

It doesn't have anything to do with KeyCDN; I just want to tell you what services I am using on this site.

We just cannot log in and reset the password; the site seems to be frozen.

There is no error at all; we just cannot log in as usual, and when I try a password reset, it says the email is invalid....

Now we can reset, but I did not do anything.

I realized the IP address is not local.

www.signwareexpress.com

Hmm, yeah your site does seem to be working now... you're saying that you were able to reset your password?

I wonder if maybe there was a temporary issue with the CDN?

If it happens in the future, another thing to try might be to just run the command "uptime", and ensure that there isn't a high load on your server. If there was a high load, that could cause some problems.

Is everything else working now though?

Yes it is, thanks for replying.

Instead of SSL, will HTTP/2 reduce this kind of attack? Because the IP shows it is coming from Moscow.

I'm not too familiar with using "http/2", though it's difficult to say at the moment what caused the issue you were seeing earlier.

If you're seeing a high amount of traffic from one particular IP address though, you could always try blocking that IP using a firewall, or with the command "route add -host x.x.x.x reject".

Andy, can you help me a little with how to check the traffic log? I only go to virtual machine => logs and reports => webalizer report, but I tried a few times with the options and I am not able to dig out a detailed traffic log with IP addresses.

Those are the IPs that come from Moscow:

178.154.171.53 213.180.203.14 37.9.113.78

It's not uncommon for IPs to come from foreign IP addresses; the key is to determine if there's enough of them that it could have caused a DoS attack.

Unfortunately, that's pretty tough to determine afterwards.

Interpreting the logs is getting a bit outside the scope of our support, though I'll toss out a tidbit I use on my personal servers... I use this command to show a list of what IPs have accessed the website, and how many times that has happened:

cat access_log | awk '{print $1}' | sort | uniq -c | sort -n

There's a lot of things that it doesn't show, such as what time period those requests came through in. Having 1000 requests a minute is a lot worse than 1000 requests over a month. But it's at least a place to start :-)

You need to cd to the logs directory under the domain's home first.
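
Added example, not part of the original thread: the one-liner above counts hits per IP over the whole file, while this variant buckets them by minute so that a short burst stands out from steady crawler traffic. It assumes the standard Apache common/combined log format (client IP in field 1, timestamp in field 4); the function names, the threshold argument and the sample lines (documentation-range IPs) are constructed for illustration.

```sh
#!/bin/sh
# Added example: requests per client IP per minute from an Apache access log.

# per_minute_counts LOGFILE [THRESHOLD]
# Prints "count dd/Mon/yyyy:HH:MM ip" for each pair at or above THRESHOLD, busiest first.
per_minute_counts() {
    awk -v thr="${2:-1}" '
        # Field 4 looks like "[02/Aug/2017:15:41:59"; skip lines that do not match.
        length($4) >= 21 && substr($4, 1, 1) == "[" {
            minute = substr($4, 2, 17)      # keep dd/Mon/yyyy:HH:MM, drop seconds
            hits[minute " " $1]++
        }
        END {
            for (k in hits)
                if (hits[k] >= thr) print hits[k], k
        }
    ' "$1" | sort -k1,1nr -k2,2 -k3,3
}

# Constructed sample log (not real traffic): one client bursts at 15:41.
write_sample_log() {
    cat > "$1" <<'EOF'
192.0.2.10 - - [02/Aug/2017:15:41:01 -0400] "GET / HTTP/1.1" 200 29574 "-" "-"
192.0.2.10 - - [02/Aug/2017:15:41:15 -0400] "GET / HTTP/1.1" 200 29574 "-" "-"
192.0.2.10 - - [02/Aug/2017:15:41:30 -0400] "GET / HTTP/1.1" 200 29574 "-" "-"
192.0.2.10 - - [02/Aug/2017:15:41:59 -0400] "GET / HTTP/1.1" 200 29574 "-" "-"
198.51.100.7 - - [02/Aug/2017:15:41:20 -0400] "GET /robots.txt HTTP/1.1" 404 439 "-" "-"
192.0.2.10 - - [02/Aug/2017:15:42:12 -0400] "GET / HTTP/1.1" 200 29574 "-" "-"
EOF
}

# Demo: show only (IP, minute) pairs with 3 or more requests.
demo_log=$(mktemp)
write_sample_log "$demo_log"
per_minute_counts "$demo_log" 3
rm -f "$demo_log"
```

On a real server, run it against the domain's access_log from the logs directory and raise the threshold until only the outliers remain.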