Am I under a DoS attack?

Hi,

My VPS crashed four times this month. I saw on the monitoring that CPU was at 100% and that the traffic increased before it (screenshot).

After restarting it I can see that an unknown IP address was trying to connect to the CMS a lot of times.

I never had this problem before, but this month it happened 4 times.

Do you have any advice?

Thank you!


Hi,

The problem happened again this night.

Does anybody have the solution?

Why are so many IPs trying to connect to my CMS? (photo)

Regards

The screenshots may suggest an attack, however you would need to further investigate to understand and resolve the issue.

If it is the session table in your screenshot, it appears to show a small number of IPs. It is possible that it could be that you have another service accessing the CMS, causing the high load in your screenshots.

You may want to look at your access logs to see if you can narrow down where the issue is coming from. If you are using a reverse proxy, then those logs would be a good place to start.

I cannot provide any further support on how to secure your web service but I do hope that you are able to locate the problem and resolve it.

Many Thanks.
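An added example, not part of the original thread: one way to narrow down the source from an access log, as the reply above suggests, by counting requests and login form submissions per client IP and listing per-minute bursts. The Combined Log Format, the `/login` path, the burst threshold of 5 and the sample lines are assumptions made for the illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumption: Combined Log Format, the default for Apache and nginx.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} \S+'
)

def parse(lines):
    """Yield (ip, minute, method, path) for every parseable line."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed entries instead of aborting
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["ip"], ts.replace(second=0), m["method"], m["path"]

def summarize(lines, login_path="/login", burst=5):
    """Return (requests per IP, login POSTs per IP, per-minute bursts)."""
    total, login_posts, per_minute = Counter(), Counter(), defaultdict(Counter)
    for ip, minute, method, path in parse(lines):
        total[ip] += 1
        per_minute[ip][minute] += 1
        # A POST to the login path is a form submission, not just a page load.
        if method == "POST" and path.split("?")[0] == login_path:
            login_posts[ip] += 1
    bursts = sorted(
        (ip, minute.strftime("%Y-%m-%d %H:%M"), n)
        for ip, minutes in per_minute.items()
        for minute, n in minutes.items() if n >= burst
    )
    return total, login_posts, bursts

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    f'203.0.113.7 - - [12/Mar/2024:02:14:{s:02d} +0000] "POST /login HTTP/1.1" 200 512 "-" "-"'
    for s in range(0, 60, 10)
] + [
    '198.51.100.20 - - [12/Mar/2024:02:14:05 +0000] "GET /login HTTP/1.1" 200 4096 "-" "-"',
    '198.51.100.20 - - [12/Mar/2024:02:15:09 +0000] "GET /dashboard HTTP/1.1" 200 9000 "-" "-"',
    "not a log entry",
]

if __name__ == "__main__":
    total, login_posts, bursts = summarize(SAMPLE)
    print("requests per IP:", total.most_common())
    print("login POSTs per IP:", login_posts.most_common())
    print("bursts (ip, minute, count):", bursts)
```

To use it on a real log, pass an open file object to `summarize()` in place of `SAMPLE`; behind a reverse proxy, use the proxy's log.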

Thank you for your reply.

All these addresses are not allowed to connect; the IPs came from abroad.

In the access log I’m the only one to be logged.

I’ve set up fail2ban on my VPS, but it appears IPs are still trying to connect.

If you’re running a server on the public internet then people will try and connect to it - all the time.

You need to make sure the server is properly secured and hardened, and that you use strong passwords on your CMS accounts.

Thank you @alex,

Last question: what does it mean if in the active column there is the “check” sign and if the user column is empty? Is the “hacker” logged on the CMS?


Thank you!

If the user column is empty, then that connection is not logged in.

Active simply means that the session has not expired. You get a session as soon as you load the login page.

OK thank you @alex I understand.
What can you advise to protect the login page?

I’ve been attacked again this night … 2 times this week.

I forgot to tell you that I’m using a redirection address for easy access: 51.00.00.00 -> mycms.mywebsite.com
May it have an impact?

Regards

Just loading the login page triggers almost no load on the CMS.

If that’s taking your server down, then I would suggest it’s either under specified, or the amount of traffic you’re receiving is way outside what is in the screenshots (which is a few connections only).

In that case you’d need to be using something like Cloudflare (which I’ve not tested) to front the CMS.

I’m not sure what you mean by a redirection service, but the Players make POST requests so won’t be able to work if there’s any kind of HTTP redirect in their path.

There are about 4 more pages of the same address trying to connect at the same time.

I think I’ll test Cloudflare.

The redirection that I’m talking about is just a domain address targeted (type A) to the IP address of my VPS. It doesn’t affect the players.

If it’s all from one address, then just block that address from contacting the CMS.

DigitalOcean do a Cloud Firewall so it’s very simple to enable that

It is the same address for one attack; it changes on the next, so it is impossible to prevent by blocking.

Do you often hear about DDoS attacks on Xibo?

No it’s not common with CMS instances, but it’s very common on the internet generally.

Unfortunately that’s the nature of the internet.