High CPU from queueprocd - process - block_brute_force & /usr/sbin/nft --json list ruleset
Hello,
I am constantly getting high CPU usage from processes that I think are security related.
queueprocd - process - block_brute_force
/usr/sbin/nft --json list ruleset
queueprocd - waiting up to 1s to process a task
cPhulkd - dbprocessor
cPhulkd - processor - http socket
It is a powerful server with 8 cores at more than 3.5 GHz, and its usage is high.
I have also noticed that I have 274532 records in the one-day blocks.
Is there any way to stop or improve this?
Thanks.
Hey there! It would seem your server is under a serious brute force attack, as there are nearly 275,000 entries in the log for just the previous 24 hours. With that amount of traffic, you should start looking into external firewall tools outside of your server, such as a dedicated firewall that can help to stop these attacks before they even reach your server. I would recommend speaking with your hosting provider or datacenter to see what options you have available. As long as that amount of traffic is reaching your server, you will continue to experience high load and performance issues.
Thanks for the reply. I have activated the COUNTRY BLACKLIST for all countries except my own and the unknown "ZZ". I have observed something curious: in FAILED LOGINS I have only 431 records from my country, in BLOCKED USERS none, in BLOCKED IP ADDRESSES none either, but in ONE-DAY BLOCKS I still have a lot. It is also weird because the countries that appear in the ONE-DAY BLOCKS are countries that are blacklisted, but they still continue to be blocked and continue to appear there. Isn't it the case that the recurring blocks of BLOCKED IP ADDRESSES should appear in ONE-DAY BLOCKS? It seems strange to me not having them on one side but on the other. Do you know if changing to a solution like Imunify360 would solve or mitigate the problem, or do I necessarily have to look for an external firewall? Thanks!
I don't believe Imunify would help in this situation. While it has a web application firewall, that's more like an advanced version of ModSecurity and not something that would block this type of attack. No country code blocking system is perfect, as that would require an accurate list of the IP addresses from every country, which just isn't available, and often changes. Because of that, it is not surprising to me that you may still see some connections from blocked countries with the amount of traffic you are receiving.
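One thing a practitioner can do on the host itself, while arranging an upstream firewall, is stop paying the per-event cost: every one-day block above triggers a queueprocd task that lists the whole nft ruleset, and with ~275,000 events a day that is where the CPU goes. The added example below (not code from the thread or from cPanel) reads a batch of block records, aggregates them by /24, and emits a single nftables set plus a drop rule, so the heaviest sources are dropped in the packet filter before they ever reach cPHulk. The record format, column names, sample addresses and the `bruteforce_v4` set name are constructed assumptions for the example; cPHulk's real export format is not shown on this page.

```python
"""Aggregate brute-force block records into one nftables set.

Added example, not part of the forum thread or cPanel's own tooling.
The tab-separated record layout (ip, country, reason, timestamp) and
the sample addresses are constructed for illustration.
"""
import ipaddress
from collections import Counter

# Constructed sample data using documentation address ranges (RFC 5737).
SAMPLE_BLOCKS = """\
198.51.100.23\tRU\tbrute_force\t2024-05-01 00:01:12
198.51.100.23\tRU\tbrute_force\t2024-05-01 00:03:40
198.51.100.77\tRU\tbrute_force\t2024-05-01 00:04:02
203.0.113.5\tCN\tbrute_force\t2024-05-01 00:05:31
203.0.113.9\tCN\tbrute_force\t2024-05-01 00:06:10
203.0.113.14\tCN\tbrute_force\t2024-05-01 00:06:55
192.0.2.200\tZZ\tbrute_force\t2024-05-01 00:07:03
"""


def parse_blocks(text):
    """Parse tab-separated block records into dicts; skips blank lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, cc, reason, ts = line.split("\t")
        rows.append({"ip": ipaddress.ip_address(ip), "cc": cc,
                     "reason": reason, "ts": ts})
    return rows


def count_by_country(rows):
    """How many block events came from each country code."""
    return Counter(r["cc"] for r in rows)


def count_by_prefix(rows, prefixlen=24):
    """Collapse individual offenders into /prefixlen networks.

    Brute-force campaigns usually rotate through addresses in the same
    netblock, so counting per prefix surfaces the source even when each
    single address only appears once or twice.
    """
    counts = Counter()
    for r in rows:
        net = ipaddress.ip_network(f"{r['ip']}/{prefixlen}", strict=False)
        counts[str(net)] += 1
    return counts


def select_prefixes(prefix_counts, threshold):
    """Prefixes with at least `threshold` events, sorted for stable output.

    Keep the threshold high enough that a single misbehaving user behind
    a shared NAT does not get their whole provider range dropped.
    """
    return sorted(p for p, n in prefix_counts.items() if n >= threshold)


def render_nft(prefixes, set_name="bruteforce_v4"):
    """Render an nft script: an interval set and a drop rule on input.

    `flags interval` is required for a set whose elements are prefixes.
    Load with `nft -f <file>`; the `counter` lets you watch hit rates
    with `nft list set inet filter bruteforce_v4`.
    """
    lines = ["table inet filter {",
             f"  set {set_name} {{",
             "    type ipv4_addr",
             "    flags interval"]
    if prefixes:  # an empty `elements = { }` is a syntax error in nft
        lines.append(f"    elements = {{ {', '.join(prefixes)} }}")
    lines += ["  }",
              "  chain input {",
              "    type filter hook input priority 0; policy accept;",
              f"    ip saddr @{set_name} counter drop",
              "  }",
              "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    rows = parse_blocks(SAMPLE_BLOCKS)
    print("by country:", dict(count_by_country(rows)))
    print(render_nft(select_prefixes(count_by_prefix(rows), threshold=3)))
```

On the sample data the two /24s with three events each are emitted and the lone `192.0.2.200` hit is left to cPHulk. In practice, run this from cron against the real block export, load the result with `nft -f`, and review the counters before lowering the threshold; the set only helps as long as cPHulk does not also keep emitting one nft invocation per event, so the point is to drop the bulk of the traffic before it reaches the login services at all.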