Best method for blocking too many PHP processes due to broken links and 404 errors

John1975

• September 25, 2013 11:21

I just migrated to a new VPS from shared and don't have many of the configs of the old system. I'm having a problem with a couple of IPs downloading images out of a folder. This is a normal thing we allow but two IPs are using the wrong folder ( one level above where they should be) and it's causing 50-100 PHP processes from 404 errors generated. Every time there's a 404 it calls an index.php and these are where all of the PHP processes are coming from. This in turn eats all memory and crashes mysql and spamd and the site goes down. We allow bulk image downloading of about 3500 images and it's never been an issue until on this server so obviously it's a config I don't have in place. I can see them trying it every morning at the same time and if I kill all PHP processes while they run through the bad URLs I can keep the server from crashing using "killall php". As an example they should be downloading from /home//public_html/images/backup/detailed. This is where all of the images are but instead two are trying to get them from /home//public_html/images/detailed and there are no images there. The 404s happen so fast (1-5 per second) it builds up too many PHP processes. They are downloading via script or a download manager. httpd processes are normal. What is the best method for dealing with this? I need to keep users out of this folder when downloading images but the cart requires /home//public_html/images/detailed to function because there are subfolders it uses for product images. How do I limit the PHP processes from eating up memory? I don't want to block the IP entirely because they are good customers. I haven't been able to get their info by IP to contact them and ask them to stop using the bad URLs plus I need to protect the server from this type of issue with anyone else. I am using suPHP with Apache suExec. If I remember right the user of the PHP proceses was nobody indicating they were spawned from Apache. Thanks

• 

  John1975

  • September 25, 2013 17:07

  I had to double check what I said. The PHP processes aren't user nobody. They are my main user as they should be. [COLOR="silver">- - - Updated - - - If I hammer the page with refreshes I get the same effect. Multiple httpd and PHP processes. I guess it could be a combination of both causing the problem. I think it's the speed at which the errors ocurr. When they use the correct path it doesn't seem to be a problem.

  0
• 

  John1975

  • September 25, 2013 17:18

  I'm starting to think that what I'm looking for is a way to limit the number of connections an IP can make in a set amount of time.

  0
• 

  cPanelMichael

  • September 25, 2013 17:24

  [quote="John1975, post: 1469441">I'm starting to think that what I'm looking for is a way to limit the number of connections an IP can make in a set amount of time.
  You may want to consider utilizing a third-party firewall such as CSF, or implementing some custom firewall rules to limit the connections. Thank you.

  0
• 

  John1975

  • September 25, 2013 17:41

  I'm reading about CSF, APF, mod_throttle, and mod_limitipconn. Being that I have had flood attacks on MySQL also do you think CSF would be the best way to go here? Thank you for your reply.

  0
• 

  John1975

  • September 25, 2013 17:56

  Is there no way to do this in the Apache config in WHM? What are the following directives there. I read what is wrote there but I still don't know if it will help this issue or be too encompassing. Server Limit Max Request Workers Max Connections Per Child

  0
• 

  John1975

  • September 25, 2013 18:09

  Would MPM Prefork or Worker help in this case? [COLOR="silver">- - - Updated - - - or Mod Security?

  0

Please sign in to leave a comment.