VPS on CentOS extremly slow webserver

Also your host may do it for you for a nominal fee (depending on the type of VPS service you signed up for)

hmm I tried, but its telling me no package available… weird

[root@srv1 ~]# rpm -Uvh http://mirror.webtatic.com/yum/el6/latest.rpm
Retrieving http://mirror.webtatic.com/yum/el6/latest.rpm
Preparing… ########################################### [100%]
package webtatic-release-6-4.noarch is already installed
[root@srv1 ~]# yum install php55w php55w-opcache
Loaded plugins: fastestmirror, presto, replace, security
Loading mirror speeds from cached hostfile

  • base: centos.mirror.triple-it.nl
  • extras: centos.mirror.triple-it.nl
  • updates: centos.mirror.triple-it.nl
  • webtatic: nl.repo.webtatic.com
    Setting up Install Process
    No package php55w available.
    No package php55w-opcache available.

the website is back to being very slow, so I guess it wasnt the xml file but deleting those was just coincidence.
I did however find the reason ( I think)

In my direct admin I had 42 messages (started this server sunday) telling me there was a brute force attack:
A brute force attack has been detected in one of your service logs.

User root has 2978 failed login attempts: proftpd1=4&sshd5=2974

Check ‘Admin Level -> Brute Force Monitor’ for more information

with a shitload of logs like this one:

13897348210015 61.147.107.99 root 1 sshd5 Jan 14 22:26:44 srv1 sshd[5979]: Failed password for root from 61.147.107.99 port 4894 ssh2
13897348210014 61.147.107.99 root 1 sshd5 Jan 14 22:26:42 srv1 sshd[5979]: Failed password for root from 61.147.107.99 port 4894 ssh2
13897348210013 61.147.107.99 root 1 sshd5 Jan 14 22:26:40 srv1 sshd[5979]: Failed password for root from 61.147.107.99 port 4894 ssh2
13897348210012 61.147.107.99 root 1 sshd5 Jan 14 22:26:37 srv1 sshd[5979]: Failed password for root from 61.147.107.99 port 4894 ssh2
13897348210011 61.147.107.99 root 1 sshd5 Jan 14 22:26:35 srv1 sshd[5979]: Failed password for root from 61.147.107.99 port 4894 ssh2
13897348210010 61.147.107.99 root 1 sshd5 Jan 14 22:26:29 srv1 sshd[5977]: Failed password for root from 61.147.107.99 port 4423 ssh2

any way I can stop this ?

Yes, and I’m not the best resource for that, but iptables and blocking the IP would be my first thought.
Also, make sure you have a VERY strong password and if you are comfortable with Putty/Shell, use a public/private key with a passphrase

Calling the Hosting Team (to the rescue!): @ScallioXTX ; @EastCoast ; @Force_Flow ;

yea but they change IP every 10 seconds or so, so thats hard to block. I could block All exept for my wn If i knew how to haha

btw root login is disabled.

I installed APF but when I enable APF my website and direct admin etc cannot be reached. ( I followed a pretty straight forward tutorial on how to set it up)
Could you guys take a look at my config file and tell me whats wrong with it ?

#!/bin/bash
#
# APF 9.7 [apf@r-fx.org]
# Copyright (C) 2002-2011, R-fx Networks <proj@r-fx.org>
# Copyright (C) 2011, Ryan MacDonald <ryan@r-fx.org>
# This program may be freely redistributed under the terms of the GNU GPL
#
# NOTE: This file should be edited with word/line wrapping off,
#       if your using pico/nano please start it with the -w switch
#       (e.g: pico -w filename)
# NOTE: All options in this file are integer values unless otherwise
#       indicated. This means value of 0 = disabled and 1 = enabled.

##
# [Main]
##
# !!! Do not leave set to (1) !!!
# When set to enabled; 5 minute cronjob is set to stop the firewall. Set
# this off (0) when firewall is determined to be operating as desired.
DEVEL_MODE="1"

# The installation path of APF; this can be changed but it is not recommended.
INSTALL_PATH="/etc/apf"

# Untrusted Network interface(s); all traffic on defined interface will be
# subject to all firewall rules. This should be your internet exposed
# interfaces. Only one interface is accepted for each value.
IFACE_IN="eth1"
IFACE_OUT="eth1"

# Trusted Network interface(s); all traffic on defined interface(s) will by-pass
# ALL firewall rules, format is white space or comma separated list.
IFACE_TRUSTED="eth0"

# This option will allow for all status events to be displayed in real time on
# the console as you use the firewall. Typically, APF used to operate silent
# with all logging piped to $LOG_APF. The use of this option will not disable
# the standard log file displayed by apf --status but rather compliment it.
SET_VERBOSE="1"

# The fast load feature makes use of the iptables-save/restore facilities to do
# a snapshot save of the current firewall rules on an APF stop then when APF is
# instructed to start again it will restore the snapshot. This feature allows
# APF to load hundreds of rules back into the firewall without the need to
# regenerate every firewall entry.
# Note: a) if system uptime is below 5 minutes, the snapshot is expired
#       b) if snapshot age exceeds 12 hours, the snapshot is expired
#       c) if conf or a .rule has changed since last load, snapshot is expired
#       d) if it is your first run of APF since install, snapshot is generated
#       - an expired snapshot means APF will do a full start rule-by-rule
SET_FASTLOAD="0"

# Virtual Network Sub-System (VNET) creates independent policy rule set for
# each IP on a system to /etc/apf/vnet/IP.rules. These rule files can be
# configured with conf.apf variables for unique but convenient firewall
# policies or custom iptables entries for even greater flexibility.
SET_VNET="0"

# This feature firewalls any additional interfaces on the server as untrusted
# through the VNET sub-system. Excluded are interfaces that have already been
# defined by IFACE_* variables. This feature is ideal for systems running
# private interfaces where not all hosts on the private network are trusted or
# are otherwise exposed to "open" networks through this private interface
# (i.e: the Internet, network accessible storage LAN, corporate WAN, etc..)
SET_ADDIFACE="0"

# This allows the firewall to work around modular kernel issues by assuming
# that the system has all required firewall modules compiled directly into
# kernel. This mode of operation is not generally recommended but can be used
# scale APF to unique situations.
SET_MONOKERN="0"

# The expiry interval, in seconds, that bans will be expired out of the trust
# system. This only applies to local bans from deny_hosts.rules and not global
# import rules. The value must not be less than equiv. seconds of SET_REFRESH.
# [value in seconds, 0 to disable, recommended 600]
SET_EXPIRE="0"

# This controls how often, if at all, we want the trust system to refresh rules.
# The firewall will flush & reload all static rules, redownload global rules and
# re-resolve any dns names in the rules. This is ideal when using dynamic dns
# names or downloadable global trust rules. [value in minutes, 0 to disable]
SET_REFRESH="10"

# This is the total amount of rules allowed inside of the deny trust system.
# When this limit is reached, the deny rule files will begin to purge older
# entries to maintain the set limit. [value is max lines, 0 for unlimited]
SET_TRIM="150"

# Verifies that the IFACE_* and IFACE_TRUSTED interfaces are actually routed
# to something. If configured interfaces are found with no routes setup then
# APF will exit with an error to prevent further issues (such as being locked
# out of the system).
VF_ROUTE="1"

# Verifies that crond is running when DEVEL_MODE=1; if not then APF will not
# try to load as if lock-up occurs no cron service to flush firewall.
VF_CROND="1"

# Verifies that all inbound traffic is sourced from a defined local gateway MAC
# address. All other traffic that does not match this MAC address will be
# rejected as untrusted traffic. It is quite easy to forge a MAC address and as
# such this feature executes NO default accept policy. Leave this option empty
# to disable or enter a 48-bit MAC address to enable.
VF_LGATE=""

##
# [Reactive Address Blocking]
##
# Reactive Address Blocking (RAB) monitors addresses as they traverse the firewall
# rules and tracks all policy violations attempted by an address. The firewall then
# reacts to the violations by blocking addresses temporarily on the assumption that
# we are protecting the host from what an attacker may do under the pretext of what
# an attacker has already done. The interface that powers RAB is the iptables kernel
# module 'xt/ipt_recent'; as such there is no external programs required for this
# feature or additional load imposed by it.
RAB="0"

# This enables RAB for sanity violations, which is when an address breaks a
# strict conformity standard such as trying to spoof an address or modify
# packet flags. It is strongly recommended that this option NOT be disabled.
RAB_SANITY="1"

# This enables RAB for port scan violations, which is when an address attempts
# to connect to a port that has been classified as malicious. These types of
# ports are those which are not commonly used in today's Internet but are
# the subject of scrutiny by attackers, such as 1,7,9,11 and so on. The security
# level defines the group of ports that RAB will react against. The port groups
# can be customized in 'internals/rab.ports'.
# 0 = disabled | 1 = low security  | 2 = medium security | 3 = high security
RAB_PSCAN_LEVEL="1"

# This controls the amount of violation hits an address must have before it
# is blocked. It is a good idea to keep this very low to prevent evasive
# measures. The default is 0 or 1, meaning instant block on first violation.
RAB_HITCOUNT="1"

# This is the amount of time (in seconds) that an address gets blocked for if
# a violation is triggered, the default is 300s (5 minutes).
RAB_TIMER="300"

# This allows RAB to 'trip' the block timer back to 0 seconds if an address
# attempts ANY subsiquent communication while still on the inital block period.
RAB_TRIP="1"

# This controls if the firewall should log all violation hits from an address.
# The use of LOG_DROP variable set to 1 will override this to force logging.
RAB_LOG_HIT="1"

# This controls if the firewall should log all subsiqent traffic from an address
# that is already blocked for a violation hit, this can generate allot of logs.
# The use of LOG_DROP variable set to 1 will override this to force logging.
RAB_LOG_TRIP="0"

##
# [Packet Filtering/Handling]
##
# How to handle TCP packet filtering?
#
#  RESET (sends a tcp-reset; TCP/IP default)
#  DROP  (drop the packet; stealth ?)
#  REJECT (reject the packet)
TCP_STOP="DROP"

# How to handle UDP packet filtering?
#
#  RESET (sends a icmp-port-unreachable; TCP/IP default)
#  DROP  (drop the packet; stealth ?)
#  REJECT (reject the packet)
#  PROHIBIT (send an icmp-host-prohibited)
UDP_STOP="DROP"

# How to handle all other packet filtering?
#
#  DROP  (drop the packet)
#  REJECT (reject the packet)
ALL_STOP="DROP"

# The sanity options control the way packets are scrutinized as they flow
# through the firewall. The main PKT_SANITY option is a top level toggle for
# all SANITY options and provides general packet flag sanity as a pre-scrub
# for the other sanity options. In short, this makes sure that all packets
# coming and going conform to strict TCP/IP standards. In doing so we make it
# very difficult for attackers to inject raw/custom packets into the server.
PKT_SANITY="1"

# Block any packets that do not conform as VALID, this feature is safe for most
# but some may experience protocol issues with broken remote clients. This is
# very similar to PKT_SANITY but has a wider scope and as such has the ability
# to affect many application protocols in undesirable ways.
PKT_SANITY_INV="0"

# Block any fragmented UDP packets, this is safe as no UDP packets should
# ever be fragmented.
PKT_SANITY_FUDP="1"

# Block packets with a source or destination of port 0, this is safe as
# nothing should ever communicate on port 0 (technically does not exist).
PKT_SANITY_PZERO="1"

# Default Type of Service (TOS); These values should be set to a comma
# separated list of ports which you would like marked with the given TOS level.
#
# Set the default TOS value [0,2,4,8,16]
TOS_DEF="0"

# Set the default TOS port range
TOS_DEF_RANGE="512:65535"

# 0: Ports for Normal-Service
TOS_0=""

# 2: Ports for Minimize-Cost
TOS_2=""

# 4: Ports for Minimize Delay - Maximize Reliability
TOS_4=""

# 8: Ports for Maximum Throughput - Minimum Delay
TOS_8="21,20,80"

# 16: Ports for No Delay - Moderate Throughput - High Reliability
TOS_16="25,110,143"

# Allow traceroute requests on the defined range of ports. This feature
# is not required for normal operations and some even prefer it disabled.
# Enable Traceroute 	# Traceroute ports
TCR_PASS="1"		TCR_PORTS="33434:33534"

# Set a reasonable packet/time ratio for ICMP packets, exceeding this flow
# will result in dropped ICMP packets. Supported values are in the form of:
# pkt/s (packets/seconds), pkt/m (packets/minutes)
# Set value to 0 for unlimited, anything above is enabled.
ICMP_LIM="30/s"

# Creates firewall rules based on the local name servers as defined in the
# /etc/resolv.conf file. This is the preferred secure method for client side
# name server requests. This option has no bearing on a locally hosted DNS
# service.
RESV_DNS="1"

# When RESV_DNS is enabled, all the untrusted name server traffic can fill the
# logs with client DNS traffic. This can be suppressed with an implicit drop
# of all such traffic (sport 53 inbound) as so to avoid log chains. If you run
# applications that have unique name servers configured, this may break them.
RESV_DNS_DROP="1"

# A common set of known Peer-To-Peer (p2p) protocol ports that are often
# considered undesirable traffic on public Internet servers. These ports
# are also often abused on web hosting servers where clients upload p2p
# client agents for the purpose of distributing or downloading pirated media.
# Format is comma separated for single ports and an underscore separator for
# ranges (4660_4678).
BLK_P2P_PORTS="1214,2323,4660_4678,6257,6699,6346,6347,6881_6889,6346,7778"

# These are common Internet service ports that are understood in the wild
# services you would not want logged under normal circumstances. All ports
# that are defined here will be implicitly dropped with no logging for
# TCP/UDP traffic inbound or outbound. Format is comma separated for single
# ports and an underscore separator for ranges (135_139).
BLK_PORTS="135_139,111,513,520,445,1433,1434,1234,1524,3127"

# You need multicasting if you intend to participate in the MBONE, a high
# bandwidth network on top of the Internet which carries audio and video
# broadcasts. More about MBONE at: www-itg.lbl.gov/mbone/, this is generally
# safe to enable.
BLK_MCATNET="0"

# Block all private ipv4 addresses, this is address space reserved for private
# networks or otherwise unroutable on the Internet. If this host resides behind
# a router with NAT or routing scheme that otherwise uses private addressing,
# leave this option OFF. Refer to the 'internals/private.networks' file for
# listing of private address space.
BLK_PRVNET="0"

# Block all ipv4 address space marked reserved for future use (unassigned),
# such networks have no business talking on the Internet. However they may at
# some point become live address space. The USE_RD option further in this file
# allows for dynamic updating of this list on every full restart of APF. Refer
# to the 'internals/reserved.networks' file for listing of address space.
BLK_RESNET="1"

# Block all ident (tcp 113) requests in and out of the server IF the port is
# not already opened in *_TCP_CPORTS. This uses a REJECT target to make sure
# the ident requests terminate quickly. You can see an increase in irc and
# other connection performance with this feature.
BLK_IDENT="0"

# This is the maximum number of "sessions" (connection tracking entries) that
# can be handled simultaneously by the firewall in kernel memory. Increasing
# this value too high will simply waste memory - setting it too low may result
# in some or all connections being refused, in particular during denial of
# service attacks.
SYSCTL_CONNTRACK="65536"

# These are system control (sysctl) option changes to disable TCP features
# that can be abused in addition to tweaking other TCP features for increased
# performance and reliability.
SYSCTL_TCP="1"

# These are system control (sysctl) option changes intended to help mitigate
# syn-flood attacks by lowering syn retry, syn backlog & syn time-out values.
SYSCTL_SYN="0"

# These are system control (sysctl) option changes to provide protection from
# spoofed packets and ip/arp/route redirection. If you are performing advanced
# routing policies on this host such as NAT/MASQ you should disable this.
SYSCTL_ROUTE="0"

# This system control (sysctl) option will log all network traffic that is
# from impossible source addresses. This option can discover attacks or issues
# on your network you may otherwise not be aware of.
SYSCTL_LOGMARTIANS="0"

# This system control (sysctl) option will allow you to control ECN support
# (Explicit Congestion Notification). This feature provides an improved method
# for congestion avoidance by allowing the network to mark packets for
# transmission later, rather than dropping them from the queue. Please also
# see related USE_ECNSHAME option further down in this file.
SYSCTL_ECN="0"

# This system control (sysctl) option will allow you to make use of SynCookies
# support. This feature will send out a 'syn-cookie' when the syn backlog for a
# socket becomes overflowed. The cookie is used to interrupt the flow of syn
# transmissions with a hashed sequence number that must be correlated with the
# sending host. The hash is made up of the sending host address, packet flags
# etc..; if the sending host does not validate against the hash then the tcp
# hand-shake is terminated. In short, this helps to mitigate syn-flood attacks.
# Note: syncookies seriously violates TCP protocol and can result in serious
#       degradation of some services (i.e. SMTP); visible not by you, but your
#       clients and relays whom are contacting your system.
SYSCTL_SYNCOOKIES="1"

# This system control (sysctl) option allows for the use of Abort_On_Overflow
# support. This feature will help mitigate burst floods if a listening service
# is too slow to accept new connections. This option is an alternative for
# SynCookies and both should NEVER be enabled at once.
# Note: This option can harm clients contacting your system. Enable option only
#       if you are sure that the listening daemon can not be tuned to accept
#       connections faster.
SYSCTL_OVERFLOW="0"

# The helper chains are designed to assist applications in working with the
# stateful firewall in a more reliable fashion. You should keep these settings
# current with the ports SSH and FTP are operating on. Please DO NOT CONFUSE
# these settings with opening the SSH/FTP port as they have no bearing on
# actually connecting to the services. They are only for helping maintain your
# connection to the services [ESTABLISHED,RELATED connection states, not NEW].
HELPER_SSH="1"
HELPER_SSH_PORT="22"

HELPER_FTP="1"
HELPER_FTP_PORT="21"
HELPER_FTP_DATA="20"

# Configure inbound (ingress) accepted services. This is an optional
# feature; services and customized entries may be made directly to an ip's
# virtual net file located in the vnet/ directory. Format is comma separated
# and underscore separator for ranges.
#
# Example:
IG_TCP_CPORTS="20,21,22,25,26,37,43,53,80,110,113,143,315,443,465,873,993,995,2077,2078,2082,2083,2086,2087,2095,2096,3306,6666,2222"
IG_UDP_CPORTS="20,22,21,53,6277,315"
IG_ICMP_TYPES="3,5,11,30"

# Common inbound (ingress) TCP ports
IG_TCP_CPORTS="22,80"

# Common inbound (ingress) UDP ports
IG_UDP_CPORTS=""

# Common ICMP inbound (ingress) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
IG_ICMP_TYPES="3,5,11,0,30,8"

# Configure outbound (egress) accepted services. This is an optional
# feature; services and customized entries may be made directly to an ip's
# virtual net file located in the vnet/ directory.
#
# Outbound (egress) filtering is not required but makes your firewall setup
# complete by providing full inbound and outbound packet filtering. You can
# toggle outbound filtering on or off with the EGF variable. Format is comma
# separated and underscore separator for ranges.
#
# Example:
EG_TCP_CPORTS="21,25,37,53,80,110,113,#123,443,43,873,953,2089,2703"
# EG_UDP_CPORTS="20,21,53"
# EG_ICMP_TYPES="all"

# Outbound (egress) filtering
EGF="1"

# Common outbound (egress) TCP ports
EG_TCP_CPORTS="21,22,25,26,27,37,43,53,80,110,113,161,443,465,623,873,3389"

# Common outbound (egress) UDP ports
EG_UDP_CPORTS="20,21,53,161,465,623,873"

# Common ICMP outbound (egress) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
EG_ICMP_TYPES="all"

# Configure user-id specific outbound (egress) port access. This is a more
# granular feature to limit the scope of outbound packet flows with user-id
# conditioning. Format is comma separated and underscore separator for ranges.
# This is NOT A FILTERING FEATURE, this is an ACCESS CONTROL feature. That
# means EG_TCP_UID and EG_UDP_UID are intended to ALLOW outbound access for
# specified users, not DENY.
#
# Format: EG_[TCP|UDP]_UID="uid:port"
# Example:
# Allow outbound access to destination port 22 for uid 0
# EG_TCP_UID="0:22"

# UID-Match outbound (egress) TCP ports
EG_TCP_UID=""

# UID-Match outbound (egress) UDP ports
EG_UDP_UID=""

# Configure executable specific outbound (egress) filtering. This is a more
# granular feature to limit the scope of outbound packet flows with executable
# conditioning. The packet filtering is based on the CMD process field being
# passed along to iptables. All logged events for these rules will also include
# the executable CMD name in the log chain. This is A FILTERING FEATURE, not an
# ACCESS CONTROL feature. That means EG_DROP_CMD is intended to DENY outbound
# access for specified programs, not ALLOW.
#
# Format is comma separated list of executable names you wish to ban from being
# able to transmit data out of your server.

# CMD-Match outbound (egress) denied applications
EG_DROP_CMD="eggdrop psybnc *****x *****X init udp.pl"

##
# [Remote Rule Imports]
##
# Project Honey Pot is the first and only distributed system for identifying
# spammers and the spambots they use to scrape addresses from your website.
# This aggregate list combines Harvesters, Spammers and SMTP Dictionary attacks
# from the PHP IP Data at:  http://www.projecthoneypot.org/list_of_ips.php
DLIST_PHP="0"

DLIST_PHP_URL="rfxn.com/downloads/php_list"
DLIST_PHP_URL_PROT="http"

# The Spamhaus Don't Route Or Peer List (DROP) is an advisory "drop all
# traffic" list, consisting of stolen 'zombie' netblocks and netblocks
# controlled entirely by professional spammers. For more information please
# see http://www.spamhaus.org/drop/.
DLIST_SPAMHAUS="0"

DLIST_SPAMHAUS_URL="www.spamhaus.org/drop/drop.lasso"
DLIST_SPAMHAUS_URL_PROT="http"

# DShield collects data about malicious activity from across the Internet.
# This data is cataloged, summarized and can be used to discover trends in
# activity, confirm widespread attacks, or assist in preparing better firewall
# rules. This is a list of top networks that have exhibited suspicious activity.
DLIST_DSHIELD="0"

DLIST_DSHIELD_URL="feeds.dshield.org/top10-2.txt"
DLIST_DSHIELD_URL_PROT="http"

# The reserved networks list is addresses which ARIN has marked as reserved
# for future assignement and have no business as valid traffic on the internet.
# Such addresses are often used as spoofed (Fake) hosts during attacks, this
# will update the reserved networks list in order to prevent new ip assignments
# on the internet from getting blocked; this option is only important when
# BLK_RESNET is set to enabled.
DLIST_RESERVED="1"

DLIST_RESERVED_URL="rfxn.com/downloads/reserved.networks"
DLIST_RESERVED_URL_PROT="http"			

# ECN is an extension which helps reduce congestion. Unfortunately some
# clueless software/hardware vendors have setup their sites or implemented
# TCP/IP in a very broken manner. If you try to talk to these sites with ECN
# turned on, they will drop all packets from you. This feature uses the ECN
# hall of shame list to turn off ECN in packets to these hosts so your traffic
# is accepted as intended. This option is dependent on setting SYSCTL_ECN="1"
# otherwise it stays disabled.
DLIST_ECNSHAME="0"

DLIST_ECNSHAME_URL="rfxn.com/downloads/ecnshame.lst"
DLIST_ECNSHAME_URL_PROT="http"

##
# Global Trust
##
# This is an implementation of the trust rules (allow/deny_hosts) but
# on a global perspective. You can define below remote addresses from
# which the glob_allow/deny.rules files should be downloaded from on
# a daily basis. The files can be maintained in a static fashion by
# leaving USE_RGT=0, ideal for a host serving the files.
USE_RGT="0"

GA_URL="yourhost.com/glob_allow.rules"
GA_URL_PROT="http" 			

GD_URL="yourhost.com/glob_deny.rules"
GD_URL_PROT="http"			

##
# [Logging and control settings]
##
# Log all traffic that is filtered by the firewall
LOG_DROP="0"

# What log level should we send all log data too?
# refer to man syslog.conf for levels
LOG_LEVEL="crit"

# Where should we send all the logging data?
# ULOG (Allow ulogd to handle the logging)
# LOG (Default; sends logging to kernel log)
LOG_TARGET="LOG"

# Log interactive access over telnet & ssh; uses
# custom log prefix of ** SSH ** & ** TELNET **
LOG_IA="1"

# Log all foreign gateway traffic
LOG_LGATE="0"

# Extended logging information; this forces the output of tcp options and
# ip options for packets passing through the log chains
LOG_EXT="0"

# Max firewall events to log per/minute. Log events exceeding these limits
# will be lost (1440 minutes/day * 30 events/minute = 43200 events per/day)
LOG_RATE="30"

# Location of the apf status log; all startup, shutdown and runtime status
# sends outputs to this file
LOG_APF="/var/log/apf_log"

##
# [Import misc. conf]
##
# Internal variable file
CNFINT="$INSTALL_PATH/internals/internals.conf"
. $CNFINT

Fail2Ban is your solution to that.

Is your admin area behind an SSL certificate? Or is it over HTTP? (either way, I’ll have to do some digging on that one)

its all over HTTP

Can you link to your tutorial, I’m not very familiar with APF, so I’ll need to read up on it some more to hopefully find an answer for you. :slight_smile:

Sure I followed this tutotorial

I contacted the hosting company who sold me the VPS and they told me its a known issue when you use direct admin. (they tell me alot of DA users experience brute force attacks)

only thing that can be done is to go to another control panel, and that would solve the issue but would also ask more of the VPS (their awsner)
What do you guys think? stay with DA or go to another CP ?

Hmm… I would think APF tied with DA would be more than sufficient. Can you access the logs generated by APF to see why your website and DA are not accessible? It must be blocking a port that you need to have open.

Also here is a tutorial that specifically works with DA, so this may be worth looking over to see if your IPs are similar/matching.
http://www.voodish.co.uk/articles/how-to-install-linux-firewall-apf-advanced-policy-firewall/

Great thanks I will try again, I Also ordered an other VPS at another company, (30 day trial) so lets see how it will work over their.
Thanks, Ill keep you posted.

A relatively low volume (every other second) brute forcing flood on ssh shouldn’t really slow you down that much. If you’re on a static ip then by all means block all / allow only your ip for your ssh port - be careful though if you’re new to iptables, you might inadvertently lock yourself out - ideally you’ll have out of band console access which traverses network or firewall configuration issues. If not, best to either keep a second ssh connection open while carrying out iptable manipulation, or test your alterations first on a temporary server instance (amazon ec2 is handy for this sort of thing)

Thanks, I am also wondering if this brute force is slowing me down this much, so will have to see what the speed is like on the other VPS
If Its slow on the other VPS aswell, it has to be something inside my opencart configuration.

Hard to figure out whats making it this slow, did you have a look at the website www.ictaanbieding.nl then you know what i mean if I say slow lol

You might also want to consider using keys and [URL=“http://www.marksanborn.net/linux/add-port-knocking-to-ssh-for-extra-security/”]port knocking to make your ssh access security more robust

Something I will do for sure, but first I would like to figure out why its this slow, if its slow for something at the end of the hosting company I might move to another VPS.

It might be useful to create a local virtual machine with the same spec/os/configuration and check the application on that. If it’s still slow, configure the local server with xdebug and use cachegrind to see where any delays occur.