How to limit CPU usage per user and/or website

Discussion in 'General' started by Tomislav Aurednik, Dec 31, 2023.

  1. Hello.
    There are more and more attacks on wordpress websites, which then crash the entire server, CPU usage 97 - 100%. That's why the entire server goes down because one or two pages have been hacked. We use WAF.
    I urgently need a solution to limit CPU usage per user and/or website, because this is happening more and more often (now on a weekly basis). As I can see, these issues have already been raised (https://forum.howtoforge.com/threads/cgroups-or-other-way-to-limit-php-fpm-website-cpu.88813/), , but no solution has been given.
    Please for guidance, alternative solution?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    As discussed in the other thread, there is no easy solution for that in a shared hosting setup, as PHP-FPM has no such setting to limit CPU usage per pool. But I'm working on some new things for ISPConfig that will bring features like CPU and memory per-website limits and will put customer website separation on a completely new level. But this needs some more work until I can provide a first beta, probably in Q2/2024.
     
    webguyz, pyte, Korsch and 2 others like this.
  3. Till thanks for the reply.
    I believe we're not the only ones with these problems, so I'm wondering if anyone else here is willing to give some financial support to make this happen for sure by q2/2024?
     
  4. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    is the high cpu usage actually from hacked pages / scripts..
    i've found most of the time, high cpu usage is coming from mass brute force attempts on wp-login.php and xmlrpc.php on wordpress sites..
    or from continuous and repeated crawling attempts from MJ12Bot, or from sources claiming to be MJ12Bot, and which totally ignore any instructions in robots.txt to slow down or stop.
    configuring fail2ban to block excessive repeated post requests to wp-login.php or xmlrpc.php and to ban ip's that claim to be mj12bot.com and make requests way more often than set in robots.txt has been enough to keep cpu usage down to sensible levels.
     
  5. reks2004

    reks2004 New Member

    Maybe we have some new info about that new thing? :)
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    The prototype setup is finished and working fine so far. It is based on Docker, so the PHP-FPM process of an ISPConfig runs inside Docker and imports the web directory as a volume. PHP runs as a webX user as usual in ISPConfig. This setup isolates the process from the rest of the server and the other sites, as any hacker who would be able to hack that site is contained inside the Docker container. This also allows it to limit CPU usage and RAM for this Docker container. I need a bite more time to finish the code to integrate this fully into ISPConfig GUI.
     
  7. michelangelo

    michelangelo Active Member

    Could you also collect information about the host resource usage with such a setup in production environments?
    Imho, the (in theory) likely better variant of this would be to use systemd since it is lighter, because there is overhead in the Docker approach.
    I'm just imagining how that performs with 50+ process limited webspaces via Docker on a standard ~100€ range Hetzner server.

    Another point that is of interest for me is how the images will be assigned? I guess we can also use our own images for PHP-FPM in Docker?
     
    ahrasis likes this.
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    But would systemd allow the same kind of isolation that Docker offers? In the way I have build it now, a hacker that would e.g. exploit a flaw in a WordPress plugin would end up inside the Docker container without any chance to access anything outside (at least when the Docker containment does not get breached).

    This Docker setup is likely not the best for every use case, but CPU and RAM resources are getting less expensive every year, and this setup gives some huge benefits security-wise, so I think it's not a bad way to approach this. Also, this will not replace the current php-fpm setup, which already offers chrooting. Another benefit is that it would allow you to build very specific php setups that do not get affected by a Host OS upgrade; think of some kind of custom-built legacy website that can not be shut down but also not be upgraded and needs an old PHP version.

    Currently, I use the official php-fpm images as a basis, which I extended with a custom start script plus some additional PHP extensions installed. But In general, you will be able to use your own images and also you will be able to define custom Docker files if you want to build them locally instead of using your own Docker registry.
     
    michelangelo and ahrasis like this.
  9. michelangelo

    michelangelo Active Member

    I understand your point and I see nothing wrong with the Docker approach - it is just a different one.
    Systemd definitely also offers process isolation options, beside limiting resources, but implementing that will likely require more work than Docker probably does. Especially taking into consideration that you are already working on general Docker availability in ISPConfig, so the "groundwork" is (I assume so) already there while the Systemd approach would have to start from scratch.

    That's good to hear that we can use our own images and registries. Btw. Is Podman support also considered by this new feature?
    Syntax- and image-wise it is less or more compatible with Docker.
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    At the moment, I'm building this for Docker only. But maybe I'll add Podman support later.
     
    ahrasis likes this.
  11. reks2004

    reks2004 New Member

    Hello again, any news in topic? ;)

    best regards,
    Konrad
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    As I mentioned, I'm working on that topic. I have a working prototype here, but it's not yet finished. I will announce it in the ISPConfig blog and ISPConfig X and Facebook channels when it's finished.
     
    reks2004 likes this.
  13. reks2004

    reks2004 New Member

    Yep, but you said that 3 month ago, i only checking your progress ;)
    You think how much time you need for it ? 3-6month?

    Best regards,
    Konrad
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    I have a few more things and projects to work on ;) Yes, should be ready somewhere in Q2/2025.
     
    reks2004 likes this.

Share This Page