Hello. There are more and more attacks on WordPress websites, which then crash the entire server, CPU usage 97 - 100%. That's why the entire server goes down because one or two pages have been hacked. We use WAF. I urgently need a solution to limit CPU usage per user and/or website, because this is happening more and more often (now on a weekly basis). As I can see, these issues have already been raised (https://forum.howtoforge.com/threads/cgroups-or-other-way-to-limit-php-fpm-website-cpu.88813/), but no solution has been given. Please, any guidance or alternative solution?
As discussed in the other thread, there is no easy solution for that in a shared hosting setup, as PHP-FPM has no such setting to limit CPU usage per pool. But I'm working on some new things for ISPConfig that will bring features like CPU and memory per-website limits and will put customer website separation on a completely new level. But this needs some more work until I can provide a first beta, probably in Q2/2024.
Till, thanks for the reply. I believe we're not the only ones with these problems, so I'm wondering if anyone else here is willing to give some financial support to make this happen for sure by Q2/2024?
Is the high CPU usage actually from hacked pages/scripts? I've found most of the time, high CPU usage is coming from mass brute force attempts on wp-login.php and xmlrpc.php on WordPress sites, or from continuous and repeated crawling attempts from MJ12Bot, or from sources claiming to be MJ12Bot, which totally ignore any instructions in robots.txt to slow down or stop. Configuring fail2ban to block excessive repeated POST requests to wp-login.php or xmlrpc.php and to ban IPs that claim to be mj12bot.com and make requests way more often than set in robots.txt has been enough to keep CPU usage down to sensible levels.
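The two checks in the post above, written out as an added example (not from the thread and not fail2ban's own code): a plain awk filter over a constructed combined-format access log that counts, per client IP, POST requests to wp-login.php/xmlrpc.php and requests from a User-Agent claiming to be MJ12bot, and reports IPs over a threshold. The IP addresses, log lines and thresholds are constructed for this example; fail2ban's time window (findtime), ban duration and ban action are assumed to be configured separately, and the failregex shown in the comment is the equivalent expression one would put in a fail2ban filter.

```shell
#!/bin/sh
# Added example, not from the thread: the detection logic behind the fail2ban approach,
# written as an awk filter so it can be tried offline on sample lines.
# Per client IP in a combined-format access log, two signals are counted:
#   1. POST requests to /wp-login.php or /xmlrpc.php (login / XML-RPC brute force)
#   2. any request whose User-Agent claims to be MJ12bot (crawler ignoring robots.txt)
# fail2ban adds the time window (findtime) and the ban action; an equivalent
# failregex for signal 1 would be:   ^<HOST> .* "POST /(wp-login\.php|xmlrpc\.php)

# Constructed sample log (documentation-range IPs; not real traffic).
SAMPLE_LOG='203.0.113.10 - - [10/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jan/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jan/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jan/2024:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.20 - - [10/Jan/2024:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.5 - - [10/Jan/2024:10:00:06 +0000] "GET / HTTP/1.1" 200 9871 "-" "Mozilla/5.0"
198.51.100.5 - - [10/Jan/2024:10:00:07 +0000] "GET /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2024:10:00:08 +0000] "GET /page/1 HTTP/1.1" 200 9871 "-" "Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)"
198.51.100.7 - - [10/Jan/2024:10:00:08 +0000] "GET /page/2 HTTP/1.1" 200 9871 "-" "Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)"
198.51.100.7 - - [10/Jan/2024:10:00:09 +0000] "GET /page/3 HTTP/1.1" 200 9871 "-" "Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)"'

# Print IPs with more than $1 POSTs to wp-login.php or xmlrpc.php; log lines on stdin.
wp_bruteforce_ips() {
  awk -v limit="$1" '
    # combined log format: $1 = client IP, $6 = "<method> (leading quote kept), $7 = request path
    $6 == "\"POST" && $7 ~ /^\/(wp-login\.php|xmlrpc\.php)(\?|$)/ { hits[$1]++ }
    END { for (ip in hits) if (hits[ip] > limit) print ip }
  ' | sort
}

# Print IPs whose requests carry an MJ12bot User-Agent and exceed $1 requests; log lines on stdin.
# GET requests are counted too: the point is the request rate, not the method.
noisy_mj12_ips() {
  awk -v limit="$1" '
    /MJ12bot/ { hits[$1]++ }
    END { for (ip in hits) if (hits[ip] > limit) print ip }
  ' | sort
}

# Demonstration on the constructed log; on a real host the input would be the access log, e.g.
#   wp_bruteforce_ips 20 < /var/log/apache2/access.log
printf '%s\n' "$SAMPLE_LOG" | wp_bruteforce_ips 3
printf '%s\n' "$SAMPLE_LOG" | noisy_mj12_ips 2
```

The threshold is a strict "more than" count over whatever input is piped in, so the window is whatever slice of the log you feed it; with fail2ban the window is findtime and the action is the ban, which is why only the matching logic is reproduced here.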
The prototype setup is finished and working fine so far. It is based on Docker, so the PHP-FPM process of an ISPConfig website runs inside Docker and imports the web directory as a volume. PHP runs as a webX user as usual in ISPConfig. This setup isolates the process from the rest of the server and the other sites, as any hacker who would be able to hack that site is contained inside the Docker container. This also makes it possible to limit CPU usage and RAM for this Docker container. I need a bit more time to finish the code to integrate this fully into the ISPConfig GUI.
Could you also collect information about the host resource usage with such a setup in production environments? Imho, the (in theory) likely better variant of this would be to use systemd since it is lighter, because there is overhead in the Docker approach. I'm just imagining how that performs with 50+ process-limited webspaces via Docker on a standard ~100€ range Hetzner server. Another point that is of interest for me is how the images will be assigned. I guess we can also use our own images for PHP-FPM in Docker?
But would systemd allow the same kind of isolation that Docker offers? In the way I have built it now, a hacker that would e.g. exploit a flaw in a WordPress plugin would end up inside the Docker container without any chance to access anything outside (at least when the Docker containment does not get breached). This Docker setup is likely not the best for every use case, but CPU and RAM resources are getting less expensive every year, and this setup gives some huge benefits security-wise, so I think it's not a bad way to approach this. Also, this will not replace the current php-fpm setup, which already offers chrooting. Another benefit is that it would allow you to build very specific PHP setups that do not get affected by a host OS upgrade; think of some kind of custom-built legacy website that can not be shut down but also not be upgraded and needs an old PHP version. Currently, I use the official php-fpm images as a basis, which I extended with a custom start script plus some additional PHP extensions installed. But in general, you will be able to use your own images, and you will also be able to define custom Dockerfiles if you want to build them locally instead of using your own Docker registry.
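One way to express the per-site container described in the two posts above (PHP-FPM in Docker, running as the site's webX user, web directory imported as a volume, CPU and RAM capped) as a shell function, added here as an example; this is not ISPConfig's code and not the prototype's start script. The image name, the /var/www/clients/... directory layout, the uid/gid values and the /run/php socket directory are placeholders for a hypothetical site, and the image is assumed to run its FPM pool on a unix socket below /run/php.

```shell
#!/bin/sh
# Added example, not ISPConfig's code: start one PHP-FPM container per website with hard
# CPU and memory limits, as the site's webX user, mounting only that site's web root.
# All paths, uid/gid values and the image name are placeholders for a hypothetical site.
#
# --cpus and --memory map onto the kernel cgroup controllers (cpu.max / memory.max on
# cgroup v2), so a runaway or hijacked PHP process is throttled instead of taking the host
# to 100 % CPU. --pids-limit caps fork storms, --cap-drop ALL and no-new-privileges remove
# the usual escalation paths inside the container.

# Usage: start_site_phpfpm <site> <webroot> <cpus> <memory> <uid> <gid> [image]
# Set DRY_RUN=1 to print the command instead of executing it.
start_site_phpfpm() {
  site="$1"; webroot="$2"; cpus="$3"; mem="$4"; uid="$5"; gid="$6"
  image="${7:-registry.example.invalid/php-fpm-site:8.2}"   # placeholder image name

  ${DRY_RUN:+echo} docker run -d --name "php-fpm-$site" \
    --restart unless-stopped \
    --user "$uid:$gid" \
    --cpus "$cpus" \
    --memory "$mem" --memory-swap "$mem" \
    --pids-limit 256 \
    --cap-drop ALL --security-opt no-new-privileges \
    -v "$webroot:$webroot" \
    -v "/var/run/php-fpm/$site:/run/php" \
    "$image"
}

# Dry-run demonstration with constructed values: prints the docker command, runs nothing.
( DRY_RUN=1; start_site_phpfpm web1 /var/www/clients/client1/web1 1.5 512m 5004 5005 )
```

Setting --memory-swap equal to --memory keeps the container from spilling into swap when it hits its limit, so the memory cap is a real ceiling. The same cgroup knobs are what the systemd alternative raised earlier would use: a per-site service with CPUQuota=, MemoryMax= and TasksMax= gives the resource limits, while the filesystem and capability isolation that the container provides would have to be assembled from the systemd.exec sandboxing options instead.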
I understand your point and I see nothing wrong with the Docker approach - it is just a different one. Systemd definitely also offers process isolation options, besides limiting resources, but implementing that will likely require more work than Docker probably does. Especially taking into consideration that you are already working on general Docker availability in ISPConfig, so the "groundwork" is (I assume so) already there, while the systemd approach would have to start from scratch. It's good to hear that we can use our own images and registries. Btw, is Podman support also considered for this new feature? Syntax- and image-wise it is more or less compatible with Docker.