HTTP 503 error – Service Unavailable


This topic contains 26 replies, has 3 voices, and was last updated by  Nitin 1 year, 2 months ago.

Viewing 15 posts - 1 through 15 (of 27 total)
    #31085

    armintz
    Participant

    I notice many of my sites are receiving intermittent “HTTP 503 – Service Unavailable” – usually short bursts (only being down a minute or two). But on some of my sites it is happening 5 times a day, so I know something is not right.

    I contacted my host, Siteground. They said “It seems that the issue is caused due to a load spike on your server”

    Oct 05 21:13:08 c22144: High load (54.59) reached!
    Oct 05 21:13:08 c22144: Critical load (54.59) reached! Killing all php,ftp,smtp,mailnull,archivers procs!
    Oct 05 21:13:11 c22144: High load (26.08) reached!
    Oct 05 21:13:11 c22144: Critical load (26.08) reached! Killing all php,ftp,smtp,mailnull,archivers procs!
    Oct 05 21:13:14 c22144: High load (26.08) reached!
    Oct 05 21:13:14 c22144: Critical load (26.08) reached! Killing all php,ftp,smtp,mailnull,archivers procs!

    “From what I see, the issue was the gabrielsjewelry.com domain. It appears that the IP – 5.61.35.19 made more than 2500 requests towards the wp-login.php area:”

    /usr/local/apache/domlogs/gabrielsjewelry.com:5.61.35.19 - - [05/Oct/2016:07:41:59 -0500] "POST /wp-login.php HTTP/1.0" 400 1070 "-" "-"
    /usr/local/apache/domlogs/gabrielsjewelry.com:5.61.35.19 - - [05/Oct/2016:07:42:00 -0500] "POST /wp-login.php HTTP/1.0" 400 1070 "-" "-"
    /usr/local/apache/domlogs/gabrielsjewelry.com:5.61.35.19 - - [05/Oct/2016:07:42:01 -0500] "POST /wp-login.php HTTP/1.0" 400 1070 "-" "-"
    /usr/local/apache/domlogs/gabrielsjewelry.com:5.61.35.19 - - [05/Oct/2016:07:42:02 -0500] "POST /wp-login.php HTTP/1.0" 400 1070 "-" "-"
    /usr/local/apache/domlogs/gabrielsjewelry.com:5.61.35.19 - - [05/Oct/2016:07:42:03 -0500] "POST /wp-login.php HTTP/1.0" 400 1070 "-" "-"

    “It appears that the requests were with the intention of brute-forcing the login details. I would recommend that you install security plugins in order to protect the login area of your applications and block such users who make a lot of requests.”

    I am of course already running BPS Pro on this site (12.3 at the time, just upgraded to 12.4 now). It seems blocking IPs would be a never ending battle with all the spambots. Do you have any other suggestions, or is there perhaps a setting in BPS pro that I am not following correctly?

    Thanks

    #31086

    AITpro Admin
    Keymaster

    We use BPS Pro Login Security and JTC Anti-Spam|Anti-Hacker, which stops/blocks 100% of all automated spambots and hackerbots without causing any server/website performance or usage issues. Sometimes our forum site is attacked at a rate of 1,000 login attempts/attacks per second (60,000 per minute|3,600,000 per hour for several hours at a time) and no 503 errors occur or anything noticeable at all for that matter besides just a lot of Security Log entries. The timestamps don’t match for the 2 different things you posted above: Oct 05 21:13:08 vs 05/Oct/2016:07:41:59 -0500. Both Login Security and JTC are designed to kill any Form processing immediately (i.e. no DB connection at all) if invalid Form input is entered.
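The timestamp comparison raised in the reply above, as an added example (not code from the thread, the host or BPS): it parses the two log formats quoted in the first post and reports how many wp-login.php POSTs fall near each load spike. The sample lines, host name and IPs are constructed, and the year and UTC offset of the load log are assumptions supplied by the caller, since that format carries neither.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample lines in the two formats quoted above (documentation IPs).
ACCESS_LOG = '''\
/usr/local/apache/domlogs/example.com:192.0.2.10 - - [05/Oct/2016:07:41:59 -0500] "POST /wp-login.php HTTP/1.0" 400 1070 "-" "-"
/usr/local/apache/domlogs/example.com:192.0.2.10 - - [05/Oct/2016:07:42:01 -0500] "POST /wp-login.php HTTP/1.0" 400 1070 "-" "-"
/usr/local/apache/domlogs/example.com:192.0.2.10 - - [05/Oct/2016:07:42:03 -0500] "POST /wp-login.php HTTP/1.0" 400 1070 "-" "-"
/usr/local/apache/domlogs/example.com:198.51.100.7 - - [05/Oct/2016:07:42:02 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
'''
LOAD_LOG = '''\
Oct 05 21:13:08 host1: High load (54.59) reached!
Oct 05 21:13:08 host1: Critical load (54.59) reached! Killing all php procs!
Oct 05 21:13:11 host1: High load (26.08) reached!
'''
ACCESS_RE = re.compile(r'^(?:[^:\s]+:)?(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                       r'"(?P<method>\S+) (?P<path>\S+) [^"]*" \d{3} ')
LOAD_RE = re.compile(r'^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ (?:High|Critical) load ')

def login_posts(lines):
    """Return (ip, timezone-aware datetime) for every POST to wp-login.php."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line.strip())  # optional "file:" prefix comes from grep output
        if m and m["method"] == "POST" and m["path"].split("?")[0].endswith("/wp-login.php"):
            hits.append((m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")))
    return hits

def load_spikes(lines, year, utc_offset_hours):
    """Distinct spike times; year and UTC offset are assumptions passed in by the caller."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    spikes = set()
    for line in lines:
        m = LOAD_RE.match(line.strip())
        if m:
            naive = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            spikes.add(naive.replace(tzinfo=tz))
    return sorted(spikes)

def correlate(hits, spikes, window=timedelta(minutes=5)):
    """Per spike: login POSTs per IP within +/- window, and the gap to the nearest POST."""
    report = []
    for spike in spikes:
        near = Counter(ip for ip, ts in hits if abs(ts - spike) <= window)
        nearest = min((abs(ts - spike) for _, ts in hits), default=None)
        report.append((spike, dict(near), nearest))
    return report
```

An empty per-IP count next to a large nearest-gap value means the quoted requests do not account for that spike under the assumed offset, so the access log covering the spike window itself is the one to ask the host for.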

    #31088

    armintz
    Participant

    I am already using Login Security and JTC (screenshots below)… the logs above were copy and pasted from my host.

    Is it safe to say my host is incorrect with their assessment for the persistent “HTTP 503 – Service Unavailable” on my site?

    https://s22.postimg.org/qt28ksykx/Screen_Shot_2016_10_06_at_1_25_55_PM.png

    https://s9.postimg.org/k49anx8hb/Screen_Shot_2016_10_06_at_1_26_15_PM.png

    #31089

    AITpro Admin
    Keymaster

    I don’t really know for sure. What I do know for sure is that even 1,000 Brute Force Login attacks per second should not cause any problems/resource usage/503 errors. So if Brute Force Login attacks are causing problems on your particular server/website then there is another factor involved that is not obvious and you would have to get your host involved to determine exactly where the problem is occurring, i.e. something on the server, server configuration or something on your website. If the Brute Force Login attacks are not causing the 503 errors then you would need to get your host involved to determine exactly what is causing that.

    #31090

    armintz
    Participant

    Thanks. I brought up my concerns to Siteground, and they said this:

    “The brute force attacks create a POST request to your website, this might not be a problem for other CMS but WordPress is making a lot of requests and loading plugins and other modules when you execute POST to the admin page. You can test it and it is taking 1.5-2 seconds to process it with bogus scripts.”

    I understand if you can’t respond because we’re getting outside the scope of BPS… I more or less just wanted to confirm with you that BPS was doing everything it’s supposed to in regards to the specific attacks that they’re mentioning (which it appears to be doing).

    I never had an issue prior to moving to Siteground, so I’m hard pressed to think it’s any other issue but their servers.

    #31091

    AITpro Admin
    Keymaster

    Yes, I can see it’s a POST Request and the Request is malformed since the HTTP Status Code is: 400. Also it appears to be a bot making these malformed POST Requests since the Server Protocol is HTTP/1.0 and not the newer HTTP/1.1 Server Protocol. So however the hacker/spammer script is attacking your site the hacker/spammer script is defunct/broken/no good since the Request is malformed with a 400 error. This means that the attack would never succeed, but the hackerbot’s broken/defunct code could be causing some sort of server usage problem. These are things that your host should be looking into, but I have suggestions that may help: Try using this Bonus Custom Code that blocks by the HTTP/1.0 Server Protocol or you may also want to limit logins to your IP address only and see if that makes any difference: http://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/

    Also make sure you have this BPS Security Log checkbox option checked:  Limit POST Request Body Data.  You should only uncheck this option when you want to capture hackers and spammers scripts.

    #31095

    armintz
    Participant

    Thanks, I’ll try that. Is this step below (from the instructions) still necessary?

    3. Go to the Security Modes page, click the Create secure.htaccess File AutoMagic button and activate Root Folder BulletProof Mode again.

    #31099

    AITpro Admin
    Keymaster

    Oops, we missed updating that help text. I have just corrected that help text. Thanks for pointing that out.

    1. Add whichever Brute Force Login Protection Code you want to use in this BPS Root Custom Code text box:  CUSTOM CODE BRUTE FORCE LOGIN PAGE PROTECTION: (add/edit the code and add the IP addresses you want to whitelist/allow if you are using the IP based protection code)
    2. Click the Save Root Custom Code button
    3. BPS Pro 11.9+ & BPS .53.8+: Go to the Security Modes page and click the Root Folder BulletProof Mode Activate button.
    3. Older BPS versions: Go to the Security Modes page, click the Create secure.htaccess File AutoMagic button and activate Root Folder BulletProof Mode again.

    #31100

    armintz
    Participant

    Thanks for confirming! Will give this a go.

    #31109

    armintz
    Participant

    I think I am misunderstanding what this code does. I followed the steps that block by the HTTP/1.0 Server Protocol (didn’t want to deal with client issues with only whitelisting IP addresses) but it appears to be giving me 403 forbidden on the login page.

    screenshot: https://s16.postimg.org/no8z247gl/Screen_Shot_2016_10_07_at_9_31_33_AM.png

    
    # BRUTE FORCE LOGIN PAGE PROTECTION
    # Protects the Login page from SpamBots, HackerBots & Proxies
    # that use Server Protocol HTTP/1.0 or a blank User Agent
    RewriteCond %{REQUEST_URI} ^(/wp-login\.php|.*wp-login\.php.*)$
    RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
    RewriteCond %{THE_REQUEST} HTTP/1\.0$ [OR]
    RewriteCond %{SERVER_PROTOCOL} HTTP/1\.0$
    RewriteRule ^(.*)$ - [F,L]

    #31114

    AITpro Admin
    Keymaster

    @ armintz – Does your website/server use a Proxy?  Are you using a Proxy/VPN in your Browser?  That Bonus Custom Code will not work on a website/server/Browser that is using the outdated Server Protocol:  HTTP/1.0.  Post the Security Log entry for your login attempt that was blocked so I can check it and see if Server Protocol:  HTTP/1.0 is being used.
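How mod_rewrite groups the four conditions in the code posted above, as an added example (a Python model written for this page, not BPS code): the first condition is ANDed with an OR group made of the other three. The requests are constructed, and the browser request arriving at Apache as HTTP/1.0 is a hypothetical stand-in for the proxy case asked about in the reply above.

```python
import re

# The RewriteCond lines from the posted rule: (variable, pattern, has [OR] flag)
CONDS = [
    ("REQUEST_URI", r"^(/wp-login\.php|.*wp-login\.php.*)$", False),
    ("HTTP_USER_AGENT", r"^$", True),
    ("THE_REQUEST", r"HTTP/1\.0$", True),
    ("SERVER_PROTOCOL", r"HTTP/1\.0$", False),
]

def rule_fires(conds, env):
    """Conditions are ANDed; a run of [OR]-flagged conditions plus the
    condition that follows the run is evaluated as a single OR group."""
    i = 0
    while i < len(conds):
        var, pattern, or_next = conds[i]
        matched = re.search(pattern, env.get(var, "")) is not None
        if or_next:
            if matched:
                # One member matched: skip the remaining members of this OR group.
                while i < len(conds) and conds[i][2]:
                    i += 1
        elif not matched:
            return False  # a failed non-OR condition (or failed last group member) stops the rule
        i += 1
    return True

def blocked(method, path, protocol, user_agent):
    """True when the rule would answer 403 ([F]) for the request as Apache sees it."""
    env = {
        "REQUEST_URI": path,
        "HTTP_USER_AGENT": user_agent,  # a logged "-" means the header was absent
        "THE_REQUEST": f"{method} {path} {protocol}",
        "SERVER_PROTOCOL": protocol,
    }
    return rule_fires(CONDS, env)

if __name__ == "__main__":
    ua = "Mozilla/5.0 (constructed browser UA)"
    print("bot, HTTP/1.0, blank UA      :", blocked("POST", "/wp-login.php", "HTTP/1.0", ""))
    print("browser, HTTP/1.1            :", blocked("GET", "/wp-login.php", "HTTP/1.1", ua))
    print("browser forwarded as HTTP/1.0:", blocked("GET", "/wp-login.php", "HTTP/1.0", ua))
    print("HTTP/1.0 on another page     :", blocked("GET", "/", "HTTP/1.0", ""))
```

The third case is the one that produces a 403 for a normal browser: the rule sees the protocol of the connection that reaches Apache, not the one the browser used.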

    #31116

    armintz
    Participant

    Can I provide temp. cPanel access for you to check these things? It may be faster for both of us. As for browsers, I’m using the latest Chrome and Firefox – nothing special. Thanks

    #31117

    AITpro Admin
    Keymaster

    @ armintz – You can send us a WordPress Administrator login and FTP login to this site. We do not login to folks’ web host control panels for any reason. Note: We are only allowed to troubleshoot, support and fix BPS Pro related issues/problems. So for anything that is not related to BPS Pro, we may be able to provide you with some more clues about the cause of the problem. Our support is limited to only BPS Pro related issues/problems and we do not offer any other kind of services or support for non-BPS related issues/problems. We can definitely take a look, but are not authorized to fix non-BPS related issues/problems. 😉

    #31118

    armintz
    Participant

    Understood. Thanks

    #31130

    armintz
    Participant

    Logins have been emailed.
