0

I'm new to all of this, but can't keep my newly spun micro EC2 server up and running (running WordPress). The PHP-FPM log only has this with logging set to debug.

[17-Oct-2016 15:46:38] NOTICE: configuration file /etc/php5/fpm/php-fpm.conf test is successful

My nginx log is continuously filling with errors trying to connect to php5-fpm.sock (hundreds of entries per minute even though there is no one else accessing the site).

2016/10/17 16:32:16 [error] 26389#0: *7298 connect() to unix:/var/run/php5-fpm.sock failed (11: Resource temporarily unavailable) while connecting to upstream, client: 191.96.249.80, server: mysiteredacted.com, request: "POST /xmlrpc.php HTTP/1.0", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "removed"

After restarting nginx and PHP-FPM the site works for a few minutes before throwing 502 Bad Gateway errors until I restart them both again.

I don't know where to begin with this. Here is my nginx config file:

user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;
    port_in_redirect off;
    gzip  on;
    gzip_types text/css text/xml text/javascript application/x-javascript;
    gzip_vary on;

    include /etc/nginx/conf.d/*.conf;
}

Which also includes this file in the /conf.d folder:

server {
    ## Your website name goes here.
    server_name mysiteredacted.com www.mysiteredacted.com;
    ## Your only path reference.
    root /var/www/;
    listen 80;
    ## This should be in your http block and if it is, it's not needed here.
    index index.html index.htm index.php;

    include conf.d/drop;

        location / {
                # This is cool because no php is touched for static content
            try_files $uri $uri/ /index.php?q=$uri&$args;
        }

        location ~ \.php$ {
            fastcgi_buffers 8 256k;
            fastcgi_buffer_size 128k;
            fastcgi_intercept_errors on;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            # fastcgi_pass unix:/dev/shm/php-fpm-www.sock;
            fastcgi_pass unix:/var/run/php5-fpm.sock;

        }

        location ~* \.(css|js|png|jpg|jpeg|gif|ico)$ {
                expires 1d;
        }
}
AWS Help

2 Answers

0

The second file has this line:

fastcgi_pass unix:/var/run/php5-fpm.sock;

If that file does not exist it will throw this error.

Check this previous question: How to find my php-fpm.sock?

Community
Matijs
0

After hours of searching I finally figured it out. Turns out it's some sort of brute force attack on /xmlrpc.php as indicated by the thousands of requests of "POST /xmlrpc.php HTTP/1.0".

It's a common WordPress attack. Thanks all.

AWS Help
  • Use Cloudflare, it will defend your server from soft DDoSes and crawling, and it will cache static files and act as a CDN to serve them fast – num8er Oct 17 '16 at 22:57
  • @num8er Interesting. I was thinking of Varnish for caching but that's clearly different since it'd live on my server. Thanks for the info! – AWS Help Oct 17 '16 at 23:13
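
A quick way to surface this pattern straight from the nginx error log, as an added example that is not part of the original posts: it groups failed upstream connections by client and request path and reports the busiest ones. The sample lines are constructed in the shape of the error quoted in the question; `example.test`, the documentation-range IPs, the helper names and the `min_hits` threshold are assumptions.

```python
import re
from collections import Counter

# Matches nginx error-log lines that carry "client: ..." and "request: ..." fields.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}):\d{2} \[\w+\] .*?'
    r'client: (?P<client>[^,]+), server: [^,]*, '
    r'request: "(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*"'
)

def parse(line):
    """Return (minute, client, method, path), or None for lines without a request."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path = m.group("uri").split("?", 1)[0]  # drop the query string
    return m.group("ts"), m.group("client"), m.group("method"), path

def top_offenders(lines, min_hits=3):
    """List ((client, method, path), hits, hits per active minute), busiest first."""
    hits, minutes = Counter(), {}
    for minute, client, method, path in filter(None, map(parse, lines)):
        key = (client, method, path)
        hits[key] += 1
        minutes.setdefault(key, set()).add(minute)
    return [(k, n, round(n / len(minutes[k]), 1))
            for k, n in hits.most_common() if n >= min_hits]

def make_line(ts, client, request):
    """Build one constructed error line shaped like the one in the question."""
    return (f'{ts} [error] 26389#0: *1 connect() to unix:/var/run/php5-fpm.sock '
            f'failed (11: Resource temporarily unavailable) while connecting to '
            f'upstream, client: {client}, server: example.test, '
            f'request: "{request}", host: "example.test"')

# Constructed sample input (not real traffic).
SAMPLE = (
    [make_line(f"2016/10/17 16:32:{s:02d}", "203.0.113.7",
               "POST /xmlrpc.php HTTP/1.0") for s in range(0, 40, 10)]
    + [make_line(f"2016/10/17 16:33:{s:02d}", "203.0.113.7",
                 "POST /xmlrpc.php HTTP/1.0") for s in (5, 15)]
    + [make_line("2016/10/17 16:32:20", "198.51.100.9", "GET /?p=12 HTTP/1.1")]
    + ["2016/10/17 16:30:00 [notice] 26389#0: signal process started"]
)

if __name__ == "__main__":
    for (client, method, path), n, rate in top_offenders(SAMPLE):
        print(f"{client} {method} {path}: {n} failures, {rate}/min")
```

To run it against a real log, pass `open("/var/log/nginx/error.log")` to `top_offenders` in place of `SAMPLE`.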