Rsyslog / imklog problems in Ubuntu with OpenVZ/Proxmox

If you happen to see

[rsyslog] imklog: error reading kernel log - shutting down: Bad file descriptor

in your logs and your CPU is pinned at 100% load, edit

/etc/rsyslog.conf

and comment out the imklog module line (shown here already commented):

#$ModLoad imklog # provides kernel logging support

Then simply reload rsyslog:

/etc/init.d/rsyslog reload

Why? rsyslog tries to read kernel messages, which is not possible by default inside an OpenVZ/Proxmox container.

Thank you nikolauspolak.

ConfigServer (CSF) Firewall Cheatsheet

ConfigServer (CSF) Firewall Cheat Sheet:
OPTIONS

-h, --help
 Show this message
-l, --status
 List/Show the IPv4 iptables configuration
-l6, --status6
 List/Show the IPv6 ip6tables configuration
-s, --start
 Start the firewall rules
-f, --stop
 Flush/Stop firewall rules (Note: lfd may restart csf)
-r, --restart
 Restart firewall rules
-q, --startq
 Quick restart (csf restarted by lfd)
-sf, --startf
 Force CLI restart regardless of LFDSTART setting
-a, --add ip [comment]
 Allow an IP and add to /etc/csf/csf.allow
-ar, --addrm ip
 Remove an IP from /etc/csf/csf.allow and delete rule
-d, --deny ip [comment]
 Deny an IP and add to /etc/csf/csf.deny
-dr, --denyrm ip
 Unblock an IP and remove from /etc/csf/csf.deny
-df, --denyf
 Remove and unblock all entries in /etc/csf/csf.deny
-g, --grep ip
 Search the iptables and ip6tables rules for a match (e.g. IP,
 CIDR, Port Number)
-t, --temp
 Displays the current list of temporary allow and deny IP entries
 with their TTL and comment
-tr, --temprm ip
 Remove an IP from the temporary IP ban or allow list
-td, --tempdeny ip ttl [-p port] [-d direction] [comment]
 Add an IP to the temp IP ban list. ttl is how long to blocks for
 (default:seconds, can use one suffix of h/m/d). Optional port.
 Optional direction of block can be one of: in, out or inout
 (default:in)
-ta, --tempallow ip ttl [-p port] [-d direction] [comment]
 Add an IP to the temp IP allow list (default:inout)
-tf, --tempf
 Flush all IPs from the temporary IP entries
-cp, --cping
 PING all members in an lfd Cluster
-cd, --cdeny ip
 Deny an IP in a Cluster and add to /etc/csf/csf.deny
-ca, --callow ip
 Allow an IP in a Cluster and add to /etc/csf/csf.allow
-car, --carm ip
 Remove allowed IP in a Cluster and remove from
 /etc/csf/csf.allow
-cr, --crm ip
 Unblock an IP in a Cluster and remove from /etc/csf/csf.deny
-cc, --cconfig [name] [value]
 Change configuration option [name] to [value] in a Cluster
-cf, --cfile [file]
 Send [file] in a Cluster to /etc/csf/
-crs, --crestart
 Cluster restart csf and lfd
-w, --watch ip
 Log SYN packets for an IP across iptables chains
-m, --mail [email]
 Display Server Check in HTML or email to [email] if present
-lr, --logrun
 Initiate Log Scanner report via lfd
--profile [command] [profile|backup] [profile|backup]
 Configuration profile functions for /etc/csf/csf.conf
 You can create your own profiles using the examples provided in
 /usr/local/csf/profiles/
 The profile reset_to_defaults.conf is a special case and will
 always be the latest default csf.conf
list
 Lists available profiles and backups
apply [profile]
 Modify csf.conf with Configuration Profile
backup "name"
 Create Configuration Backup with optional "name" stored in
 /var/lib/csf/backup/
restore [backup]
 Restore a Configuration Backup
keep [num]
 Remove old Configuration Backups and keep the latest [num]
diff [profile|backup] [profile|backup]
 Report differences between Configuration Profiles or Configuration
 Backups, only specify one [profile|backup] to compare to
 the current Configuration
-c, --check
 Check for updates to csf but do not upgrade
-u, --update
 Check for updates to csf and upgrade if available
-uf Force an update of csf whether and upgrade is required or not
-x, --disable
 Disable csf and lfd completely
-e, --enable
 Enable csf and lfd if previously disabled
-v, --version
 Show csf version

Exhaustive manual with examples: http://configserver.com/free/csf/readme.txt

Installing ConfigServer Firewall (CSF) on Ubuntu 14.04 LTS

CSF.Conf Setting Ideas

Here are a few csf.conf setting ideas that you may want to consider.  Of course, it fully depends upon what your server does.

LF_DAEMON = "1"

  • The LF Daemon (lfd) is the service that watches certain logs on your server for attempted brute-force attacks; it is basically the same as Fail2Ban. Setting LF_DAEMON to 1 enables the feature. You will then need to go to the section of csf.conf that sets the ban limits (also shown further below in this post).

SMTP_BLOCK = "1"

  • If you run a mail server on your system, I would HIGHLY recommend that you set SMTP_BLOCK to 1. This ensures that only the actual mail service (postfix, exim, etc.) is allowed to send messages out to the Internet. One of our customer’s websites was attacked about a year ago, and the attackers were able to upload a script that bypassed the mail system entirely and sent spam directly to the Internet. Setting SMTP_BLOCK to 1 prevents this from occurring. Also be sure to set SMTP_ALLOWUSER and SMTP_ALLOWGROUP to the user accounts and groups that the mail server actually runs as.

SMTP_ALLOWLOCAL = "1"

  • Definitely ensure that this is set to “1” to allow your local server to send messages using the loopback connection, especially if you have SMTP_BLOCK set to 1.

SMTP_ALLOWUSER = "<users>"
SMTP_ALLOWGROUP = "<groups>"

  • In our case, we use Exim as our mail system. On Ubuntu, Exim runs as the “Debian-exim” user/group, so SMTP_ALLOWUSER and SMTP_ALLOWGROUP are both set to “Debian-exim” here. If you leave any of the proper users/groups out when you have SMTP_BLOCK set to 1, your mail service itself won’t be able to send outgoing e-mail.

SYNFLOOD = "1"
SYNFLOOD_RATE = "100/s"
SYNFLOOD_BURST = "150"

  • This turns on SYN flood protection. On a fairly decent server this takes hardly any processing, although the csf.conf file says it will slow down IP connections; I’ve not seen any performance issues when turning this on. In essence, a SYN packet is sent to open a connection to the server, but a SYN flood sends a stream of half-open connections to the server to cause a denial of service (DoS). You turn the protection on by setting SYNFLOOD to 1, then set the rate of SYN packets per second you are OK with receiving and a burst rate. The rate and burst here were left at the defaults.

CONNLIMIT = "21;2,25;5,80;20,443;20,587;5"

  • This lets you set how many connections to allow per IP address. It also helps to stop attackers who want to try to flood a service on your server. As an example, I limit port 21 to only two connections from the same IP (hence the 21;2), port 25 to 5 connections from the same IP (25;5), and so on. Write the port, a semicolon, then the limit, and separate each pair with a comma as shown above.

UDPFLOOD = "1"
UDPFLOOD_LIMIT = "100/s"
UDPFLOOD_BURST = "500"

  • Basically the same as SYNFLOOD as noted above – except this is for UDP floods.

LF_PERMBLOCK = "1"
LF_PERMBLOCK_INTERVAL = "86400"
LF_PERMBLOCK_COUNT = "2"
LF_PERMBLOCK_ALERT = "1"

  • I love this. This is one thing CSF has over Fail2Ban. In essence, you can set when you want to “permanently” ban an IP address after it has been blocked several times. Further down are the per-service LF settings; those are temporary bans, and you can set the temporary ban length there. But after someone has been blocked temporarily that many times, it is time for a more permanent block, since they are nothing but trouble. LF_PERMBLOCK set to 1 enables this feature. LF_PERMBLOCK_INTERVAL sets the “permanent” time period; 86400 is 24 hours.
  • LF_PERMBLOCK_COUNT needs a little clarification. In my case, I have it set to 2. This means that after someone has been temporarily banned (using the settings for the specific services) that many times, the IP address will be banned for LF_PERMBLOCK_INTERVAL. However, even though I have it set to 2, in practice it takes 3: they are blocked temporarily two times, and on the third time they are “permanently” blocked.
  • LF_PERMBLOCK_ALERT set to 1 means I am alerted by e-mail whenever a permanent block goes into effect.

LF_NETBLOCK = "1"
LF_NETBLOCK_INTERVAL = "86400"
LF_NETBLOCK_COUNT = "2"
LF_NETBLOCK_CLASS = "C"
LF_NETBLOCK_ALERT = "1"

  • This is much like the PERMBLOCK noted above, but it blocks a whole network range. If more than one IP address from the same LF_NETBLOCK_CLASS network is attempting to infiltrate your system, CSF will “permanently” block (for LF_NETBLOCK_INTERVAL) the entire range of IP addresses. I would definitely keep LF_NETBLOCK_CLASS set to C, which means it will monitor and block only a class C network (254 addresses). If you set this any higher, you are blocking thousands of IPs.

LF_TRIGGER = "0"

  • I would recommend keeping LF_TRIGGER at 0 unless you are OK with using the same trigger count for every service. If this is set to “5”, for example, then after five failed attempts against any of the services you monitor that IP address is blocked temporarily. Setting it to 0 gives you granular control over the number of failed attempts on a per-service basis. In my case, I wanted to block FTP after three attempts and everything else after 5.

LF_TRIGGER_PERM = "0"

  • Again, I set this to 0 so I can set the triggers for each service individually. If you want the same trigger for every service, this value is the time period for which to temporarily ban an IP address that is attempting access to your server. As an example, set it to 300 seconds to ban for 5 minutes.

LF_SELECT = "0"

  • I am debating about changing this.  If this is set to 0, that means the IP address that has undergone a temporary ban is only banned from that service (such as POP, IMAP, web, SMTP, etc).  If set to 1, then that means the IP address will be blocked temporarily from accessing anything on the server.

LF_SSHD = "5"
LF_SSHD_PERM = "300"

  • Here is where I specifically say that upon five failed attempts (LF_SSHD), the IP address will be temporarily banned for 300 seconds (LF_SSHD_PERM). The “PERM” in the variable name is misleading: it is not a permanent block, only a temporary one, and the temporary period is whatever you set. On my systems I set it to 300 seconds (five minutes), and because I have LF_PERMBLOCK set to 1 (noted above), they will be fully blocked for a full 24 hours (LF_PERMBLOCK_INTERVAL) after three temporary bans.

LF_SMTPAUTH = "5"
LF_SMTPAUTH_PERM = "300"
LF_FTPD = "3"
LF_FTPD_PERM = "300"
LF_EXIMSYNTAX = "10"
LF_EXIMSYNTAX_PERM = "300"
LF_POP3D = "5"
LF_POP3D_PERM = "300"
LF_IMAPD = "5"
LF_IMAPD_PERM = "300"
LF_HTACCESS = "5"
LF_HTACCESS_PERM = "300"
LF_MODSEC = "5"
LF_MODSEC_PERM = "300"

  • The settings above are just like the LF_SSHD.  The first one will tell CSF / LFD how many invalid attempts to allow before temporarily blocking the IP address.  Make note of LF_HTACCESS and LF_MODSEC.  I have some custom Regex rules listed below that will help you watch for bots attempting to access password-protected directories.  This is a HUGE benefit to us.

HTACCESS_LOG = "Log_Locations"
MODSEC_LOG = "Log_Locations"

  • One neat thing you can do with CSF is use wildcards (*) in the log file names.  Why?  Well, because if you do web hosting and keep separate log files for each of your customers, you will want to be sure that CSF / LFD scans those logs for any kind of unauthorized access attempts (401 errors).  So, let’s say that you have a setup like this:
    • Customer base path is /var/www/<user-login>
    • Logs are kept in /var/www/<user-login>/logs
    • Access log is named access.log
    • Error log is named error.log
  • Well, you can set HTACCESS_LOG = “/var/www/*/logs/error.log” and MODSEC_LOG = “/var/www/*/logs/access.log” to scan every log file in all user directories.  Note the asterisk (*) where the <user-login> is.  Very beneficial.

Speaking of MODSEC logs, that leads me into the next topic of Custom Regex.

Custom Regex Files

This is where things really can help out if you have non-standard services that you also want to monitor connections for.  As an example, I have ensured that some of our other web programs that allow for logins are logged into a file that is already monitored – and then regex items were made to check those for invalid logins.  That way if attempts are made against those systems, they can also be blocked there.

A Regex helper can be found here: http://regex101.com/r/uO1vS2

That allows you to put in the log line that you want to try and match – and then a box above that to fill in the regex.  You will see that it was filled out with a log line I used along with the regex noted below in the first example.

Blocking 401 Unauthorized Attempts Against A Web Server

The big thing that I think will help out many people is to sense whenever someone is attempting to access a password-protected directory on your web server (think wp-admin for WordPress or administrator for Joomla).  When an invalid attempt is made, it throws a “401” error in the access log.  So, ensure that you have MODSEC_LOG set to monitor the log.  Then you will want to add this to your /etc/csf/regex.custom.pm file:

     # Any MODSEC_LOG line containing " 401 " (spaces on both sides); the first field is the client IP
     if (($config{LF_MODSEC}) and ($globlogs{MODSEC_LOG}{$lgfile}) and ($line =~ /(\S+)(.*) 401 (.*)/)) {
         $ip = $1; $acc = ""; $ip =~ s/^::ffff://;   # strip IPv4-mapped IPv6 prefix
         if (&checkip($ip)) {return ("mod_security triggered by","$ip|$acc","mod_security")} else {return}
     }

In essence, you can see the “401” in the first line. That Regex will find any line in the MODSEC_LOG file(s) that has a 401 in it (with spaces on both sides, to ensure it isn’t part of a URL) and will temporarily block the IP based on your LF_MODSEC setting (or LF_TRIGGER if you didn’t set the services independently with different trigger values).

Additional Regexes For ProFTPD

The Regexes included with CSF don’t fully match all of the ProFTPD login lines, so I made a couple of extra Regexes to ensure they work right. The first one finds any line that has “Login failed” in it; if the login failed, you want it noted. The Regex built into CSF is more restrictive than this one:

     # FTPD_LOG line of the form "... proftpd[pid] host (client[IP]): USER name (Login failed) ..."
     if (($config{LF_FTPD}) and ($globlogs{FTPD_LOG}{$lgfile}) and ($line =~ /(\S+\S+\s+\d+\s+\S+) (\S+) proftpd\[\d+\] (\S+) \([^\[]+\[(\S+)\]\): USER (\S+) \(Login failed\)(.*)/)) {
         $ip = $4; $acc = $5; $ip =~ s/^::ffff://; $acc =~ s/:$//g;   # $4 = client IP, $5 = account name
         if (&checkip($ip)) {return ("Failed FTP login from","$ip|$acc","ftpd")} else {return}
     }

Here is another Regex that will find and block any line that has SECURITY VIOLATION in it, which ProFTPD logs when someone tries to log in to FTP using the root account:

     # FTPD_LOG line of the form "... proftpd[pid] host (client[IP]): SECURITY VIOLATION: ..."
     if (($config{LF_FTPD}) and ($globlogs{FTPD_LOG}{$lgfile}) and ($line =~ /(\S+\S+\s+\d+\s+\S+) (\S+) proftpd\[\d+\] (\S+) \([^\[]+\[(\S+)\]\): SECURITY VIOLATION: (.*)/)) {
         $ip = $4; $acc = $5; $ip =~ s/^::ffff://; $acc =~ s/:$//g;   # $4 = client IP, $5 = violation text
         if (&checkip($ip)) {return ("Failed FTP login from","$ip|$acc","ftpd")} else {return}
     }

Additional Regex for Dovecot IMAP

CSF’s built-in IMAP Regex didn’t work for me; maybe it is because of how I have logging set up, I’m not sure. So I modified the regex to simply look for any imap-login line that has “failed” in it:

     # Dovecot "imap-login: ... failed ... rip=IP," lines; scanned from POP3D_LOG under the LF_POP3D trigger
     if (($config{LF_POP3D}) and ($globlogs{POP3D_LOG}{$lgfile}) and ($line =~ /(.*)imap-login(.*)failed(.*)rip=(\S+)\,(.*)/)) {
         $ip = $4; $acc = ""; $ip =~ s/^::ffff://;   # $4 = remote IP from rip=
         if (&checkip($ip)) {return ("Failed IMAP login from","$ip|$acc","imapd")} else {return}
     }
Mirror of: bsntech.com

Use strong SSL for your web server: apache, nginx or lighttpd

Strong Ciphers for:

Apache

SSLCipherSuite AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLCompression off
SSLHonorCipherOrder On
# OCSP stapling requires Apache >= 2.4 (Apache does not allow a comment after a directive on the same line)
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
Header always set X-Frame-Options DENY

Nginx:

ssl_ciphers 'AES256+EECDH:AES256+EDH';
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache  builtin:1000  shared:SSL:10m;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
add_header X-Frame-Options DENY;
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx >= 1.3.7
resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
resolver_timeout 5s;

Lighttpd:

ssl.honor-cipher-order = "enable"
ssl.cipher-list = "AES256+EECDH:AES256+EDH"
ssl.use-compression = "disable"
setenv.add-response-header = (
    "Strict-Transport-Security" => "max-age=63072000; includeSubDomains",
    "X-Frame-Options" => "DENY"
)
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"

If you need to support Windows XP, use these:

Apache:

SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
SSLProtocol All -SSLv2 -SSLv3
SSLCompression off
SSLHonorCipherOrder On
# OCSP stapling requires Apache >= 2.4 (Apache does not allow a comment after a directive on the same line)
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
Header always set X-Frame-Options DENY

Nginx:

ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache  builtin:1000  shared:SSL:10m;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
add_header X-Frame-Options DENY;
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx >= 1.3.7
resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
resolver_timeout 5s;

Lighttpd:

ssl.honor-cipher-order = "enable"
ssl.cipher-list = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"
ssl.use-compression = "disable"
# lighttpd accepts only one assignment per option, so both headers go in a single array
setenv.add-response-header = (
    "Strict-Transport-Security" => "max-age=63072000; includeSubDomains",
    "X-Frame-Options" => "DENY"
)
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
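Added example (written here, not taken from cipherli.st or the page): it expands the two cipher strings above with the OpenSSL that Python is linked against and checks the properties a reviewer would look for before deploying them, namely that neither list contains RC4, MD5, NULL, export, anonymous or single-DES suites, that the strong list uses only ephemeral (forward-secret) key exchange, and which 3DES and non-forward-secret RSA suites the XP-compatible list keeps. Exact suite names depend on the local OpenSSL version and security level.

```python
import ssl

# Expand the cipher strings from the configs above with the local OpenSSL and
# check them (added example; not part of cipherli.st or the servers' own code).

STRONG = "AES256+EECDH:AES256+EDH"          # the "strong ciphers" string above
XP_COMPAT = (                                # the Windows XP compatible string above
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
    "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:"
    "ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:"
    "DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:"
    "ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:"
    "AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:"
    "AES256-SHA:AES128-SHA:DES-CBC3-SHA:"
    "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"
)
# Name fragments that must never appear in a deployed suite list.
WEAK_MARKERS = ("RC4", "MD5", "NULL", "EXP-", "ADH-", "AECDH-", "DES-CBC-")


def expand(cipher_string):
    """Return the TLS <= 1.2 suite names OpenSSL selects for the string, in
    preference order. Raises ssl.SSLError if no suite matches at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    # TLS 1.3 suites are configured separately and listed regardless; skip them.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def weak_suites(names):
    """Suites containing a marker from WEAK_MARKERS (should be empty)."""
    return [n for n in names if any(w in n for w in WEAK_MARKERS)]


def non_forward_secret(names):
    """Suites whose key exchange is not ephemeral (EC)DHE, i.e. no forward secrecy."""
    return [n for n in names if not n.startswith(("ECDHE-", "DHE-"))]


def triple_des(names):
    """3DES suites (kept in the XP list for IE on XP; only 112-bit effective strength)."""
    return [n for n in names if "DES-CBC3" in n]


def report(cipher_string):
    """Summarise one cipher string: suite count plus the three finding lists."""
    names = expand(cipher_string)
    return {"count": len(names), "weak": weak_suites(names),
            "no_fs": non_forward_secret(names), "3des": triple_des(names)}


if __name__ == "__main__":
    for label, s in (("strong", STRONG), ("xp_compat", XP_COMPAT)):
        print(label, report(s))
```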
Mirror of: https://cipherli.st/

Shape linux traffic easily: wondershaper

Taken from MAN pages:

wondershaper is a traffic shaping script that provides low latency, prioritizes bulk transfers below normal web traffic, prioritizes interactive shells above normal web traffic, and attempts to prevent upload and download traffic from affecting each other’s ack packets. Put simply, the wondershaper makes your internet connection more “responsive”.

Install:

apt-get install wondershaper

Check interfaces:

ifconfig

Syntax:

wondershaper [interface] [downlink] [uplink]

Example:

wondershaper venet0 256 256

Note: the speeds are in KBps.

Apache nginx style config: apache2-mod-worker with PHP5-FPM

Did you know that you can run the old fart apache2 server as an “nginx + php5-fpm” setup? I will publish some blitz.io values for a better comparison.

Here we’ll get a working apache2 server that passes the PHP requests to php5-fpm, acting as a static file serving… server. Why not use nginx, you might ask? I’m too lazy to convert .htaccess to a .nginx-compatible-file.conf.

1. apt-get install apache2 apache2-bin apache2-data apache2-mpm-worker apache2-utils libapache2-mod-fcgid libapache2-mod-ruid2

This version does NOT understand PHP at all. If you’d like your “mpm” to dance with built-in PHP, go with apache2-mpm-prefork + libapache2-mod-php5.

  2. Open the Apache config /etc/apache2/conf-available/php5-fpm.conf and paste these lines:

<IfModule mod_fastcgi.c>
    AddHandler php5-fcgi .php
    Action php5-fcgi /php5-fcgi
    Alias /php5-fcgi /usr/lib/cgi-bin/php5-fcgi
    FastCgiExternalServer /usr/lib/cgi-bin/php5-fcgi -socket /var/run/php5-fpm.sock -pass-header Authorization
</IfModule>
<Directory /usr/lib/cgi-bin>
    Require all granted
</Directory>

The IfModule block tells Apache where to hand PHP requests off to (the php5-fpm socket). Don’t forget to enable the necessary mods:

  • a2enmod actions fastcgi alias

and to enable (activate) the config file above:

  • a2enconf php5-fpm
  3. Go into /etc/php5/fpm/pool.d/www.conf and tweak the parameters to your needs. This may include
  • setting a timeout
  • setting a limit on spawned children and the number of requests each child will serve

Your phpinfo(); should work from this point.

Later edit:

Nginx + PHP5-FPM results:

This rush generated 7,651 successful hits in 30 seconds and we transferred 21.83 MB of data in and out of your app. The average hit rate of 310.93/second translates to about 26,864,640 hits/day.
The average response time was 599 ms.
This test was aborted at 28 seconds.
RESPONSE TIMES
  • FASTEST: 276 MS
  • SLOWEST: 1,081 MS
  • AVERAGE: 599 MS
TEST CONFIGURATION
  • REGION: VIRGINIA
  • DURATION: 30 SECONDS
  • LOAD: 1-1000 USERS
OTHER STATS
  • AVG. HITS: 311 /SEC
  • DATA TRANSFERED:21.83MB
HITS

This rush generated 7,651 successful hits. The number of hits includes all the responses listed below. For example, if you only want HTTP 200 OK responses to count as Hits, then you can specify --status 200 in your rush.

CODE  TYPE  DESCRIPTION  AMOUNT
200   HTTP  OK           2075
404   HTTP  Not Found    5576

Apache2-mod-worker + PHP5-FPM results

ANALYSIS
This rush generated 1,243 successful hits in 30 seconds and we transferred 11.73 MB of data in and out of your app. The average hit rate of 43.57/second translates to about 3,764,160 hits/day.
The average response time was 2,945 ms.
This test was aborted at 28 seconds.
You've got bigger problems, though: 51.41% of the users during this rush experienced timeouts or errors!
RESPONSE TIMES
  • FASTEST: 110 MS
  • SLOWEST: 4,363 MS
  • AVERAGE: 2,945 MS
TEST CONFIGURATION
  • REGION: IRELAND
  • DURATION: 30 SECONDS
  • LOAD: 1-1000 USERS
OTHER STATS
  • AVG. HITS: 44 /SEC
  • DATA TRANSFERED: 11.73MB
  • HITS 48.59% (1243)
  • ERRORS 17.51% (448)
  • TIMEOUTS 33.89% (867)
HITS

This rush generated 1,243 successful hits. The number of hits includes all the responses listed below. For example, if you only want HTTP 200 OK responses to count as Hits, then you can specify --status 200 in your rush.

CODE  TYPE  DESCRIPTION  AMOUNT
200   HTTP  OK           1243
HITS
  • HTTP 200 OK 100% (1243)
ERRORS

The first error happened at 27.5 seconds into the test when the number of concurrent users was at 916. Errors are usually caused by resource exhaustion issues, like running out of file descriptors or the connection pool size being too small (for SQL databases).

CODE  TYPE  DESCRIPTION         AMOUNT
23    TCP   Connection timeout  448
ERRORS
  • CONNECTION TIMEOUT 100% (448)

This is the result I got on a 4 vCore VPS with 1024MB RAM and 512MB vSwap along with a 100GB HDD.

Good luck at learning nginx syntax!