Magento2 server has gone - security

Hello

I have a Magento2 website on a VPS at Digitalocean.
Today this server has gone.

Képernyőfelvétel (224).png988×1208 101 KB

I think its massive bot attacks.
The memory was full and was the first to close mysql.
Is there any help on what to configure and how on the server side for proper security and protection?
I used to have a similar problem with wordpress sites, where client side protection solved it.

Jumping the gun
Looking at a graph like this, I think it’s very easy to jump to the conclusion that an “attack” is taking place.

Take for example an issue that I once had on a Dev Server. It had similar looking graphs to what you’ve shown here, however the server was crashing due to a cron issue that had developed from a number of factors. The cron tasks would bottleneck and cause MySQL to consume more and more CPU. This would then result in MySQL from hanging and essentially crashing the server.

Run an investigation
Assuming you know what to look for (or even if you don’t), I would glaze over the following logs to try and piece together the story:

• Magento logs
• PHP logs
• MySQL logs
• Apache logs

I can’t tell you what to look for, but you might spot something that resulted in a cascading effect due to some blip on the web server. Sometimes, the best time to look is whilst the issue is occuring.

If it is an attack
Speaking of looking whilst it’s occurring… If it as an attack, then you can usually identify the “rogue” source (IP) address by looking through your server logs at incoming connections (ref link below).

When you see an IP that stands out way more than it should, then you block the IP address. This works well if it’s just a random attack because they eventually move on after a few hours. However, if you’ve made an enemy somewhere along the line then they’ll keep coming back regardless.

My expertise doesn’t focus purely on DevOps, so my advice is limited. However, the following articles may be of some use:

• https://www.loggly.com/blog/how-to-detect-and-analyze-ddos-attacks-using-log-analysis/
• https://serverfault.com/questions/152139/server-under-ddos-attack-how-to-find-out-ips

Also, depending on the type of attack, you can use like Redis to terminate multiple connections within a single session… Or even Cloudflare CDN which offers against attacks.

Final notes
When it comes to attacks and security of this nature, you want to be tackling the issue from the Server level. You do not want to be looking at a Magento solution. That would be like having a leaky tap and trying to plug the tap with a towel rather than replace the valve.

Also, huge enterprise businesses suffer from the same issues. It just happens to be that the bigger your business is, the more resources you have at hand to address it as it occurs. Take for example the Playstation Network. Huge company but was ddos’d a few years ago at Christmas. You can make it harder for attackers, but there is no “perfect” method… Just a good plan to have in place when these things happen.