Today we deployed some changes to the code of our emergency rescue strategy. If a Hypernode goes down as a result of a saturated PHP-FPM queue, we try to detect malicious patterns in the requests pending on the FPM workers. If the request pattern across the server looks like a brute-force attack or a malicious crawler that we have encountered before, the automation will attempt to deploy deny rules, provided that can be done without clashing with the previously configured Nginx config.
This applies to various types of attacks with signatures that we cannot block outright, since they might be in legitimate use by end-users. For example, we don’t block the /downloader endpoint by default on all servers. Instead we only do so if the server is under attack and the customer has not configured any other mitigation rules. If you still need the blocked functionality, the configured Nginx rules can be edited to add IP whitelisting. In case of an automated bot-block, you will receive an email with the details.
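As an added illustration (not Hypernode's own code), here is a small detector in the spirit of what is described above: it reads a PHP-FPM full status page, checks whether the busy workers are dominated by a known-abused endpoint such as /downloader while the listen queue is backed up, and emits the Nginx deny rule that would block that endpoint. The endpoint list, the thresholds and the status sample are assumptions made for this example.

```python
import json
from collections import Counter

# Constructed sample of a PHP-FPM full status page (pm.status_path with ?full&json),
# the same data you can fetch straight from the FPM socket with cgi-fcgi.
def _proc(state, uri):
    return {"state": state, "request method": "POST", "request uri": uri}

SAMPLE_STATUS = json.dumps({
    "pool": "www",
    "listen queue": 37,  # pending requests FPM could not hand to a worker yet
    "processes": [_proc("Running", "/downloader/?x=%d" % i) for i in range(6)]
                 + [_proc("Running", "/catalog/product/view/id/12"), _proc("Idle", "/")],
})

# Endpoints that are legitimate but regularly abused (assumed list for this example).
SUSPECT_ENDPOINTS = ("/downloader", "/admin", "/rss/catalog/notifystock")
SHARE_THRESHOLD = 0.6  # fraction of busy workers serving one suspect endpoint
MIN_BUSY = 5           # do not judge a pattern on a handful of requests

def busy_request_counts(status_json):
    """Return (busy_workers, Counter of suspect endpoint -> busy workers on it)."""
    status = json.loads(status_json)
    counts, busy = Counter(), 0
    for proc in status["processes"]:
        if proc["state"] == "Idle":
            continue
        busy += 1
        path = proc["request uri"].split("?", 1)[0]
        for prefix in SUSPECT_ENDPOINTS:
            if path == prefix or path.startswith(prefix + "/"):
                counts[prefix] += 1
                break
    return busy, counts

def detect_attack_pattern(status_json):
    """Suspect endpoints whose share of the busy workers looks like a flood,
    considered only when the FPM listen queue is actually backed up."""
    status = json.loads(status_json)
    if status["listen queue"] == 0:
        return []
    busy, counts = busy_request_counts(status_json)
    if busy < MIN_BUSY:
        return []
    return [p for p, n in counts.most_common() if n / busy >= SHARE_THRESHOLD]

def nginx_deny_rule(prefix):
    """Location block for the blocked endpoint; put `allow <ip>;` lines above
    `deny all;` to whitelist legitimate users of that functionality."""
    return "location ^~ %s {\n    # automated bot-block\n    deny all;\n}\n" % prefix

if __name__ == "__main__":
    for endpoint in detect_attack_pattern(SAMPLE_STATUS):
        print(nginx_deny_rule(endpoint))
```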
In other news, a while back we packaged the obfuscated and encrypted code scanner NeoPi for Debian. This package is now available on all Hypernodes. For more information about the NeoPi tool, see this article. Note that on Hypernode only the command-line utility is available, not the Service Panel integration and the automated mass scans as on the legacy platform. In addition to NeoPi, we recommend the newer and more specialized Magento malware scanner.
Finally, we also installed libfcgi. This library enables you to talk directly to the FPM daemon without going through Nginx, which can be a convenient tool for debugging.