My web server keeps going down I reboot it and then it may work for 5 mins then it down again.

I thought it may be a hacker I closed all port except to my Ip address, but it keeps going down, first the apache soon after I can't get access to root.

I have read in other forums disable root login via SSH, will this stop myself form logging in..

Can anyone make any sugestions on how to track down the error?

A help would be greatly appreciated

It can be a hardware problem. But you should disable login as root by ssh. Login as normal user then do su - to become root.

If it is going down normally (it shuts down all the deamons, and the system), then it is rather some hacker problem. I suggest to change more often your root password and make it quite long.

First of all fill in your user info like distro and such so we know what you're talking about.


I have read in other forums disable root login via SSH, will this stop myself form logging in..
Next add an unprivileged account with which you can log in through ssh (use a passphrase not a password) and with which you can su/sudo to root.


My web server keeps going down I reboot it and then it may work for 5 mins then it down again.
And crackers usually don't crave attention. So (w/o "evidence") I'd say it should classify as a hardware / process checker / watchdog problem and not as a breach of security. Anyway.
When did this behaviour start ocurring?
What changes where made leading up to the first ocurrance?
What does syslog say?

Thanks for the advice, it completly stopped working now.. cant't connect via ssh or via a serial consol, still a few thing I need to extract for the the server.. I have to mount drive in rescue mode..

I inputed the following command

mount /dev/hda1 /mnt

and is not a valid block device

could this be an indication that the Hard drive has gone?


i will update my info now

im using fedora core 4

mount /dev/hda1 /mnt
and is not a valid block device
could this be an indication that the Hard drive has gone?
If /dev/hda1 is meant to be a partition on the HD then I'd run a fsck on the partitions.

I did and that didn't work.. I think there was a hadware fault as when I put in a request to re-image basically it didn;t work and is unreachable

Could you point me in the right direction for more info su - to become root..

This issue just seems to get more confusing as time goes by.. I ordered a new server fearing that the old one was develpoing a hardware fault..

I copied/migrate half of the domians although I had not changed the dns yet.. and the new server was displaying caracteristic of the old one.

Is it possible I have a malicous program in one of my web directories an have copied it over..

Or anybody with any suggetions of what it may be?

Thanks

You haven't even started to answer the questions in post #2 and #3.

Sorry!

The behaviour started two days ago & have not made significant changes to the machine just updated info on a couple of websites..

I have checked the access_log and cannot see anything suspicious although i'm not 100% sure of what to look for...are there any other logs I should check

The orginal server that had the problem seems ok now but the new server (which domain has been tranfered to) is repeating the problems server hangs up at different times.. (I migrated the serve using plesk migration tool.

I have perform a root kit search and nothing was detected..

any advice would be greatly appreciated

First thing I'd do is stop all daemons that are publicly accessable (related to serving content and such) and keep those you need for accessing the box (SSH). Then look at *all* the logs. This:
should show which ones are opened for writing, any missing you get from reading /etc/syslog.conf.