[cpuwatchcheck] Cpu/Server Overload

Status
Not open for further replies.

Divvy

Hi guys,

For the past month I have been receiving many emails with notifications from my server about CPU overload.

Can someone please tell me how I can detect the account or issue that is causing this overload? I use WHM and also have access via SSH.

This is a copy of the last email:
Code:
IMPORTANT: Do not ignore this email.
This is cPanel cpuwatch on server.enigmahost.org!
While processing, the cpu has been maxed out for more than a 6 hour period. The current load/uptime line on the server at the time of this email is
10:49:04 up 233 days, 22:06, 0 users, load average: 2.20, 2.34, 2.49
You should check the server to see why the load is so high and take steps to lower the load. If you want stats to continue to run even with a high load; Edit /var/cpanel/cpanel.config and change extracpus to a number larger then 0 (run /usr/local/cpanel/startup

Thank you
 
Go to tweak settings under server setting; there you will find something like notifications. Just disable it, or increase the value.
 
Hmm thank you for your reply.
I don't want to disable notifications; I only need to know what account is causing this issue...
I don't have any website with huge traffic on this server...
And only have this problem since a few days ago.

Is there any way to identify the account?
Thank you!
 
Load time 2.20, 2.34, 2.49 is such a high load. It looks like a DDoS or brute-force attack.
And your server has been up for 233 days? It's very hard to keep a server stable for a year. Just restart it once to refresh any services.
 
DDOS attack? damn... how can I solve that? :(
Will the restart help? How can I restart my server?

Thank you
 
Thank you for your reply.

Doing the top command, can you give an example of what I need to look for? :)

Thank you
 
Use top -c to get a better understanding.

top alone looks like:

last pid: 25384; load avg: 1.06, 1.04, 0.76; up 351+06:30:24 00:10:08
139 processes: 2 running, 136 sleeping, 1 zombie
CPU states: 93.5% user, 0.0% nice, 6.3% system, 0.0% idle, 0.2% iowait
Kernel: 8 newproc
Memory: 5149M used, 2965M free, 303M buffers, 1341M cached
Swap: 6840K used, 1986M free, 1844K cached
  PID USERNAME THR PRI NICE  SIZE   RES STATE   TIME    CPU COMMAND
25174 root       1  25    0 4256K  716K run     0:24 99.59% egrep
14120 www        1  15    0  127M  110M sleep   0:08  8.00% mongrel_rails
10243 root       1  15    0   48M   45M sleep  46.1H  3.60% ruby
 8880 www        1  15    0  146M  131M sleep   0:12  1.80% mongrel_rails
18157 www        1  15    0  155M  140M sleep   0:21  0.60% mongrel_rails

Here is a tutorial for sites under attack.
These are a few steps to be taken when you feel that the server is under attack:
--------------------------------------------------------------------------------
Step 1: Check the load using the command "w".

Step 2: Check which service is utilizing maximum CPU by "nice top".

Step 3: Check which IP address is taking the maximum number of connections using the command:

netstat -anpl|grep :80|awk '{print $5}'|cut -d":" -f1|sort|uniq -c|sort -n
netstat -an|awk '/tcp/ {print $6}'|sort|uniq -c

Step 4: Check the IP address of the server having the maximum number of connections using the
command:

netstat -alpn | grep :80 | awk '{print $4}' | cut -d: -f1 |sort |uniq -c

Step 5: Then block the IP address using APF firewall "apf -d <IP address>" or
using CSF firewall "csf -d <IP address>".
--------------------------------------------------------------------------------

In future, to avoid a DDoS attack or to lower its intensity, you can install the
following modules.

============
*Mod_security: Since DDoS often targets HTTP (port 80), it is a good idea to
have a filtering system for Apache. 'Mod_security' will analyze requests before
passing them to the web server.

*Mod_dosevasive: This is an Apache module which performs 'evasive' action in the
event of an HTTP DDoS attack or brute force attack.

*(D)DoS Deflate: This is a shell script which assists in combating denial of
service attacks.
============

Please go through the following URLs for more information on how to install
"mod_security", "mod_evasive" and "dos_deflate" on your server:

-------------------
http://prasadnaik15.wordpress.com/how-to-prevent-ddos-attack/
-------------------
http://www.eth0.us/mod_evasive
-------------------
http://forum.whmdestek.com/security/758-mod_security-installation.html
-------------------

You can also enable Sysctl protection against DDoS. Please go through the
following URL for more information in this regard:

----------
http://forums.softlayer.com/showthread.php?t=304 [use your portal
username/password to login]

As mentioned by others, having some connections in TIME_WAIT is a normal part of the TCP connection. You can see the interval by examining /proc/sys/net/ipv4/tcp_fin_timeout:
[root@host ~]# cat /proc/sys/net/ipv4/tcp_fin_timeout
60

And change it by modifying that value:
[root@dev admin]# echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout

Or permanently by adding it to /etc/sysctl.conf
net.ipv4.tcp_fin_timeout=30

Also, if you don't use the RPC service or NFS, you can just turn it off:
/etc/init.d/nfsd stop

And turn it off completely
chkconfig nfsd off
 
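Added example, not part of the original post: the per-IP and per-state counts from Step 3 written as shell functions over `netstat -an` text. It matches the local port exactly and splits at the last colon, so `:8080` or a remote port such as `:8011` is not counted as port 80 and IPv6 or `::ffff:` mapped peers are not truncated by `cut -d:`. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed for illustration.

# Constructed `netstat -ant` output (documentation-range addresses only).
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address          State
tcp        0      0 0.0.0.0:80              0.0.0.0:*                LISTEN
tcp        0      0 192.0.2.10:80           203.0.113.5:51000        ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:51001        ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:51002        TIME_WAIT
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.5:51003 ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:40000       ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8::beef:52000     ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8::beef:52001     ESTABLISHED
tcp        0      0 192.0.2.10:8080         198.51.100.7:40001       ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.9:8011        ESTABLISHED
EOF
}

# top_talkers PORT MIN: print "count ip" for every remote address holding at
# least MIN connections to local PORT, busiest first.
top_talkers() {
  awk -v port="$1" -v min="$2" '
    $1 ~ /^tcp/ && $6 != "LISTEN" {
      lport = $4; sub(/^.*:/, "", lport)      # text after the LAST colon
      if (lport != port) next                 # exact match: 8080 is not 80
      raddr = $5; sub(/:[^:]*$/, "", raddr)   # drop only the trailing :port
      sub(/^::ffff:/, "", raddr)              # fold IPv4-mapped IPv6 into IPv4
      n[raddr]++
    }
    END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
  ' | sort -rn
}

# state_summary: connection count per TCP state (the second Step 3 command).
state_summary() {
  awk '$1 ~ /^tcp/ { s[$6]++ } END { for (k in s) print s[k], k }' | sort -rn
}

sample_netstat | top_talkers 80 2
sample_netstat | state_summary
```

On a live server, feed it real data with `netstat -ant | top_talkers 80 20` and review the listed addresses before passing any of them to `csf -d` or `apf -d`.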
XSLTel, thank you for your reply.

Yes, it looks like gzip is using 33.6% of CPU
And MySQL 31.4%

How can I fix this?
 
I think the mysql is high for the same reason gzip is high.

You have a scheduled backup of your database and it is passing the information directly to gzip.

Never do it that way. First create the mysql backup to a file and then run the gzip to compress it.

That way only one is eating cpu not both.

Do you have auto backups set up in WHM or in a cron added by someone on your staff or at your host?

Try using a simple command like
mysqldump -u YourUser -pYourPassword YourDB > YourDB.sql;
then run
gzip -9 YourDB.sql;

By the way you are welcome for the info.
 
Lock Down, thank you very much for that good information that you posted.

I don't think that I have any cron for auto backups... this is a dedicated server and only I have access to it. But I pay someone to configure my server... How can I see if I have any cron for auto backups?

Btw, this is my WHM Configure Backup:
http://screensnapr.com/e/krTHUG.jpg

Can you please help me fix this issue? :(
 