If you are sure that all your services (apache/mysql) are running just fine, you need to track the problem down.
Before you do anything:
# look at your network stats
netstat -a
# look at your tcp connections
netstat -tn
If you see a huge number of connections coming from one IP, then most likely you are under attack. Copy that IP and do a reverse lookup
# get some info who this sucker is attacking from
dig -x IP
It is also a good idea to have server-status enabled for Apache so you can see at any time the number of processes running from apache.
# to ban the IP, go to .htaccess file and add this line to the end of file
deny from IP
Apache will throw a forbidden error to any connection from that IP.
# restart your network
/sbin/service network restart
# restart apache
/sbin/service apache restart
This helps if you are under attack, but it doesn't help with misconfiguration of services. If the netstat output looks good, go to:
/var/log/ and explore your recent log files.
You need a firewall installed, SIM helps monitor services, and you need to monitor your machine for some time.
Also there are some really easy steps you need to take configuring TCP/IP in order to prevent several types of attack. Look at my /etc/sysctl.conf
QUOTE
[root@ensim phpacache]# cat /etc/sysctl.conf
# Disables packet forwarding
net.ipv4.ip_forward = 1
# Enables source route verification
net.ipv4.conf.all.rp_filter = 0
# Disables the magic-sysrq key
kernel.sysrq = 0
# Modify system limits for Ensim WEBppliance
fs.file-max = 65000
# Modify system limits for Ensim WEBppliance
fs.file-max = 65000
# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 15
# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 1800
# Turn off the tcp_window_scaling
net.ipv4.tcp_window_scaling = 0
# Turn off the tcp_sack
net.ipv4.tcp_sack = 0
# Turn off the tcp_timestamps
net.ipv4.tcp_timestamps = 0
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1
# Improve file system performance
vm.bdflush = 100 1200 128 512 15 5000 500 1884 2
# Improve virtual memory performance
vm.buffermem = 90 10 60
# Allowed local port range
net.ipv4.ip_local_port_range = 32768 61000
# Improve the number of open files
fs.file-max = 98304
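
A quick audit of a sysctl.conf like the one above, as an added example that is not part of the original post: it reports keys that are set more than once (the last assignment is the one that takes effect) and values that differ from what the file's own comments say they do. The function names, the embedded sample (a constructed subset of the posted file) and the expected-value table are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit sysctl.conf text for duplicate keys and for values
# that do not match what the comments in the file describe.

# Constructed sample: a subset of the lines from the posted sysctl.conf.
sample_conf() {
cat <<'EOF'
# Disables packet forwarding
net.ipv4.ip_forward = 1
# Enables source route verification
net.ipv4.conf.all.rp_filter = 0
fs.file-max = 65000
fs.file-max = 65000
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_redirects = 0
fs.file-max = 98304
EOF
}

# audit_sysctl: reads sysctl.conf text on stdin, prints one finding per line:
#   DUP <key> <count> <effective value>   key assigned more than once
#   MISMATCH <key> <got> <want>           effective value differs from table
audit_sysctl() {
  awk '
    BEGIN {
      # Assumed expectations: the values the comments in the post describe.
      want["net.ipv4.ip_forward"] = "0"                # forwarding disabled
      want["net.ipv4.conf.all.rp_filter"] = "1"        # source verification on
      want["net.ipv4.tcp_syncookies"] = "1"
      want["net.ipv4.conf.all.accept_redirects"] = "0"
    }
    /^[ \t]*[#;]/ || !/=/ { next }   # skip comments and non-assignments
    {
      eq = index($0, "=")
      key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (!(key in seen)) order[++n] = key   # remember first-seen order
      seen[key]++; last[key] = val           # later assignments override
    }
    END {
      for (i = 1; i <= n; i++) {
        k = order[i]
        if (seen[k] > 1) printf "DUP %s %d %s\n", k, seen[k], last[k]
        if ((k in want) && last[k] != want[k])
          printf "MISMATCH %s %s %s\n", k, last[k], want[k]
      }
    }'
}

sample_conf | audit_sysctl
```

To check a live file, run `audit_sysctl < /etc/sysctl.conf` and compare the findings with `sysctl -a` after `sysctl -p`.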