
High Total CPU for last 2 days at around same time - HELP

dicko_md

Hi

Plesk 11.5.30 #37

For the last 2 days, at about the same time, my server has come to a halt. I took a screen capture of htop. The health monitor says high CPU usage at about 93-96%, but htop shows memory being eaten up by Apache from what I can see.

How can I drill down and see who or what is the culprit?

Thanks Martyn

serverb_high_cpu_usage.png
 
Sounds like you were under a DOS attack, which caused your server to run out of memory and hang ...

Firstly, do you have any firewall tools installed on your server? I would highly recommend CSF and with it you can KILL the common dos-attacks with the "SYNFLOOD" flag ..
After installation,
Code:
vim /etc/csf/csf.conf

And change to:
Code:
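# csf.conf values are quoted strings; the SYN flood switch is named SYNFLOOD
SYNFLOOD = "1"
# PORTFLOOD format: "port;protocol;hit count;interval in seconds" (limits here are example values)
PORTFLOOD = "80;tcp;20;5"
DENY_TEMP_IP_LIMIT = "200"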

and reload service with

Code:
csf -r

Secondly, you can also prevent DDoS attacks by using mod_evasive in Apache 2. Mod_evasive is an Apache module that provides evasive maneuvers in the event of an HTTP DoS or DDoS (Denial of Service) attack or brute force attack.

Thirdly, ddos_deflate is another very good connection based IP banning tool to consider ..
 
Investigating a dos-attack at the time it's occurring

Determine connections on Port 80 with

Code:
netstat -tulpn| grep :80
netstat -lnp | grep ':80'

No. of Active Connections

Code:
netstat -n | grep :80 |wc -l

List ALL IPs in active connections with the number of connections

Code:
netstat -apn | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr

Optimization of Apache

Code:
vi /etc/httpd/conf/httpd.conf

For the best performance on most websites leave,

Code:
KeepAlive On
# 1 or 2 seconds
KeepAliveTimeout 2

With that kind of information, you can easily block IPs that are attacking you..
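
The per-IP count from the commands above, as an added example that is not part of the original thread: it matches the local port exactly (so :8080 and outbound connections to a remote port 80 are not counted), counts only ESTABLISHED and SYN_RECV sockets, and folds IPv4-mapped IPv6 addresses into IPv4. The function names and the sample netstat lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. The sample data is constructed
# (documentation-range addresses) in `netstat -ant` column layout.
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           203.0.113.7:51000       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.7:51001       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.7:51002       SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.4:40000      ESTABLISHED
tcp        0      0 192.0.2.10:8080         198.51.100.9:40001      ESTABLISHED
tcp        0      0 192.0.2.10:45000        198.51.100.20:80        ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:198.51.100.4:40002 ESTABLISHED
EOF
}

# conns_per_ip [PORT]: read netstat lines on stdin and print "count ip" for
# clients connected to the local PORT (default 80), busiest first.
conns_per_ip() {
    awk -v port="${1:-80}" '
        $1 ~ /^tcp/ && ($6 == "ESTABLISHED" || $6 == "SYN_RECV") {
            n = split($4, l, ":")
            if (l[n] != port) next      # exact local port: skips :8080 and outbound :80
            ip = $5
            sub(/:[0-9]+$/, "", ip)     # drop the remote port
            sub(/^::ffff:/, "", ip)     # fold IPv4-mapped IPv6 into IPv4
            count[ip]++
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# over_limit PORT LIMIT: only the client IPs holding LIMIT or more connections.
over_limit() {
    conns_per_ip "$1" | awk -v limit="$2" '$1 >= limit { print $2 }'
}

# Demo on the constructed sample.
sample_netstat | conns_per_ip 80
```

On a live server the same functions read real data, for example `netstat -ant | over_limit 80 50`.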
 
Hi

It's just started to go down now and we are under 80% for total CPU, but memory is still high, using 3323 of 3545.

I'm guessing someone is running a cron or a script early morning unless someone else has a reason unless I was under ddos attack. Do ddos attacks not just happen all the time or are they every so often or regular intervals?

Thanks

Martyn
 
It might not be a dos-attack, but could be very high traffic and a heavy (UN-optimized) wordpress website eating up your RAM.
If it's a cron, htop should show it...

Please look closely at the above recommendations ...
 