Portal Home > Knowledgebase > Articles Database > My server CPU Has High Load please help.
My server CPU Has High Load please help.
| Posted by coolsalman_1, 12-18-2010, 03:46 PM |
| My server is overloaded and my sites are opening very very slow.
i did optimization but sites are opening little fast but load is still in between 25- 30 on 12GB DDr3 , Phenom II server.
my hard drive was corrupted and i reinstall the os but again load is high.
guys please help how to reduce it. And what info you guys needed so i will post it here.
Server has mainly hosting wordpress, vbulletin and phpmotion sites.
|
| Posted by Johnny Cache, 12-18-2010, 03:47 PM |
| An output of 'top' would be nice to look at (SHIFT+M to sort by memory usage) so we can track down the process(es) that are overloading your system.
|
| Posted by coolsalman_1, 12-18-2010, 06:35 PM |
| at this time here are the result:
|
| Posted by Johnny Cache, 12-18-2010, 06:48 PM |
| Quite a bit of Apache PIDs in there.
Should come up with something similar to this:
What's your CPU usage showing, and how many idle workers?
Run this: and paste the output. Could be a DoS...
|
| Posted by coolsalman_1, 12-18-2010, 06:52 PM |
| Result:
|
| Posted by Johnny Cache, 12-18-2010, 07:05 PM |
| Looks to me like a DDoS based on the connections to port 80, especially since the IP ranges vary based on country.
Just for confirmation:
Then run 'top' again and see if the load goes down...paste the results, please?
|
| Posted by coolsalman_1, 12-18-2010, 07:08 PM |
| results are below.
|
| Posted by Johnny Cache, 12-18-2010, 07:41 PM |
| Yeah, I think it's safe to say it's a DDoS, your CPU load avg. dropped as soon as you killed Apache.
|
| Posted by coolsalman_1, 12-18-2010, 08:30 PM |
| so how to provent from this. You helped me alot so please help me in solving this issue.
|
| Posted by CoolKoon, 12-18-2010, 08:46 PM |
| Hmmm, actually HDD corruption CAN slow down everything too. I've had that happen numerous times on my laptop and PC as well (oh, the pain and the futile anger ) so as far as the HDD goes, good riddance I'd say
As for the traffic, yes, some of the IPs definitely look suspicious so you might want to make some arrangements against DDoS first (since I doubt that keeping Apache shut down is the solution ). You could install an IDS (intrusion detection/prevention system) which is quite good at scanning for suspicious traffic and blacklist the IPs in question. You could even combine it with mod_security for some additional protection.
If you find your server being still burdened with heavy traffic, you might also want to consider the following optimizations:
- Most of the resources on your server are consumed by DB access (the MySQL process shows heavy CPU usage). Therefore you could try to install a PHP accelerator (provided your sites use PHP) which employs extensive caching and other tricks to speed up the serving of your pages while lowering the load it puts on server.
- If you don't have already, consider setting up a RAID array with mirroring (aka RAID 1) which'll not only speed up your disk access considerably, but also provide you with some fault tolerance
I hope this helps
|
| Posted by Johnny Cache, 12-18-2010, 08:48 PM |
| Sure, I'll help as best I can, but I'm hoping some of the security specialists will peruse this thread and add their suggestions along the way.
I got your message and just responded.
|
| Posted by Johnny Cache, 12-18-2010, 09:04 PM |
| I recommend going to www.configserver.com and applying CSF/LFD to your server. Oh, and CoolK is right, if you haven't restarted Apache, go ahead and do so.
I also agree that recompiling Apache with something like EAccelerator or Zend Optimizer if you haven't yet. Along with mod_security, suhosin, modsec2, etc., to secure Apache as best as you can.
Last edited by Johnny Cache; 12-18-2010 at 09:13 PM.
|
| Posted by coolsalman_1, 12-18-2010, 09:17 PM |
| i have installed xcache which is also good as eaccelerator. i did optimization which gave me by vbulletin. This time load is normal but in peak hours load reaches to 25+
|
| Posted by CoolKoon, 12-19-2010, 08:29 PM |
| Peak load of 25+?! Are you sure it's THAT high (meaning >2400% overload)? Also, it seems then that you only have problems with the load in peak time, right? Then it might not be DDoS after all (although some of the IPs DO look very suspicious ). All in all, you might really want to install (or have an admin install) at least an IDS/IPS (intrusion detection/prevention system). Snort is the most popular one I think, but I've also used OSSEC with great success. You see the point is to discourage suspicious sources from sending traffic to your server. Once that's done, your server load should drop to a manageable level.
|
| Posted by coolsalman_1, 12-20-2010, 06:51 PM |
| I installed firewall but i am having same issue.
|
| Posted by CoolKoon, 12-20-2010, 07:56 PM |
| Look, firewall is basically a passive thing that'll protect you from other types of attacks but not DoS. DoS is an attack that's targeting the ports your firewall has allowed traffic to pass through, mostly port 80 (HTTP), but it can also target some other ports too. However installing an IDS is still a good idea since it acts like an active firewall. What it does is that it monitors the log files for any suspicious activity then uses firewall rules to block the source IP the suspicious activity is coming from. This way quite a few DoS attacks can be thwarted.
Also, considering the fact that the MySQL database seems to have a great share on the load you have, try checking out this topic about some optimizations for it:
http://www.webhostingtalk.com/showthread.php?t=1004104
Hopefully these two things combined will reduce your problems somewhat.
|
Add to Favourites 
Print this Article
Also Read
