
Tracking down High Server Loads

A list of useful commands for finding the cause of a high server load (runaway web clients, planted PHP, brute-force SSH) and for blocking the offender once found:

Apache POST DoS Attack

  • Watch POST requests arriving at Apache in real time (plain HTTP on port 80 only; TLS traffic on 443 cannot be read this way):
    1. /usr/sbin/tcpdump -A -nnn -s0 -l 'dst port 80' | grep --line-buffered -Eo "POST /.*"
  • Find the culprit vhost on a shared hosting environment (Plesk log layout shown; adjust the path for other panels):
    1. grep POST /var/www/vhosts/*/statistics/logs/access_log
  • Find the IP address that is doing the most POST requests (-h is required here: with several files grep prefixes each line with the filename, which would otherwise end up glued to the IP in the first field):
    1. grep -h POST /var/www/vhosts/*/statistics/logs/access_log | awk '{print $1}' | sort | uniq -c | sort -n | tail -n 50
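The same ranking done against a single access_log, as an added example (not code from the original page): it matches on the request-method field rather than grepping for the word POST anywhere on the line, and then shows which URLs the busiest client is hitting. The log lines are constructed for the demo and use documentation IP ranges.

```shell
#!/bin/sh
# Added example, not from the original page: rank client IPs by POST count in
# an Apache combined-format access_log and list the URLs a given client is
# POSTing to. The log lines below are constructed for the demo; the IPs are
# documentation ranges.

# Write a small constructed access_log to a temp file and print its path.
make_sample_access_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:55:41 +0000] "POST /contact.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:13:55:42 +0000] "GET /POST-office.html HTTP/1.1" 200 4411 "-" "curl/7.88"
192.0.2.44 - - [10/Oct/2023:13:55:43 +0000] "POSTER /x HTTP/1.1" 404 0 "-" "curl/7.88"
EOF
    echo "$f"
}

# Top N POSTing clients as "<count> <ip>", busiest first.
# $1 = access_log path, $2 = N (default 10).
# Field 6 of the combined format is the request method with its opening
# quote, so only real POST requests count; a plain `grep POST` would also
# match the GET for /POST-office.html and the bogus POSTER method above.
top_post_ips() {
    awk '$6 == "\"POST" {print $1}' "$1" \
        | sort | uniq -c | sort -rn | head -n "${2:-10}" \
        | awk '{print $1, $2}'
}

# URLs one client is POSTing to, as "<count> <path>", most frequent first.
# $1 = access_log path, $2 = client IP.
post_targets_for_ip() {
    awk -v ip="$2" '$1 == ip && $6 == "\"POST" {print $7}' "$1" \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Demo run against the constructed log.
LOG=$(make_sample_access_log)
echo "Top POST sources:"
top_post_ips "$LOG" 5
echo "Targets for the busiest source:"
post_targets_for_ip "$LOG" "$(top_post_ips "$LOG" 1 | awk '{print $2}')"
rm -f "$LOG"
```

On a real host pass the vhost's access_log path instead of the temp file; for several vhosts, concatenate them with cat first so the filename never ends up in the first field.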

Finding a rogue PHP script using PHP's eval() function

  1. find "$PWD" -iname '*.php' -exec grep -Hn "eval(" {} + > /tmp/eval_search.txt

Expect hits in legitimate code as well (template engines and some frameworks use eval), so triage the list by location (upload and cache directories should never contain PHP) and by modification time rather than treating every match as malicious.
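That triage step, as an added example that is not part of the original page: the same eval( search, followed by a ranking of the matching files by modification time so a freshly dropped file surfaces first. The web root, file names and contents below are a constructed sample.

```shell
#!/bin/sh
# Added example, not from the original page: locate PHP files that call
# eval() and rank them by modification time, since a freshly dropped webshell
# is usually the newest PHP file on the box. The web root below is a
# constructed sample; paths and contents are not from any real site.

# Build a small constructed web root and print its path.
make_sample_webroot() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads" "$root/vendor/lib"
    printf '<?php\necho "hello";\n' > "$root/index.php"
    # typical one-line backdoor: eval of attacker-supplied, base64-wrapped code
    printf '<?php @eval(base64_decode($_POST["c"]));\n' > "$root/wp-content/uploads/img.php"
    # legitimate library that also uses eval: expect it as a false positive
    printf '<?php\nfunction tpl($s) { return eval("return " . $s . ";"); }\n' > "$root/vendor/lib/Template.php"
    printf '<?php\n// evaluation helper, no dynamic code here\n' > "$root/helper.php"
    # age the legitimate files so the planted one stands out by mtime
    touch -t 202301010000 "$root/index.php" "$root/vendor/lib/Template.php"
    echo "$root"
}

# Every "eval(" hit under $1 as path:line:text (grep output, one per hit).
find_eval_calls() {
    grep -rHn --include='*.php' 'eval(' "$1" 2>/dev/null || true
}

# One line per matching file as "<mtime epoch> <path>", newest first.
# GNU stat -c and BSD stat -f are both tried so this runs on Linux and macOS.
eval_files_by_mtime() {
    find_eval_calls "$1" | cut -d: -f1 | sort -u | while IFS= read -r f; do
        ts=$(stat -c %Y "$f" 2>/dev/null || stat -f %m "$f")
        printf '%s %s\n' "$ts" "$f"
    done | sort -rn
}

ROOT=$(make_sample_webroot)
echo "eval() hits, newest file first:"
eval_files_by_mtime "$ROOT"
rm -rf "$ROOT"
```

Note that a grep cannot tell code from data: an eval( inside a comment or string literal is reported just like a real call, and a backdoor that builds the word at runtime is missed, so treat the list as a starting point for manual review, not a verdict.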

Count the number of connections to Apache (every TCP state plus the listening socket itself, so read it as an upper bound)

  1. netstat -an | grep ":80 " | wc -l

// View the connections to Apache.

  1. netstat -an |grep ":80 "

// Count the connections to Apache per IP address (the regex also extracts the server's own address from the Local Address column, so expect it at the top of the list)

  1. netstat -an | grep ":80 " | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | sort -n | uniq -c | sort -n

// Count the connections per remote IP address across all TCP ports, top 10 (the two grep -v filters drop netstat's header lines)

  1. netstat -tan | grep -v 'LISTEN' | awk '{print $5}' | grep -v 'and' | grep -v 'Address' | cut -d':' -f1 | sort -n | uniq -c | sort -rn | head -n10

// Sort IP addresses connected to Apache (the sed strips the ::ffff: prefix netstat puts on IPv4 clients of a dual-stack listener; native IPv6 peers are still truncated at their first colon by the cut)

  1. netstat -tn 2>/dev/null | grep ':80 ' | awk '{print $5}' | sed -e 's/::ffff://' | cut -f1 -d: | sort | uniq -c | sort -rn | head
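A per-remote-address count that handles all three peer forms netstat prints (IPv4, IPv4-mapped IPv6, native IPv6) and lets you restrict the count to one TCP state, as an added example that is not from the original page. The netstat -tan output it parses is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original page: count connections per remote
# address for one local port from `netstat -tan` output, handling the three
# peer address forms netstat prints (IPv4, IPv4-mapped IPv6 ::ffff:a.b.c.d,
# native IPv6). The netstat output below is constructed for the demo.

# Constructed `netstat -tan` output, including the two header lines.
sample_netstat_output() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.23:40001     ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.44:55555        ESTABLISHED
tcp6       0      0 ::ffff:10.0.0.5:80      ::ffff:203.0.113.7:51240 ESTABLISHED
tcp6       0      0 2001:db8::5:80          2001:db8:1::9:44322     ESTABLISHED
tcp6       0      0 2001:db8::5:80          2001:db8:1::9:44323     TIME_WAIT
EOF
}

# Read netstat -tan output on stdin; print "<count> <remote address>" for
# connections whose LOCAL port is $1, busiest first. $2 is an optional awk
# regex on the State column (e.g. ESTABLISHED, or SYN_RECV to spot a SYN
# flood); LISTEN sockets and the header lines are always skipped.
conns_per_remote_ip() {
    awk -v port="$1" -v states="${2:-.}" '
        $1 ~ /^tcp6?$/ && $6 != "LISTEN" && $6 ~ states {
            # The port is everything after the LAST colon; splitting on the
            # first colon (cut -d: -f1) would truncate native IPv6 peers.
            n = split($4, lp, ":"); if (lp[n] != port) next
            m = split($5, rp, ":")
            addr = substr($5, 1, length($5) - length(rp[m]) - 1)
            sub(/^::ffff:/, "", addr)   # unwrap IPv4-mapped IPv6 clients
            print addr
        }' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Demo: all non-LISTEN states on port 80, then established only.
echo "Port 80, all states:"
sample_netstat_output | conns_per_remote_ip 80
echo "Port 80, ESTABLISHED only:"
sample_netstat_output | conns_per_remote_ip 80 ESTABLISHED
```

On a live host pipe the real output in: netstat -tan | conns_per_remote_ip 80. With the newer ss -tan the peer address is in the same fifth column, but the state is the first column rather than the sixth, so the two $6 tests would need to move to $1.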

// Check for failed SSH logins (RHEL/CentOS log to /var/log/secure; Debian/Ubuntu use /var/log/auth.log, and systemd-only hosts need journalctl -u sshd, or -u ssh on Debian, instead)

  1. head -n1 /var/log/secure | awk '{ print "Failed SSH login attempts since: " $1 " " $2 }'
  2. grep -c "Failed password" /var/log/secure
  3. grep "Failed password" /var/log/secure | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n | uniq -c | awk '$1 >= 100'

Step 3 lists only sources with 100 or more failures, which is what the original one-liner's awk 'length($1)>2' test did; drop the final awk to see every source, or replace it with sort -rn to put the worst offender first.

IPTables

// Drop a single IP (-I inserts at the top of the chain, so the rule takes effect before any ACCEPT rule that follows)

  1. /sbin/iptables -I INPUT -j DROP -s 192.243.55.132

// Drop a /24 range of IP addresses (write the network address; iptables silently masks the host bits of 192.243.55.134/24 down to 192.243.55.0/24 anyway, so be explicit about what you are blocking)
RedHat:

  1. /sbin/iptables -I INPUT -j DROP -s 192.243.55.0/24

Ubuntu:
  1. sudo iptables -I INPUT -j DROP -s 180.76.15.0/24

// Save the rules (RHEL/CentOS; on RHEL 7 and later this needs the iptables-services package. Ubuntu has no such service: install iptables-persistent and run netfilter-persistent save instead)

  1. /sbin/service iptables save

Removing a blocked IP address

  1. /sbin/iptables -L INPUT -n --line-numbers | grep 'xxx.xxx.xxx.xxx'
  2. /sbin/iptables -D INPUT X

Rule numbers shift after every delete, so re-run step 1 before each step 2 when removing several rules; alternatively delete by rule specification, passing -D INPUT with exactly the arguments used on -I. Once the block list grows beyond a handful of addresses, an ipset referenced by a single iptables rule is much easier to manage than one rule per address.

// Good article explaining TOP, VMSTAT and other goodies.
http://www.tummy.com/articles/isolating-heavy-load/

