VPS: lots of httpd processes (RAM through the roof)....

The httpd processes have shot through the roof and I can't figure out why. I use the DirectAdmin control panel. The sites get rather little traffic, so on average a couple of hundred MB of RAM is in use. Today, though, it has been sky-high (4GB+) for a few hours already. Even if I restart the httpd service, the processes quickly pile up again...

httpd (pid 14288 14297 14299 14302 14303 14306 14307 14308 14312 14319 14321 14329 14333 14334 14342 14355 14356 14357 14358 14359 14367 14368 14387 14398 14402 14405 14419 14420 14422 14441 14442 14443 14450 14452 14457 14463 14467 14472 14482 14490 14491 14524 14536 14544 14548 14558 14566 14568 14578 14586 14601 14605 14610 14612 14614 14621 14622 14623 14639 14647 14669 14673 14677 14679 14683 14697 14698 14702 14709 14710 14711 14719 14720 14724 14734 14742 14750 14753 14754 14767 14768 14770 14771 14809 14828 14843 14845 14852 14853 14854 14865 14873 14874 14875 14876 14881 14884 14892 14893 14894 14897 14905 14932 14938 14961 14967 14970 14973 14976 15026 15027 15035 15036 15039 15061 15064 15095 15103 15104 15105 15109 15133 15135 15152 15156 15164 15187 15188 15190 15191 15204 15216 15217 15218 15220 15221 15222 15228 15230 15241 15265 15273 15279 15287 15295 15315 15317 15340 15344 15345 15358 15359 15362 15363 15364 15365 15371 15374 15375 15377 15389 15424 15432 15433 15434 15436 15444 15456 15459 15463 15470 15474 15477 15484 15496 15516 15520 15536 15540 15541 15553 15558 15565 15567 15598 15599 15603 15604 15607 15620 15621 15632 15633 15637 15654 15659 15664 15665 15667 15681 15693 15719 15720 15721 15723 15724 15726 15751 15752 15753 15755 15756 15757 15769 15770 15790 15791 15792 15796 15807 15818 15819 15822 15825 15834 15876 15880 15881 15886 15889 15892 15899 15955 15956 15957 15970 16046 16048 16083 16086 16087 16212 16215 16225 16226 16227 16235 16237 16238 16268 16282 16289 16290 16292 16294 16300 16301 16302 16341 16342 16346 16347 16370 16371 16374 16376 16384 16385 16386 16387 16388 16389 16395 16397 16398 16403 16415 16425 16441 16442 16443 16445 16446 16460 16465 16466 16467 )

I don't know much about server administration. If I check a process with

cd /proc/id_procesa
ls -la

most of them print the following...

dr-xr-xr-x 7 apache apache 0 2015-03-30 15:37 .
dr-xr-xr-x 341 root root 0 2015-03-26 15:40 ..
dr-xr-xr-x 2 apache apache 0 2015-03-30 15:41 attr
-r-------- 1 root root 0 2015-03-30 15:41 auxv
-r--r--r-- 1 root root 0 2015-03-30 15:41 cgroup
--w------- 1 root root 0 2015-03-30 15:41 clear_refs
-r--r--r-- 1 root root 0 2015-03-30 15:41 cmdline
-rw-r--r-- 1 root root 0 2015-03-30 15:41 coredump_filter
-r--r--r-- 1 root root 0 2015-03-30 15:41 cpuset
lrwxrwxrwx 1 root root 0 2015-03-30 15:41 cwd -> /var/www/html/webmail
-r-------- 1 root root 0 2015-03-30 15:41 environ
lrwxrwxrwx 1 root root 0 2015-03-30 15:41 exe -> /usr/sbin/httpd
dr-x------ 2 root root 0 2015-03-30 15:41 fd
dr-x------ 2 root root 0 2015-03-30 15:41 fdinfo
-r--r--r-- 1 root root 0 2015-03-30 15:41 io
-r-------- 1 root root 0 2015-03-30 15:41 limits
-rw-r--r-- 1 root root 0 2015-03-30 15:41 loginuid
-r--r--r-- 1 root root 0 2015-03-30 15:41 maps
-rw------- 1 root root 0 2015-03-30 15:41 mem
-r--r--r-- 1 root root 0 2015-03-30 15:41 mountinfo
-r--r--r-- 1 root root 0 2015-03-30 15:41 mounts
-r-------- 1 root root 0 2015-03-30 15:41 mountstats
dr-xr-xr-x 5 apache apache 0 2015-03-30 15:41 net
-r--r--r-- 1 root root 0 2015-03-30 15:41 numa_maps
-rw-r--r-- 1 root root 0 2015-03-30 15:41 oom_adj
-r--r--r-- 1 root root 0 2015-03-30 15:41 oom_score
-r-------- 1 root root 0 2015-03-30 15:41 pagemap
lrwxrwxrwx 1 root root 0 2015-03-30 15:41 root -> /
-rw-r--r-- 1 root root 0 2015-03-30 15:41 sched
-r--r--r-- 1 root root 0 2015-03-30 15:41 sessionid
-r--r--r-- 1 root root 0 2015-03-30 15:41 smaps
-r--r--r-- 1 root root 0 2015-03-30 15:40 stat
-r--r--r-- 1 root root 0 2015-03-30 15:41 statm
-r--r--r-- 1 root root 0 2015-03-30 15:37 status
dr-xr-xr-x 3 apache apache 0 2015-03-30 15:41 task
-r--r--r-- 1 root root 0 2015-03-30 15:41 wchan

Do you think someone has broken into my webmail and is now happily spamming through my server, or what is going on here?

14 replies

Could someone please also tell me how to set up cron through DirectAdmin so that httpd gets restarted every 10 minutes, at least until I find the fault? (right now I restart it manually, because I only have 2GB of RAM available and the server can freeze quickly)

vpsss:
Could someone please also tell me how to set up cron through DirectAdmin so that httpd gets restarted every 10 minutes, at least until I find the fault? (right now I restart it manually, because I only have 2GB of RAM available and the server can freeze quickly)

Set up the firewall first so that only you can get in ... then it will be easier to work.

1

Someone is hammering your server
Look at server-status when it happens

Most likely they are brute-forcing one of your scripts.

P.S. Hire a sysadmin to sort this out for you.

4

It could be some DoS or a buggy script. Above all, look at the HTTP server's access and error logs; there may be some strange requests in there, and it will be immediately clear what is going on. Offhand I'd say it's some kind of "Slowloris" attack, but hosting providers mostly have that taken care of (unless you have an unmanaged VPS, where you have to take care of it yourself).

1
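
Added example, not from any poster in the thread: one way to do the access-log check suggested above, ranking client IPs, request targets and timed-out (408) connections. The log lines are constructed and the function names are hypothetical; point the functions at your own access log.

```shell
#!/bin/sh
# Constructed sample lines (documentation-range addresses), combined log format.
sample_log() {
cat <<'EOF'
198.51.100.7 - - [30/Mar/2015:15:37:01 +0200] "POST /webmail/index.php HTTP/1.1" 200 512 "-" "-"
198.51.100.7 - - [30/Mar/2015:15:37:02 +0200] "POST /webmail/index.php HTTP/1.1" 200 512 "-" "-"
198.51.100.7 - - [30/Mar/2015:15:37:02 +0200] "POST /webmail/index.php?_task=login HTTP/1.1" 200 512 "-" "-"
203.0.113.20 - - [30/Mar/2015:15:37:03 +0200] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Mar/2015:15:37:04 +0200] "POST /webmail/index.php HTTP/1.1" 200 512 "-" "-"
203.0.113.20 - - [30/Mar/2015:15:37:05 +0200] "GET /style.css HTTP/1.1" 200 230 "-" "Mozilla/5.0"
192.0.2.44 - - [30/Mar/2015:15:37:06 +0200] "-" 408 - "-" "-"
EOF
}

# top_clients FILE [N]: requests per client IP, busiest first.
top_clients() {
    awk '{ c[$1]++ } END { for (ip in c) print c[ip], ip }' "$1" |
        sort -k1,1nr -k2,2 | head -n "${2:-10}"
}

# top_targets FILE [N]: requests per "METHOD path", query string stripped,
# so repeated POSTs against one script stand out.
top_targets() {
    awk -F'"' '{ n = split($2, r, " "); if (n < 2) next
                 sub(/\?.*/, "", r[2]); c[r[1] " " r[2]]++ }
               END { for (k in c) print c[k], k }' "$1" |
        sort -k1,1nr -k2 | head -n "${2:-10}"
}

# timeouts_by_client FILE [N]: clients whose connections ended in 408
# (the request timed out before it was complete), which slow-request
# tools such as the Slowloris mentioned above can leave behind.
timeouts_by_client() {
    awk -F'"' '{ split($3, s, " "); split($1, a, " ")
                 if (s[1] == "408") c[a[1]]++ }
               END { for (ip in c) print c[ip], ip }' "$1" |
        sort -k1,1nr -k2,2 | head -n "${2:-10}"
}

# Stand-alone use: sh this_script.sh /path/to/access_log
if [ -n "${1:-}" ]; then
    top_clients "$1"; top_targets "$1"; timeouts_by_client "$1"
fi
```

A single address or a single script dominating the first two lists is the thing to block or take offline first; the third list only has entries if the server logs timed-out connections.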

Thanks everyone for the replies. I'm looking at the Apache error_log (for root)

[Mon Mar 30 17:49:49 2015] [error] child process 24261 still did not exit, sending a SIGKILL
[Mon Mar 30 17:49:49 2015] [error] child process 24263 still did not exit, sending a SIGKILL
[Mon Mar 30 17:49:49 2015] [error] child process 24404 still did not exit, sending a SIGKILL
[Mon Mar 30 17:49:49 2015] [error] child process 24218 still did not exit, sending a SIGKILL
[Mon Mar 30 17:49:49 2015] [error] child process 24219 still did not exit, sending a SIGKILL
[Mon Mar 30 17:49:49 2015] [error] child process 24222 still did not exit, sending a SIGKILL
[Mon Mar 30 17:49:49 2015] [error] child process 24223 still did not exit, sending a SIGKILL
[Mon Mar 30 17:49:49 2015] [error] child process 24265 still did not exit, sending a SIGKILL
[Mon Mar 30 17:49:49 2015] [error] child process 24511 still did not exit, sending a SIGKILL
[Mon Mar 30 17:49:49 2015] [error] child process 24267 still did not exit, sending a SIGKILL
[Mon Mar 30 17:49:49 2015] [error] child process 24268 still did not exit, sending a SIGKILL
[Mon Mar 30 17:49:49 2015] [error] child process 24269 still did not exit, sending a SIGKILL
[Mon Mar 30 17:49:49 2015] [error] child process 24270 still did not exit, sending a SIGKILL
[Mon Mar 30 17:49:49 2015] [error] child process 24407 still did not exit, sending a SIGKILL
[Mon Mar 30 17:49:49 2015] [error] child process 24517 still did not exit, sending a SIGKILL
[Mon Mar 30 17:49:49 2015] [error] child process 24340 still did not exit, sending a SIGKILL
[Mon Mar 30 17:49:49 2015] [error] child process 24410 still did not exit, sending a SIGKILL
[Mon Mar 30 17:49:49 2015] [error] child process 24499 still did not exit, sending a SIGKILL
[Mon Mar 30 17:49:49 2015] [error] child process 24420 still did not exit, sending a SIGKILL
[Mon Mar 30 17:49:49 2015] [error] child process 24484 still did not exit, sending a SIGKILL
[Mon Mar 30 17:49:49 2015] [error] child process 24440 still did not exit, sending a SIGKILL
[Mon Mar 30 17:49:49 2015] [error] child process 24442 still did not exit, sending a SIGKILL
[Mon Mar 30 17:49:49 2015] [error] child process 24485 still did not exit, sending a SIGKILL
[Mon Mar 30 17:49:49 2015] [error] child process 24538 still did not exit, sending a SIGKILL
[Mon Mar 30 17:49:49 2015] [error] child process 24502 still did not exit, sending a SIGKILL
[Mon Mar 30 17:49:49 2015] [error] child process 24488 still did not exit, sending a SIGKILL
[Mon Mar 30 17:49:49 2015] [error] child process 24519 still did not exit, sending a SIGKILL
[Mon Mar 30 17:49:49 2015] [error] child process 24520 still did not exit, sending a SIGKILL
[Mon Mar 30 17:49:49 2015] [error] child process 24539 still did not exit, sending a SIGKILL
[Mon Mar 30 17:49:49 2015] [error] child process 24543 still did not exit, sending a SIGKILL
[Mon Mar 30 17:49:49 2015] [error] child process 24573 still did not exit, sending a SIGKILL
[Mon Mar 30 17:49:49 2015] [error] child process 24574 still did not exit, sending a SIGKILL
[Mon Mar 30 17:49:49 2015] [error] child process 24545 still did not exit, sending a SIGKILL
[Mon Mar 30 17:49:49 2015] [error] child process 24578 still did not exit, sending a SIGKILL
[Mon Mar 30 17:49:49 2015] [error] child process 24547 still did not exit, sending a SIGKILL
[Mon Mar 30 17:49:49 2015] [error] child process 24579 still did not exit, sending a SIGKILL
[Mon Mar 30 17:49:49 2015] [error] child process 24580 still did not exit, sending a SIGKILL
[Mon Mar 30 17:49:49 2015] [error] child process 24550 still did not exit, sending a SIGKILL
[Mon Mar 30 17:49:49 2015] [error] child process 24551 still did not exit, sending a SIGKILL
[Mon Mar 30 17:49:49 2015] [error] child process 24553 still did not exit, sending a SIGKILL
[Mon Mar 30 17:49:50 2015] [notice] caught SIGTERM, shutting down
[Mon Mar 30 17:49:53 2015] [warn] RSA server certificate CommonName (CN) `localhost' does NOT match server name!?
[Mon Mar 30 17:49:53 2015] [warn] RSA server certificate CommonName (CN) `localhost' does NOT match server name!?
[Mon Mar 30 17:49:53 2015] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Mon Mar 30 17:49:53 2015] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Mon Mar 30 17:49:53 2015] [warn] module php5_module is already loaded, skipping
[Mon Mar 30 17:49:54 2015] [warn] RSA server certificate CommonName (CN) `localhost' does NOT match server name!?
[Mon Mar 30 17:49:54 2015] [warn] RSA server certificate CommonName (CN) `localhost' does NOT match server name!?
[Mon Mar 30 17:49:54 2015] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Mon Mar 30 17:49:54 2015] [notice] Apache/2.2.29 (Unix) mod_ssl/2.2.29 OpenSSL/0.9.8g DAV/2 PHP/5.2.17 configured -- resuming normal operations

Maybe someone can spot something obvious?

I'm now going to check the error_logs for the individual sites as well, to see where the problem is. Or is there some other way that would immediately show which URL is piling up the processes?

Yes, you're running out of RAM and it starts killing processes.

I really suggest you hire an admin who will sort this out for you.
Otherwise there can be 10000 different causes and you will need.

Specifically, csf firewall is great for these things, because under load lfd sends you a report of what happened and what the state was at the time of the load

1

I've already contacted an admin, but after a few hours there's unfortunately still no response.

I'd already get a lot done if I could at least work out which IP/site is causing the trouble, so I could take it offline temporarily, because this manual restarting of the httpd server is really time-consuming. And the VPS is often offline as well.

I need to install server-status to check. It's just that I'm floundering quite a bit, because unfortunately I really know almost nothing about administration. :/

By the way, can you recommend any good YouTube/web tutorials on VPS administration for a beginner?

Maybe it's time to leave the administration to people who know how... Find a system administrator and/or migrate the site to a provider that will give you paid support for basic problems.

2

Let him get used to it, but he should learn on a virtual machine, not on a production server :)

1

Server status is part of Apache (an Apache module)

Give me access via PM and I'll take a look, if you don't solve it first.

2