Basic Load Checks In Linux
The server load can rise for many reasons. Here we discuss the basic steps to follow when the server is under a huge load.
-> First, check the load and how many cores the server has: the "w" command shows the load averages and the "nproc" command shows the number of cores.
If the server has 8 cores, a load of 8 is the maximum it can carry with every core fully busy; anything above that means processes are waiting for CPU.
-> Check for any DDoS attack by looking at which IPs are connecting to your server with the command below:
netstat -ntu | awk '{print $5}' | cut -d: -f1 -s | sort | uniq -c | sort -nk1 -r
This shows how many connections each IP address has open at once; if one address has a huge number of connections we can block that particular IP. (The cut on ":" only splits IPv4 addresses cleanly, since IPv6 addresses contain colons themselves.)
-> Then we can check which user is using the most CPU, memory and MySQL with the command below:
# Collect the dcpumonview rows (one per account, HTML tags stripped), prefix each
# row with the account's OWNER from /var/cpanel/users, then list the top 5 accounts
# by CPU, memory and MySQL usage.
OUT=$(/usr/local/cpanel/bin/dcpumonview | grep -v Top | sed -e 's#<[^>]*># #g' | while read i ; do
        NF=$(echo $i | awk '{print NF}')
        if [[ "$NF" == "5" ]] ; then
            USER=$(echo $i | awk '{print $1}')
            OWNER=$(grep -e "^OWNER=" /var/cpanel/users/$USER | cut -d= -f2)
            echo "$OWNER $i"
        fi
    done)
(echo "USER CPU" ; echo "$OUT" | sort -nrk4 | awk '{printf "%s %s%%\n",$2,$4}' | head -5) | column -t ; echo
(echo -e "USER MEMORY" ; echo "$OUT" | sort -nrk5 | awk '{printf "%s %s%%\n",$2,$5}' | head -5) | column -t ; echo
(echo -e "USER MYSQL" ; echo "$OUT" | sort -nrk6 | awk '{printf "%s %s%%\n",$2,$6}' | head -5) | column -t
From this we can see which user has high usage. Check that user's access log for any active attack; if infected files show up in it, scan the account with our scanner utility to verify whether it is infected or not. We can also suspend the user temporarily to bring the load down, and inform the client as well.
The command below shows which processes have high usage in a particular account:
/usr/local/cpanel/bin/dcpumonview | sed -e 's/<[^>]*>/ /g' | grep username
Replace username with the account's user name.
-> We can check for any WordPress login attack or xmlrpc attack using the commands below, which count today's requests to wp-login.php and xmlrpc.php per source IP:
grep -s $(date +"%d/%b/%Y:") /usr/local/apache/domlogs/* | grep wp-login.php | awk '{print $1,$6,$7}' | sort | uniq -c | sort -n
grep -s $(date +"%d/%b/%Y:") /usr/local/apache/domlogs/* | grep xmlrpc | awk '{print $1,$6,$7}' | sort | uniq -c | sort -n