Server Optimization

mysqladmin -uda_admin -p processlist
What do you see with this result?

| 420929 | toyotafo_wp851 | localhost | toyotafo_wp851 | Sleep | 11 | | |
| 421114 | toyotafo_wp851 | localhost | toyotafo_wp851 | Sleep | 11 | | |
| 421118 | threezho_wp679 | localhost | threezho_wp679 | Sleep | 15 | | |
| 421120 | threezho_wp679 | localhost | threezho_wp679 | Sleep | 7 | | |
| 421121 | threezho_wp679 | localhost | threezho_wp679 | Sleep | 3 | | |
| 421122 | threezho_wp679 | localhost | threezho_wp679 | Sleep | 10 | | |
| 421124 | threezho_wp679 | localhost | threezho_wp679 | Sleep | 3 | | |
| 421131 | threezho_wp679 | localhost | threezho_wp679 | Sleep | 26 | | |
| 421136 | threezho_wp679 | localhost | threezho_wp679 | Sleep | 8 | | |
| 421199 | idsinsti_wp386 | localhost | idsinsti_wp386 | Sleep | 0 | | |
| 421209 | idsinsti_wp815 | localhost | idsinsti_wp815 | Sleep | 8 | |
 
Nowadays, botnets will target MySQL to increase server resource usage, because a normal attack won't work.

If I were a hacker, I would do it this way, because it is easy for a botnet.
Imagine: high SQL load = your website will be slow. It will also make other systems slow too, because it affects your CPU.
 
Yes, it makes sense. How do I identify it and how do I stop it? I am losing my customer.
 
It is hard to identify.

Normally, you need to start by looking in "Resource Limit". If you can't find this page, it is impossible. Maybe hire a system technician to look for you.

Normally this page will show per-user CPU, RAM, IO and task usage. I use this information to identify where the bad usage comes from.
 
I don't use CloudLinux, but...
I just googled it; maybe "lvetop" can show per-user resource usage.


DirectAdmin has a GUI page to list all users' resources, but CloudLinux only has the command line, maybe...
 
Code:
lvetop

Then look for the users with the highest resource usage, and then try suspending the user that you think it comes from.
 
A botnet can attack a website; the website (WP) is based on MySQL and makes a lot of requests to the DB, so check access.log for this domain. Maybe it's a DDoS from one IP; block it. If it's from a subnet, you can block it too. You can also block this one website until the client hides it behind Cloudflare.
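
The access-log check suggested in the post above (one IP versus a whole subnet), as an added example that is not part of the original thread: it ranks clients by request count per IP and per IPv4 /24. It assumes the Apache/nginx common or combined log format; the function names, the WordPress path filter and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: rank access-log clients per IP and per IPv4 /24.
# Assumes common/combined log format: field 1 = client IP, field 7 = request path.

# Constructed sample lines (documentation address ranges, not real traffic).
sample_log() {
cat <<'EOF'
203.0.113.10 - - [16/Nov/2022:14:20:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 420
203.0.113.10 - - [16/Nov/2022:14:20:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 420
203.0.113.10 - - [16/Nov/2022:14:20:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 420
203.0.113.10 - - [16/Nov/2022:14:20:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 420
198.51.100.5 - - [16/Nov/2022:14:20:05 +0000] "POST /wp-login.php HTTP/1.1" 200 910
198.51.100.6 - - [16/Nov/2022:14:20:05 +0000] "POST /wp-login.php HTTP/1.1" 200 910
198.51.100.7 - - [16/Nov/2022:14:20:06 +0000] "POST /wp-login.php HTTP/1.1" 200 910
198.51.100.5 - - [16/Nov/2022:14:20:07 +0000] "POST /wp-login.php HTTP/1.1" 200 910
198.51.100.6 - - [16/Nov/2022:14:20:08 +0000] "POST /wp-login.php HTTP/1.1" 200 910
192.0.2.44 - - [16/Nov/2022:14:20:09 +0000] "GET /index.php HTTP/1.1" 200 5120
192.0.2.44 - - [16/Nov/2022:14:20:09 +0000] "GET /wp-content/style.css HTTP/1.1" 200 300
EOF
}

# top_ips [path-regex]: log on stdin, prints "count ip", busiest first.
top_ips() {
    awk -v pat="${1:-.}" '$7 ~ pat { n[$1]++ }
        END { for (ip in n) print n[ip], ip }' | sort -k1,1nr -k2,2
}

# top_subnets [path-regex]: same count, grouped by IPv4 /24.
top_subnets() {
    awk -v pat="${1:-.}" '$7 ~ pat && $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            split($1, o, "."); n[o[1] "." o[2] "." o[3] ".0/24"]++
        }
        END { for (s in n) print n[s], s }' | sort -k1,1nr -k2,2
}

# over_threshold N [path-regex]: only the IPs with at least N matching requests.
over_threshold() {
    top_ips "${2:-.}" | awk -v min="$1" '$1 >= min { print $2 }'
}

# Demo: one noisy IP leads the per-IP list, but the spread-out /24 leads per subnet.
WP='xmlrpc[.]php|wp-login[.]php'
sample_log | top_ips "$WP"
sample_log | top_subnets "$WP"
```

On a server, feed the domain's access log to the same functions on stdin instead of `sample_log`.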
 
I have used lvetop with some attributes that show me the highest users of the last 48 hours. I have suspended them all, but the server load is the same.
Only if I stop the MySQL service does the server load get back to normal.

Should I keep suspending more and more accounts to find the real one, or is there any other way?
 
No, just check the threezho account: see which website is under DDoS and suspend this domain, or check the logs and block the IPs from which the attack is coming. Or maybe this user runs a lot of crons that are stuck; check his cron also.
 
Check the logs, only they can show it. From SSH as root, you can sort the logs in the dir by size and check which grows faster.
 
No, I don't know your server structure. Go to /var/log/, then find the apache/nginx/litespeed dirs there; inside them you can find general or per-domain logs.
 
I checked the DirectAdmin messages, where I got an IP address that has 15 connections. Then I logged in via SSH and ran csf -d ip to ban this IP, and got this message:

csf: DENY_IP_LIMIT (200), the following IP's were removed from /etc/csf/csf.deny:
43.153.168.248 # lfd: (XMLRPC) WP XMLPRC Attack 43.153.168.248 (JP/Japan/-): 5 in the last 3600 secs - Wed Nov 16 14:27:58 2022
DROP all opt -- in !lo out * 43.153.168.248 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 43.153.168.248
Adding 135.181.21.126 to csf.deny and iptables DROP...
DROP all opt -- in !lo out * 135.181.21.126 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 135.181.21.126

I assume I am getting a WordPress login attack. Should I increase the limit from 200 to more? Can you help me with where I can increase this limit, and what do you think about it?
 
If it is a WordPress site, just install Wordfence and throttle the amount of connections.
 