The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

httpd with nobody

Discussion in 'Workarounds and Optimization' started by ullalla, Jul 29, 2010.

  1. ullalla

    ullalla Well-Known Member

    Joined:
    Jan 20, 2006
    Messages:
    192
    Likes Received:
    0
    Trophy Points:
    16
    If httpd with nobody causing the load then can you please assist me how to evaluate the root cause

    USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
    nobody 23271 52.3 2.2 124648 94696 ? R 23:25 1:35 /usr/local/apache/bin/httpd -k start -DSSL
    nobody 23245 51.4 2.2 124716 94856 ? R 23:25 1:34 /usr/local/apache/bin/httpd -k start -DSSL
    nobody 23472 50.8 2.2 124648 94704 ? R 23:25 1:31 /usr/local/apache/bin/httpd -k start -DSSL
    nobody 23272 50.7 2.2 124648 94696 ? R 23:25 1:32 /usr/local/apache/bin/httpd -k start -DSSL
    nobody 23564 49.3 2.2 124648 94704 ? R 23:25 1:28 /usr/local/apache/bin/httpd -k start -DSSL
    nobody 23572 48.3 2.2 124648 94704 ? R 23:25 1:26 /usr/local/apache/bin/httpd -k start -DSSL
    nobody 23573 48.1 2.2 124648 94708 ? R 23:25 1:26 /usr/local/apache/bin/httpd -k start -DSSL
     
  2. jeffmonte

    jeffmonte Member

    Joined:
    Jul 28, 2010
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    You may try to optimize apache if its picking up high load.

    Better you can complile the server with suPHP, as we can track back if any particular account is causing such issues.

    And if there is any spammers who send mails with php scripts, you may try enabling extended logging on exim configurations.

    Hope you can manage things, with others suggestions too :D
     
  3. Miraenda

    Miraenda Well-Known Member

    Joined:
    Jul 28, 2004
    Messages:
    242
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Coralville, Iowa USA
    Even with suPHP, FCGI or CGI enabled (all run as the user for PHP scripts, while DSO doesn't), there's no guarantee the sites are PHP scripts that are being hit. If he isn't showing a bunch of PHP processes, it's far more possible if Apache is showing high activity that he's getting too many hits to one or more sites.

    WHM > Apache Status is the first place to look. Any sites showing 75% or more of the activity there are the possible issue for high Apache activity.

    Next, trying some netstat commands to check the number of processes that are SYN_RECV ones (indicating that the machine might be getting a synflood attack).

    Here are the commands you might try for netstat to see activity:

    Checking the SYN_RECV port 80 processes
    Code:
    netstat -an|grep :80|grep SYN|awk {'print $5'}|cut -d: -f 1|sort|uniq -c
    Checking a listing of all IPs and the number of connections on port 80
    Code:
    netstat -plan|grep :80|awk {'print $5'}|cut -d: -f 1|sort|uniq -c|sort -n
    A count of the number of port 80 processes
    Code:
    netstat -an|grep :80|wc -l
    A count of the number of port 80 processes in SYN_RECV state
    Code:
    netstat -an|grep :80|grep SYN|wc -l
     
  4. B12Org

    B12Org Well-Known Member

    Joined:
    Jul 15, 2003
    Messages:
    692
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Seattle Washington
    cPanel Access Level:
    Root Administrator
    if you have the http log format set to include the PID you can grep the pid out of the log to see which domain and which file is using the resources - thats assuming of course that you have a script thats doing it.

    If its just a static HTML page being hit repeatedly that wont help much.

    You could also use mod_evasive to stop DDOS style attacks like that where an ip/host is hitting the server to fast and it speed bumps them. You can even hook that into apf/csf to block them for a small period of time ( a 20 second initial ban with an additional 10 seconds for each successive hit).

    Additionally mod_cband works well for analyzing traffic and showing you which vhost is taking the lionshare of ingress bandwidth.
     
  5. GaryT

    GaryT Well-Known Member

    Joined:
    May 19, 2010
    Messages:
    321
    Likes Received:
    3
    Trophy Points:
    16
    B12Org is right.

    If running suPHP then the account name will show and the /usr/local/apache/bin/httpd -k start -DSSL will go, If a Dos attack is in place then you will see alot of /usr/local/apache/bin/httpd -k start -DSSL When I see this, A few mins later I get an email saying ( blah blah banned IP with so many connections ) Usually alot of them !

    But as B12Org said, Just use mod_evasive with IPtables and you will be fine. Don't set to low though or you could end up banning innocent members with hungry connections, Now..You can do this a few ways, Setup mod_evasive and dos_delfate but with both different values, Say dos_delfate for permenant block with 500 connecions or more, And then mod_evasive for a tempory block with around 150 conenctions, Yeah sounds alot but this is not, I saw my own IP using 300+ at times.

    Edit: Bit slow on this....

    Try Disabling KeepAlive within your httpd.conf
     
    #5 GaryT, Sep 11, 2010
    Last edited: Sep 15, 2010
  6. GaryT

    GaryT Well-Known Member

    Joined:
    May 19, 2010
    Messages:
    321
    Likes Received:
    3
    Trophy Points:
    16
    I usually give advice on this but now I have rought the same issue, But its consuming a fair bit of memory, 5MB each process.

    So the commands I know but I will post the output.


    Checking the SYN_RECV port 80 processes
    Code:
    netstat -an|grep :80|grep SYN|awk {'print $5'}|cut -d: -f 1|sort|uniq -c
    1

    Checking a listing of all IPs and the number of connections on port 80
    Code:
    netstat -plan|grep :80|awk {'print $5'}|cut -d: -f 1|sort|uniq -c|sort -n
    maximum is from a server IP: 46

    A count of the number of port 80 processes
    Code:
    netstat -an|grep :80|wc -l
    569

    A count of the number of port 80 processes in SYN_RECV state
    Code:
    netstat -an|grep :80|grep SYN|wc -l
    0
    Cannot figure this out, Server loads is around 0.00 / 0.20

    /usr/local/apache/bin/httpd -k start -DSSL, Around 50 processes consuming 5mb each but 0% CPU
     
    #6 GaryT, Sep 22, 2010
    Last edited: Sep 22, 2010
  7. B12Org

    B12Org Well-Known Member

    Joined:
    Jul 15, 2003
    Messages:
    692
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Seattle Washington
    cPanel Access Level:
    Root Administrator
    That doesnt seem that bad, if your load is at 0 and your memory footprint is only 250MB that should be ok.
     
  8. GaryT

    GaryT Well-Known Member

    Joined:
    May 19, 2010
    Messages:
    321
    Likes Received:
    3
    Trophy Points:
    16
    Sorry for the slow reply..

    Yes but still... Is there any way of limiting that process ?
     
  9. B12Org

    B12Org Well-Known Member

    Joined:
    Jul 15, 2003
    Messages:
    692
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Seattle Washington
    cPanel Access Level:
    Root Administrator
    You can play arround with the apache rlimits - like RLimitMEM where it would limit memory - I think the general rule is to profile anormal use server for a while, take the largest valid memory usage for a single process and then increase it by 50-100%.
     
  10. cPanelJared

    cPanelJared Technical Analyst
    Staff Member

    Joined:
    Feb 25, 2010
    Messages:
    1,842
    Likes Received:
    18
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    To get a starting point, you can use Memory Usage Restrictions in Main >> Service Configuration >> Apache Configuration. This will review past usage by Apache and set new values. You can then modify the directives it will place in /usr/local/apache/conf/httpd.conf manually, but it will at least create a baseline for future configuration changes.
     
  11. GaryT

    GaryT Well-Known Member

    Joined:
    May 19, 2010
    Messages:
    321
    Likes Received:
    3
    Trophy Points:
    16
    Its on 128 - I had to use this value as clients who want new IPB installations require this or chucks out memory errors and unable to install the board.

    I was thinking of

    but to be perfectly honest with you I'm unsure of what tweeking is needed.
     

Share This Page