Recent changes making loads higher?

Discussion in 'General Discussion' started by dunno, Oct 27, 2004.

  1. dunno

    I don't hang out here enough to know whether this impression is true or not.

    But I've noticed that a lot more people have been asking about stats not processing due to load issues.

    On my end, my load has increased a lot with the last cpanel/whm upgrade I did, ftp has been crashing and there has been general instability.

    Since the logs not processing is a symptom of high load I wonder if the real problem is some unstable code in the new versions that is causing higher loads.

    Anyone have any comments on this impression?
     
  2. chirpy

    The only load issues that I've seen mentioned seem to be related to the new SpamAssassin v3.* and spamd processes consuming resources - if you run SpamAssassin that way of course ;)

    You really need to look at your own server to find out what is consuming resources. Use tools such as top to determine where they're being used.
     
  3. mctDarren

    I agree - the latest SA upgrade seems to increase load a bit. Tie that in with ever increasing spammer activity and servers will undoubtedly work harder!
     
  4. mher

    Yes, I agree. After upgrading my cPanel the load is getting higher on the server, especially when viewing the bandwidth stats or accessing cPanel in general.

    Is there a way to downgrade back to cPanel 9.7?
     
  5. junglecat

    Same here, I have 5 servers, and almost immediately after that last update, I am having all kinds of issues with high server load, even from the 4 servers that had never given an ounce of trouble before.
    My end users are doing a lot of complaining and cussing, I hope I don't start losing my clients over this issue. :(
     
  6. chirpy

    ...and have you investigated where the server resources are being used and what is causing the high load? You need to identify exactly where the problem is before cPanel or anyone else can offer help.
     
  7. rpmws

    I have been seeing spamd do this to my boxes as well. Today loads are like 2.5 to 3.5 ..I kill spamd and the loads instantly go down to like .95 -1.30. I am also seeing tons of dictionary attacks on my box and normally when that happens I see like 5-10 spamd listed in top.
     
  8. chirpy

  9. rpmws

    I tried this on one box a month ago and changed all the :blackhole: domains to :fail: and I wound up with 2 million failed return messages in queue.

    I was wondering if we could use an RBL for dictionary attacks... maybe that would be pretty good? Any ideas about that?


    I found this dictionary attack list.
    http://spam.sux.com/

    I was wondering if you would help me with a code sample for implementing it in exim?
     
    #9 rpmws, Nov 5, 2004
    Last edited: Nov 5, 2004
  10. chirpy

    Do you have a lot of auto-responders with no Forwarder or POP3 account? If you do you need to either create one or create a Forwarder with :blackhole:, that way you can still use :fail: for the Default Address. You should also check that you have verify = recipient in the 2nd textbox in the first set of 3 in the exim configuration editor in WHM.

    Using RBL's in exim is quite straightforward, if you look at this post and place the code within the second textbox of the first set of 3 textboxes within the WHM Exim Configuration Editor, it should work:
    http://forums.cpanel.net/showthread.php?p=138707
     
  11. rpmws


    OMG!!!! I just used the list of RBLs below: I can NOT believe how much spam that covers!!! I am tailing my mail logs and every second I see mail being rejected. Wondering if this would be less load intensive on a heavily spammed server. Also wondering how many will get blocked and are legitimate senders. I haven't plugged in my dictionary RBL yet. Man... you should see the spam getting blocked. I get like 1 out of 100 getting through. Hell, I might not even need SpamAssassin now??

    dnsbl.njabl.org : \
    bl.spamcop.net : \
    sbl.spamhaus.org : \
    list.dsbl.org : \
    cbl.abuseat.org : \
    relays.ordb.org

    I just dropped my loads instantly from 1.90 to .15!!! I cannot believe how much of my load is junk mail!!! This is a dual Xeon with 2GB of RAM on SCSI drives. It's got 190 domains on it and total transfer is about 40GB a month and there are 2 databases on this box and one of those is mine. I just cut my mail down by 99%!!! I haven't seen spamd on top in 10 minutes... before it was always top 3 or 4 constantly.
     
    #11 rpmws, Nov 6, 2004
    Last edited: Nov 6, 2004
  12. chirpy

    The good thing about RBLs (and especially a dictionary attack ACL if you can get one working in your setup - this can often block more than the RBLs and is more efficient since there are no DNS lookups required) is that spam that does get through them is stopped by SpamAssassin, but the loads stay low because there are far fewer emails to scan ;)
     
  13. rpmws

    Chirpy, I have only been running like this for 30 minutes and I dumped my logs about 10 minutes ago... look at this... I grepped for "Completed"

    2004-11-06 11:55:25 1CQUmb-0003rp-7z Completed
    2004-11-06 11:55:30 1CQUmf-0003s0-MR Completed
    2004-11-06 11:55:37 1CQUmn-0003sB-0X Completed
    2004-11-06 11:55:40 1CQUmp-0003sE-Ep Completed
    2004-11-06 11:55:41 1CQUmq-0003sG-4t Completed
    2004-11-06 11:55:42 1CQUmr-0003sH-EV Completed
    2004-11-06 11:55:51 1CQUmx-0003rr-FN Completed
    2004-11-06 11:55:55 1CQUn1-0003sj-LO Completed
    2004-11-06 11:55:57 1CQUn6-0003t0-9x Completed
    2004-11-06 11:55:57 1CQUn6-0003st-2l Completed
    2004-11-06 11:56:10 1CQUnJ-0003wV-4x Completed
    2004-11-06 11:56:34 1CQUnh-0003wu-12 Completed
    2004-11-06 11:56:40 1CQUnn-0003wy-54 Completed
    2004-11-06 11:56:41 1CQUnm-0003wz-10 Completed
    2004-11-06 11:56:44 1CQUnr-0003wz-LE Completed
    2004-11-06 11:57:09 1CQUo7-0003wR-N2 Completed
    2004-11-06 11:57:18 1CQUoP-0003xW-QM Completed
    2004-11-06 11:57:19 1CQUoQ-0003xg-CM Completed
    2004-11-06 11:57:33 1CQUod-0003xu-UK Completed
    2004-11-06 11:57:38 1CQUok-0003yI-9d Completed
    2004-11-06 11:57:47 1CQUoX-0003xt-1Y Completed
    2004-11-06 11:57:53 1CQUow-0003yQ-2q Completed
    2004-11-06 11:57:54 1CQUoz-0003yZ-S4 Completed
    2004-11-06 11:57:57 1CQUp3-0003ye-GE Completed
    2004-11-06 11:57:58 1CQUp3-0003yd-Lz Completed
    2004-11-06 11:58:00 1CQUp5-0003yW-54 Completed

    ---------------------------------------------------------------------------

    In contrast I searched for the word "Junkmail" which I used in my reject message and I found 490 lines already in the same 5 minutes of logs!!! I wonder if clients are going to complain about some of these I am using. I haven't even applied the dictionary list I found yet.
     
  14. claudio

    I shouldn't have updated my cPanel.

    After the "security update" httpd and mysql are getting the server to many CPU overloads.

    Memory consumption was also high but I changed my syslog.conf and it got back to normal levels,

    but CPU and server overload are common after this upgrade.

    SpamAssassin seems to be overloading but nothing compared to mysql and httpd.

    It's certainly an issue as the server was pretty cool before : (

    Regards

    Claudio
     
  15. junglecat

    Same here. :(
     
  16. rpmws


    Hey chirpy... thanks for all your help!! I changed all my :blackhole: addresses to :fail: and now I can sit here and watch the dictionary attacks flow in the logs. So... without RBLs (which I took out because I am a little scared) I tried your script for dictionary attacks. I can't get it to see these obvious attacks I am watching. I mean a row of about 15-20 at a time... all kinds of random addresses to the same domains. I cat the deny file and nothing is there. I run the perl script and nothing. I don't see it working. I added the ACL and exim is running fine.

    Example of what I see constantly to all kinds of domains on my box:
    2004-11-06 17:19:17 H=(user-0ceicq1.cable.mindspring.com) [24.233.51.65] F=<CPEPBPJAZZJU@backwards.com> rejected RCPT <ventura@domain.net>:
    2004-11-06 17:19:18 H=(user-0ceicq1.cable.mindspring.com) [24.233.51.65] F=<CPEPBPJAZZJU@backwards.com> rejected RCPT <timmons@domain.net>:
    2004-11-06 17:19:19 H=(user-0ceicq1.cable.mindspring.com) [24.233.51.65] F=<CPEPBPJAZZJU@backwards.com> rejected RCPT <trotter@domain.net>:
    2004-11-06 17:19:20 H=(user-0ceicq1.cable.mindspring.com) [24.233.51.65] F=<CPEPBPJAZZJU@backwards.com> rejected RCPT <winkler@domain.net>:
    2004-11-06 17:19:21 H=(user-0ceicq1.cable.mindspring.com) [24.233.51.65] F=<CPEPBPJAZZJU@backwards.com> rejected RCPT <whaley@domain.net>:
    2004-11-06 17:19:22 H=(user-0ceicq1.cable.mindspring.com) [24.233.51.65] F=<CPEPBPJAZZJU@backwards.com> rejected RCPT <trotter@domain.net>:
    2004-11-06 17:19:23 H=(user-0ceicq1.cable.mindspring.com) [24.233.51.65] F=<CPEPBPJAZZJU@backwards.com> rejected RCPT <temple@domain.net>:
    2004-11-06 17:19:24 H=(user-0ceicq1.cable.mindspring.com) [24.233.51.65] F=<CPEPBPJAZZJU@backwards.com> rejected RCPT <stallings@domain.net>:
    2004-11-06 17:19:25 H=(user-0ceicq1.cable.mindspring.com) [24.233.51.65] F=<CPEPBPJAZZJU@backwards.com> rejected RCPT <story@domain.net>:
     
  17. chirpy

    Unfortunately, these dictionary attack ACLs only work if the emails come in in batches on a single SMTP connect. If they come in one at a time, then they won't be picked up. One other possibility is that you haven't got the blank lines between the ACL sections exactly right. I'd suggest that you double check them as exim.conf is dependent on the blank lines being in the right place, otherwise it changes the meaning of the ACL.
     
  18. rpmws


    So looking at that log snip... does that look like one connect? 'Cause my box has been getting hammered on about 20 domains like this constantly. I changed everything to :fail: and that reduced my load a huge amount... but I am still getting hammered. I wonder if we could improve on this dictionary attack script to also protect against these separate hits that are consecutive?
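
An added example, not part of the thread and not the dictionary-attack script discussed above: the rejects quoted in post #16 arrive about a second apart from one source address, so counting distinct rejected recipients per IP in a sliding time window flags them whether or not they share an SMTP connection. The function names, the threshold and window values, and the sample log (constructed, using documentation addresses) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the exim reject line format quoted in post #16:
# "<date> <time> H=(helo) [ip] F=<sender> rejected RCPT <recipient>:"
REJECT_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*?\[([0-9a-fA-F.:]+)\]"
    r".*? rejected RCPT <([^>]*)>"
)

def find_dictionary_attackers(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: peak number of distinct rejected recipients seen inside
    `window`} for each IP whose peak reaches `threshold` (assumed values).
    Works per source IP, so it does not matter how many SMTP connections
    the attempts were spread over."""
    recent = defaultdict(deque)  # ip -> (timestamp, recipient) inside window
    peak = defaultdict(int)
    for line in lines:
        m = REJECT_RE.match(line)
        if not m:
            continue  # deliveries, "Completed" lines, etc.
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ip, rcpt = m.group(2), m.group(3).lower()
        q = recent[ip]
        q.append((ts, rcpt))
        while ts - q[0][0] > window:  # expire entries older than window
            q.popleft()
        # Distinct recipients: retries to one address are not guessing.
        peak[ip] = max(peak[ip], len({r for _, r in q}))
    return {ip: n for ip, n in peak.items() if n >= threshold}

def _line(hms, ip, rcpt):
    # Builds one constructed log line in the format above.
    return (f"2004-11-06 {hms} H=(client.example) [{ip}] "
            f"F=<x@sender.example> rejected RCPT <{rcpt}@domain.example>:")

# Constructed sample: a fast burst, a slow trickle, one typo, one delivery.
SAMPLE_LOG = (
    [_line(f"17:19:{17 + i:02d}", "192.0.2.10", n) for i, n in enumerate(
        ["ventura", "timmons", "trotter", "winkler", "whaley", "trotter", "temple"])]
    + [_line(f"17:{20 + 2 * i}:00", "203.0.113.5", n)
       for i, n in enumerate(["a", "b", "c", "d", "e"])]
    + [_line("17:30:00", "198.51.100.7", "jsmiht"),
       "2004-11-06 17:30:05 1CQUmb-0003rp-7z Completed"]
)

if __name__ == "__main__":
    for ip, n in find_dictionary_attackers(SAMPLE_LOG).items():
        print(f"{ip}: {n} distinct unknown recipients within 60s")
```

Widening the window catches slower trickles at the cost of also flagging senders who mistype a few addresses over a long period, so the flagged IPs are better reviewed than blocked blindly.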
     
  19. mdweb

    I changed process stats from .3 to 1 (once per day) and this seemed to lower the level. Also when the server reaches 2 of 4 CPUs the server will stop processing. This seems to have stopped the constant high load.
     