|
VSFTPD Max CPU - Persistent problem
I have been battling an issue with my Gameservers company for 3 weeks to no avail to anything I've tried. Every now and than around the timeframe of 11:30AM to 4PM (this is peak time) multiple VSFTPD processes start up and use max CPU which lags out the box for my clients and makes it impossible for me to access Putty to stop it. I can stop it but, If I start it back up too soon the process starts all over again. This is hurting my business alot and my customers aswell as me are very stressed. The box runs fine other than that. Doesn't really go over 70% CPU usage, ram is low and as long as FTP is off the server runs fine but, than my clients cannot update their files which becomes quite an issue. I have also all of a sudden had an issue with remote locations not being able to access our My SQL databases. I have googled for help on all of these issues and have had none. I really would like to get this sorted today and put it behind me so I can grow my business and keep the clients I already have because, every time I think I fixed it I let my clients know the issues has now been resolved and it never is. I would appreciate any help and hope I posted in the right section.
I have started a thread at WHT I am also seeking help but, I really need this problem resolved so I am seeking alternative sources. (http://www.webhostingtalk.com/showthread.php?t=1014062) - Hope I was allowed to post that if not feel free to remove it it was just to refer to any progress I've made and input of others. |
Since you're new to Linux you should know some responses are less than perfect. For instance this person writing "You might wanna consider changing to ProFTPD. It's much more lightweight. I'm not sure how it's now, but earlier vsftpd was kinda easy 'exploitable'." is completely clueless as it's exactly the other way around (as this shows). Unless you have some gut feeling your machine is compromised or unless there's evidence of that running Chkrootkit or Rootkit Hunter won't "fix" things.
A multi-layered approach to make FTP traffic less resource-intensive and more robust by: 0) ensuring best Netfilter rule-parsing performance by putting state ESTABLISHED,RELATED traffic before NEW, 1) not mucking around with /proc/sys/net/ip*/*mem* sysctls unless you are certain they do work for you, 2) dropping "bad" traffic using fail2ban, 3) rate-limiting traffic in VsFTPd itself: see the VsFTPd FAQ "Help! Does vsftpd support bandwidth limiting?" entry (also see maximum sessions, maximum concurrent connections per IP and other performance settings and the hints in the TUNING document), 4) using "iptables -m recent" rules as posted there, 5) bandwidth-limiting traffic using iproute ('man tc') (or search for "LARTC wondershaper" as example) would be best I think. * This is not a Linux Security issue so I'll be moving this to the Networking forum shortly. |
What would be your recommended configurations for fail2ban? I have it running atm actually I installed it a while back in hopes it would fix the issue but, it never did. I still don't understand why 20 processes tend to start up randomly and use up ALL the CPU. It isn't like the box is under too much stress with FTP. Its been under more stress in the past and the problem seems to always happen between 11:30 and 4:00 PM I have limited the connection to 1 per person.
|
Just did a bunch of the changes and there it goes... again max cpu... again... upset customers again.
Noticed This: Jan 15 15:08:37 rs238 kernel: possible SYN flooding on port 80. Sending cookies. Jan 15 15:16:43 rs238 kernel: samp03svr[22945]: segfault at 0000000050f6f962 rip 00000000f7e38c63 rsp 00000000ff8eaea0 error 4 Jan 15 15:32:52 rs238 kernel: possible SYN flooding on port 80. Sending cookies. Jan 15 15:33:52 rs238 kernel: possible SYN flooding on port 80. Sending cookies. Jan 15 15:35:52 rs238 last message repeated 2 times Jan 15 15:36:53 rs238 kernel: possible SYN flooding on port 80. Sending cookies. Jan 15 15:38:59 rs238 yum: Installed: fail2ban-0.8.2-3.el5.rf.noarch Oh and btw sendmail seems to be using 37.7% of the CPU or some reason. I've never seen it do that. |
You seem to have more than one issue and things segfaulting on you isn't good. I don't really like to trace multiple issues all at once but it seems it's unavoidable.
- Please post detailed hardware specs of this machine. - Post what distribution and release and what software the machine runs and what your web server serves (exactly which forum or tracker or game server software)? - Post a detailed list of all the issues you have encountered so far so we don't miss information. - Do attach as plain text the output files in /tmp from running as root: - package validation (this might take a while to finish): 'rpm -Vva 2>&1 | grep -v '^\.\{8\}' > /tmp/rpm.txt &;' - effective iptables rule set: '/sbin/iptables-save > /tmp/iptables.txt;' - locate your vsftpd.conf and substitute "/path/to/": 'grep -v ^# /path/to/vsftpd.conf | grep . > /tmp/vsftpd.txt;' - locate your httpd.conf and substitute "/path/to/": 'grep -v ^# /path/to/httpd.conf | grep . > /tmp/httpd.txt;' - connection list: netstat -antlpe 2>&1 | sed -e "s|[0-9]\{1,3\}\.|n.|g" > /tmp/netstat.txt;' - process list: '/bin/ps axfwwwe 2>&1 > /tmp/ps.txt;' - process top: 'top -bn1 2>&1 > /tmp/top.txt;' - kernel tweaks: '/sbin/sysctl -a | egrep -vie "(host|random|cdrom|fs\.|parp)" > /tmp/sysctl.txt;'. ...or as one-liner: Code:
(rpm -Vva 2>&1|grep -v '^\.\{8\}'; /sbin/iptables-save; grep -v ^# /etc/vsftpd/vsftpd.conf|grep .; grep -v ^# /etc/httpd/conf/httpd.conf | grep .; netstat -antlpe 2>&1|sed -e "s|[0-9]\{1,3\}\.|n.|g"; /bin/ps axfwwwe 2>&1; top -bn1 2>&1; /sbin/sysctl -a | egrep -vie "(host|random|cdrom|fs\.|parp)"; who; last; lastlog; ) > /tmp/output.txt* Note I only anonymized netstat output. Check all logs before you post and run 'sed -i "s|[0-9]\{1,3\}\.|n.|g" /path/to/logfile;' to anonymize them as necessary. Please do not delete lines you can not determine as irrelevant. Please attach a Logwatch report ('logwatch --detail High --range All --archives --numeric --output unformatted --save /tmp/logwatch.txt') if you run Logwatch. Once we have your output we'll assess health of the box, limit traffic and processes and take it from there. |
1 Attachment(s)
Issue 1: Randomly in the middle of the day my clients will report that the servers are acting slow, It will take me some time to get into Putty when I finally do get in it will show either 1 VSFTPD process using 100% CPU or a few all using substantial amounts - This usually happens everyday between 11:30 AM and 4:00 PM and a restart won't make it go away as it will come right back. I need to end it for a while and turn it back on. Have never had it happen in the evening. No CPU problems from general use just the random spikes and its not gradual raise I mean its sudden the second it happens it goes all out and just lags out all my clients gameservers.
Issue 2: I think I recieved some sort of ddos/dos attack this morning I had similar issues to the FTP issue but, I couldn't get into putty at all I ha d to restart the box and when I started it back up there were tons of httpd processes running using quite a bit of CPU I had to end the httpd service to get rid of them. Issue 3: Clients can't connect to their mysql databases remotely anymore I think I may have caused this when installing CSF Firewall (Which is not running atm btw as it caused issues with the connection between my webserver and dedicated server) |
Just a quick summary of the log you posted (thanks):
- no iptables (-t filter) rules AT ALL meaning this server runs completely unprotected, - VsFTPd running with local user access (OK, through PAM) but without any bandwidth, concurrent connection or session limiting, - HTTPd with all modules loaded including proxy, - RPC and MySQL listening on eth0 (instead of localhost only), - 31 SMTP processes on TCP/25 (check /var/log/maillog), - users server1114, server1129, server444, server578, server526 using 11 processes on TCP/6667 (IRC), - user server93 running GTA server on port TCP/5554, - user "toord" has root rights, - user "toord" has logged in as root, - superfluous services running (RPC, Avahi, Bluetooth, CUPS), - CSF component "lfd" still running. Based on this the first course of action would be to limit inbound traffic and log denied traffic. Iptables rule set to load as root user: Code:
#!/bin/bash --In case of breakage set a safeguard beforehand. As root run: 'service atd start && echo "service iptables restart"|/usr/bin/at "now + 5 minutes";'. This will restore your default iptables rule set after 5 minutes after which you can troubleshoot any problems. To load the above rule set just save to file and execute the script. Don't forget to rerun the script after 5 minutes if you can still access the machine because of the safeguard and restart VsFTPd and Sendmail. |
Nice, @unSpawn
I must take some time to read through this in more detail. |
GTA San Andreas runs on a multitude of ports. The clients select which port they want for there server between 4500 - 21474 so I think I'll need a custom ruleset for that.
Also I believe those servers to be using IRC as there is an IRC plugin that some servers use. btw Toord is an account my partner made which was basically supposed to have root without using root I guess I'm not 100% sure. I'm also afraid to flush the IPTables as there is one rule to make the webserver work and if it isn't active than they disconnect from each other. iptables -A INPUT -s 96.30.60.204 -p tcp --destination-port 25 -j DROP Thats the rule above. I have also attached maillog the sendmail process has been using quite a bit of CPU lately and the log looked concerning thought you should take a look. I limited the MAX CLIENTS to 8 and MAX CONNECTIONS to 11 for VSFTPD. BTW I apperciate all the help. Edit: maillog was too big but, I uploaded it here - http://www.2shared.com/file/qZRar9ou/maillog.html I also forgot to give you the specs.. Intel(R) Core(TM) i3 530 @ 2x 2.93GHz + H/T 4GB DDR3 Memory 160 SATAII Synergy upstream |
Quote:
Code:
iptables -A INPUT -m state --state NEW -m tcp -p tcp -m multiport --dports 4500:21474 -j ACCEPTQuote:
Quote:
Code:
#!/bin/bash --Code:
#!/bin/bash --Quote:
Quote:
|
I updated the post when you we're replying. You might want to read it over and when I removed iptables -A INPUT -s 96.30.60.204 -p tcp --destination-port 25 -j DROP from the IP tables by accident it disconnected the web server from accessing the dedicated server and I had to readd that rule.
What should I save the file as and what do I need to type to run it? (I probably sound like a total Linux noob but truly, This wasn't initially what I was supposed to manage my partner left) And you know something I noticed the VSFTPD process issue the processes are always root or nobody yet if a client with an account is using it will show their username/server name listed in top so it can't be a client doing something directly I wouldn't think. Maybe I can block VSFTPD processes on root since I only use FTP on toord or as a client with a user account. Edit: I added serlist_deny=YES to my cfg which is supposed to block root bin daemon adm lp sync shutdown halt news uucp operator games nobody from running VSFTPD processes. Is there a way to check if the block is working though? |
Quote:
- very little email sent by Apache, fail2ban and regular user accounts, - evidence of a process (probably other than Sendmail) causing ludicrous load problems, highest I saw was 1115 IIRC, making Sendmail halt its own processing until load drops, - a lot of mail sent by root. If these are warnings sent by email as a convenience then I would disable most and find another way to get alerted. Check your root mailbox and tell us. Other than that I don't see any problems: very few messages show delivery problem status like "Connection refused" or "Service unavailable". Quote:
Code:
anonymous_enable=NOQuote:
Quote:
Quote:
Code:
for TABLE in $(cat /proc/net/ip_tables_names); do /sbin/iptables -t ${TABLE} -n -v -x -L --line-numbers; doneQuote:
Quote:
Quote:
|
I fixed the broken pipe issue. I type the command in wrong.
Output: Chain INPUT (policy ACCEPT 15914022 packets, 1334023601 bytes) num pkts bytes target prot opt in out source destination 1 0 0 fail2ban-VSFTPD tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 2 1 39 DROP udp -- * * 77.46.0.0/16 2 13.5.176.155 udp dpt:7782 3 17 679 DROP udp -- * * 178.223.0.0/16 2 13.5.176.155 udp dpt:7782 4 0 0 DROP udp -- * * 93.87.0.0/16 2 13.5.176.155 udp dpt:7782 5 3 117 DROP udp -- * * 109.93.0.0/16 2 13.5.176.155 udp dpt:7782 6 5 195 DROP udp -- * * 79.101.0.0/16 2 13.5.176.155 udp dpt:7782 7 1 39 DROP udp -- * * 93.86.0.0/16 2 13.5.176.155 udp dpt:7782 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 34621229 packets, 4517872658 bytes) num pkts bytes target prot opt in out source destination Chain fail2ban-VSFTPD (1 references) num pkts bytes target prot opt in out source destination 1 0 0 RETURN all -- * * 0.0.0.0/0 0 .0.0.0/0 Chain PREROUTING (policy ACCEPT 67517 packets, 2822571 bytes) num pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 8454 packets, 554497 bytes) num pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 8454 packets, 554497 bytes) num pkts bytes target prot opt in out source destination Chain PREROUTING (policy ACCEPT 15918220 packets, 1334234603 bytes) num pkts bytes target prot opt in out source destination Chain INPUT (policy ACCEPT 15914853 packets, 1334096650 bytes) num pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 34623135 packets, 4518057991 bytes) num pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 34623135 packets, 4518057991 bytes) num pkts bytes target prot opt in out source destination Oh and I'm also noticing kjournald uses quite a bit of CPU when sendmail does. |
evidence of a process (probably other than Sendmail) causing ludicrous load problems, highest I saw was 1115 IIRC, making Sendmail halt its own processing until load drops
Would there be anyway to pinpoint the process? Also Jan 16 18:52:25 rs238 sshd[10880]: reverse mapping checking getaddrinfo for ptr110.49.dnion.com failed - POSSIBLE BREAK-IN ATTEMPT! *Jan 16 18:52:25 rs238 sshd[10880]: Invalid user test1 from 122.11.49.110 *Jan 16 18:52:25 rs238 sshd[10880]: Invalid user test1 from 122.11.49.110 Jan 16 18:52:25 rs238 sshd[10880]: reverse mapping checking getaddrinfo for ptr110.49.dnion.com failed - POSSIBLE BREAK-IN ATTEMPT! Jan 16 18:52:25 rs238 sshd[10883]: input_userauth_request: invalid user test1 Jan 16 18:52:25 rs238 sshd[10880]: pam_unix(sshd:auth): check pass; user unknown *Jan 16 18:52:25 rs238 sshd[10880]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.11.49.110 |
Quote:
Quote:
Quote:
- 'top' (or 'atop 2 -g -C -f') should show if it's a process currently running. - 'iostat' (or 'atop 2 -g -D -f') might also show clues if disk I/O is a bottleneck. - Code:
top -b -n 1 | awk '{if (NR <=7) print; else if ($8 == "D") {print; count++} } END {print "Total status D: "count}'- 'dstat' and 'collectl' can log statistics to file, but even better, - 'atop' can log statistics to a binary file which means you can interactively review the process table at any given point in time (interval). Any non-standard tools listed should be in the RPMForge repo. If you decide to install and run Atop shoot me an email after system load has gone through the roof again so we can discuss where to send the binary log. |
| All times are GMT -5. The time now is 03:39 PM. |