High CPU usage by Apache is shown in Health Monitor

Created:

2017-02-01 09:20:43 UTC

Modified:

2017-08-08 13:17:54 UTC

3

Was this article helpful?


Have more questions?

Submit a request

High CPU usage by Apache is shown in Health Monitor

Applicable to:

  • Plesk for Linux

Symptoms

Health monitor shows high CPU usage of Apache service in /var/log/plesk/health-alarm.log :

INFO (6): Server health parameter "Services > Apache CPU usage" changed its status from "green" to "yellow".

The maximum CPU is occupied by PHP handlers:

# top -c
PID  USER PR  NI VIRT    RES   SHR   S %CPU% MEM  TIME+      COMMAND
#### user  20  0  326248  61188  9592 R  62.3  0.2  0:13.12 /usr/bin/php-cgi -c /var/www/vhosts/system/example.com/etc/php.ini

/var/www/vhosts/system/example.com/logs/access_log shows that one IP address that is trying to reach server constantly up to 4 times in a second:

203.0.113.2 - - [01/Feb/2017:09:47:25 +0100] "GET /feed HTTP/1.0" 301 333 "-" "-"
203.0.113.2 - - [01/Feb/2017:09:47:25 +0100] "GET /feed/ HTTP/1.0" 200 66990 "-" "-"
203.0.113.2 - - [01/Feb/2017:09:47:26 +0100] "GET /feed HTTP/1.0" 301 333 "-" "-"
203.0.113.2 - - [01/Feb/2017:09:47:26 +0100] "GET /feed/ HTTP/1.0" 200 66990 "-" "-"
203.0.113.2 - - [01/Feb/2017:09:47:27 +0100] "GET /feed HTTP/1.0" 301 333 "-" "-"
203.0.113.2 - - [01/Feb/2017:09:47:27 +0100] "GET /feed/ HTTP/1.0" 200 66990 "-" "-"
203.0.113.2 - - [01/Feb/2017:09:47:28 +0100] "GET /feed HTTP/1.0" 301 333 "-" "-"
203.0.113.2 - - [01/Feb/2017:09:47:28 +0100] "GET /feed/ HTTP/1.0" 200 66990 "-" "-"
203.0.113.2 - - [01/Feb/2017:09:47:29 +0100] "GET /feed HTTP/1.0" 301 333 "-" "-"
203.0.113.2 - - [01/Feb/2017:09:47:29 +0100] "GET /feed HTTP/1.0" 301 333 "-" "-"
203.0.113.2 - - [01/Feb/2017:09:47:29 +0100] "GET /feed/ HTTP/1.0" 200 66990 "-" "-"
203.0.113.2 - - [01/Feb/2017:09:47:29 +0100] "GET /feed/ HTTP/1.0" 200 66990 "-" "-"

Cause

Denial of service (DoS) attack.

Resolution

Ban IP address that is trying to access site with the Firewall. For instance, use iptables command to protect your server from future high load of Web Services:

# iptables -A INPUT -s <IP_from_the_log> -p tcp -d <server_IP> -j REJECT

Or, alternatively, install Fail2Ban that will automatically ban every IP address that is trying to reach site continuously. If an IP address makes too many login attempts within a time interval defined by the administrator, this IP address is banned for a certain period of time. Fail2Ban can also update firewall rules and send email notifications.

Have more questions? Submit a request
Please sign in to leave a comment.