Random cPanel CPU Spikes
agoldenberg
Member, Host Rep
in Help
Hey Guys
I'm noticing a weird issue with my cPanel vm.
For some reason at around 10:30pm EST my CPU spikes to over 100% for about 20 minutes.
All I host are a few Wordpress sites. Any ideas what the cause may be?
When I run top all I see is a few users with php running high cpu percentage.
But believe me when I say this. Not one of the sites I host has anything other than Wordpress running and the clients know nothing about php.
Comments
It's not weird. Wordpress can very well spike up server load easily if there's a lot of visitors or if the client installs a lot of Wordpress plugins. CloudLinux can help you set a limit for this.
I notice spikes on a few wordpress sites I host when some of the auto-backup scripts come into play.
Check Configure cPanel Cron Jobs at the first menu tab in WHM and your VM / server time... There is a major cPanel update to 11.46 and upcp is done around 1:20 am... If your server is in Europe or set to some EU time zone it can match the time you mentioned... and 1 CPU can easily go to 100 percent when upcp is running
Check what time your cPanel stats updates run.
Do you see what PHP script is running? If it's wordpress page most likely from traffic, for example some bot unrealistically crawls every single page of your users website. If it's wp-login.php most likely brute force attempts, or see if it's from certain plugins that could be very heavy.
Check top to see which process is doing that.
Faced ksoftirqd/0 process in near past & it was due to client's mobile broken website.
stat updates/backup runs at that time?
What process is racking up the load?
If it's the cpanel cron jobs/backups running don't worry about them, they should be running at a lower priority so everything else won't slow down.
Do a
I bet someone is brute-forcing the Wordpress login page. The command above will show you the IP of the 'brute forcer' and the number of login attempts.
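The command referred to in the comment above did not survive on this page. As an added example (not the poster's command), here is one way to get the same view: count POST requests to wp-login.php per client IP in an Apache combined-format access log. The function names, the threshold and the sample log lines are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: per-IP count of POSTs to wp-login.php in an Apache
# combined-format access log. All log lines below are constructed and use
# documentation IP ranges (RFC 5737).

sample_log() {
cat <<'EOF'
203.0.113.7 - - [10/Dec/2014:22:31:02 -0500] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2014:22:31:03 -0500] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Dec/2014:22:31:04 -0500] "GET /wp-login.php HTTP/1.1" 200 2101 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2014:22:31:05 -0500] "POST /blog/wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Dec/2014:22:31:09 -0500] "POST /wp-login.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
192.0.2.10 - - [10/Dec/2014:22:31:10 -0500] "POST /wp-comments-post.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2014:22:31:11 -0500] "POST /wp-login.php?action=login HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Dec/2014:22:31:12 -0500] "GET / HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
EOF
}

# Print "<count> <ip>" for each IP that POSTed to wp-login.php, busiest first.
# Reads the log files given as arguments, or stdin when none are given.
# Field 6 is the quoted method, field 7 the request path. GET requests to
# the login page (a normal page view) are not counted as login attempts.
wp_login_attempts() {
  awk '$6 == "\"POST" && $7 ~ /(^|\/)wp-login\.php(\?|$)/ { n[$1]++ }
       END { for (ip in n) print n[ip], ip }' "$@" |
    sort -k1,1nr -k2,2
}

# Print only the IPs with at least <threshold> attempts: the candidates for
# a firewall-level block.
# Usage: wp_login_offenders <threshold> [logfile ...]
wp_login_offenders() {
  threshold=$1
  shift
  wp_login_attempts "$@" | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Demo on the constructed sample.
sample_log | wp_login_attempts
```

Run against a real access log by passing its path, for example `wp_login_attempts access_log`.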
@Amitz here's the output:
I blocked that last IP in CPHulk but the number keeps going up. I dunno what else to do.
Dang! That's quite a lot of attempts!
If you have CSF installed, try it with
csf -d 195.154.235.55
That ALWAYS works for me.
I am not sure whether CPHulk can help here. By the way: I have this on a daily basis. A whole core saturated by one IP trying to brute force wp-login.php.
@Amitz I have no idea how to configure CSF. I have it installed and have tried a couple times but all that ends up happening is I end up blocking all traffic.
@Amitz just dropped the massive offenders using IPTables.
It is quite easy, especially using cPanel. You should give it a try again. I am also willing to help you as much as I can... It should also be well possible using some mod_security rules for Apache, but this is something that I never made experiences with...
That does the job equally well. CSF would do nothing else in the end! The annoying thing: It will happen again tomorrow and probably from a new IP. You can stop it this way, but doing this every day is not a pleasure. There are several options that you could look at:
http://codex.wordpress.org/Brute_Force_Attacks
https://wordpress.org/plugins/limit-login-attempts/
I tried this. It does not help against the high load. The fu**ing bot just goes on. You need a solution that blocks the offending IP on network level, unfortunately.
Doesn't fail2ban have a WP Plugin?
https://wordpress.org/plugins/wp-fail2ban/
Password protect your wplogin with http auth so it's not using so much CPU when people try to brute force it.
Yeah see I host other people. These sites aren't mine so it would be a problem to password protect all the logins for each wordpress site.
@linuxthefish @agoldenberg A shared host one of my clients uses did this for wp-login.php:
They were just getting hammered, and this cut down on pretty much all automated attacks.
@agoldenberg: CSF + Fail2ban (custom rules) are a good combination to mitigate brute-forcing.
@mikeyur again this would be at the discretion of each individual client. They all get hammered. These f***ing wordpress brute force script kiddies just hammer every instance of wordpress they find. I host a few high traffic sites and see brute force attempts through cphulk every few minutes.
cphulk only records login attempts to the server, like SSH or cPanel login. It's not gonna help with WordPress/script level brutes.
iptables should do it as mentioned, and on user level you can block the IP using .htaccess or IP Deny Manager.
Or fail2ban...
(Custom) fail2ban rule looking for posts to wp-login.php should do the trick
Edit: or use the plugin @wych linked
Or fail2ban...
(if you can make the user install it)
This! Try that out because I was also having one of my servers absolutely hammered by wp-login attacks the past few weeks and after adding an auth login to each wordpress wp-login page I am no longer getting any attacks (and the ones that tried there was hardly a blip on cpu usage). It really does work.