This article explains how to check if your server is facing an attack and how to manage it. Follow the steps below to inspect your server and determine if it might be under some sort of attack.
Checking Server Load
If you notice your server or website running slowly, one of the first steps is to check your server load.
Start by finding out the number of processors on your server, since the load values are read relative to that number. Use either of these commands:
grep processor /proc/cpuinfo | wc -l
nproc
These commands will show the number of processors on the server, such as 1, 2, 4, etc.
Next, check the server load using these commands:
uptime
cat /proc/loadavg
The output of these commands is very simple, but it can reveal anomalies. An example of the uptime command output:
![](https://www.community.vpssell.com/assets/files/2024-07-31/1722406971-824436-00.png)
The load values indicate CPU utilization. For a server with 1 processor, a load average of 1.00 means 100% CPU utilization. Values higher than 1.00 suggest the CPU is overloaded. For instance:
1.50 means the CPU is overloaded by 50% in the last minute.
2.23 means the CPU is overloaded by 123% in the last 5 minutes.
8.14 means the CPU is overloaded by 714% in the last 15 minutes.
If you see values like 8.14, 2.23, 1.50, this suggests the load is decreasing. Conversely, values like 1.50, 2.23, 8.14 suggest the load is increasing, which could indicate a potential issue.
Checking Network Traffic
High server load can sometimes be due to increased network traffic. Use netstat to monitor the network and identify possible issues. Here are some useful commands:
To show the number of connections each IP has with the server:
netstat -ntu | awk '{print $5}' | cut -d: -f1 -s | sort | uniq -c | sort -nk1 -r
This helps identify IPs connecting to the server frequently. While multiple connections from the same IP can be normal, an IP with 100+ connections might be suspicious.
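The same per-address count, written as an added example (not part of the original article), flags only the addresses at or above the 100-connection rule of thumb. Unlike the cut -d: -f1 step, it keeps IPv6 addresses whole and folds IPv4-mapped addresses into their IPv4 form. The function names and the sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article). flag_heavy_talkers and
# sample_netstat are hypothetical helper names; 100 is the article's rule of thumb.

# Read `netstat -ntu` output on stdin and print "count address" for every
# remote address with at least $1 connections (default 100), busiest first.
flag_heavy_talkers() {
    awk -v min="${1:-100}" '
        $1 !~ /^(tcp|udp)/ { next }          # skip the two header lines
        {
            addr = $5                        # Foreign Address column
            sub(/:[0-9*]+$/, "", addr)       # drop only the trailing :port
            sub(/^::ffff:/, "", addr)        # IPv4-mapped IPv6 -> plain IPv4
            if (addr == "0.0.0.0" || addr == "::") next   # unconnected sockets
            count[addr]++
        }
        END { for (a in count) if (count[a] >= min) print count[a], a }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample input using documentation address ranges, not real traffic.
sample_netstat() {
    echo "Active Internet connections (w/o servers)"
    echo "Proto Recv-Q Send-Q Local Address           Foreign Address         State"
    i=0
    while [ "$i" -lt 120 ]; do               # 120 connections from one IPv4 client
        echo "tcp 0 0 192.0.2.10:80 203.0.113.7:$((40000 + i)) ESTABLISHED"
        i=$((i + 1))
    done
    i=0
    while [ "$i" -lt 105 ]; do               # 105 from one IPv6 client
        echo "tcp6 0 0 2001:db8::10:443 2001:db8::beef:$((50000 + i)) SYN_RECV"
        i=$((i + 1))
    done
    # Same IPv4 client again, seen through a dual-stack listener.
    echo "tcp6 0 0 ::ffff:192.0.2.10:80 ::ffff:203.0.113.7:61000 ESTABLISHED"
    echo "tcp 0 0 192.0.2.10:22 198.51.100.23:51514 ESTABLISHED"
    echo "udp 0 0 0.0.0.0:68 0.0.0.0:* "
}

# On a live server: netstat -ntu | flag_heavy_talkers 100
sample_netstat | flag_heavy_talkers 100
```

A high count only marks an address for review; proxies, NAT gateways and monitoring hosts can legitimately hold many connections.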
Additional netstat commands for monitoring:
These commands can help identify unusual activity on your server.
Mitigating Attacks
If you detect suspicious activity, such as unknown IPs generating numerous connections, you can block these IPs using iptables:
iptables -A INPUT -s 111.11.1.1 -j DROP
service iptables save
service iptables restart
If your server remains slow, it could be due to many stuck Apache processes. In this case, kill all Apache processes and restart the service:
killall -KILL httpd
service httpd start
Conclusion
This article provides a simple method to check if your server is under attack when you have suspicions. There are many other tools, methods, and procedures you can use to further investigate and mitigate attacks. This guide serves as a starting point.