Unresponsive/Slow Server

Hello, I don’t think it’s something related to HestiaCP, but I would like to know if anyone can give me a north.

I created an instance in aws (c5a.large) with web and email. The idea would be to migrate emails that are on an external server to use everything in the same new instance.

The server has approximately 40 users/sites with little traffic/compute demand.

I migrated only the sites for now and they worked well for about 2 days. Until everything started to be so slow or unresponsive. I enabled the same firewall ports listed on hestiacp in the Aws security group.

With the problem, I started to disable services that I was not yet using, such as email. I blocked SMTP, IMAP and POP3 ports on AWS. I also disabled these services at the server … and then everything started to normalize.

Also, I disabled the mail function in PHP.

What I find strange is that even with the exim4 service stopped, the use of exim continues to increase, as if it were still sending emails. Why is this happening?

Am I being attacked? Is there any way to increase protection? It is not any of the users abusing the server because as I explained the email server is external. I will probably have to keep the web server separate from the email server if I can’t find a solution.

Thank you
.

The increasing size of the Exim queue size is indeed alarming. This would make me think that there is “something” that sends out emails (or trying to send). Thoroughly check that the emails in the queue are legit. If they’re not, flush the queue. This may help you: Exim Cheatsheet

Disabling php mail() function is a good thought. But you might also consider logging what is going on with that function, to have a better insight. Please consider the following code snippet I use to keep track of the mail() function:

# Log all calls of PHP mail() function to track spam abuse
# This configuration assumes that php-fpm is in use
touch /var/log/phpmail.log
chown admin:hestia-users /var/log/phpmail.log	# Need to set owner/group so all users can write to file
chmod 660 /var/log/phpmail.log
sed -i 's:;mail.log = syslog:mail.log = \/var\/log\/phpmail.log:' /etc/php/*/fpm/php.ini
sed -i 's:mail.add_x_header = Off:mail.add_x_header = On:' /etc/php/*/fpm/php.ini
systemctl restart php*-fpm.service apache2.service

This will log all mail() calls in /var/log/phpmail.log, so you’ll be able to check what is going on.

Another suggestion that comes to my mind is to make use of the IP Lists (Settings > Firewall > Manage IP lists > Add IP list > Data souce = Block malicious).

Do have a look at this as well: Max CPU/RAM and ClamAV disabled - #6 by Felix

2 Likes

I love that snippet. How about PR it to Hestia?

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.