any ideas on how to find out which user on a server is causing problems?

Discussion in 'General Linux HOWTOs' started by ppc, Sep 5, 2006.

  1. ppc

    ppc Moderator

    This has not happened to me yet, but I would like to pose the question as I'm sure it will occur at some point:

    On a server, let's say you see system usage skyrocketing and pages barely loading. How does one decipher which client on the server is causing all the problems?

    Any ideas? I'm sure there is a way, as big hosting companies have to find these problem customers every day.

    Please be detailed as I'm new with server/vps's etc.

    Thanks

    ppc
     
  2. ppc

    ppc Moderator

    Any ideas, anyone?
     
  3. KH-Paul

    KH-Paul CTO Staff Member

    Ppc,

    There is no universal solution and no universal answer to this question. I'm pretty sure this is the reason why no one (including myself) was brave enough to step into this ;) I can only give some useful directions on where to dig, but your mileage may vary.
    First of all, the answer highly depends on what the term "system usage" means. It may mean absolutely different things for different people and might be reported differently by different software. If this is about the "system usage" bar in VZPP, then this bar shows nothing more than overall resource (memory, file descriptors, buffers for network connections, etc.) usage inside the VPS. High "system usage" values reported by VZPP don't necessarily mean that you have something bad going on inside the VPS.
    If you feel that there is a problem somewhere inside the VPS, the very first step might be to run the "top -d 1" command and take a look at CPU usage and the most active processes. When you identify the process which uses a lot of CPU or memory, take a note of the process ID (first column in top output), then run the "ps auwwfx" command and try to locate the process in the ps output. The "f" option will tell ps to sort / display processes based on their dependency on each other. This way you may be able to locate the parent process which was used to execute the runaway application. In general this might help to understand if something was executed by some user who opened an ssh connection to your system (if allowed) or if the process was executed by, say, a mail delivery agent, etc.
    Then, once you have identified the process, you may want to take a look at the list of files, network and socket connections created by the process. This information might be useful as it might give a clue where the process was executed from (directory name) and what it is trying to do (i.e. a network attack if many network connections are reported, etc.). This information can be obtained using the "lsof -np PID" command, where PID should be replaced with the process ID of the runaway process. You may also try to trace the process using the "strace -s4096 -p PID" command, but strace output might be overwhelming for someone who is not ready to see it ;)

    I'm going to move this thread to "Linux VPS - General" as all the information above is useless unless you have root-level ssh access to the system.

    Regards,
    Paul
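
The ps steps from the reply above as a small script, added here as an example and not part of the original thread: it totals %CPU per user and walks the parent chain of one PID to show how the process was started. The function names and the sample process table are made up for illustration.

```shell
#!/bin/sh
# Constructed sample in the layout printed by: ps -eo pid,ppid,user,pcpu,comm
# (every PID, user and value below is invented for illustration)
sample_ps() {
cat <<'EOF'
  PID  PPID USER     %CPU COMMAND
    1     0 root      0.0 init
  812     1 root      0.0 sshd
 2950   812 root      0.0 sshd
 2953  2950 alice     0.1 bash
 4312  2953 alice    97.5 perl
  900     1 root      0.2 httpd
 3001   900 apache    1.5 httpd
 3002   900 apache    2.0 httpd
EOF
}

# cpu_by_user: read a ps table on stdin, print "user total%cpu", highest first
cpu_by_user() {
    awk 'NR > 1 { cpu[$3] += $4 }
         END { for (u in cpu) printf "%s %.1f\n", u, cpu[u] }' |
        LC_ALL=C sort -k2,2nr
}

# ancestry PID: read a ps table on stdin and follow PPID links from PID
# upwards, printing "user:command(pid)" for each hop. Prints an empty line
# if the PID is not in the table; the hop limit guards against broken input.
ancestry() {
    awk -v pid="$1" '
        NR > 1 { ppid[$1] = $2; who[$1] = $3 ":" $5 }
        END {
            out = ""
            while ((pid in ppid) && hops++ < 64) {
                out = out (out == "" ? "" : " <- ") who[pid] "(" pid ")"
                pid = ppid[pid]
            }
            print out
        }'
}

# Demo on the constructed table; on a live system pipe in the real command:
#   ps -eo pid,ppid,user,pcpu,comm | cpu_by_user
sample_ps | cpu_by_user
sample_ps | ancestry 4312
```

In the sample, the busy perl process traces back through a shell to an sshd session, which is the "user who opened an ssh connection" case; a chain ending in a web server or mail delivery agent would point elsewhere.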
     
  4. ppc

    ppc Moderator

    Making this a tutorial. Thanks Paul!
     
  5. Linda_Ol

    Linda_Ol New Member

    any ideas on how to find out which user on a server is causing problems

    How do I restrict user directory using SFTP? I know how to do this for FTP. But that doesn't seem to affect SFTP sessions. Any instructions or thoughts... Thank you. -VS
     
  6. Dan

    Dan Moderator

    Hi Linda_Ol,

    SFTP access is through SSH isn't it? You could simply rescind their SSH access, that would certainly do it.
     
