apache down for short periods
netstat -atun | awk '{print $5}' | cut -d: -f1 | sed -e '/^$/d' |sort | uniq -c | sort -n
but there is no difference during the downtime event and 5 minutes after the downtime event.
netstat -plant
similarly just shows a lot of regular traffic.
sar -r
just shows about 10% more memory under %commit and
sar -q
just shows regular cpu usage.
Since this was such a specific apache related issue, I decided I needed a snapshot of what was going on across accounts at that time.
cat /home/*/access-logs/* > combined_access_logs.txt
Then search for cases of the timestamp inside the combined access log.
This revealed the account that was getting attacked (in this case, with a mountain of traffic from Scrapy despite being behind Cloudflare). I set up specific defenses in Cloudflare's WAF targeting Scrapy and I guess this is solved until the next AI data miner shows up.
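The timestamp search described in the post, as an added example that is not part of the original thread: instead of concatenating the logs, which loses the account each line came from, it keeps the file name on every hit and ranks account and user-agent pairs for the outage minute. The `/home/*/access-logs/*` layout comes from the post; the combined log format, the function names and the sample lines are assumptions constructed for illustration.

```bash
#!/bin/sh
# Added example (not from the original post): rank account + user-agent pairs
# for requests whose timestamp starts with a given prefix.

# top_talkers <log_root> <timestamp_prefix>
#   log_root          directory holding <account>/access-logs/<domain> (assumed layout)
#   timestamp_prefix  Apache time prefix, e.g. 12/Mar/2025:14:07
top_talkers() {
    # -F: fixed string; -H: prefix each hit with its file so the account survives
    grep -FH -- "[$2" "$1"/*/access-logs/* 2>/dev/null |
    awk -F'"' -v root="$1/" '
        {
            path = $1; sub(/:.*/, "", path)      # file name prepended by grep -H
            split(substr(path, length(root) + 1), p, "/")
            ua = ($6 == "") ? "-" : $6           # 6th quote-delimited field = user agent
            hits[p[1] "\t" ua]++
        }
        END { for (k in hits) printf "%d\t%s\n", hits[k], k }' |
    sort -t "$(printf '\t')" -k1,1nr -k2
}

# log_line <ip> <hh:mm:ss> <user_agent>: one constructed combined-format line
log_line() {
    printf '%s - - [12/Mar/2025:%s +0000] "GET / HTTP/1.1" 200 512 "-" "%s"\n' "$1" "$2" "$3"
}

# make_sample_logs <dir>: constructed two-account log tree for the demo
make_sample_logs() {
    mkdir -p "$1/alice/access-logs" "$1/bob/access-logs"
    {
        log_line 203.0.113.10 14:07:01 'Mozilla/5.0'
        log_line 203.0.113.11 14:12:44 'Mozilla/5.0'
    } > "$1/alice/access-logs/alice.example"
    {
        log_line 198.51.100.7 14:07:02 'Scrapy/2.11.0 (+https://scrapy.org)'
        log_line 198.51.100.7 14:07:02 'Scrapy/2.11.0 (+https://scrapy.org)'
        log_line 198.51.100.8 14:07:03 'Scrapy/2.11.0 (+https://scrapy.org)'
        log_line 192.0.2.5    14:07:09 'Mozilla/5.0'
    } > "$1/bob/access-logs/bob.example"
}

demo=$(mktemp -d)
make_sample_logs "$demo"
top_talkers "$demo" "12/Mar/2025:14:07"   # columns: count, account, user agent
rm -rf "$demo"
```

On a live server the first argument would be `/home` and the second the minute Apache stopped responding.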
Fantastic work.
Andrew N. - cPanel Plesk VMWare Certified Professional
sondroyo - excellent detective work!