Over the weekend the load average on my server leaped from an average of 0.5 to 15, and got pinned there. The culprit was miniserv.pl. A dozen instances of this were running at 100% cpu usage. I changed the user password and killed all their instances of miniserv.pl, and life went back to normal for the server. Even during the peak of the problem, the server was still able to deliver email and web content without any noticable slowness.
It turns out that the user left an instance of webmail running on a computer the kid was playing on, and then tried to launch multiple usermin windows from another computer, which were not letting him in. Most of these were running at almost 100% cpu capacity. He was on a MacIntosh logging in with Safari. Any reason why these were running at such a high CPU utilization? Such a comedy of errors, I was on the server at the same time killing his windows, thinking I was under a DOS attack, thinking what a silly way for someone to try tying up my server!
Well, there’s also certain actions that can take place within Webmin that are CPU intensive. Looking through logs I think is one of them, amongst others.
You might consider looking at the logs in /var/webmin/ and /var/usermin/ to see what was going on around the time the load spiked.
As far as brute force attacks go – you might want to take a peek in Webmin -> Webmin -> Webmin Configuration -> Authorization. In there, you can have it block hosts with more than N failed login attempts for some timeframe.
I think that’s on by default, but you could increase the time the host is blocked for added security.
well, it happened again. I can make it happen any time by simply logging into the client account and clicking on the spam folder in usermin. The browser then hangs, and the process miniserv.pl is running at 100% cpu utilization. I found many instances running, caused by the client trying to get to his spam folder to check for false positives. From a ‘top’ run on my server, before I killed the processes:
He has a lot of sent items that were migrated along with his email account from the old server. I will be using your interface to put a ‘delete after so many days’ on the sent items folder. The spam was not migrated, of course.
Jamie,
The reason I have not deleted it already is in case you needed anything for analysis. There seems to be a spam out there that can give your code a problem. If my end users get bombed with this spam, I could have a potential disaster on my hands if several of them log into usermin and try to check their spam folder and many shells get launched, each hogging 100% CPU. My system would bog down to a halt eventually. Have you ever seen anything like this before, or should I just delete the folder and stick my head in the sand, hoping that it does not happen again. BTW Jaime, virtualmin RULES! Don’t think I’m not grateful. When we upgraded to the paid version, and we saw how many script installers there were, the staff here went nuts over it.
Jaime,
I saved a copy of the spam folder for you if you need it, deleted it from the user account, reinitialized it with the gtube string, and logged into the usermin interface as the user and checked the spam folder. Everything worked just fine.
If you could email me a tar file of the spam folder at jcameron@virtualmin.com , I could take a look and see if there is something in one of the messages that is making Usermin hang …
I had similar slowness issue. Been puzzling for a few day.
What I changed that improve the situation is –
I changed the usermin preference (login to usermin at http://localhost:2000/) and in
Configuration category | Show unread messages count Yes Only for IMAP No <-- I set this to No.
I had one folder that is about 3GB – which causes the cpu + io wait to go off the roof all the time.
your situation may be different, but this is what fixes mine