DirectAdmin: Block IPs causing high load

DirectAdmin IP Blocking

Introduction

If you're managing DirectAdmin servers, one common issue is high server load. In this tutorial, I'll show you how to identify the IP addresses generating the abusive traffic behind it and block them effectively.

Prerequisites

  • Basic Linux knowledge.
  • DirectAdmin server v1.67 with csf installed.

Note: At the time of writing, I used the tools and versions mentioned above. However, this guide might also apply to newer versions or similar tools.

Step-by-step Guide

DirectAdmin usually notifies you of high-load events on your server, including details about the affected user:

This is an automated message notifying you that the 5 minute load average on your system is 11.75.
This has exceeded the 10 threshold.

One Minute      - 12.09
Five Minutes    - 11.75
Fifteen Minutes - 10.21

top - 23:18:33 up 2 days,  1:17,  1 user,  load average: 12.09, 11.75, 10.21
Tasks: 308 total,  14 running, 294 sleeping,   0 stopped,   0 zombie
%Cpu(s): 72.9 us, 25.7 sy,  0.0 ni,  0.0 id,  0.0 wa,  0.0 hi,  1.4 si,  0.0 st
MiB Mem :  23987.6 total,   2279.6 free,   3949.9 used,  17758.0 buff/cache
MiB Swap:      0.0 total,      0.0 free,      0.0 used.  19577.3 avail Mem 

    PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND
 640035 user123  20   0  263080 129676  94228 R  52.9   0.5   0:07.37 php-fpm: pool user123
 640031 user123  20   0  263208 129900  94260 R  41.2   0.5   0:07.14 php-fpm: pool user123
 640039 user123  20   0  263144 130740  95212 R  23.5   0.5   0:07.33 php-fpm: pool user123
 640033 user123  20   0  263208 130868  95276 R  17.6   0.5   0:07.24 php-fpm: pool user123
 640041 user123  20   0  263144 130600  94860 R  17.6   0.5   0:07.29 php-fpm: pool user123
 640047 user123  20   0  263212 129364  93816 R  17.6   0.5   0:07.27 php-fpm: pool user123
 640037 user123  20   0  263208 130592  94964 R  11.8   0.5   0:07.29 php-fpm: pool user123
 640043 user123  20   0  263148 129536  93856 R  11.8   0.5   0:07.47 php-fpm: pool user123
 640045 user123  20   0  263212 130620  94820 R  11.8   0.5   0:07.17 php-fpm: pool user123
 ...
  1. Inspect the logs to identify IPs generating high request volumes or unusual traffic for user123's domain

    awk '{print $1}' /var/log/httpd/domains/user123.com.log | sort | uniq -c | sort -nr | head -20
    
    18083 34.66.xxx.yyy
    17118 34.123.xxx.yyy
    13147 34.58.xxx.yyy
    8 66.249.xxx.xxx
    ...
    

    As you can see, the IPs starting with 34.xxx.xxx.xxx are each generating many thousands of requests, while the remaining IPs only made a handful.

  2. Identify the ownership of IPs

    Use ipinfo.io or a similar lookup tool to check who owns the IPs and confirm they don't belong to a legitimate service before blocking them.

  3. Block the IPs using CSF

    csf -d 34.66.xxx.yyy
    csf -d 34.123.xxx.yyy
    csf -d 34.58.xxx.yyy
    
  4. Repeat the process for any other affected users, if applicable

Conclusion

With this simple IP blocking approach, you can keep your DirectAdmin server running smoothly. The process can be automated with a Bash script that scans the domain logs and blocks suspicious IPs.
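The automation mentioned above, as an added example that is not part of the original tutorial: it counts requests per client IP in a domain log (same `awk '{print $1}'` idea as step 1, assuming the combined log format where the first field is the client IP), skips an allowlist you define, and denies the rest with `csf -d` unless run in dry-run mode. The THRESHOLD, ALLOWLIST and DRY_RUN variables, the function names and the sample addresses are hypothetical constructs for this example.

```shell
#!/bin/sh
# Added example (not from the original tutorial): deny heavy-hitter IPs found in a
# DirectAdmin domain log with csf. Assumes combined log format (client IP is field 1).
THRESHOLD="${THRESHOLD:-5000}"  # requests within the log window that trigger a deny
DRY_RUN="${DRY_RUN:-1}"         # 1 = only print what would be blocked
ALLOWLIST="${ALLOWLIST:-}"      # space-separated IP prefixes never to block (monitoring, office)

# Print "count ip" for each client IP at or above the threshold, busiest first.
heavy_ips() {
    awk -v t="$2" '{ n[$1]++ } END { for (ip in n) if (n[ip] >= t) print n[ip], ip }' "$1" | sort -nr
}

# Succeed when the IP starts with one of the allowlisted prefixes.
is_allowed() {
    for p in $ALLOWLIST; do
        case "$1" in "$p"*) return 0 ;; esac
    done
    return 1
}

# Deny every heavy IP (csf -d adds it to /etc/csf/csf.deny permanently), or
# just report when DRY_RUN=1. Prints one line per IP acted on.
block_heavy_ips() {
    heavy_ips "$1" "$THRESHOLD" | while read -r count ip; do
        if is_allowed "$ip"; then
            echo "skipping $ip ($count requests, allowlisted)" >&2
        elif [ "$DRY_RUN" = "1" ]; then
            echo "would block $ip ($count requests)"
        else
            csf -d "$ip" "auto-deny: $count requests in $(basename "$1")" >/dev/null
            echo "blocked $ip ($count requests)"
        fi
    done
}

# Constructed sample log for a stand-alone dry run; prints the temp file path.
sample_log() {
    f=$(mktemp)
    for ip_count in 203.0.113.10:7 198.51.100.7:6 192.0.2.1:1; do
        i=${ip_count#*:}
        while [ "$i" -gt 0 ]; do
            echo "${ip_count%:*} - - [01/Jan/2024:00:00:00 +0000] \"GET / HTTP/1.1\" 200 512 \"-\" \"bot\""
            i=$((i - 1))
        done
    done > "$f"
    echo "$f"
}
# Usage: THRESHOLD=5000 DRY_RUN=0 ./block-heavy-ips.sh /var/log/httpd/domains/user123.com.log
if [ "$#" -eq 1 ]; then block_heavy_ips "$1"; fi
```

Run it with DRY_RUN=1 first and review the output against step 2 before switching to DRY_RUN=0, since a permanent deny of a legitimate crawler or monitoring service is as disruptive as the load itself.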