I have a problem with my system load: as soon as I activate the spam filter under the mail server, my system load keeps increasing until the system is almost paralyzed.
After a reboot it runs again for up to 7 days.
As soon as I turn off the spam filter, the system load is completely normal.
The basis is an Intel Celeron J1900 CPU with 8GB RAM, an SSD, and a conventional hard drive as RAID for the directory /var.
2x NIC (green and red)
And here is an excerpt of the message.log, about 5 minutes:
What does it keep doing with a SOGo user?
Dec 21 19:47:01 openzwo systemd: Stopping User Slice of apache.
Dec 21 19:47:02 openzwo systemd: Removed slice User Slice of sogo.
Dec 21 19:47:02 openzwo systemd: Stopping User Slice of sogo.
Dec 21 19:47:04 openzwo systemd-logind: Removed session c427.
Dec 21 19:47:04 openzwo systemd: Removed slice User Slice of stb@nandlnet.de.
Dec 21 19:47:04 openzwo systemd: Stopping User Slice of stb@nandlnet.de.
Dec 21 19:47:21 openzwo smbd[18126]: [2017/12/21 19:47:21.751080, 0] ../lib/param/loadparm.c:782(lpcfg_map_parameter)
Dec 21 19:47:21 openzwo smbd[18126]: Unknown parameter encountered: "share modes"
Dec 21 19:47:21 openzwo smbd[18126]: [2017/12/21 19:47:21.751230, 0] ../lib/param/loadparm.c:1791(lpcfg_do_service_parameter)
Dec 21 19:47:21 openzwo smbd[18126]: Ignoring unknown parameter "share modes"
Dec 21 19:47:22 openzwo systemd: Created slice User Slice of stb@nandlnet.de.
Dec 21 19:47:22 openzwo systemd: Starting User Slice of stb@nandlnet.de.
Dec 21 19:47:22 openzwo systemd-logind: New session c428 of user stb@nandlnet.de.
Dec 21 19:47:22 openzwo systemd: Started Session c428 of user stb@nandlnet.de.
Dec 21 19:47:22 openzwo systemd: Starting Session c428 of user stb@nandlnet.de.
Dec 21 19:47:41 openzwo clamd: SelfCheck: Database status OK.
Dec 21 19:47:41 openzwo clamd[10077]: SelfCheck: Database status OK.
Dec 21 19:48:01 openzwo systemd: Created slice User Slice of apache.
Dec 21 19:48:01 openzwo systemd: Starting User Slice of apache.
Dec 21 19:48:01 openzwo systemd: Started Session 18018 of user apache.
Dec 21 19:48:01 openzwo systemd: Starting Session 18018 of user apache.
Dec 21 19:48:01 openzwo systemd: Created slice User Slice of sogo.
Dec 21 19:48:01 openzwo systemd: Starting User Slice of sogo.
Dec 21 19:48:01 openzwo systemd: Started Session 18019 of user sogo.
Dec 21 19:48:01 openzwo systemd: Starting Session 18019 of user sogo.
Dec 21 19:48:01 openzwo systemd: Removed slice User Slice of apache.
Dec 21 19:48:01 openzwo systemd: Stopping User Slice of apache.
Dec 21 19:48:01 openzwo systemd: Removed slice User Slice of sogo.
Dec 21 19:48:01 openzwo systemd: Stopping User Slice of sogo.
Dec 21 19:48:47 openzwo dnsmasq-dhcp[9432]: DHCPREQUEST(br0) 192.168.200.236 c4:57:6e:78:14:18
Dec 21 19:48:47 openzwo dnsmasq-dhcp[9432]: DHCPACK(br0) 192.168.200.236 c4:57:6e:78:14:18
Dec 21 19:49:02 openzwo systemd: Created slice User Slice of apache.
Dec 21 19:49:02 openzwo systemd: Starting User Slice of apache.
Dec 21 19:49:02 openzwo systemd: Started Session 18020 of user apache.
Dec 21 19:49:02 openzwo systemd: Starting Session 18020 of user apache.
Dec 21 19:49:02 openzwo systemd: Created slice User Slice of sogo.
Dec 21 19:49:02 openzwo systemd: Starting User Slice of sogo.
Dec 21 19:49:02 openzwo systemd: Started Session 18021 of user sogo.
Dec 21 19:49:02 openzwo systemd: Starting Session 18021 of user sogo.
Dec 21 19:49:02 openzwo systemd: Removed slice User Slice of apache.
Dec 21 19:49:02 openzwo systemd: Stopping User Slice of apache.
Dec 21 19:49:02 openzwo dnsmasq-dhcp[9432]: DHCPREQUEST(br0) 192.168.200.19 90:cd:b6:8d:49:30
Dec 21 19:49:02 openzwo dnsmasq-dhcp[9432]: DHCPACK(br0) 192.168.200.19 90:cd:b6:8d:49:30 dcp
Dec 21 19:49:02 openzwo systemd: Removed slice User Slice of sogo.
Dec 21 19:49:02 openzwo systemd: Stopping User Slice of sogo.
Dec 21 19:50:01 openzwo systemd: Created slice User Slice of apache.
Dec 21 19:50:01 openzwo systemd: Starting User Slice of apache.
Dec 21 19:50:01 openzwo systemd: Started Session 18022 of user apache.
Dec 21 19:50:01 openzwo systemd: Starting Session 18022 of user apache.
Dec 21 19:50:01 openzwo systemd: Created slice User Slice of sogo.
Dec 21 19:50:01 openzwo systemd: Starting User Slice of sogo.
Dec 21 19:50:01 openzwo systemd: Started Session 18023 of user sogo.
Dec 21 19:50:01 openzwo systemd: Starting Session 18023 of user sogo.
Dec 21 19:50:01 openzwo systemd: Removed slice User Slice of apache.
Dec 21 19:50:01 openzwo systemd: Stopping User Slice of apache.
Dec 21 19:50:02 openzwo systemd: Removed slice User Slice of sogo.
Dec 21 19:50:02 openzwo systemd: Stopping User Slice of sogo.
Dec 21 19:50:31 openzwo systemd: Removed slice User Slice of root.
Dec 21 19:50:31 openzwo systemd: Stopping User Slice of root.
Dec 21 19:51:01 openzwo systemd: Created slice User Slice of apache.
Dec 21 19:51:01 openzwo systemd: Starting User Slice of apache.
Dec 21 19:51:01 openzwo systemd: Started Session 18024 of user apache.
Dec 21 19:51:01 openzwo systemd: Starting Session 18024 of user apache.
Dec 21 19:51:01 openzwo systemd: Created slice User Slice of sogo.
Dec 21 19:51:01 openzwo systemd: Starting User Slice of sogo.
Dec 21 19:51:01 openzwo systemd: Started Session 18025 of user sogo.
Dec 21 19:51:01 openzwo systemd: Starting Session 18025 of user sogo.
Dec 21 19:51:01 openzwo systemd: Removed slice User Slice of apache.
Dec 21 19:51:01 openzwo systemd: Stopping User Slice of apache.
Dec 21 19:51:02 openzwo systemd: Removed slice User Slice of sogo.
Dec 21 19:51:02 openzwo systemd: Stopping User Slice of sogo.
Dec 21 19:51:35 openzwo httpd: [NOTICE] Nethgui\Authorization\User: user `root` authenticated
Dec 21 19:52:01 openzwo systemd: Created slice User Slice of apache.
Dec 21 19:52:01 openzwo systemd: Starting User Slice of apache.
Dec 21 19:52:01 openzwo systemd: Started Session 18026 of user apache.
Dec 21 19:52:01 openzwo systemd: Starting Session 18026 of user apache.
Dec 21 19:52:01 openzwo systemd: Created slice User Slice of sogo.
Dec 21 19:52:01 openzwo systemd: Starting User Slice of sogo.
Dec 21 19:52:01 openzwo systemd: Started Session 18027 of user sogo.
Dec 21 19:52:01 openzwo systemd: Starting Session 18027 of user sogo.
Dec 21 19:52:01 openzwo systemd: Removed slice User Slice of apache.
Dec 21 19:52:01 openzwo systemd: Stopping User Slice of apache.
Dec 21 19:52:02 openzwo systemd: Removed slice User Slice of sogo.
Dec 21 19:52:02 openzwo systemd: Stopping User Slice of sogo.
After about 24 hours of operation, the system load increases again strongly.
Here is the excerpt from the running processes.
Again there is an Apache process running with nasty performance data, 394% CPU, etc …
When I turn off the system continues to run with normal values … it also runs normally again when I turn off the spam filter.
Tasks: 538 total, 2 running, 457 sleeping, 0 stopped, 79 zombie
%Cpu(s): 99.1 us, 0.5 sy, 0.0 ni, 0.0 id, 0.0 wa, 0.0 hi, 0.4 si, 0.0 st
KiB Mem : 7902388 total, 133332 free, 4298132 used, 3470924 buff/cache
KiB Swap: 6291452 total, 6285016 free, 6436 used. 3123856 avail Mem
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
29959 apache 20 0 424460 40120 2328 S 394.1 0.5 3710:09 j
3154 root 20 0 168408 2784 1592 R 1.0 0.0 0:00.42 top
28338 stb@nan+ 20 0 464224 9052 6320 S 0.7 0.1 0:48.81 smbd
1622 root 20 0 767244 1460 780 S 0.3 0.0 0:06.31 c-icap
1727 sogo 20 0 364908 17112 5264 S 0.3 0.2 2:08.48 sogod
2124 mysql 20 0 2690952 158652 9148 S 0.3 2.0 1:50.96 mysqld
2500 apache 20 0 36944 4356 1416 S 0.3 0.1 0:00.09 /usr/sbin/httpd
3132 root 20 0 154804 6000 4644 S 0.3 0.1 0:00.20 sshd
5261 apache 20 0 36944 4452 1512 S 0.3 0.1 0:03.58 /usr/sbin/httpd
17536 apache 20 0 36944 4452 1512 S 0.3 0.1 0:01.98 /usr/sbin/httpd
I wish you all a merry Christmas!
And may you all enjoy the time in peace with your loved ones!
I had searched for the file this morning, but there was nothing like that in the tmp directory.
I have now blocked the port on nethserver and additionally in the Fritzbox.
In addition, I have deleted all the content from the tmp directory.
Let’s see what happens.
But how can something like that happen, that something like that gets into the system?
And why is the system “almost” normal again when the spam filter is switched off …
I don’t think that system load is linked to the spam filter. The load is generated by the j process, which is unknown and suspicious.
We will need to analyze the system. Which software are you running on NethServer? Any app like WordPress? Or other PHP software? Custom made?
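As an added example (not part of the thread and not NethServer code), the following Python sketch applies the check described in the reply to rows from the `top` output quoted above: it flags any process owned by a service account whose command is not the one that account normally runs. The `EXPECTED` allowlist and the 50% CPU threshold are assumptions chosen for this host.

```python
# Rows copied from the top output quoted in the thread (subset).
TOP_ROWS = """\
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
29959 apache 20 0 424460 40120 2328 S 394.1 0.5 3710:09 j
3154 root 20 0 168408 2784 1592 R 1.0 0.0 0:00.42 top
28338 stb@nan+ 20 0 464224 9052 6320 S 0.7 0.1 0:48.81 smbd
1727 sogo 20 0 364908 17112 5264 S 0.3 0.2 2:08.48 sogod
2124 mysql 20 0 2690952 158652 9148 S 0.3 2.0 1:50.96 mysqld
2500 apache 20 0 36944 4356 1416 S 0.3 0.1 0:00.09 /usr/sbin/httpd
5261 apache 20 0 36944 4452 1512 S 0.3 0.1 0:03.58 /usr/sbin/httpd
"""

# Assumption: the only command each service account should be running here.
EXPECTED = {"apache": {"httpd"}, "sogo": {"sogod"}, "mysql": {"mysqld"}}


def cpu_minutes(time_plus):
    """Convert top's TIME+ (minutes:seconds[.hundredths]) to minutes."""
    minutes, seconds = time_plus.split(":")
    return int(minutes) + float(seconds) / 60


def parse_top(text):
    """Return one dict per process row, skipping header and summary lines."""
    rows = []
    for line in text.splitlines():
        f = line.split(None, 11)
        if len(f) != 12 or not f[0].isdigit():
            continue
        rows.append({"pid": int(f[0]), "user": f[1], "cpu": float(f[8]),
                     "cpu_min": cpu_minutes(f[10]), "cmd": f[11]})
    return rows


def suspicious(rows, expected=EXPECTED, cpu_limit=50.0):
    """Flag service-account processes with an unexpected command name."""
    hits = []
    for r in rows:
        allowed = expected.get(r["user"])
        if allowed is None:
            continue  # not a service account we have a baseline for
        name = r["cmd"].split()[0].rsplit("/", 1)[-1]
        if name in allowed:
            continue
        reasons = ["unexpected command %r for user %s" % (name, r["user"])]
        if r["cpu"] > cpu_limit:
            reasons.append("%.1f%% CPU" % r["cpu"])
        hits.append((r["pid"], reasons))
    return hits
```

The COMMAND column is set by the process itself, so a clean result here does not clear a host; `ls -l /proc/<pid>/exe` and `ls -l /proc/<pid>/cwd` show the binary and working directory actually behind a PID.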