We've been having trouble recently with a cPanel server where httpd stops responding or is very slow. The server is running Cloud Linux 6 and all users are caged. Normally we look at open httpd connections and find the IP(s) with the most # of connections and block them, restart httpd and the load and response go back to normal.
Sometimes these IPs have 50-200 connections. I thought the CL should stop them at the EP (Entry Process) which we have at the default 20? I suppose they could be hitting multiple sites, but when looking at lvetop, it does not appear to be that way.
I have a few questions.
1) Are there any changes to Cloud Linux you could recommend to help with this issue?
2) Are there any changes to Apache that would help? We have turned off Keep Alives as well as increasing the number of child processes, etc. We are still running EA3.
3) Besides Apache status, top, netstat, iotop, and lvetop, are there any tools to figure out what sites/URLs are being attacked? Most of the time it looks like various accounts on the server so it is not obvious what is getting attacked.
Thanks for any advice.
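
The per-IP connection count described in the post, as an added example that is not part of the original post. It assumes Linux `netstat -nt` column layout; the function names and the sample input (documentation address ranges) are constructed for illustration.

```shell
#!/usr/bin/env bash
# Count connections per remote IP to local ports 80/443 from
# `netstat -nt`-style output and list IPs at or above a threshold.

# Constructed sample input, not output from a real server.
sample_netstat() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           203.0.113.5:51000       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:51001       ESTABLISHED
tcp        0      0 192.0.2.10:443          203.0.113.5:51002       SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40000      ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.9:40022      ESTABLISHED
tcp        0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.5:51003 ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:40001      TIME_WAIT
EOF
}

# top_web_clients THRESHOLD   (reads netstat output on stdin)
# Prints "count ip", highest count first, for each remote IP with at
# least THRESHOLD connections to local port 80 or 443.
top_web_clients() {
  awk -v min="$1" '
    $1 ~ /^tcp/ {
      if ($6 == "TIME_WAIT") next      # closed sockets no longer hold an Apache worker
      port = $4; sub(/.*:/, "", port)  # local port = text after the last colon
      if (port != "80" && port != "443") next
      remote = $5
      sub(/:[0-9]+$/, "", remote)      # strip the remote port
      sub(/^::ffff:/, "", remote)      # fold IPv4-mapped IPv6 into plain IPv4
      count[remote]++
    }
    END { for (ip in count) if (count[ip] >= min) print count[ip], ip }
  ' | sort -k1,1nr -k2,2
}

# On a live server: netstat -nt | top_web_clients 50
```

Folding the `::ffff:` prefix matters when Apache listens on a dual-stack socket, since the same client otherwise shows up under two different addresses and each count looks smaller than it is.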