This morning I was chatting with 2 persons on a Linux server with 4GBytes of RAM and running CentOS 6.4 when suddenly, in the middle of a line the system froze. At first I thought it was my local machine; then I discovered that it was the server, which I could no longer get to via SSH and needed to have a physical person do a physical reboot. Now all is well. No problems whatsoever. Does anyone know if such behavior is a "known issue" when using chat with 2.4.3? And, if so, how to fix it.
Re: Server crash during chat with 2 other persons Moodle 2.4.3
Many times a Linux server simply fails to respond ... it doesn't really 'crash'. If it did, one might see a .core file in the application folder that caused the 'panic'. Might check moodlecode/mod/chat/ for a .core file. If one is not there, no 'panic' by the server ... ie, it didn't dump core (ie, 'crash').
However, having said that, a 4G RAM server might be a little under-powered for any heavy usage of certain mods in Moodle ... one of those is chat. At the time the chat room was launched, how many users were logged onto Moodle using other courses/resources?
Last time I checked, each chat room uses up approximately 512K. So if there was say only 1 GIG of free RAM left and there were more than one Chat room launched, the math says there's close to 0 free RAM left and the server is now using SWAP space.
The only way to really see what's going on memory wise in realtime is via command line with root user running top. Then start your chat session to see how it affects memory usage.
'spirit of sharing', Ken
Re: Server crash during chat with 2 other persons Moodle 2.4.3
By the way I happened on an article yesterday TA-15-314a published by the NCCIC talking about the danger of various Web shells written in PHP, etc. that could impact CMSs. I wonder if this is just theoretical or if people are experiencing real attacks because of this. (I want to think my problem was not because of this!)
Regards,
Gary
Re: Server crash during chat with 2 other persons Moodle 2.4.3
> One thing I had been doing just before the crash was to switch back and forth several times between the Bubble and Compact theme to see if this really caused all previous lines of chat to disappear or if it was just my machine.
That is highly suspicious. The theme is part of Moodle code and it has to be clean. If possible fall back to a core theme. BTW, do you have theme designer mode ON?
> After the 4th or 5th switch in rapid succession I noticed I couldn't send a line I'd been typing and the two others reported by email they lost me and each other in chat along with access not only to Moodle but to the entire domain. And when I tried to go in remotely to the server I noticed I couldn't and a physical reboot of the server needed to be done to get going again.
That is absurd. If 10 web visitors can take down the whole bunch of servers of an institution, there is something wrong in a big way. Are all these hosted on one (physical) server? Are you sure of the hardware, device drivers? A serious stress testing is needed from the part of the system administrators.
Re: Server crash during chat with 2 other persons Moodle 2.4.3
Glad that you reminded me of the core dump. I am not sure whether it has to be in ./mod/chat/ though. Worth scanning the whole file system.
I have a problem accepting 4 GB RAM as under-powered. I still think of how we envied the two super computers the university had, a rich university for that matter, with 4 GB RAM each! Recently I did some benchmarking on a common (KVM, Qemu) VPS with 2 cores and 2 GB RAM, and it was a huge positive surprise. Must say that I haven't tested the chat module.
One final thing: why do you say top has to run as root?
@Gary
These are some examples of the monitoring you need: https://moodle.org/mod/forum/discuss.php?d=192162.
Re: Server crash during chat with 2 other persons Moodle 2.4.3
Will spare all the long story about 2 Elementary classrooms and 6 chat rooms on a 2 Gig server, but will say only that 2 Gig's was not enough memory to handle that number of chat rooms.
Chat is a separate little daemon to itself and in Moodle, chat can be configured to use actual chat daemon software, not the built in. In my investigation of that, each chat room used approximately 512K memory. So my experience was with a 2 Gig box, but even with 4 Gig a single chat room might push a server over limits depending upon other daemons ... like apache/mysql/etc..
Reason for top ... known to be installed on all CentOS systems and easiest to get a quick look at memory usage/activity on a box un-seen ... lots of detail left out of the first posting. Yes, plenty of other/better monitoring tools, but then op might have issues installing one of those ... plus there is proper config of a monitor ... ever configure a monitor to consume more of the server than intended thus creating your own DOS?
4 Gig is normally a good place to start but it's been my experience that through time and usage of Moodle, a stand alone (apache/mysqld/other running on same server) running Moodle will eventually consume more memory ... period.
@Howard has also said that other things are worth looking at ... my experience with similar incidents (one with a wiki - which was sort of a DOS) confirms that one could still login (via ssh) and issue commands although extremely slow. Apache still running. Server still up (if you pinged it) ... didn't crash. As far as core dumps and .core files, think the default behavior for CentOS is to save the .core file in the directory of the app that caused the issue. Can be configured differently. And, yes, one could find other daemons on the server causing core dumps so looking at the entire server was a good idea, but since OP was talking about chat in Moodle ... then that's why I suggested looking for .core dumps where I did.
@Gary ... well, new shells are discovered frequently. Who's to say your server doesn't have one ... but if you followed advice given, one is about as 'secure' as one can humanly get and be able to use what's installed! It always has been an 'element of risk' when running anything like a Moodle ... or a Joomla ... or a WordPress ... or a .... on forever.
For the benefit of others, the source referenced by Gary is an overall guide on Web Shells - Threat Awareness. https://www.us-cert.gov/ncas/alerts/TA15-314A
Good thing to be aware. What was advised on the reference I read makes sense for anyone running anything open source on port 80 - one recommendation ... keep your software up to date. Duh! Ya think?
Moodle (like Joomla/WordPress/Drupal, etc. any well known + good open sourced software) is serious about security, but users of that software have to do their part ... keeping up to date.
Recently spent 2 solid days upgrading 1.5.x Joomlas to 3.highest on a server that had WP as well. Joomla's were vulnerable to 'web shell' trojans via a plugin installed in the Joomla's. The WP's on same server did suffer from that as the web shell trojans/header injections etc. from Joomla's spilled into them as well.
So @Gary ... while there are many approaches to this, I'd recommend a place to start is installing ClamAV on server and doing a scan of the entire Moodle code directory - anything at web root. ClamAV will detect some things like trojans, etc.
Am sure @Howard and @Visvanath can share other tools, etc..
'spirit of sharing', Ken
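The memory check described above as an interactive `top` session, written as an added example that is not part of any post in this thread: a logger that leaves evidence on disk when the box later stops answering SSH. The log path, the 25% swap threshold and the function names are assumptions; it uses MemFree + Buffers + Cached as the free-memory estimate.

```shell
#!/bin/sh
# Added example (not from the thread): one-line memory/swap/load snapshots.
# LOG and SWAP_WARN_PCT are assumed names and values; adjust to the host.
LOG=${LOG:-/var/log/memwatch.log}
SWAP_WARN_PCT=${SWAP_WARN_PCT:-25}

# Reads /proc/meminfo-format text on stdin, prints a key=value summary.
mem_summary() {
    awk -v warn="$SWAP_WARN_PCT" '
        $1 == "MemTotal:"  { total = $2 }
        $1 == "MemFree:"   { free = $2 }
        $1 == "Buffers:"   { buf = $2 }
        $1 == "Cached:"    { cached = $2 }   # exact match skips SwapCached:
        $1 == "SwapTotal:" { st = $2 }
        $1 == "SwapFree:"  { sf = $2 }
        END {
            avail = free + buf + cached      # free plus reclaimable cache, kB
            used  = st - sf                  # swap in use, kB
            pct   = (st > 0) ? int(used * 100 / st) : 0
            state = (pct >= warn) ? "SWAPPING" : "ok"
            printf "avail_mb=%d total_mb=%d swap_used_mb=%d swap_pct=%d state=%s\n",
                   avail / 1024, total / 1024, used / 1024, pct, state
        }'
}

# Timestamp + 1-minute load average + memory summary for the live system.
snapshot() {
    printf '%s load1=%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" \
        "$(cut -d' ' -f1 /proc/loadavg)" "$(mem_summary < /proc/meminfo)"
}

# Constructed sample: a 4 GB host that is already deep into swap.
sample_meminfo() {
    cat <<'EOF'
MemTotal:        4194304 kB
MemFree:           65536 kB
Buffers:           16384 kB
Cached:           122880 kB
SwapCached:        40960 kB
SwapTotal:       2097152 kB
SwapFree:         524288 kB
EOF
}

# "script --log" appends one snapshot; without arguments nothing is written.
if [ "${1:-}" = "--log" ]; then
    snapshot >> "$LOG"
fi
```

Run with `--log` from cron once a minute; after a freeze and reboot, the last lines of the log show whether available memory and swap were collapsing before the server went silent.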
Re: Server crash during chat with 2 other persons Moodle 2.4.3
Thanks to Ken et al for your ideas about what might have happened. I did see in the most current httpd access log an odd GET from a suspicious place on the planet just before what happened happened. Then stuck. I will go through you guys' suggestions, install ClamAV and test as soon as there is a little lull in the action. In the meantime I have good backups, a second server with everything mirroring my mission-critical platform and various other parachutes I can grab in an emergency. I'll keep you all posted here on what I find in a couple weeks.
Re: Server crash during chat with 2 other persons Moodle 2.4.3
I am wondering if there really might not have been a DOS attack going on. First time in 5 years, but there's a first time for everything I guess. Just to say that normally when I do a top I see a load of like .10 to .20 unless I am doing something strenuous like doing an entire backup of the server, in which case it can go up to past .50 or .60. Nothing more. And each week I reboot when I see available RAM starting to drop a bit.
I will definitely install ClamAV as soon as the current "flight" is over and the plane is in the hangar as it were and see what's going on here. Again, things have been going just fine over the past couple years, so I was a little surprised to see this. Thank goodness a physical button-press reboot in the room with the machines whirring away by the conscientious team at the place I have my server sitting fixed this. (While previous attempts to do software reboot via their remote interface didn't. At which point I began to ready one of my business-continuity parachutes.) For the past 48 hours all is well.
Re: Server crash during chat with 2 other persons Moodle 2.4.3
Chat won't bring your server down to the point you can't log in.
It's very hard to know what might be going on if you can't get in. Did you try to log in directly to the server (KVM in the back)? It is possible the load went sky high and it just wasn't listening to the ssh daemon.
The only time I have seen anything like this is with a DOS attack or, anyway, something that was effectively a DOS attack. A misconfigured client hammering the server.