A question can only have one accepted answer. Are you sure you want to replace the current answer with this one?
You previously marked this answer as accepted. Are you sure you want to unaccept it?
Write for DigitalOcean
You get paid, we donate to tech non-profits.
Find and meet other developers in your city.
Contribute to Open Source
I’m getting weird spikes in bandwidth, disk, and CPU usage. What could be causing this? It’s a pretty standard LAMP stack. Only a few days old.
Add comments here to get more clarity or context around a question. To answer a question, use the “Answer” field below.
When you deploy a droplet, the initial deployment and setup is going to cause CPU, RAM and Disk I/O spikes. This is completely normal and once the droplet is a week old, or older, the graphs will begin to normalize.
but that duration of that spike is almost 5 hour long. also the memory consumption is constantly over 90%. dont you think thats odd?
For a new Droplet, not really, though we can always check a few things to see what’s going on and to see if what’s happening is a cause for concern.
The first thing I would do is check whether your firewall is enabled. If it’s not, some of what you’re seeing could be due to repeated attempts to login by bots or similar. Much of this is and always will be automated, so unless you’re filtering traffic through a firewall, you’re not going to see any reduction.
You can run the command below to see if ufw is enabled.
sudo ufw status
If ufw is not enabled, we need to determine what ports you need open. Most commonly, you should allow ports: 80, 443, and 22 (HTTP, HTTPS, and SSH). We should also setup a default policy to deny connections to any ports that we don’t specifically allow. To do this, we can run:
sudo ufw default deny
Then setup the ports we want to allow access on:
sudo ufw allow 22/tcp \
&& sudo ufw allow 80/tcp \
&& sudo ufw allow 443/tcp
Now we can enable ufw:
sudo ufw enable
It’ll ask you to confirm, simply confirm and your firewall is now enabled and external access will now only be allowed on those 3 ports.
You can also check you logs in /var/log, or the location of your software-specific logs (i.e. Apache, PHP, etc). Look at the access and error logs and see if there’s anything out of the ordinary, such as odd requests for random files, queries with random strings, etc. If you see things like this, while common, it’ll give you an idea of what someone is looking for.
These types of requests, much like attempts to login, are automated and since it’s still traffic to your web server, they will use resources to serve the request. There are ways to filter them, though it really depends on what you’re using (i.e. WordPress?) or something else. I know there are WordPress security plugins that will filter bad requests and there are also ways to do it at the server level.
Check your log files in /var/log