Tuesday, March 22, 2011

Prevent syn floods [SYN_RECV] attack on Linux (cPanel) Server


One of my Linux Server (Cent OS, cPanel) is under syn floods Attacks come from different spoofed ip addresses and ports as below logs.  


root@yes [~]# netstat -n -p | grep SYN_REC | sort -u
tcp        0      0 66.7.221.78:80              109.230.222.43:19324        SYN_RECV    -
tcp        0      0 66.7.221.78:80              109.243.238.214:51875       SYN_RECV    -
tcp        0      0 66.7.221.78:80              109.243.238.214:51877       SYN_RECV    -
tcp        0      0 66.7.221.78:80              109.243.238.214:51881       SYN_RECV    -
tcp        0      0 66.7.221.78:80              109.67.0.116:1864           SYN_RECV    -
tcp        0      0 66.7.221.78:80              110.138.179.58:2130         SYN_RECV    -
tcp        0      0 66.7.221.78:80              110.138.179.58:2588         SYN_RECV    -
tcp        0      0 66.7.221.78:80              110.138.179.58:2986         SYN_RECV    -
tcp        0      0 66.7.221.78:80              110.138.179.58:3162         SYN_RECV    -
tcp        0      0 66.7.221.78:80              110.138.179.58:3296         SYN_RECV    -
tcp        0      0 66.7.221.78:80              117.200.155.197:3742        SYN_RECV    -
tcp        0      0 66.7.221.78:80              117.200.155.197:4116        SYN_RECV    -
tcp        0      0 66.7.221.78:80              118.175.74.56:44640         SYN_RECV    -
tcp        0      0 66.7.221.78:80              118.175.74.56:44663         SYN_RECV    -
tcp        0      0 66.7.221.78:80              118.175.74.56:60025         SYN_RECV    -
tcp        0      0 66.7.221.78:80              118.96.143.54:49278         SYN_RECV    -
tcp        0      0 66.7.221.78:80              119.148.10.218:49468        SYN_RECV    -
tcp        0      0 66.7.221.78:80              122.164.96.85:2034          SYN_RECV    -
tcp        0      0 66.7.221.78:80              125.167.233.138:38001       SYN_RECV    -
tcp        0      0 66.7.221.78:80              125.167.233.138:40720       SYN_RECV    -
tcp        0      0 66.7.221.78:80              125.167.233.138:54342       SYN_RECV    -
tcp        0      0 66.7.221.78:80              128.10.19.52:49852          SYN_RECV    -
tcp        0      0 66.7.221.78:80              128.187.223.212:44272       SYN_RECV    -
tcp        0      0 66.7.221.78:80              128.220.231.2:37871         SYN_RECV    -
tcp        0      0 66.7.221.78:80              129.110.125.52:40194        SYN_RECV    -
tcp        0      0 66.7.221.78:80              129.130.252.141:48734       SYN_RECV    -
tcp        0      0 66.7.221.78:80              129.82.12.188:55490         SYN_RECV    -
tcp        0      0 66.7.221.78:80              131.179.150.72:49705        SYN_RECV    -
tcp        0      0 66.7.221.78:80              137.165.1.115:43573         SYN_RECV    -
tcp        0      0 66.7.221.78:80              141.219.252.133:44643       SYN_RECV    -
tcp        0      0 66.7.221.78:80              149.135.70.236:29968        SYN_RECV    -
tcp        0      0 66.7.221.78:80              149.135.70.236:38562        SYN_RECV    -
tcp        0      0 66.7.221.78:80              164.107.127.13:51938        SYN_RECV    -
tcp        0      0 66.7.221.78:80              169.229.50.12:47415         SYN_RECV    -
tcp        0      0 66.7.221.78:80              169.229.50.15:51748         SYN_RECV    -
tcp        0      0 66.7.221.78:80              169.229.50.15:51782         SYN_RECV    -
tcp        0      0 66.7.221.78:80              169.229.50.18:44910         SYN_RECV    -
tcp        0      0 66.7.221.78:80              170.140.119.70:33785        SYN_RECV    -
tcp        0      0 66.7.221.78:80              173.14.76.218:64671         SYN_RECV    -
tcp        0      0 66.7.221.78:80              173.17.218.10:21347         SYN_RECV    -
tcp        0      0 66.7.221.78:80              173.212.238.60:41009        SYN_RECV    -
tcp        0      0 66.7.221.78:80              173.218.74.187:50490        SYN_RECV    -
tcp        0      0 66.7.221.78:80              173.236.86.178:38248        SYN_RECV    -
tcp        0      0 66.7.221.78:80              173.236.86.178:38546        SYN_RECV    -
tcp        0      0 66.7.221.78:80              173.236.86.178:38556        SYN_RECV    -
tcp        0      0 66.7.221.78:80              173.236.86.178:46806        SYN_RECV    -
tcp        0      0 66.7.221.78:80              173.236.86.178:46809        SYN_RECV    -
tcp        0      0 66.7.221.78:80              173.236.86.178:47387        SYN_RECV    -
tcp        0      0 66.7.221.78:80              173.242.125.196:37477       SYN_RECV    -
tcp        0      0 66.7.221.78:80              173.68.57.13:60290          SYN_RECV    -
tcp        0      0 66.7.221.78:80              173.86.120.225:60333        SYN_RECV    -

And goes on... ...

The total number of attacked ips are 576 today, this was 1024 on yesterday.

#root@host [~]# netstat -n -p|grep SYN_REC | wc -l
576

I've used CSF (ConfigServer Firewall) but is not protecting. I've set parameters below
+ High Security Level:

Code:
SYNFLOOD  = 1
SYNFLOOD_RATE  = 1/s
SYNFLOOD_BURST  = 3

When it is running, I am not able to login to the server, all services are down, and so I stopped it. Also inetbase ddos script is not working...

This solution worked until today because attacker increased spoofed ips.

Also I am using iptables for filter incomming TCP-SYN requests. My iptables are below:

Code:
# Limit the number of incoming tcp connections
# Interface 0 incoming syn-flood protection
iptables -N syn_flood
iptables -A INPUT -p tcp --syn -j syn_flood
iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A syn_flood -j DROP
#Limiting the incoming icmp ping request:
iptables -A INPUT -p icmp -m limit --limit  1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix PING-DROP:
iptables -A INPUT -p icmp -j DROP 
iptables -A OUTPUT -p icmp -j ACCEPT
 

I've limited incomming TCP requests on port 80 by iptables:

Code:
iptables -I INPUT -p tcp -m state --state NEW --dport 80 -m recent --name http_flood --set
iptables -I INPUT -p tcp -m state --state NEW --dport 80 -m recent --name http_flood --update --seconds
10 --hitcount 3 -j DROP
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

It should be useful to prevent flood SYN_RECV attack on Linux server, You can try this at your own risk

Thank You



Tuesday, March 8, 2011

How to Find and Check Number of Connections to a Server

Whenever a client connects to a server via network, a connection is established and opened on the system. On a busy high load server, the number of connections connected to the server can be run into large amount till hundreds if not thousands. Find out and get a list of connections on the server by each node, client or IP address is useful for system scaling planning, and in most cases, detect and determine whether a web server is under DoS or DDoS attack (Distributed Denial of Service), where an IP sends large amount of connections to the server. To check connection numbers on the server, administrators and webmasters can make use of netstat command.

Below is some of the example a typically use command syntax for ‘netstat’ to check and show the number of connections a server has. Users can also use ‘man netstat’ command to get detailed netstat help and manual where there are lots of configurable options and flags to get meaningful lists and results.

#netstat -na
 
Display all active Internet connections to the servers and only established connections are included.

#netstat -an | grep :80 | sort

Show only active Internet connections to the server at port 80 and sort the results. Useful in detecting single flood by allowing users to recognize many connections coming from one IP.

#netstat -n -p|grep SYN_REC | wc -l
 
Let users know how many active SYNC_REC are occurring and happening on the server. The number should be pretty low, preferably less than 5. On DoS attack incident or mail bombed, the number can jump to twins. However, the value always depends on system, so a high value may be average in another server.

#netstat -n -p | grep SYN_REC | sort -u
 
List out the all IP addresses involved instead of just count.

#netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print $1}'
 
List all the unique IP addresses of the node that are sending SYN_REC connection status.

#netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
 
Use netstat command to calculate and count the number of connections each IP address makes to the server.

#netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
 
List count of number of connections the IPs are connected to the server using TCP or UDP protocol.

#netstat -ntu | grep ESTAB | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr
 
Check on ESTABLISHED connections instead of all connections, and displays the connections count for each IP.

#netstat -plan|grep :80|awk {'print $5'}|cut -d: -f 1|sort|uniq -c|sort -nk 1
 
Show and list IP address and its connection count that connect to port 80 on the server. Port 80 is used mainly by HTTP web page request.

If you would like to prevent this kind of attack, you can configure the following IPTABLES rule on the server

#iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
#iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP




Tuesday, March 1, 2011

The whole list of Cpanel backend and log files



In some situations we are using the backend files rather than the GUI interface. Using cpanel backend files are less time consuming and sometimes it is the only way to understand the actual issues. So it is better to byheart these all important cpanel backend and log files. Please take a look at these and I am sure that it will help you in some situations.
Apache
=======
/usr/local/apache
+ bin- apache binaries are stored here - httpd, apachectl, apxs
+ conf - configuration files - httpd.conf
+ cgi-bin
+ domlogs - domain log files are stored here
+ htdocs
+ include - header files
+ libexec - shared object (.so) files are stored here - libphp4.so,mod_rewrite.so
+ logs - apache logs - access_log, error_log, suexec_log
+ man - apache manual pages
+ proxy -
+ icons -

Init Script :/etc/rc.d/init.d/httpd - apache start script
Cpanel script to restart apache - /scripts/restartsrv_httpd
========================================================== 
Exim
=====
Conf : /etc/exim.conf - exim main configuration file
/etc/localdomains - list of domains allowed to relay mail
Log : /var/log/exim_mainlog - incoming/outgoing mails are logged here
/var/log/exim_rejectlog - exim rejected mails are reported here
/exim errors are logged here
Mail queue: /var/spool/exim/input
Cpanel script to restart exim - /scripts/restartsrv_exim
Email forwarders and catchall address file - /etc/valiases/domainname.com
Email filters file - /etc/vfilters/domainname.com
POP user authentication file - /home/username/etc/domainname/passwd
catchall inbox - /home/username/mail/inbox
POP user inbox - /home/username/mail/domainname/popusername/inbox
POP user spambox - /home/username/mail/domainname/popusername/spam
Program : /usr/sbin/exim (suid - -rwsr-xr-x 1 root root )
Init Script: /etc/rc.d/init.d/exim
=========================================================== 
ProFTPD
========
Program :/usr/sbin/proftpd
Init Script :/etc/rc.d/init.d/proftpd
Conf: /etc/proftpd.conf
Log: /var/log/messages, /var/log/xferlog
FTP accounts file - /etc/proftpd/username - all ftp accounts for the domain are listed here
=========================================================

Pure-FTPD
=========
Program : /usr/sbin/pure-ftpd
Init Script :/etc/rc.d/init.d/pure-ftpd
Conf: /etc/pure-ftpd.conf
Anonymous ftp document root - /etc/pure-ftpd/ip-address
==========================================================

Frontpage Extensions
=================
Program - (Install): /usr/local/frontpage/version5.0/bin/owsadm.exe
Uninstall and then install for re-installations
FP files are found as _vti-bin, _vti-pvt, _vti-cnf, vti-log inside the public_html
==========================================================

Mysql
=======
Program : /usr/bin/mysql
Init Script : /etc/rc.d/init.d/mysql
Conf : /etc/my.cnf, /root/.my.cnf
Data directory - /var/lib/mysql - Where all databases are stored.
Database naming convention - username_dbname (eg: john_sales)
Permissions on databases - drwx 2 mysql mysql
Socket file - /var/lib/mysql/mysql.sock, /tmp/ mysql.sock
===========================================================

SSHD
======
Program :/usr/local/sbin/sshd
Init Script :/etc/rc.d/init.d/sshd
/etc/ssh/sshd_config
Log: /var/log/messages
=========================================================

Perl
====
Program :/usr/bin/perl
Directory :/usr/lib/perl5/5.6.1/
=======================================================

PHP
====
Program :/usr/local/bin/php, /usr/bin/php
ini file: /usr/local/lib/php.ini - apache must be restarted after any change to this file
php can be recomplied using /scripts/easyapache
=========================================================

Named(BIND)
============
Program: /usr/sbin/named
Init Script: /etc/rc.d/init.d/named
/etc/named.conf
db records:/var/named/
/var/log/messages
========================================================

Cpanel installation directory structure
=============================
/usr/local/cpanel
+ 3rdparty/ - tools like fantastico, mailman files are located here
+ addons/ - AdvancedGuestBook, phpBB etc
+ base/ - phpmyadmin, squirrelmail, skins, webmail etc
+ bin/ - cpanel binaries
+ cgi-sys/ - cgi files like cgiemail, formmail.cgi, formmail.pl etc
+ logs/ - cpanel access log and error log
+ whostmgr/ - whm related files

WHM related files
===============
/var/cpanel - whm files
+ bandwidth/ - rrd files of domains
+ username.accts - reseller accounts are listed in this files
+ packages - hosting packages are listed here
+ root.accts - root owned domains are listed here
+ suspended - suspended accounts are listed here
+ users/ - cpanel user file - theme, bwlimit, addon, parked, sub-domains all are listed in this files
+ zonetemplates/ - dns zone template files are taken from here

Common CPanel scripts
===================
cpanel/whm Scripts are located in /scripts/
+ addns - add a dns zone
+ addfpmail - Add frontpage mail extensions to all domains without them
+ addfpmail2 -Add frontpage mail extensions to all domains without them
+ addnetmaskips - Add the netmask 255.255.255.0 to all IPs that have no netmask
+ addnobodygrp - Adds the gorup nobody and activates security
+ addpop - add a pop account
+ addservlets - Add JSP support to an account (requires tomcat)
+ addstatus - (Internal use never called by user)
+ adduser - Add a user to the system
+ bandwidth - (OLD)
+ betaexim - Installs the latest version of exim
+ biglogcheck - looks for logs nearing 2 gigabytes in size
+ bsdcryptoinstall - Installs crypto on FreeBSD
+ bsdldconfig - Configures the proper lib directories in FreeBSD
+ bsdpkgpingtest - Tests the connection speed for downloading FreeBSD packages
+ buildbsdexpect - Install expect on FreeBSD
+ builddomainaddr - (OLD)
+ buildeximconf - Rebuilds exim.conf
+ buildpostgrebsd-dev - Installs postgresql on FreeBSD.
+ chcpass - change cpanel passwords
+ easyapache - recompile/upgrade apache and/or php
+ exim4 - reinstall exim and fix permissions
+ fixcommonproblems - fixes most common problems
+ fixfrontpageperm - fixes permission issues with Front Page
+ fixmailman - fixes common mailman issues
+ fixnamed - fixes common named issues
+ fixndc - fixes rndc errors with named
+ fixquotas - fixes quota problems
+ fullhordereset - resets horde database to a fresh one - all previous user data are lost
+ initquotas - initializes quotas
+ installzendopt - installs zend optimizer
+ killacct - terminate an account - make sure you take a backup of the account first
+ mailperm - fixes permission problems with inboxes
+ park - to park a domain
+ pkgacct - used to backup an account
+ restartsrv - restart script for services
+ restorepkg - restores an account from a backup file ( pkgacct file)
+ runlogsnow - update logs of all users
+ runweblogs - update stats for a particular user
+ securetmp - secures /tmp partition with options nosuexec and nosuid
+ suspendacct - suspends an account
+ unsuspendacct - unsuspends a suspended account
+ upcp - updates cpanel to the latest version
+ updatenow - updates the cpanel scripts
+ updateuserdomains - updates userdomain entries
==========================================================

Important cpanel/whm files
====================
/etc/httpd/conf/httpd.conf - apache configuration file
/etc/exim.conf - mail server configuration file
/etc/named.conf - name server (named) configuration file
/etc/proftpd.conf - proftpd server configuration file
/etc/pure-ftpd.conf - pure-ftpd server configuration file
/etc/valiases/domainname - catchall and forwarders are set here
/etc/vfilters/domainname - email filters are set here
/etc/userdomains - all domains are listed here - addons, parked,subdomains along with their usernames
/etc/localdomains - exim related file - all domains should be listed here to be able to send mails
/var/cpanel/users/username - cpanel user file
/var/cpanel/cpanel.config - cpanel configuration file ( Tweak Settings )*
/etc/cpbackup-userskip.conf -
/etc/sysconfig/network - Networking Setup*
/etc/hosts -
/var/spool/exim -
/var/spool/cron -
/etc/resolv.conf - Networking Setup--> Resolver Configuration
/etc/nameserverips - Networking Setup--> Nameserver IPs ( FOr resellers to give their nameservers )
/var/cpanel/resellers - For addpkg, etc permissions for resellers.
/etc/chkserv.d - Main >> Service Configuration >> Service Manager *
/var/run/chkservd - Main >> Server Status >> Service Status *
/var/log/dcpumon - top log process
/root/cpanel3-skel - skel directory. Eg: public_ftp, public_html. (Account Functions-->Skeleton Directory )*
/etc/wwwacct.conf - account creation defaults file in WHM (Basic cPanel/WHM Setup)*
/etc/cpupdate.conf - Update Config *
/etc/cpbackup.conf - Configure Backup*
/etc/clamav.conf - clamav (antivirus configuration file )
/etc/my.cnf - mysql configuration file
/usr/local/Zend/etc/php.ini OR /usr/local/lib/php.ini - php configuration file
/etc/ips - ip addresses on the server (except the shared ip) (IP Functions-->Show IP Address Usage )*
/etc/ipaddrpool - ip addresses which are free
/etc/ips.dnsmaster - name server ips
/var/cpanel/Counters - To get the counter of each users.
/var/cpanel/bandwidth - To get bandwith usage of domain
==========================================================

/var/cpanel
accounting.log - Contains a list of accounting functions performed such as account removal and creation
cpanel.config – Tweak settings for whm can be done in this file
mainip – Main ip of the server is specified in this file
maxemail - Maximum emails per hour for a domain can be specified here The format is like the following domainname=number


Run the script /scripts/build_maxemails_config after editing this file This will create a file named after the corresponding domain name inside the directory maxemailsperdomain with the value specified in it.
Maxemailsperhour - Server wide maximum emails per hour can be set in this file. It applies to the whole domains in the server. You only need to insert the corresponding value in the file. A value of zero means unlimited.
Resellers-nameservers – This file gives you the name of the nameservers used by reseller users
resellers – This file lists the privileges of different reseller users
packages/ - This directory contains files for all the packages created under the WHM and the corresponding files will give all the details related to that package
suspended/ – This directory contains files for all the suspended users. You can get the
reason for suspension from the corresponding user file.
Users/ – This directory contains cpanel user files which contain all the information related to a cpanel account.
Zonetemplates/ - This directory contains templates for zone files, which will be used for creating zone file for a particular domain when a user is created
bandwidth/ - This directory contains files named after the domain names which give separate http and all bandwidth usages for a particular day
datastore/ - This directory contains sub directories named after the cpanel user name which contains two files named mysql-db-count and mysql-disk-usage .These files give you the number of databases a user have and the total disk space used by all these databases respectively.
=========================================================

/etc
localdomains – This file contains domains which are using the local mail server.
remotedomains - This file contains domains which are using a remote mail server instead of the local mail server
userdomains - All the domains of users are listed in this file including the addon, parked and subdomains along with their username.
trueuserdomains - The main domains of all cpanel uesrs are listed in this file along with their username
trueuserowners – All cpanel users along with their owners are listed in this file
wwwacct.conf - This is the default file used in cpanel account creation Information from this file is taken when an account is created
mailips - The ip which should be used for sending mails can be specified in this file Different ips can be set for different domains for sending mails and that can be specified in the file like the following domainname: ip address
ips – This file lists all the ips in the file except the main shared ip
ips.dnsmaster – This file lists all the ips of nameservers used by different domains
ipaddrpool – Lists the ip addresses in the server which are free
cpupdate.conf - Cpanel updation configuration can be done in this file Once you edit this file do not forgot to run the script /scripts/upcp
cpbackup.conf - Cpanel backup configuration can be done in this file You can enable or disable cpanel backup using this file.
Valiases/ - Email forwarders and catchall for a domain can be specified in the corresponding file inside this directory.
The format is like the following *: accountname
vfilters - Email filters can be specified in the corresponding file inside this directory.
========================================================== 
/usr/local/cpanel
bin/ – Cpanel binaries are located in this directory
version – You can get cpanel version from this file
logs/ - All log files of cpanel are located inside this directory.
error_log – cpanel logs any error it incurs in this file
license_log – All cpanel license update attempts are logged in this file stats_log – The stats daemon logs the output from all the status generators like awstats, webalizer.
access_log – General information pertaining to cPanel requests is logged in this file
base/ – Files of phpmyadmin, webmail etc are located in this directory
3rdparty/ – Files of mailman, fantastico etc are located in this directory
==========================================================

Important Log Files
================
Apache
/usr/local/apache/logs – It is the main log for apache
/usr/local/apache/domlogs/ – Domain specific logs are located inside this directory
/usr/local/apache/logs/access_log – This log records all requests processed by the server

Exim
/var/log/exim_mainlog - An entry is created inside this log every time a message is received or delivered
/var/log/exim_rejectlog - An entry is created inside this log every time a message is rejected based on either ACLs or other policies
/var/log/exim_paniclog - An entry is created inside this log when exim doesn’t know how to handle an error
/var/log/messages – General information and login attempts of FTP are logged here
/var/log/secure - General information and login attempts of SSHD are logged here
/var/log/maillog - The IMAP, POP, and SpamAssassin services all log here. This includes all general logging information (login attempts, transactions, spam scoring), along with fatal errors.
/var/log/mysqld.log ; /var/lib/mysql/$(hostname).err – Mysql general informations and errors are logged in either of these two files
/var/log/chkservd.log - The service monitoring daemon (chkservd) logs all service checks here. Failed services are represented with a [-], and active are represented with
/var/log/cron – An entry is created in this file when a cron is executed
/var/log/messages - General informations and errors of named are logged in this File
/var/log/dcpumon/toplog.[timestamp] - This log lists the top processes running Each five minute a new log is created
/usr/local/apache/logs/suexec_log - This log file contains auditing information reported by suexec each time a CGI application is executed.
/var/log/cpanel*install* – These log files contain verbose logs of the cPanel installation.
/var/cpanel/updatelogs/update-[timestamp.log] – It is the log file for upcp. Log entries are created when upcp runs


[See the original post:]

http://techzgroup.blogspot.com/2010/12/whole-list-of-cpanel-backend-and-log.html 





List of TCP and UDP port numbers


Here are the most important list of all TCP and UDP ports

Source from :

5 Tips to Reduce Disk Space on Linux Server



From time to time we need to clear up disk space on our servers, whether it is to just reduce disk space to help minimize the costs and usage of backup servers, or if it’s to clean up the server and help with performance.


Here are 5 easy ways you can instantly clear up hard drive space and reduce the number of inodes on your server:

1.) Remove User Generated cPanel Backups

Many times cPanel users aren’t aware that they should delete a cPanel backup before performing another cPanel backup. Essentially they are taking backups of backups and this can quite easily add up to several gigabytes of space just for one account. A quick and easy way to remove these is to run the following command from root:

for user in #`/bin/ls -A /var/cpanel/users` ; do rm -fv /home/$user/backup-*$user.tar.gz ; done

Make sure to copy the full command exactly how it is above. This will work forcPanel hosting servers only.

2.) Audit your MySQL Databases

Not only will this free up disk space but it can greatly help with increasing the performance on your server. Large MySQL databases on sites that are receiving a large amount of traffic can really slow down a server. Many times the tables that are using the most space in a database are simply from visitor logging or caching, things that can be freed up instantly be truncating the table.
Use the following command when logged in as root to show the highest usage
databases on the server:

#du -k --max-depth 1 /var/lib/mysql | sort -n

This will show a list of individual databases from lowest to highest. Databases larger than 500mb can be an issue with performance so it is worth it to investigate them.
Once you have the results from the command above, it is easy to go into phpMyAdmin and find the database. Once you have clicked on the database you should sort the table size by space, clicking it twice so that it shows the highest usage table on the top.
If the table is some type of visitor logging or tracking table, it generally is okay to truncate it. The same goes for caching. Make sure to backup the database just in-case before doing so, and it won’t hurt to do a quick google search to see if that table is okay to empty. Searching for the exact term/table name usually will bring up the results you are looking for.
This is a great way to free up disk space, RAM and help increase overall server performance.

3.) Remove Installatron and Fantastico Backups

If you are running Installatron or Fantastico on your server, it is easy for the backups for these files to use up a lot of inodes and space, taking up resources and slowing down performance. Usually once every few months we will remove these for that reason. You can do so by entering the following commands:

For Fantastico:

#rm -rfv /home/*/fantastico_backups

For Installatron:

#rm -rfv /home/*/.installatron/backups

These are the two software installers I am familiar with, if you are using another software installer the same can be done for it if you just insert the proper location where the backups are stored. Consult with the software developer to make sure it is okay to do so first.

4.) Get Rid of Cached Yum Files

Updates from Yum usually leave some unneeded files on the server. Do some
Yum house cleaning:

#yum clean all

5.) Delete Failed FTP Uploads

When users are uploading files via pure-ftp and the upload either fails or is interrupted it will leave a partial file on the server. You can quickly get rid of these to clean up some disk space:

#locate .pureftpd-upload | xargs rm -fv

Using the above five ways we have sometimes cleared hundreds of Gigabytes of space and doing all of the above should take you less than an hour.

Let us know your results or if you have anything to add.