httpd-users mailing list archives

From Grant <>
Subject Re: [users@httpd] Re: apache service interruption
Date Tue, 30 Jul 2013 06:25:26 GMT
> You wouldn't keep a syn proxy rule enabled all the time; only under a DoS
> attack.  You could also implement ModSecurity.

ModSecurity looks good and I think it works with nginx as well as
apache.  Is everyone who isn't running OSSEC HIDS or ModSecurity
vulnerable to a single client requesting too many pages and
interrupting the service?

- Grant

>>> Also, you should be able to limit simultaneous client connections with
>>> your firewall and pass the traffic in a syn proxy state. There are
>>> numerous ways to achieve this.
>> Is that the best way to go besides OSSEC HIDS?  I can imagine that
>> sort of thing could cause problems.
>> - Grant
>>>> You can always compile from source ;)
>>>> What version of Apache are you running?
>>>> On 07/29/2013 02:59 AM, Grant wrote:
>>>>>> Was it just an IP exhausting the apache service with too many
>>>>>> connections?  What do you see in the access logs?  I use OSSEC HIDS my
>>>>>> apache servers to mitigate this.
>>>>> In the access log I see the same IP made many requests during the
>>>>> service interruption and I think that exhausted the apache service.
>>>>> It looks like there isn't a Gentoo ebuild for OSSEC HIDS.  Is there
>>>>> another way to prevent this sort of thing?
>>>>> - Grant
>>>>>>>> My server has 4GB RAM and uses nginx as a reverse proxy to apache. A
>>>>>>>> little while ago my website became inaccessible for about minutes.
>>>>>>>> I checked my munin graphs and it looks like apache processes to
>>>>>>>> about 29 during this time which is many times greater than usual. I
>>>>>>>> have MaxClients at 30 and the error log verifies that MaxClients
>>>>>>>> not reached.  The strange part is system disk latency shows a spike
>>>>>>>> during the interruption which is only very slightly greater other
>>>>>>>> spikes which did not interrupt service.  System CPU, memory, swap
>>>>>>>> usage don't show anything interesting at all.
>>>>>>>> Does this make sense to anyone?  Should I decrease MaxClients?
>>>>>>>> - Grant
>>>>>>> I've looked over my access_log and I can see there is a particular
>>>>>>> which was making many requests during the interruption.  Since
>>>>>>> does not show there was an excessive amount of memory or CPU
>>>>>>> lowering MaxClients won't help?
>>>>>>> - Grant
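
The access-log check discussed in this thread (one client IP making many requests during the interruption), as an added example that is not part of the original messages. It assumes Apache common/combined log format, roughly chronological lines, and a window and threshold (10 seconds, 20 requests) chosen only for illustration; the sample log is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common/combined log format prefix: client IP, identity, user, [timestamp]
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def find_bursts(lines, window_seconds=10, threshold=20):
    """Return {ip: peak request count in any sliding window} for every IP
    whose peak reaches `threshold`. Defaults are assumptions to tune."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # not an access-log entry
        ip, raw_ts = m.groups()
        try:
            ts = datetime.strptime(raw_ts, TS_FORMAT)
        except ValueError:
            continue              # unparseable timestamp
        q = recent[ip]
        q.append(ts)
        while ts - q[0] >= window:   # drop requests older than the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}

def sample_log():
    """Constructed sample data (documentation-range IPs), not from the thread."""
    base = datetime(2013, 7, 29, 2, 0, 0, tzinfo=timezone.utc)
    # One client sends 5 requests per second for 6 seconds ...
    events = [(base + timedelta(seconds=i // 5), "203.0.113.7") for i in range(30)]
    # ... while another sends one request every 10 seconds.
    events += [(base + timedelta(seconds=10 * i), "198.51.100.4") for i in range(6)]
    events.sort(key=lambda e: e[0])
    lines = ['%s - - [%s] "GET / HTTP/1.1" 200 512' % (ip, ts.strftime(TS_FORMAT))
             for ts, ip in events]
    return lines + ["not an access log line"]

if __name__ == "__main__":
    for ip, count in find_bursts(sample_log()).items():
        print("%s peaked at %d requests in 10 seconds" % (ip, count))
```

With nginx in front as a reverse proxy, the Apache log records the proxy's address unless the real client address is passed through and logged, so this would normally be run against the nginx access log.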
