httpd-users mailing list archives

From Grant <emailgr...@gmail.com>
Subject Re: [users@httpd] Re: apache service interruption
Date Tue, 30 Jul 2013 06:25:26 GMT
> You wouldn't keep a syn proxy rule enabled all the time; only under a DoS
> attack.  You could also implement ModSecurity.

ModSecurity looks good and I think it works with nginx as well as
apache.  Is everyone who isn't running OSSEC HIDS or ModSecurity
vulnerable to a single client requesting too many pages and
interrupting the service?

- Grant


>>> Also, you should be able to limit simultaneous client connections with your
>>> firewall and pass the traffic in a syn proxy state. There are numerous ways
>>> to achieve this.
>>
>>
>> Is that the best way to go besides OSSEC HIDS?  I can imagine that
>> sort of thing could cause problems.
>>
>> - Grant
>>
>>
>>>> You can always compile from source ;)
>>>> What version of Apache are you running?
>>>>
>>>> On 07/29/2013 02:59 AM, Grant wrote:
>>>>>>
>>>>>>
>>>>>> Was it just an IP exhausting the apache service with too many
>>>>>> connections?  What do you see in the access logs?  I use OSSEC HIDS on my
>>>>>> apache servers to mitigate this.
>>>>>
>>>>>
>>>>>
>>>>> In the access log I see the same IP made many requests during the
>>>>> service interruption and I think that exhausted the apache service.
>>>>> It looks like there isn't a Gentoo ebuild for OSSEC HIDS.  Is there
>>>>> another way to prevent this sort of thing?
>>>>>
>>>>> - Grant
>>>>>
>>>>>
>>>>>>>> My server has 4GB RAM and uses nginx as a reverse proxy to apache. A
>>>>>>>> little while ago my website became inaccessible for about 30 minutes.
>>>>>>>> I checked my munin graphs and it looks like apache processes spiked to
>>>>>>>> about 29 during this time which is many times greater than usual. I
>>>>>>>> have MaxClients at 30 and the error log verifies that MaxClients was
>>>>>>>> not reached.  The strange part is system disk latency shows a spike
>>>>>>>> during the interruption which is only very slightly greater than other
>>>>>>>> spikes which did not interrupt service.  System CPU, memory, and swap
>>>>>>>> usage don't show anything interesting at all.
>>>>>>>>
>>>>>>>> Does this make sense to anyone?  Should I decrease MaxClients?
>>>>>>>>
>>>>>>>> - Grant
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> I've looked over my access_log and I can see there is a particular IP
>>>>>>> which was making many requests during the interruption.  Since munin
>>>>>>> does not show there was an excessive amount of memory or CPU usage,
>>>>>>> lowering MaxClients won't help?
>>>>>>>
>>>>>>> - Grant
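
Added example, not part of the original thread: a Python check for the access-log pattern discussed above, counting requests per client IP in a sliding window to surface a single client sending a burst of requests. The regex covers the Apache common/combined log prefix; the function names, thresholds and sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Prefix shared by the Apache common/combined formats: client, ident, user, [time], "request
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def find_bursts(lines, max_requests=20, window_seconds=10):
    """Return {client_ip: peak request count within any window} for clients
    that exceeded max_requests inside window_seconds. Both thresholds are
    illustrative assumptions and need tuning against normal traffic."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)    # per-client timestamps still inside the window
    peaks = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue               # skip lines that are not in the expected format
        try:
            ts = datetime.strptime(m.group(2), TS_FMT)
        except ValueError:
            continue               # skip unparsable timestamps
        q = recent[m.group(1)]
        q.append(ts)
        while ts - q[0] > window:  # drop requests older than the window
            q.popleft()
        if len(q) > max_requests:
            peaks[m.group(1)] = max(peaks.get(m.group(1), 0), len(q))
    return peaks


def sample_log():
    """Constructed sample: one client sends 40 requests in 8 seconds while
    another requests a page every 15 seconds (documentation-range addresses)."""
    start = datetime(2013, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    events = [(start + timedelta(milliseconds=200 * i), "203.0.113.7") for i in range(40)]
    events += [(start + timedelta(seconds=15 * i), "198.51.100.23") for i in range(5)]
    return [
        f'{ip} - - [{t.strftime(TS_FMT)}] "GET /page HTTP/1.1" 200 512'
        for t, ip in sorted(events)
    ]


if __name__ == "__main__":
    for ip, peak in find_bursts(sample_log()).items():
        print(f"{ip}: {peak} requests within 10 seconds")
```

With nginx in front of Apache, run this against whichever log records the real client address; Apache's own log shows the proxy's address unless it is configured to log the forwarded one.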
