[prev in list] [next in list] [prev in thread] [next in thread]
List: apache-httpd-users
Subject: =?UTF-8?B?UmU6IFt1c2Vyc0BodHRwZF0gQXc6wqBSZTogW3VzZXJzQGh0dHBkXSBB?= =?UTF-8?Q?pache_in_under_attack
From: Andrea Croci <andrea.croci () gmx ! de>
Date: 2021-01-13 9:59:12
Message-ID: 81739476-b047-e62b-bb21-8add8a6508fc () gmx ! de
[Download RAW message or body]
Hi James,
what was the command you used to see that apache uses ~1GB of memory? I
deleted the mail and that was a bad idea: there were some very useful
commands you were giving us here.
On 12.01.21 12:17, James Smith wrote:
> That shows you only have 2 incoming requests. How many lines if you remove the \
> TIME_WAIT
> Try: netstat -n | grep ':80 ' | wc
>
> This may show lots of short requests happening over time
>
> But to be honest the host important thing you need to do is strip down the list of \
> modules you are using - that is what is causing you problems - the apache processes \
> are so large you are causing the server to swap -
> If you are permanently using a lot of swap then that slows down your processes and \
> can cause your request to back up (a bit like a traffic jam)
> You should only really have about 20-30 modules running.
>
> -----Original Message-----
> From: Jason Long <hack3rcon@yahoo.com.INVALID>
> Sent: 12 January 2021 11:14
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Aw: Re: [users@httpd] Apache in under attack. [EXT]
>
> It show me:
>
> # netstat -n | grep ':80 ' | grep -v TIME_WAIT
> tcp6 0 0 X.X.X.X:80 X.X.X.X:16126 FIN_WAIT2
> tcp6 0 0 X.X.X.X:80 X.X.X.X:64595 FIN_WAIT2
>
>
>
>
>
>
> On Tuesday, January 12, 2021, 02:20:00 PM GMT+3:30, James Smith <js5@sanger.ac.uk> \
> wrote:
>
>
>
>
> If you want incoming traffic you can do:
>
> netstat -n | grep ':443 ' | grep -v TIME_WAIT
>
> The incoming IP should be the 2nd address
>
> (or ':80 ' if you aren't doing SSL)
>
> Remove the grep -v TIME_WAIT to see all connections {and recent connections}
>
> -----Original Message-----
> From: Jason Long <hack3rcon@yahoo.com.INVALID>
> Sent: 12 January 2021 10:33
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Aw: Re: [users@httpd] Apache in under attack. [EXT]
>
> Output is:
>
> 1688 323400 80850 0 /usr/sbin/httpd -DFOREGROUND
> 6384 517620 129405 0 /usr/sbin/httpd -DFOREGROUND
> 1163280 3898288 974572 63 /usr/sbin/httpd -DFOREGROUND
> 1250040 3912624 978156 64 /usr/sbin/httpd -DFOREGROUND
> 1299300 3986396 996599 84 /usr/sbin/httpd -DFOREGROUND
> 1367304 4012976 1003244 74 /usr/sbin/httpd -DFOREGROUND
>
> How can I see the IP addresses and their incoming traffic?
>
>
>
>
>
>
> On Tuesday, January 12, 2021, 01:49:21 PM GMT+3:30, James Smith <js5@sanger.ac.uk> \
> wrote:
>
>
>
>
> Another thing to look at is to restart the apache process and see memory usage. You \
> can either use top. Or you can use a cron job which emails you the output of:
> ps -e -o rsz,vsz,sz,cp,cmd | grep apache2 | grep -v grep | sort -k 1 -n
>
> to see if you start or if it grows gradually
>
> -----Original Message-----
> From: Jason Long <hack3rcon@yahoo.com.INVALID>
> Sent: 12 January 2021 10:01
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Aw: Re: [users@httpd] Apache in under attack. [EXT]
>
> I did below rule, but not worked:
> # iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 -j \
> REJECT --reject-with tcp-reset
>
>
>
>
>
>
> On Tuesday, January 12, 2021, 01:15:40 PM GMT+3:30, Florian Schwalm \
> <flo@flo-films.de> wrote:
>
>
>
>
>
> It can be done with iptables or take a look at fail2ban:
> https://urldefense.proofpoint.com/v2/url?u=https-3A__security.stackexchange.com_q_35 \
> 773_213194&d=DwIFaQ&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=oH2yp0ge1ecj4oDX \
> 0XM7vQ&m=I9F0cXVKI5lNIkmNjSJUj4c7qqr061vJX88jzcMLpvA&s=_jkuSoCIH2P5CqYmZuedFXUmuuq3Uf5PkIKE5nk_B3o&e=
>
> Am 12.01.21, 10:26 schrieb Jason Long <hack3rcon@yahoo.com.INVALID>:
> > Thank you, but "Firewalld" or "iptables" can't do it automatically? When an IP \
> > sending many request then it automatically blocked.
> >
> >
> >
> >
> >
> > On Tuesday, January 12, 2021, 12:49:50 PM GMT+3:30, James Smith \
> > <js5@sanger.ac.uk> wrote:
> >
> >
> >
> >
> > Jason,
> >
> > I would also query why your process are ~ 1G resident that seems quite large for \
> > apache.
> > What modules do you have enabled - even with mod_perl embedded I would not want \
> > them to go about 500-800M depending on the site of your box.
> > I know Apache is very good at grabbing memory for each process - but it doesn't \
> > tend to hand it back - and just keeps it (just in case)
> > It looks like you either have a memory leak - or the code is collecting too much \
> > data before squirting it out
> > There are other setups that you may want to look at if you have large dynamic \
> > requests and a lot of small static request (images/css/js) where you run two web \
> > servers - one serving static content and proxying back to dynamic content.
> > James
> >
> > -----Original Message-----
> > From: James Smith <js5@sanger.ac.uk>
> > Sent: 12 January 2021 09:09
> > To: users@httpd.apache.org
> > Subject: RE: [users@httpd] Apache in under attack. [EXT]
> >
> > Put a firewall rule into block whatever that first IP address is then.
> >
> > Something like:
> >
> > firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source \
> > address='X.X.X.X' reject"
> > If you are seeing a current attack then you can tweak Charles' command line to:
> >
> > tail -10000 access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head
> >
> > or I often use cut instead of awk..
> >
> > tail -10000 access.log | cut -d ' ' -f 1 | sort | uniq -c | sort -nr | head
> >
> > -----Original Message-----
> > From: Jason Long <hack3rcon@yahoo.com.INVALID>
> > Sent: 12 January 2021 08:53
> > To: users@httpd.apache.org
> > Subject: Re: [users@httpd] Apache in under attack. [EXT]
> >
> > It show me:
> >
> > 13180 X.X.X.X
> > 1127 X.X.X.X
> > 346 X.X.X.X
> > 294 X.X.X.X
> > 241 X.X.X.X
> > 169 X.X.X.X
> > 168 X.X.X.X
> > 157 X.X.X.X
> > 155 X.X.X.X
> > 153 X.X.X.X
> >
> >
> >
> >
> >
> >
> >
> >
> > On Tuesday, January 12, 2021, 07:12:22 AM GMT+3:30, Bender, Charles \
> > <charles@beachcamera.com.invalid> wrote:
> >
> >
> >
> >
> > Run this against your log file in bash shell
> >
> > cat access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head
> >
> > This will show you most frequent IPs, sorted in descending order. Block as needed
> >
> > On 1/11/21, 7:11 PM, "Jason Long" <hack3rcon@yahoo.com.INVALID> wrote:
> >
> > Can you help me?
> >
> >
> >
> >
> >
> >
> > On Tuesday, January 12, 2021, 03:36:30 AM GMT+3:30, Nick Folino <nick@folino.us> \
> > wrote:
> >
> >
> >
> >
> > Concentrate on just one...
> >
> > On Mon, Jan 11, 2021 at 7:02 PM Jason Long <hack3rcon@yahoo.com.invalid> wrote:
> > > It is a lot of IP addresses !!!
> > >
> > >
> > >
> > >
> > >
> > >
> > > On Tuesday, January 12, 2021, 03:30:02 AM GMT+3:30, Nick Folino \
> > > <nick@folino.us> wrote:
> > >
> > >
> > >
> > >
> > > How to find pattern:
> > > Look at log.
> > > Find bad things that are similar.
> > >
> > > Then:
> > > Block bad things from reaching web server.
> > >
> > > On Mon, Jan 11, 2021 at 6:49 PM Jason Long <hack3rcon@yahoo.com.invalid> wrote:
> > > > How to find pattern?
> > > > Log show me: \
> > > > https://urldefense.proofpoint.com/v2/url?u=https-3A__paste.ubuntu.com_p_MjjVMv \
> > > > RrQc_&d=DwIFaQ&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=oH2yp0ge1ecj4oD \
> > > > X0XM7vQ&m=3PjPryDoNL3lr2gh0F6gLkL-pFWSat8aihqbLnBMag8&s=iTeaVG53Ne-jiAhMis6h9nlKBdUrWXhIuky31GQhURE&e=
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > On Tuesday, January 12, 2021, 03:06:12 AM GMT+3:30, Filipe Cifali \
> > > > <cifali.filipe@gmail.com> wrote:
> > > >
> > > >
> > > >
> > > >
> > > > Yeah it's probably not going to matter if you don't know what's attacking you \
> > > > before setting up the rules, you need to find the patterns, either the attack \
> > > > target or the attackers origins.
> > > > On Mon, Jan 11, 2021 at 8:26 PM Jason Long <hack3rcon@yahoo.com.invalid> \
> > > > wrote:
> > > > > I used a rule like:
> > > > >
> > > > > # firewall-cmd --permanent --zone="public" --add-rich-rule='rule port \
> > > > > port="80" protocol="tcp" accept limit value="100/s" log prefix="HttpsLimit" \
> > > > > level="warning" limit value="100/s"'
> > > > > But not matter.
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > On Tuesday, January 12, 2021, 02:47:01 AM GMT+3:30, Filipe Cifali \
> > > > > <cifali.filipe@gmail.com> wrote:
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > You need to investigate your logs and find common patterns there, also \
> > > > > there are different tools to handle small and big workloads like you could \
> > > > > use iptables/nftables to block based on patterns and number of requests.
> > > > > On Mon, Jan 11, 2021 at 8:06 PM Jason Long <hack3rcon@yahoo.com.invalid> \
> > > > > wrote:
> > > > > > Hello,
> > > > > > On a CentOS web server with Apache, someone make a lot of request and it \
> > > > > > make slowing server. when I disable "httpd" service then problem solve. \
> > > > > > How can I find who made a lot of request? \
> > > > > > [url]https://urldefense.proofpoint.com/v2/url?u=https-3A__imgur.com_O33g3q \
> > > > > > l-5B_url-5D&d=DwIFaQ&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=oH2yp \
> > > > > > 0ge1ecj4oDX0XM7vQ&m=3PjPryDoNL3lr2gh0F6gLkL-pFWSat8aihqbLnBMag8&s=5Qu-cdmn037VIUfExtigktWPBBJ7lby836voIoSO_y0&e=
> > > > > > Any idea to solve it?
> > > > > >
> > > > > >
> > > > > > Thank you.
> > > > > >
> > > > > > ---------------------------------------------------------------------
> > > > > > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > > > > > For additional commands, e-mail: users-help@httpd.apache.org
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > > > --
> > > > > [ ]'s
> > > > >
> > > > > Filipe Cifali Stangler
> > > > >
> > > > >
> > > > > ---------------------------------------------------------------------
> > > > > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > > > > For additional commands, e-mail: users-help@httpd.apache.org
> > > > >
> > > > >
> > > >
> > > >
> > > > --
> > > > [ ]'s
> > > >
> > > > Filipe Cifali Stangler
> >
> > > >
> > > >
> > > > ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > > > For additional commands, e-mail: users-help@httpd.apache.org
> > > >
> > > >
> > >
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > > For additional commands, e-mail: users-help@httpd.apache.org
> > >
> > >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > For additional commands, e-mail: users-help@httpd.apache.org
> >
> >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > For additional commands, e-mail: users-help@httpd.apache.org
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > For additional commands, e-mail: users-help@httpd.apache.org
> >
> >
> >
> >
> > --
> > The Wellcome Sanger Institute is operated by Genome Research Limited, a charity \
> > registered in England with number 1021457 and a company registered in England \
> > with number 2742969, whose registered office is 215 Euston Road, London, NW1 \
> > 2BE.B KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKCB [ \
> > X ܚX KK[XZ[ \ \ ][ X ܚX P
> > \X K ܙ B ܈Y][ۘ[ [X[ K[XZ[
> > \ \ Z[
> > \X K ܙ B
> >
> >
> >
> >
> > --
> > The Wellcome Sanger Institute is operated by Genome Research
> > Limited, a charity registered in England with number 1021457 and a
> > company registered in England with number 2742969, whose registered
> > office is 215 Euston Road, London, NW1 2BE.
>
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > For additional commands, e-mail: users-help@httpd.apache.org
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > For additional commands, e-mail: users-help@httpd.apache.org
> >
> >
> --------------------------------------------------------------------- To \
> unsubscribe, e-mail: users-unsubscribe@httpd.apache.org For additional commands, \
> e-mail: users-help@httpd.apache.org
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic