Re: [users@httpd] Apache in under attack.

2021-01-17 Thread Jason Long
Do you mean the lines below in the "httpd.conf" file?
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio

On Thursday, January 14, 2021, 11:43:33 PM GMT+3:30, Richard wrote:

You should look at adding the %D and %T format strings to your httpd
access log configuration so that you can capture the amount of time
spent in delivery of a resource.


> Date: Thursday, January 14, 2021 11:48:55 +
> From: Jason Long 
>
> Server have 4 CPU cores and 6GB of RAM.
> I pasted Apache configuration. In your opinion, which parts of
> servers must be examine?
> 
> 
> On Wednesday, January 13, 2021, 08:30:58 PM GMT+3:30, @lbutlr
>  wrote: 
> 
> 
>> On 12 Jan 2021, at 01:52, Jason Long 
>> wrote:
>> 
>> It show me:
>> 
>> 13180 X.X.X.X
>>     1127 X.X.X.X 
>>     346 X.X.X.X 
>>     294 X.X.X.X 
>>     241 X.X.X.X 
>>     169 X.X.X.X 
>>     168 X.X.X.X
>>     157 X.X.X.X
>>     155 X.X.X.X
>>     153 X.X.X.X
> 
> Your server would not be getting bogged down by that few
> connections unless your hardware is very weak or you are hosting
> something insane.
> 
> I have a very lightly used web server that gets more than 40K hits
> a day running on a Celeron machine with a whole 4GB of RAM and my
> load average is in the 1.2 range consistently.
> 
> I wonder if there is not some configuration error.
> 
> Also, the URLs shown in your logs starting with /tag/ followed by a
> long series of hex digits, do those look like valid URLs for your
> server?
> 
> Do a dig -x on the IP that is hitting you 13,000 times and see
> where it is. You can try firewalling it, but if it's not some
> misconfigured server, the DOS will simply move to another IP.
> 
>> https://paste.ubuntu.com/p/PsxM8yPXPQ/
> 
> I haven't run F2B in quite a while, but is that a list of IPs that
> you are whitelisting or does [Protect] mean "Protect FROM"?
> 
> But if 13,000 queries are crippling your web server, I think your
> real problem lies elsewhere than the 13,000 hits.
> 
> (You are loading almost double the modules that I am, by the way.
> It seems like a lot. Do you know why each of those modules is
> enabled?)

 End Original Message 




-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org





RE: [users@httpd] Apache in under attack. [EXT]

2021-01-14 Thread James Smith
The first place to look in this case is the size of the apache processes. Once 
the OP has got on top of this - then other issues can be investigated.

So process would be:
1) Reduce number of modules in Apache (>100 at the moment) should be around 15-25 region;
2) Look at memory usage;
3) If high would also look to see which PHP packages have been installed;
4) Once past these I would start looking at the actual attack and the particular requests;



-Original Message-
From: @lbutlr  
Sent: 15 January 2021 06:37
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache in under attack. [EXT]

On 14 Jan 2021, at 04:48, Jason Long  wrote:
> Server have 4 CPU cores and 6GB of RAM.
> I pasted Apache configuration. In your opinion, which parts of servers must 
> be examine?

Throwing more resources at the problem is not likely to fix the problem. You 
need to figure out what is going on with your server and WHY it is taking so 
much time it is bogging down and WHERE the slowdown is happening.

This is not something that someone can just say "Oh, it's this" because the 
problem is unique to your machine, your content, and your users.

I would start with those very suspicious (to me) looking URL requests 
containing dozens of digits of hex. Do those look like they are legitimate 
links to your server's web content?

Also, please stop top-posting and quoting the entire message thread below.

-- 
We are born naked, wet and hungry; then it's all downhill.





Re: [users@httpd] Apache in under attack.

2021-01-14 Thread @lbutlr
On 14 Jan 2021, at 04:48, Jason Long  wrote:
> Server have 4 CPU cores and 6GB of RAM.
> I pasted Apache configuration. In your opinion, which parts of servers must 
> be examine?

Throwing more resources at the problem is not likely to fix the problem. You 
need to figure out what is going on with your server and WHY it is taking so 
much time it is bogging down and WHERE the slowdown is happening.

This is not something that someone can just say "Oh, it's this" because the 
problem is unique to your machine, your content, and your users.

I would start with those very suspicious (to me) looking URL requests 
containing dozens of digits of hex. Do those look like they are legitimate 
links to your server's web content?

Also, please stop top-posting and quoting the entire message thread below.

-- 
We are born naked, wet and hungry; then it's all downhill.





Re: [users@httpd] Apache in under attack.

2021-01-14 Thread Richard
You should look at adding the %D and %T format strings to your httpd
access log configuration so that you can capture the amount of time
spent in delivery of a resource.


> Date: Thursday, January 14, 2021 11:48:55 +
> From: Jason Long 
>
> Server have 4 CPU cores and 6GB of RAM.
> I pasted Apache configuration. In your opinion, which parts of
> servers must be examine?
> 
> 
> On Wednesday, January 13, 2021, 08:30:58 PM GMT+3:30, @lbutlr
>  wrote: 
> 
> 
>> On 12 Jan 2021, at 01:52, Jason Long 
>> wrote:
>> 
>> It show me:
>> 
>> 13180 X.X.X.X
>>     1127 X.X.X.X 
>>     346 X.X.X.X 
>>     294 X.X.X.X 
>>     241 X.X.X.X 
>>     169 X.X.X.X 
>>     168 X.X.X.X
>>     157 X.X.X.X
>>     155 X.X.X.X
>>     153 X.X.X.X
> 
> Your server would not be getting bogged down by that few
> connections unless your hardware is very weak or you are hosting
> something insane.
> 
> I have a very lightly used web server that gets more than 40K hits
> a day running on a Celeron machine with a whole 4GB of RAM and my
> load average is in the 1.2 range consistently.
> 
> I wonder if there is not some configuration error.
> 
> Also, the URLs shown in your logs starting with /tag/ followed by a
> long series of hex digits, do those look like valid URLs for your
> server?
> 
> Do a dig -x on the IP that is hitting you 13,000 times and see
> where it is. You can try firewalling it, but if it's not some
> misconfigured server, the DOS will simply move to another IP.
> 
>> https://paste.ubuntu.com/p/PsxM8yPXPQ/
> 
> I haven't run F2B in quite a while, but is that a list of IPs that
> you are whitelisting or does [Protect] mean "Protect FROM"?
> 
> But if 13,000 queries are crippling your web server, I think your
> real problem lies elsewhere than the 13,000 hits.
> 
> (You are loading almost double the modules that I am, by the way.
> It seems like a lot. Do you know why each of those modules is
> enabled?)

 End Original Message 
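
An added example, not part of the original thread: once %D (request time in microseconds) is appended to the access-log format as Richard suggests, the per-IP hit count used elsewhere in this thread can be weighted by server time, and the /tag/ plus hex requests @lbutlr asks about can be measured separately. The format nickname `combined_time`, the 16-digit threshold, the function names and the sample log lines are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: per-client time accounting from an access log that ends in %D.
# Assumed LogFormat (the nickname "combined_time" is hypothetical):
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined_time
# %D is the time taken to serve the request in microseconds, so it is the last field.

# Constructed sample log (documentation addresses, made-up paths and timings).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [12/Jan/2021:10:00:01 +0000] "GET /tag/3f9a1c0de4b27a6650c1d2e3f4a5b6c7 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)" 2400000
192.0.2.10 - - [12/Jan/2021:10:00:02 +0000] "GET /tag/a1b2c3d4e5f60718293a4b5c6d7e8f90 HTTP/1.1" 200 5098 "-" "Mozilla/5.0 (X11; Linux x86_64)" 3100000
192.0.2.10 - - [12/Jan/2021:10:00:02 +0000] "GET /tag/00ff11ee22dd33cc44bb55aa66997788 HTTP/1.1" 200 5133 "-" "Mozilla/5.0 (X11; Linux x86_64)" 2900000
198.51.100.7 - - [12/Jan/2021:10:00:03 +0000] "GET /wp-content/themes/site/style.css HTTP/1.1" 200 18211 "http://example.com/" "Mozilla/5.0 (Windows NT 10.0)" 1800
198.51.100.7 - - [12/Jan/2021:10:00:03 +0000] "GET / HTTP/1.1" 200 40211 "-" "Mozilla/5.0 (Windows NT 10.0)" 350000
203.0.113.5 - - [12/Jan/2021:10:00:04 +0000] "GET /tag/news HTTP/1.1" 200 9120 "-" "curl/7.68.0" 420000
EOF
}

# Per client: requests, total seconds of server time, mean milliseconds per request.
# Sorted by total time, which is what ties up httpd workers, rather than by hit count.
time_by_client() {
    awk '$NF ~ /^[0-9]+$/ { n[$1]++; us[$1] += $NF }
         END {
             for (ip in n)
                 printf "%s %d %.2f %.0f\n", ip, n[ip], us[ip] / 1e6, us[ip] / n[ip] / 1000
         }' |
    LC_ALL=C sort -k3,3nr
}

# Requests whose path is /tag/ followed only by hex digits, at least MIN of them
# (default 16, an assumed threshold). Prints: hit count, total seconds served.
hex_tag_summary() {
    min="${1:-16}"
    awk -v min="$min" '
        $NF ~ /^[0-9]+$/ {
            path = $7
            sub(/\?.*/, "", path)                 # ignore any query string
            if (path ~ /^\/tag\/[0-9A-Fa-f]+\/?$/) {
                id = path
                sub(/^\/tag\//, "", id)
                sub(/\/$/, "", id)
                if (length(id) >= min) { hits++; us += $NF }
            }
        }
        END { printf "%d %.2f\n", hits, us / 1e6 }'
}

# Stand-alone run on the constructed sample; on a server, feed the real log instead:
#   time_by_client < /path/to/access_log
sample_log | time_by_client
sample_log | hex_tag_summary
```
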






Re: [users@httpd] Apache in under attack.

2021-01-14 Thread Jason Long
Server has 4 CPU cores and 6GB of RAM.
I pasted the Apache configuration. In your opinion, which parts of the server must be 
examined?

On Wednesday, January 13, 2021, 08:30:58 PM GMT+3:30, @lbutlr wrote:

> On 12 Jan 2021, at 01:52, Jason Long  wrote:
> 
> It show me:
> 
> 13180 X.X.X.X
>    1127 X.X.X.X 
>    346 X.X.X.X 
>    294 X.X.X.X 
>    241 X.X.X.X 
>    169 X.X.X.X 
>    168 X.X.X.X
>    157 X.X.X.X
>    155 X.X.X.X
>    153 X.X.X.X

Your server would not be getting bogged down by that few connections unless 
your hardware is very weak or you are hosting something insane.

I have a very lightly used web server that gets more than 40K hits a day 
running on a Celeron machine with a whole 4GB of RAM and my load average is in 
the 1.2 range consistently.

I wonder if there is not some configuration error.

Also, the URLs shown in your logs starting with /tag/ followed by a long series 
of hex digits, do those look like valid URLs for your server?

Do a dig -x on the IP that is hitting you 13,000 times and see where it is. You 
can try firewalling it, but if it's not some misconfigured server, the DOS will 
simply move to another IP.

> https://paste.ubuntu.com/p/PsxM8yPXPQ/

I haven't run F2B in quite a while, but is that a list of IPs that you are 
whitelisting or does [Protect] mean "Protect FROM"?

But if 13,000 queries are crippling your web server, I think your real problem 
lies elsewhere than the 13,000 hits.

(You are loading almost double the modules that I am, by the way. It seems like 
a lot. Do you know why each of those modules is enabled?)

-- 
They say whisky'll kill you, but I don't think it will I'm ridin'
    with you to the top of the hill






Re: [users@httpd] Apache in under attack.

2021-01-13 Thread @lbutlr



> On 12 Jan 2021, at 01:52, Jason Long  wrote:
> 
> It show me:
> 
> 13180 X.X.X.X
>  1127 X.X.X.X
>   346 X.X.X.X
>   294 X.X.X.X
>   241 X.X.X.X
>   169 X.X.X.X
>   168 X.X.X.X
>   157 X.X.X.X
>   155 X.X.X.X
>   153 X.X.X.X

Your server would not be getting bogged down by that few connections unless 
your hardware is very weak or you are hosting something insane.

I have a very lightly used web server that gets more than 40K hits a day 
running on a Celeron machine with a whole 4GB of RAM and my load average is in 
the 1.2 range consistently.

I wonder if there is not some configuration error.

Also, the URLs shown in your logs starting with /tag/ followed by a long series 
of hex digits, do those look like valid URLs for your server?

Do a dig -x on the IP that is hitting you 13,000 times and see where it is. You 
can try firewalling it, but if it's not some misconfigured server, the DOS will 
simply move to another IP.

> https://paste.ubuntu.com/p/PsxM8yPXPQ/

I haven't run F2B in quite a while, but is that a list of IPs that you are 
whitelisting or does [Protect] mean "Protect FROM"?

But if 13,000 queries are crippling your web server, I think your real problem 
lies elsewhere than the 13,000 hits.

(You are loading almost double the modules that I am, by the way. It seems like 
a lot. Do you know why each of those modules is enabled?)

-- 
They say whisky'll kill you, but I don't think it will I'm ridin'
with you to the top of the hill





RE: [users@httpd] Aw: Re: [users@httpd] Apache in under attack. [EXT]

2021-01-13 Thread James Smith
You can get the information from top - but if you want it in the command line 
you run:

ps -e -o rsz,vsz,sz,cp,cmd | grep apache2 | grep -v grep | sort -k 1 -n

rsz - is the resident size - this is the amount of memory the programme is 
actually reserving in memory

The output had the following type of lines:

> 1299300 3986396 996599  84 /usr/sbin/httpd -DFOREGROUND

So you can see the resident memory is approx. 1.25G

-Original Message-
From: Andrea Croci  
Sent: 13 January 2021 09:59
To: users@httpd.apache.org
Subject: Re: [users@httpd] Aw: Re: [users@httpd] Apache in under attack. [EXT]

Hi James,

what was the command you used to see that apache uses ~1GB of memory? I deleted 
the mail and that was a bad idea: there were some very useful commands you were 
giving us here.

On 12.01.21 12:17, James Smith wrote:
> That shows you only have 2 incoming requests. How many lines if you 
> remove the TIME_WAIT
>
> Try: netstat -n | grep ':80 ' | wc
>
> This may show lots of short requests happening over time
>
> But to be honest the most important thing you need to do is strip down 
> the list of modules you are using - that is what is causing you 
> problems - the apache processes are so large you are causing the 
> server to swap -
>
> If you are permanently using a lot of swap then that slows down your 
> processes and can cause your request to back up (a bit like a traffic 
> jam)
>
> You should only really have about 20-30 modules running.
>
> -Original Message-
> From: Jason Long 
> Sent: 12 January 2021 11:14
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Aw: Re: [users@httpd] Apache in under 
> attack. [EXT]
>
> It show me:
>
> # netstat -n | grep ':80 ' | grep -v TIME_WAIT
> tcp6       0      0 X.X.X.X:80        X.X.X.X:16126      FIN_WAIT2
> tcp6       0      0 X.X.X.X:80        X.X.X.X:64595      FIN_WAIT2
>
>
>
>
>
>
> On Tuesday, January 12, 2021, 02:20:00 PM GMT+3:30, James Smith 
>  wrote:
>
>
>
>
>
> If you want incoming traffic you can do:
>
> netstat -n | grep ':443 ' | grep -v TIME_WAIT
>
> The incoming IP should be the 2nd address
>
> (or ':80 ' if you aren't doing SSL)
>
> Remove the grep -v TIME_WAIT to see all connections {and recent 
> connections}
>
> -Original Message-
> From: Jason Long 
> Sent: 12 January 2021 10:33
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Aw: Re: [users@httpd] Apache in under 
> attack. [EXT]
>
> Output is:
>
> 1688 323400 80850   0 /usr/sbin/httpd -DFOREGROUND
>   6384 517620 129405   0 /usr/sbin/httpd -DFOREGROUND
> 1163280 3898288 974572  63 /usr/sbin/httpd -DFOREGROUND
> 1250040 3912624 978156  64 /usr/sbin/httpd -DFOREGROUND
> 1299300 3986396 996599  84 /usr/sbin/httpd -DFOREGROUND
> 1367304 4012976 1003244  74 /usr/sbin/httpd -DFOREGROUND
>
> How can I see the IP addresses and their incoming traffic?
>
>
>
>
>
>
> On Tuesday, January 12, 2021, 01:49:21 PM GMT+3:30, James Smith 
>  wrote:
>
>
>
>
>
> Another thing to look at is to restart the apache process and see memory 
> usage. You can either use top. Or you can use a cron job which emails you the 
> output of:
>
> ps -e -o rsz,vsz,sz,cp,cmd | grep apache2 | grep -v grep | sort -k 1 
> -n
>
> to see if you start or if it grows gradually
>
> -Original Message-
> From: Jason Long 
> Sent: 12 January 2021 10:01
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Aw: Re: [users@httpd] Apache in under 
> attack. [EXT]
>
> I did below rule, but not worked:
> # iptables -A INPUT -p tcp --syn --dport 80 -m connlimit 
> --connlimit-above 20 -j REJECT --reject-with tcp-reset
>
>
>
>
>
>
>
> On Tuesday, January 12, 2021, 01:15:40 PM GMT+3:30, Florian Schwalm 
>  wrote:
>
>
>
>
>
>
> It can be done with iptables or take a look at fail2ban:
> https://security.stackexchange.com/q/35773/213194
>
> On 12.01.21, 10:26, Jason Long wrote:
>>    Thank you, but "Firewalld" or "iptables" can't do it automatically? When 
>> an IP sending many request then it automatically blocked.
>>
>>
>>
>>
>>
>>
>> On Tuesday, January 12, 2021, 12:49:50 PM GMT+3:30, James Smith 
>>  wrote:
>>
>>
>>
>>
>>
>> Jason,
>>
>> I would also query why your process are ~ 1G resident that seems quite large 
>> for apache.
>>
>> What modules do yo
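
An added example, not part of the original thread: the ps memory check James Smith describes above, turned into a budget using the six httpd lines Jason Long posted and the 6GB of RAM he reports. The function names and the worst-case sizing rule (divide RAM by the largest observed process) are assumptions of this example.

```sh
#!/bin/sh
# Added example: turn `ps -e -o rsz,vsz,sz,cp,cmd` output into a memory budget.
# Column 1 (rsz) is resident memory in KiB. Shared pages are counted once per
# process, so the total is an upper bound on real use, not an exact figure.

# The six httpd lines posted in the thread.
sample_ps() {
cat <<'EOF'
   1688  323400   80850   0 /usr/sbin/httpd -DFOREGROUND
   6384  517620  129405   0 /usr/sbin/httpd -DFOREGROUND
1163280 3898288  974572  63 /usr/sbin/httpd -DFOREGROUND
1250040 3912624  978156  64 /usr/sbin/httpd -DFOREGROUND
1299300 3986396  996599  84 /usr/sbin/httpd -DFOREGROUND
1367304 4012976 1003244  74 /usr/sbin/httpd -DFOREGROUND
EOF
}

# Usage: <ps output> | worker_budget RAM_MIB
# Prints four fields: number of httpd/apache2 processes, total RSS in MiB,
# largest single RSS in MiB, and how many processes of that largest size
# fit in RAM_MIB (worst-case sizing; the OS and PHP caches need room too).
worker_budget() {
    awk -v ram_mib="$1" '
        # Skip the ps header and anything that is not an Apache process.
        $1 ~ /^[0-9]+$/ && /httpd|apache2/ {
            n++
            total += $1
            if ($1 > max) max = $1
        }
        END {
            if (n == 0) { print "0 0 0 0"; exit }
            printf "%d %.0f %.0f %d\n", n, total / 1024, max / 1024, int(ram_mib * 1024 / max)
        }'
}

# Live use on the server (the ps invocation is the one from the thread):
#   ps -e -o rsz,vsz,sz,cp,cmd | worker_budget 6144
sample_ps | worker_budget 6144
```

On the posted figures the last field is 4: by this worst-case estimate the four large workers already running are all that fit in 6GB, which is consistent with the swapping James Smith describes.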

Re: [users@httpd] Aw: Re: [users@httpd] Apache in under attack. [EXT]

2021-01-13 Thread Antony Stone
On Wednesday 13 January 2021 at 10:59:12, Andrea Croci wrote:

> Hi James,
> 
> what was the command you used to see that apache uses ~1GB of memory? I
> deleted the mail and that was a bad idea: there were some very useful
> commands you were giving us here.

You can view the entire thread archive at 
http://mail-archives.apache.org/mod_mbox/httpd-users/202101.mbox/browser

Regards,


Antony.

-- 
I want to build a machine that will be proud of me.

 - Danny Hillis, creator of The Connection Machine

   Please reply to the list;
 please *don't* CC me.




Re: [users@httpd] Aw: Re: [users@httpd] Apache in under attack. [EXT]

2021-01-13 Thread Andrea Croci

Hi James,

what was the command you used to see that apache uses ~1GB of memory? I
deleted the mail and that was a bad idea: there were some very useful
commands you were giving us here.

On 12.01.21 12:17, James Smith wrote:

That shows you only have 2 incoming requests. How many lines if you remove the 
TIME_WAIT

Try: netstat -n | grep ':80 ' | wc

This may show lots of short requests happening over time

But to be honest the most important thing you need to do is strip down the list 
of modules you are using - that is what is causing you problems - the apache 
processes are so large you are causing the server to swap -

If you are permanently using a lot of swap then that slows down your processes 
and can cause your request to back up (a bit like a traffic jam)

You should only really have about 20-30 modules running.

-Original Message-
From: Jason Long 
Sent: 12 January 2021 11:14
To: users@httpd.apache.org
Subject: Re: [users@httpd] Aw: Re: [users@httpd] Apache in under attack. [EXT]

It show me:

# netstat -n | grep ':80 ' | grep -v TIME_WAIT
tcp6       0      0 X.X.X.X:80        X.X.X.X:16126      FIN_WAIT2
tcp6       0      0 X.X.X.X:80        X.X.X.X:64595      FIN_WAIT2






On Tuesday, January 12, 2021, 02:20:00 PM GMT+3:30, James Smith 
 wrote:





If you want incoming traffic you can do:

netstat -n | grep ':443 ' | grep -v TIME_WAIT

The incoming IP should be the 2nd address

(or ':80 ' if you aren't doing SSL)

Remove the grep -v TIME_WAIT to see all connections {and recent connections}

-Original Message-
From: Jason Long 
Sent: 12 January 2021 10:33
To: users@httpd.apache.org
Subject: Re: [users@httpd] Aw: Re: [users@httpd] Apache in under attack. [EXT]

Output is:

1688 323400 80850   0 /usr/sbin/httpd -DFOREGROUND
  6384 517620 129405   0 /usr/sbin/httpd -DFOREGROUND
1163280 3898288 974572  63 /usr/sbin/httpd -DFOREGROUND
1250040 3912624 978156  64 /usr/sbin/httpd -DFOREGROUND
1299300 3986396 996599  84 /usr/sbin/httpd -DFOREGROUND
1367304 4012976 1003244  74 /usr/sbin/httpd -DFOREGROUND

How can I see the IP addresses and their incoming traffic?






On Tuesday, January 12, 2021, 01:49:21 PM GMT+3:30, James Smith 
 wrote:





Another thing to look at is to restart the apache process and see memory usage. 
You can either use top. Or you can use a cron job which emails you the output 
of:

ps -e -o rsz,vsz,sz,cp,cmd | grep apache2 | grep -v grep | sort -k 1 -n

to see if you start or if it grows gradually

-Original Message-
From: Jason Long 
Sent: 12 January 2021 10:01
To: users@httpd.apache.org
Subject: Re: [users@httpd] Aw: Re: [users@httpd] Apache in under attack. [EXT]

I did below rule, but not worked:
# iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 
-j REJECT --reject-with tcp-reset







On Tuesday, January 12, 2021, 01:15:40 PM GMT+3:30, Florian Schwalm 
 wrote:






It can be done with iptables or take a look at fail2ban:
https://security.stackexchange.com/q/35773/213194

On 12.01.21, 10:26, Jason Long wrote:

   Thank you, but "Firewalld" or "iptables" can't do it automatically? When an 
IP sending many request then it automatically blocked.






On Tuesday, January 12, 2021, 12:49:50 PM GMT+3:30, James Smith 
 wrote:





Jason,

I would also query why your process are ~ 1G resident that seems quite large 
for apache.

What modules do you have enabled  - even with mod_perl embedded I would not 
want them to go about 500-800M depending on the site of your box.

I know Apache is very good at grabbing memory for each process - but it doesn't 
tend to hand it back - and just keeps it (just in case)

It looks like you either have a memory leak - or the code is collecting too 
much data before squirting it out

There are other setups that you may want to look at if you have large dynamic 
requests and a lot of small static request (images/css/js) where you run two 
web servers - one serving static content and proxying back to dynamic content.

James

-Original Message-
From: James Smith 
Sent: 12 January 2021 09:09
To: users@httpd.apache.org
Subject: RE: [users@httpd] Apache in under attack. [EXT]

Put a firewall rule into block whatever that first IP address is then.

Something like:

firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source 
address='X.X.X.X' reject"

If you are seeing a current attack then you can tweak Charles' command line to:

tail -1 access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head

or I often use cut instead of awk..

tail -1 access.log | cut -d ' ' -f 1 | sort | uniq -c | sort -nr | head

-Original Message-
From: Jason Long 
Sent: 12 January 2021 08:53
To: users@httpd.apache.org
Subject: Re: [users@httpd

Re: [users@httpd] Aw: Re: [users@httpd] Apache in under attack. [EXT]

2021-01-12 Thread Gene Heskett
On Tuesday 12 January 2021 05:01:09 Jason Long wrote:

> I did below rule, but not worked:
> # iptables -A INPUT -p tcp --syn --dport 80 -m connlimit
> --connlimit-above 20 -j REJECT --reject-with tcp-reset

Lessons learned while trying to stop the &^$>#@# bots from mirroring my 
content on a 10 mbit circuit 10 times a day, burning up my upload 
bandwidth.

1. I watch the other* log.
2. on stretch, I still use iptables
3. I don't reject, I DROP, they get no response to even prove I'm there.
4. since they move bots addy's around weekly to get around people like 
me, I block that whole 256 wide block with a /24 appended to the ipv4 
addy.

5. I'm in ipv4 territory, so when I see a bot in that log, I use its ipv4 
address in /24 format to save writing 255 more rules.

6. really stubborn addresses that don't obey robots.txt get the /16 
treatment.

7. 114 such rules later, I finally have my internet back. But it does 
take some maintenance time. I haven't changed my habits, but my 
bandwidth usage has dropped from 300+G a month a year ago to 30 or 40 
now. And now if I have something of use to others, they can get it. 
Slowly, but they can get it.

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis
Genes Web page 




RE: [users@httpd] Aw: Re: [users@httpd] Apache in under attack. [EXT]

2021-01-12 Thread James Smith
For that answer you will probably have to ask a RH expert - in ubuntu there are 
two folders mods_enabled & mods_available - the mods_available contains links 
to the files in mods_enabled - and you can just remove the symlinks.

Not sure for just a wordpress site whether this list would be sufficient - it's 
using mod_php - which is easy to setup - someone else may be able to point you 
in the direction of the fastcgi solution {which isn't necessarily faster! Or 
more performant}

 alias_module (shared)
 expires_module (shared)
 headers_module (shared)
 mime_module (shared)
 mpm_prefork_module (shared)
 php7_module (shared)
 rewrite_module (shared)
 status_module (shared)

You are almost certainly getting large numbers of requests because it is a 
wordpress site - and so there are standard attack patterns to try and 
compromise your admin interface (or PHP)

-Original Message-
From: Jason Long  
Sent: 12 January 2021 11:51
To: users@httpd.apache.org
Subject: Re: [users@httpd] Aw: Re: [users@httpd] Apache in under attack. [EXT]

Output is:

# netstat -n | grep ':80 ' | wc
     12      72     960

> How to disable modules? It just a WordPress website.






On Tuesday, January 12, 2021, 02:55:14 PM GMT+3:30, James Smith 
 wrote: 





That shows you only have 2 incoming requests. How many lines if you remove the 
TIME_WAIT

Try: netstat -n | grep ':80 ' | wc

This may show lots of short requests happening over time

But to be honest the most important thing you need to do is strip down the list 
of modules you are using - that is what is causing you problems - the apache 
processes are so large you are causing the server to swap - 

If you are permanently using a lot of swap then that slows down your processes 
and can cause your request to back up (a bit like a traffic jam)

You should only really have about 20-30 modules running.

-Original Message-
From: Jason Long  
Sent: 12 January 2021 11:14
To: users@httpd.apache.org
Subject: Re: [users@httpd] Aw: Re: [users@httpd] Apache in under attack. [EXT]

It show me:

# netstat -n | grep ':80 ' | grep -v TIME_WAIT
tcp6       0      0 X.X.X.X:80        X.X.X.X:16126      FIN_WAIT2  
tcp6       0      0 X.X.X.X:80        X.X.X.X:64595      FIN_WAIT2 






On Tuesday, January 12, 2021, 02:20:00 PM GMT+3:30, James Smith 
 wrote: 





If you want incoming traffic you can do:

netstat -n | grep ':443 ' | grep -v TIME_WAIT

The incoming IP should be the 2nd address

(or ':80 ' if you aren't doing SSL)

Remove the grep -v TIME_WAIT to see all connections {and recent connections}

-Original Message-
From: Jason Long  
Sent: 12 January 2021 10:33
To: users@httpd.apache.org
Subject: Re: [users@httpd] Aw: Re: [users@httpd] Apache in under attack. [EXT]

Output is:

1688 323400 80850   0 /usr/sbin/httpd -DFOREGROUND
 6384 517620 129405   0 /usr/sbin/httpd -DFOREGROUND
1163280 3898288 974572  63 /usr/sbin/httpd -DFOREGROUND
1250040 3912624 978156  64 /usr/sbin/httpd -DFOREGROUND
1299300 3986396 996599  84 /usr/sbin/httpd -DFOREGROUND
1367304 4012976 1003244  74 /usr/sbin/httpd -DFOREGROUND

How can I see the IP addresses and their incoming traffic?






On Tuesday, January 12, 2021, 01:49:21 PM GMT+3:30, James Smith 
 wrote: 





Another thing to look at is to restart the apache process and see memory usage. 
You can either use top. Or you can use a cron job which emails you the output 
of:

ps -e -o rsz,vsz,sz,cp,cmd | grep apache2 | grep -v grep | sort -k 1 -n

to see if you start or if it grows gradually

-Original Message-
From: Jason Long  
Sent: 12 January 2021 10:01
To: users@httpd.apache.org
Subject: Re: [users@httpd] Aw: Re: [users@httpd] Apache in under attack. [EXT]

I did below rule, but not worked:
# iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 
-j REJECT --reject-with tcp-reset







On Tuesday, January 12, 2021, 01:15:40 PM GMT+3:30, Florian Schwalm 
 wrote: 






It can be done with iptables or take a look at fail2ban:
https://security.stackexchange.com/q/35773/213194

On 12.01.21, 10:26, Jason Long wrote:
>  Thank you, but "Firewalld" or "iptables" can't do it automatically? When an 
>IP sending many request then it automatically blocked. 
> 
> 
> 
> 
> 
> 
> On Tuesday, January 12, 2021, 12:49:50 PM GMT+3:30, James Smith 
>  wrote: 
> 
> 
> 
> 
> 
> Jason, 
> 
> I would also query why your process are ~ 1G resident that seems quite large 
> for apache. 
> 
> What modules do you have enabled  - even with mod_perl embedded I would not 
> want them to go about 500-800M depending on the site of your box. 
> 
> I know Apache is very good at grabbing memory for each process - but it 
>

Re: [users@httpd] Aw: Re: [users@httpd] Apache in under attack. [EXT]

2021-01-12 Thread Jason Long
Output is:

# netstat -n | grep ':80 ' | wc
     12      72     960

How to disable modules? It is just a WordPress website.






On Tuesday, January 12, 2021, 02:55:14 PM GMT+3:30, James Smith 
 wrote: 





That shows you only have 2 incoming requests. How many lines if you remove the 
TIME_WAIT

Try: netstat -n | grep ':80 ' | wc

This may show lots of short requests happening over time

But to be honest the most important thing you need to do is strip down the list 
of modules you are using - that is what is causing you problems - the apache 
processes are so large you are causing the server to swap - 

If you are permanently using a lot of swap then that slows down your processes 
and can cause your request to back up (a bit like a traffic jam)

You should only really have about 20-30 modules running.

-Original Message-
From: Jason Long  
Sent: 12 January 2021 11:14
To: users@httpd.apache.org
Subject: Re: [users@httpd] Aw: Re: [users@httpd] Apache in under attack. [EXT]

It show me:

# netstat -n | grep ':80 ' | grep -v TIME_WAIT
tcp6       0      0 X.X.X.X:80        X.X.X.X:16126      FIN_WAIT2  
tcp6       0      0 X.X.X.X:80        X.X.X.X:64595      FIN_WAIT2 






On Tuesday, January 12, 2021, 02:20:00 PM GMT+3:30, James Smith 
 wrote: 





If you want incoming traffic you can do:

netstat -n | grep ':443 ' | grep -v TIME_WAIT

The incoming IP should be the 2nd address

(or ':80 ' if you aren't doing SSL)

Remove the grep -v TIME_WAIT to see all connections {and recent connections}

-Original Message-
From: Jason Long  
Sent: 12 January 2021 10:33
To: users@httpd.apache.org
Subject: Re: [users@httpd] Aw: Re: [users@httpd] Apache in under attack. [EXT]

Output is:

1688 323400 80850   0 /usr/sbin/httpd -DFOREGROUND
 6384 517620 129405   0 /usr/sbin/httpd -DFOREGROUND
1163280 3898288 974572  63 /usr/sbin/httpd -DFOREGROUND
1250040 3912624 978156  64 /usr/sbin/httpd -DFOREGROUND
1299300 3986396 996599  84 /usr/sbin/httpd -DFOREGROUND
1367304 4012976 1003244  74 /usr/sbin/httpd -DFOREGROUND

How can I see the IP addresses and their incoming traffic?






On Tuesday, January 12, 2021, 01:49:21 PM GMT+3:30, James Smith 
 wrote: 





Another thing to look at is to restart the apache process and see memory usage. 
You can either use top. Or you can use a cron job which emails you the output 
of:

ps -e -o rsz,vsz,sz,cp,cmd | grep apache2 | grep -v grep | sort -k 1 -n

to see if you start or if it grows gradually

-Original Message-
From: Jason Long  
Sent: 12 January 2021 10:01
To: users@httpd.apache.org
Subject: Re: [users@httpd] Aw: Re: [users@httpd] Apache in under attack. [EXT]

I did below rule, but not worked:
# iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 
-j REJECT --reject-with tcp-reset







On Tuesday, January 12, 2021, 01:15:40 PM GMT+3:30, Florian Schwalm 
 wrote: 






It can be done with iptables or take a look at fail2ban:
https://security.stackexchange.com/q/35773/213194

On 12.01.21, 10:26, Jason Long wrote:
>  Thank you, but "Firewalld" or "iptables" can't do it automatically? When an 
>IP sending many request then it automatically blocked. 
> 
> 
> 
> 
> 
> 
> On Tuesday, January 12, 2021, 12:49:50 PM GMT+3:30, James Smith 
>  wrote: 
> 
> 
> 
> 
> 
> Jason, 
> 
> I would also query why your process are ~ 1G resident that seems quite large 
> for apache. 
> 
> What modules do you have enabled  - even with mod_perl embedded I would not 
> want them to go about 500-800M depending on the site of your box. 
> 
> I know Apache is very good at grabbing memory for each process - but it 
> doesn't tend to hand it back - and just keeps it (just in case) 
> 
> It looks like you either have a memory leak - or the code is collecting too 
> much data before squirting it out 
> 
> There are other setups that you may want to look at if you have large dynamic 
> requests and a lot of small static request (images/css/js) where you run two 
> web servers - one serving static content and proxying back to dynamic 
> content. 
> 
> James 
> 
> -----Original Message----- 
> From: James Smith  
> Sent: 12 January 2021 09:09 
> To: users@httpd.apache.org 
> Subject: RE: [users@httpd] Apache in under attack. [EXT] 
> 
> Put a firewall rule into block whatever that first IP address is then. 
> 
> Something like: 
> 
> firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source 
> address='X.X.X.X' reject" 
> 
> If you are seeing a current attack then you can tweak Charles' command line 
> to: 
> 
> tail -1 access.log | awk '{print $1

RE: [users@httpd] Aw: Re: [users@httpd] Apache in under attack. [EXT]

2021-01-12 Thread James Smith
That shows you only have 2 incoming requests. How many lines if you remove the 
TIME_WAIT

Try: netstat -n | grep ':80 ' | wc

This may show lots of short requests happening over time

But to be honest the most important thing you need to do is strip down the list 
of modules you are using - that is what is causing you problems - the apache 
processes are so large you are causing the server to swap.

If you are permanently using a lot of swap then that slows down your processes 
and can cause your request to back up (a bit like a traffic jam)

You should only really have about 20-30 modules running.

-Original Message-
From: Jason Long  
Sent: 12 January 2021 11:14
To: users@httpd.apache.org
Subject: Re: [users@httpd] Aw: Re: [users@httpd] Apache in under attack. [EXT]

It shows me:

# netstat -n | grep ':80 ' | grep -v TIME_WAIT
tcp6       0      0 X.X.X.X:80        X.X.X.X:16126      FIN_WAIT2  
tcp6       0      0 X.X.X.X:80        X.X.X.X:64595      FIN_WAIT2 






On Tuesday, January 12, 2021, 02:20:00 PM GMT+3:30, James Smith 
 wrote: 





If you want incoming traffic you can do:

netstat -n | grep ':443 ' | grep -v TIME_WAIT

The incoming IP should be the 2nd address

(or ':80 ' if you aren't doing SSL)

Remove the grep -v TIME_WAIT to see all connections {and recent connections}

-Original Message-
From: Jason Long  
Sent: 12 January 2021 10:33
To: users@httpd.apache.org
Subject: Re: [users@httpd] Aw: Re: [users@httpd] Apache in under attack. [EXT]

Output is:

1688 323400 80850   0 /usr/sbin/httpd -DFOREGROUND
 6384 517620 129405   0 /usr/sbin/httpd -DFOREGROUND
1163280 3898288 974572  63 /usr/sbin/httpd -DFOREGROUND
1250040 3912624 978156  64 /usr/sbin/httpd -DFOREGROUND
1299300 3986396 996599  84 /usr/sbin/httpd -DFOREGROUND
1367304 4012976 1003244  74 /usr/sbin/httpd -DFOREGROUND

How can I see the IP addresses and their incoming traffic?






On Tuesday, January 12, 2021, 01:49:21 PM GMT+3:30, James Smith 
 wrote: 





Another thing to look at is to restart the apache process and see memory usage. 
You can either use top. Or you can use a cron job which emails you the output 
of:

ps -e -o rsz,vsz,sz,cp,cmd | grep apache2 | grep -v grep | sort -k 1 -n

to see if you start or if it grows gradually

-Original Message-
From: Jason Long  
Sent: 12 January 2021 10:01
To: users@httpd.apache.org
Subject: Re: [users@httpd] Aw: Re: [users@httpd] Apache in under attack. [EXT]

I added the rule below, but it did not work:
# iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset







On Tuesday, January 12, 2021, 01:15:40 PM GMT+3:30, Florian Schwalm 
 wrote: 






It can be done with iptables or take a look at fail2ban:
https://urldefense.proofpoint.com/v2/url?u=https-3A__security.stackexchange.com_q_35773_213194=DwIFaQ=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo=oH2yp0ge1ecj4oDX0XM7vQ=I9F0cXVKI5lNIkmNjSJUj4c7qqr061vJX88jzcMLpvA=_jkuSoCIH2P5CqYmZuedFXUmuuq3Uf5PkIKE5nk_B3o=
 

Am 12.01.21, 10:26 schrieb Jason Long :
>  Thank you, but "Firewalld" or "iptables" can't do it automatically? When an 
>IP sending many request then it automatically blocked. 
> 
> 
> 
> 
> 
> 
> On Tuesday, January 12, 2021, 12:49:50 PM GMT+3:30, James Smith 
>  wrote: 
> 
> 
> 
> 
> 
> Jason, 
> 
> I would also query why your process are ~ 1G resident that seems quite large 
> for apache. 
> 
> What modules do you have enabled  - even with mod_perl embedded I would not 
> want them to go about 500-800M depending on the site of your box. 
> 
> I know Apache is very good at grabbing memory for each process - but it 
> doesn't tend to hand it back - and just keeps it (just in case) 
> 
> It looks like you either have a memory leak - or the code is collecting too 
> much data before squirting it out 
> 
> There are other setups that you may want to look at if you have large dynamic 
> requests and a lot of small static request (images/css/js) where you run two 
> web servers - one serving static content and proxying back to dynamic 
> content. 
> 
> James 
> 
> -----Original Message----- 
> From: James Smith  
> Sent: 12 January 2021 09:09 
> To: users@httpd.apache.org 
> Subject: RE: [users@httpd] Apache in under attack. [EXT] 
> 
> Put a firewall rule into block whatever that first IP address is then. 
> 
> Something like: 
> 
> firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source 
> address='X.X.X.X' reject" 
> 
> If you are seeing a current attack then you can tweak Charles' command line 
> to: 
> 
> tail -1 access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head 
> 
> or I often use cut instead of awk.. 
> 
> tail -1 access.log | cut -d ' ' -f 1 | sort | uniq -c | sort -nr | head 
> 
> -Original Message- 

Re: [users@httpd] Aw: Re: [users@httpd] Apache in under attack. [EXT]

2021-01-12 Thread Jason Long
It shows me:

# netstat -n | grep ':80 ' | grep -v TIME_WAIT
tcp6       0      0 X.X.X.X:80        X.X.X.X:16126      FIN_WAIT2  
tcp6       0      0 X.X.X.X:80        X.X.X.X:64595      FIN_WAIT2 






On Tuesday, January 12, 2021, 02:20:00 PM GMT+3:30, James Smith 
 wrote: 





If you want incoming traffic you can do:

netstat -n | grep ':443 ' | grep -v TIME_WAIT

The incoming IP should be the 2nd address

(or ':80 ' if you aren't doing SSL)

Remove the grep -v TIME_WAIT to see all connections {and recent connections}

-Original Message-
From: Jason Long  
Sent: 12 January 2021 10:33
To: users@httpd.apache.org
Subject: Re: [users@httpd] Aw: Re: [users@httpd] Apache in under attack. [EXT]

Output is:

1688 323400 80850   0 /usr/sbin/httpd -DFOREGROUND
 6384 517620 129405   0 /usr/sbin/httpd -DFOREGROUND
1163280 3898288 974572  63 /usr/sbin/httpd -DFOREGROUND
1250040 3912624 978156  64 /usr/sbin/httpd -DFOREGROUND
1299300 3986396 996599  84 /usr/sbin/httpd -DFOREGROUND
1367304 4012976 1003244  74 /usr/sbin/httpd -DFOREGROUND

How can I see the IP addresses and their incoming traffic?






On Tuesday, January 12, 2021, 01:49:21 PM GMT+3:30, James Smith 
 wrote: 





Another thing to look at is to restart the apache process and see memory usage. 
You can either use top. Or you can use a cron job which emails you the output 
of:

ps -e -o rsz,vsz,sz,cp,cmd | grep apache2 | grep -v grep | sort -k 1 -n

to see if you start or if it grows gradually

-Original Message-
From: Jason Long  
Sent: 12 January 2021 10:01
To: users@httpd.apache.org
Subject: Re: [users@httpd] Aw: Re: [users@httpd] Apache in under attack. [EXT]

I added the rule below, but it did not work:
# iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset







On Tuesday, January 12, 2021, 01:15:40 PM GMT+3:30, Florian Schwalm 
 wrote: 






It can be done with iptables or take a look at fail2ban:
https://urldefense.proofpoint.com/v2/url?u=https-3A__security.stackexchange.com_q_35773_213194=DwIFaQ=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo=oH2yp0ge1ecj4oDX0XM7vQ=I9F0cXVKI5lNIkmNjSJUj4c7qqr061vJX88jzcMLpvA=_jkuSoCIH2P5CqYmZuedFXUmuuq3Uf5PkIKE5nk_B3o=
 

Am 12.01.21, 10:26 schrieb Jason Long :
>  Thank you, but "Firewalld" or "iptables" can't do it automatically? When an 
>IP sending many request then it automatically blocked. 
> 
> 
> 
> 
> 
> 
> On Tuesday, January 12, 2021, 12:49:50 PM GMT+3:30, James Smith 
>  wrote: 
> 
> 
> 
> 
> 
> Jason, 
> 
> I would also query why your process are ~ 1G resident that seems quite large 
> for apache. 
> 
> What modules do you have enabled  - even with mod_perl embedded I would not 
> want them to go about 500-800M depending on the site of your box. 
> 
> I know Apache is very good at grabbing memory for each process - but it 
> doesn't tend to hand it back - and just keeps it (just in case) 
> 
> It looks like you either have a memory leak - or the code is collecting too 
> much data before squirting it out 
> 
> There are other setups that you may want to look at if you have large dynamic 
> requests and a lot of small static request (images/css/js) where you run two 
> web servers - one serving static content and proxying back to dynamic 
> content. 
> 
> James 
> 
> -----Original Message----- 
> From: James Smith  
> Sent: 12 January 2021 09:09 
> To: users@httpd.apache.org 
> Subject: RE: [users@httpd] Apache in under attack. [EXT] 
> 
> Put a firewall rule into block whatever that first IP address is then. 
> 
> Something like: 
> 
> firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source 
> address='X.X.X.X' reject" 
> 
> If you are seeing a current attack then you can tweak Charles' command line 
> to: 
> 
> tail -1 access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head 
> 
> or I often use cut instead of awk.. 
> 
> tail -1 access.log | cut -d ' ' -f 1 | sort | uniq -c | sort -nr | head 
> 
> -Original Message- 
> From: Jason Long  
> Sent: 12 January 2021 08:53 
> To: users@httpd.apache.org 
> Subject: Re: [users@httpd] Apache in under attack. [EXT] 
> 
> It show me: 
> 
> 13180 X.X.X.X 
>    1127 X.X.X.X 
>     346 X.X.X.X 
>     294 X.X.X.X 
>     241 X.X.X.X 
>     169 X.X.X.X 
>     168 X.X.X.X 
>     157 X.X.X.X 
>     155 X.X.X.X 
>     153 X.X.X.X 
> 
> 
> 
> 
> 
> 
> 
> 
> On Tuesday, January 12, 2021, 07:12:22 AM GMT+3:30, Bender, Charles 
>  wrote: 
> 
> 
> 
> 
> 
> Run this against your log file in bash shell 
> 
> cat access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head 
> 
> This will show you most frequent IPs, sorted in descending order. Block as 
> 

RE: [users@httpd] Aw: Re: [users@httpd] Apache in under attack. [EXT]

2021-01-12 Thread James Smith
If you want incoming traffic you can do:

netstat -n | grep ':443 ' | grep -v TIME_WAIT

The incoming IP should be the 2nd address

(or ':80 ' if you aren't doing SSL)

Remove the grep -v TIME_WAIT to see all connections {and recent connections}

-Original Message-
From: Jason Long  
Sent: 12 January 2021 10:33
To: users@httpd.apache.org
Subject: Re: [users@httpd] Aw: Re: [users@httpd] Apache in under attack. [EXT]

Output is:

1688 323400 80850   0 /usr/sbin/httpd -DFOREGROUND
 6384 517620 129405   0 /usr/sbin/httpd -DFOREGROUND
1163280 3898288 974572  63 /usr/sbin/httpd -DFOREGROUND
1250040 3912624 978156  64 /usr/sbin/httpd -DFOREGROUND
1299300 3986396 996599  84 /usr/sbin/httpd -DFOREGROUND
1367304 4012976 1003244  74 /usr/sbin/httpd -DFOREGROUND

How can I see the IP addresses and their incoming traffic?






On Tuesday, January 12, 2021, 01:49:21 PM GMT+3:30, James Smith 
 wrote: 





Another thing to look at is to restart the apache process and see memory usage. 
You can either use top. Or you can use a cron job which emails you the output 
of:

ps -e -o rsz,vsz,sz,cp,cmd | grep apache2 | grep -v grep | sort -k 1 -n

to see if you start or if it grows gradually

-Original Message-
From: Jason Long  
Sent: 12 January 2021 10:01
To: users@httpd.apache.org
Subject: Re: [users@httpd] Aw: Re: [users@httpd] Apache in under attack. [EXT]

I added the rule below, but it did not work:
# iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset







On Tuesday, January 12, 2021, 01:15:40 PM GMT+3:30, Florian Schwalm 
 wrote: 






It can be done with iptables or take a look at fail2ban:
https://urldefense.proofpoint.com/v2/url?u=https-3A__security.stackexchange.com_q_35773_213194=DwIFaQ=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo=oH2yp0ge1ecj4oDX0XM7vQ=I9F0cXVKI5lNIkmNjSJUj4c7qqr061vJX88jzcMLpvA=_jkuSoCIH2P5CqYmZuedFXUmuuq3Uf5PkIKE5nk_B3o=
 

Am 12.01.21, 10:26 schrieb Jason Long :
>  Thank you, but "Firewalld" or "iptables" can't do it automatically? When an 
>IP sending many request then it automatically blocked. 
> 
> 
> 
> 
> 
> 
> On Tuesday, January 12, 2021, 12:49:50 PM GMT+3:30, James Smith 
>  wrote: 
> 
> 
> 
> 
> 
> Jason, 
> 
> I would also query why your process are ~ 1G resident that seems quite large 
> for apache. 
> 
> What modules do you have enabled  - even with mod_perl embedded I would not 
> want them to go about 500-800M depending on the site of your box. 
> 
> I know Apache is very good at grabbing memory for each process - but it 
> doesn't tend to hand it back - and just keeps it (just in case) 
> 
> It looks like you either have a memory leak - or the code is collecting too 
> much data before squirting it out 
> 
> There are other setups that you may want to look at if you have large dynamic 
> requests and a lot of small static request (images/css/js) where you run two 
> web servers - one serving static content and proxying back to dynamic 
> content. 
> 
> James 
> 
> -----Original Message----- 
> From: James Smith  
> Sent: 12 January 2021 09:09 
> To: users@httpd.apache.org 
> Subject: RE: [users@httpd] Apache in under attack. [EXT] 
> 
> Put a firewall rule into block whatever that first IP address is then. 
> 
> Something like: 
> 
> firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source 
> address='X.X.X.X' reject" 
> 
> If you are seeing a current attack then you can tweak Charles' command line 
> to: 
> 
> tail -1 access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head 
> 
> or I often use cut instead of awk.. 
> 
> tail -1 access.log | cut -d ' ' -f 1 | sort | uniq -c | sort -nr | head 
> 
> -Original Message- 
> From: Jason Long  
> Sent: 12 January 2021 08:53 
> To: users@httpd.apache.org 
> Subject: Re: [users@httpd] Apache in under attack. [EXT] 
> 
> It show me: 
> 
> 13180 X.X.X.X 
>    1127 X.X.X.X 
>     346 X.X.X.X 
>     294 X.X.X.X 
>     241 X.X.X.X 
>     169 X.X.X.X 
>     168 X.X.X.X 
>     157 X.X.X.X 
>     155 X.X.X.X 
>     153 X.X.X.X 
> 
> 
> 
> 
> 
> 
> 
> 
> On Tuesday, January 12, 2021, 07:12:22 AM GMT+3:30, Bender, Charles 
>  wrote: 
> 
> 
> 
> 
> 
> Run this against your log file in bash shell 
> 
> cat access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head 
> 
> This will show you most frequent IPs, sorted in descending order. Block as 
> needed 
> 
> On 1/11/21, 7:11 PM, "Jason Long"  wrote: 
> 
>     Can you help me? 
>     
>     
>     
>     
>     
>     
>     On Tuesday, January 12, 2021, 03:36:30 AM GMT+3:30, Nick Folino 
>  wrote: 
>     
>     

Re: [users@httpd] Apache in under attack. [EXT]

2021-01-12 Thread Jason Long
Fail2ban shows me:
https://paste.ubuntu.com/p/PsxM8yPXPQ/






On Tuesday, January 12, 2021, 01:47:28 PM GMT+3:30, James Smith 
 wrote: 





That's one shed load of modules - when I run it on my dev server I have - you 
should really go through the modules and work out which ones you are actually 
using:

Loaded Modules:
core_module (static)
so_module (static)
watchdog_module (static)
http_module (static)
log_config_module (static)
logio_module (static)
version_module (static)
unixd_module (static)
alias_module (shared)
apreq_module (shared)
auth_basic_module (shared)
authn_core_module (shared)
authn_file_module (shared)
authz_core_module (shared)
authz_groupfile_module (shared)
authz_host_module (shared)
authz_user_module (shared)
cgi_module (shared)
dir_module (shared)
env_module (shared)
expires_module (shared)
filter_module (shared)
headers_module (shared)
include_module (shared)
mime_module (shared)
mpm_prefork_module (shared)
perl_module (shared)
php7_module (shared)
proxy_module (shared)
proxy_ftp_module (shared)
proxy_http_module (shared)
rewrite_module (shared)
setenvif_module (shared)
status_module (shared)

-Original Message-
From: Jason Long  
Sent: 12 January 2021 10:06
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache in under attack. [EXT]

Modules are:
https://urldefense.proofpoint.com/v2/url?u=https-3A__paste.ubuntu.com_p_DJSWpSP7xZ_=DwIFaQ=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo=oH2yp0ge1ecj4oDX0XM7vQ=puY-fTQsV1ysiCnOpy4EHYLVx0o9AIycA5oenO7FFMM=gP5iBUkwbSUx03jK4ekkBLEDcX-4sn9jg_x70ubMVto=
 






On Tuesday, January 12, 2021, 01:26:48 PM GMT+3:30, James Smith 
 wrote: 





Can't see anything that should blow up like that to be honest - I usually use 
ubuntu - which configures apache in a much, much nicer way {generally for web 
development stuff it is a better flavour of linux}

What is the output of:

apache2 -t -D DUMP_MODULES

to see what modules you have installed

-Original Message-
From: Jason Long  
Sent: 12 January 2021 09:43
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache in under attack. [EXT]

Apache configuration is:
https://urldefense.proofpoint.com/v2/url?u=https-3A__paste.ubuntu.com_p_RTC2WWMdYH_=DwIFaQ=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo=oH2yp0ge1ecj4oDX0XM7vQ=lEeMNZprno3dAD_-vQP5HrFJEcj8DIYk1YvwqbfSOoI=vfUjay2MefOK73RFk6G5pssz7eGw-Ob55yOQx481hqg=
 

And "www.conf" is:
https://urldefense.proofpoint.com/v2/url?u=https-3A__paste.ubuntu.com_p_S9q5Kwpfcc_=DwIFaQ=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo=oH2yp0ge1ecj4oDX0XM7vQ=lEeMNZprno3dAD_-vQP5HrFJEcj8DIYk1YvwqbfSOoI=uApEZIkpUO0y48_zhQm_bX5ZxjS3vNu6KeVj7i2HsxY=
 

And other settings:
https://urldefense.proofpoint.com/v2/url?u=https-3A__paste.ubuntu.com_p_NydSyZghJ8_=DwIFaQ=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo=oH2yp0ge1ecj4oDX0XM7vQ=lEeMNZprno3dAD_-vQP5HrFJEcj8DIYk1YvwqbfSOoI=hCmp9X0YJvHspWfZjumxg71LTaVemwxCOZWIO7TZBbU=
 

Which one is not OK?







On Tuesday, January 12, 2021, 12:23:52 PM GMT+3:30, Jason Long 
 wrote: 





It shows me:

13180 X.X.X.X
   1127 X.X.X.X 
    346 X.X.X.X 
    294 X.X.X.X 
    241 X.X.X.X 
    169 X.X.X.X 
    168 X.X.X.X
    157 X.X.X.X
    155 X.X.X.X
    153 X.X.X.X








On Tuesday, January 12, 2021, 07:12:22 AM GMT+3:30, Bender, Charles 
 wrote: 





Run this against your log file in bash shell

cat access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head

This will show you most frequent IPs, sorted in descending order. Block as 
needed

On 1/11/21, 7:11 PM, "Jason Long"  wrote:

    Can you help me? 
    
    
    
    
    
    
    On Tuesday, January 12, 2021, 03:36:30 AM GMT+3:30, Nick Folino 
 wrote: 
    
    
    
    
    
    Concentrate on just one...
    
    On Mon, Jan 11, 2021 at 7:02 PM Jason Long  
wrote:
    > It is a lot of IP addresses !!!
    > 
    > 
    > 
    > 
    > 
    > 
    > On Tuesday, January 12, 2021, 03:30:02 AM GMT+3:30, Nick Folino 
 wrote: 
    > 
    > 
    > 
    > 
    > 
    > How to find pattern:
    > Look at log.
    > Find bad things that are similar.
    > 
    > Then:
    > Block bad things from reaching web server.
    > 
    > On Mon, Jan 11, 2021 at 6:49 PM Jason Long  
wrote:
    >> How to find pattern?
    >> Log show me: 
https://urldefense.proofpoint.com/v2/url?u=https-3A__paste.ubuntu.com_p_MjjVMvRrQc_=DwIFaQ=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo=oH2yp0ge1ecj4oDX0XM7vQ=lEeMNZprno3dAD_-vQP5HrFJEcj8DIYk1YvwqbfSOoI=pLIjlRP7JUm_jEPmNULbyhTpZMfuLrh5r0lK7t7Wn7g=
 
    >> 
    >> 
    >> 
    >> 
    >> 
    >> 
    >> On Tuesday, January 12, 2021, 03:06:12 AM GMT+3:30, Filipe Cifali 
 wrote: 
    >> 
    >> 
    >> 
    >> 
    >> 
    >> Yeah it's probably not going to matter if you don't know what's 
attacking you before setting up the rules, you need to find the patterns, 
eithe

Re: [users@httpd] Aw: Re: [users@httpd] Apache in under attack. [EXT]

2021-01-12 Thread Jason Long
Output is:

1688 323400 80850   0 /usr/sbin/httpd -DFOREGROUND
 6384 517620 129405   0 /usr/sbin/httpd -DFOREGROUND
1163280 3898288 974572  63 /usr/sbin/httpd -DFOREGROUND
1250040 3912624 978156  64 /usr/sbin/httpd -DFOREGROUND
1299300 3986396 996599  84 /usr/sbin/httpd -DFOREGROUND
1367304 4012976 1003244  74 /usr/sbin/httpd -DFOREGROUND

How can I see the IP addresses and their incoming traffic?






On Tuesday, January 12, 2021, 01:49:21 PM GMT+3:30, James Smith 
 wrote: 





Another thing to look at is to restart the apache process and see memory usage. 
You can either use top. Or you can use a cron job which emails you the output 
of:

ps -e -o rsz,vsz,sz,cp,cmd | grep apache2 | grep -v grep | sort -k 1 -n

to see if you start or if it grows gradually

-Original Message-
From: Jason Long  
Sent: 12 January 2021 10:01
To: users@httpd.apache.org
Subject: Re: [users@httpd] Aw: Re: [users@httpd] Apache in under attack. [EXT]

I added the rule below, but it did not work:
# iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset







On Tuesday, January 12, 2021, 01:15:40 PM GMT+3:30, Florian Schwalm 
 wrote: 






It can be done with iptables or take a look at fail2ban:
https://urldefense.proofpoint.com/v2/url?u=https-3A__security.stackexchange.com_q_35773_213194=DwIFaQ=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo=oH2yp0ge1ecj4oDX0XM7vQ=I9F0cXVKI5lNIkmNjSJUj4c7qqr061vJX88jzcMLpvA=_jkuSoCIH2P5CqYmZuedFXUmuuq3Uf5PkIKE5nk_B3o=
 

Am 12.01.21, 10:26 schrieb Jason Long :
>  Thank you, but "Firewalld" or "iptables" can't do it automatically? When an 
>IP sending many request then it automatically blocked. 
> 
> 
> 
> 
> 
> 
> On Tuesday, January 12, 2021, 12:49:50 PM GMT+3:30, James Smith 
>  wrote: 
> 
> 
> 
> 
> 
> Jason, 
> 
> I would also query why your process are ~ 1G resident that seems quite large 
> for apache. 
> 
> What modules do you have enabled  - even with mod_perl embedded I would not 
> want them to go about 500-800M depending on the site of your box. 
> 
> I know Apache is very good at grabbing memory for each process - but it 
> doesn't tend to hand it back - and just keeps it (just in case) 
> 
> It looks like you either have a memory leak - or the code is collecting too 
> much data before squirting it out 
> 
> There are other setups that you may want to look at if you have large dynamic 
> requests and a lot of small static request (images/css/js) where you run two 
> web servers - one serving static content and proxying back to dynamic 
> content. 
> 
> James 
> 
> -----Original Message----- 
> From: James Smith  
> Sent: 12 January 2021 09:09 
> To: users@httpd.apache.org 
> Subject: RE: [users@httpd] Apache in under attack. [EXT] 
> 
> Put a firewall rule into block whatever that first IP address is then. 
> 
> Something like: 
> 
> firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source 
> address='X.X.X.X' reject" 
> 
> If you are seeing a current attack then you can tweak Charles' command line 
> to: 
> 
> tail -1 access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head 
> 
> or I often use cut instead of awk.. 
> 
> tail -1 access.log | cut -d ' ' -f 1 | sort | uniq -c | sort -nr | head 
> 
> -Original Message- 
> From: Jason Long  
> Sent: 12 January 2021 08:53 
> To: users@httpd.apache.org 
> Subject: Re: [users@httpd] Apache in under attack. [EXT] 
> 
> It show me: 
> 
> 13180 X.X.X.X 
>    1127 X.X.X.X 
>     346 X.X.X.X 
>     294 X.X.X.X 
>     241 X.X.X.X 
>     169 X.X.X.X 
>     168 X.X.X.X 
>     157 X.X.X.X 
>     155 X.X.X.X 
>     153 X.X.X.X 
> 
> 
> 
> 
> 
> 
> 
> 
> On Tuesday, January 12, 2021, 07:12:22 AM GMT+3:30, Bender, Charles 
>  wrote: 
> 
> 
> 
> 
> 
> Run this against your log file in bash shell 
> 
> cat access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head 
> 
> This will show you most frequent IPs, sorted in descending order. Block as 
> needed 
> 
> On 1/11/21, 7:11 PM, "Jason Long"  wrote: 
> 
>     Can you help me? 
>     
>     
>     
>     
>     
>     
>     On Tuesday, January 12, 2021, 03:36:30 AM GMT+3:30, Nick Folino 
>  wrote: 
>     
>     
>     
>     
>     
>     Concentrate on just one... 
>     
>     On Mon, Jan 11, 2021 at 7:02 PM Jason Long  
> wrote: 
>     > It is a lot of IP addresses !!! 
>     > 
>     > 
>     > 
>     > 
>     > 
>     > 
>     > On Tuesday, January 12, 2021, 03:30:02 AM GMT+3:30, Nick Folino 
>  wrote: 
>     > 
>     > 
>     > 
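The `ps` output posted in this thread, totalled up as an added example (not code from any poster): it sums the resident size of the httpd processes and compares it with the 6 GB of RAM Jason reports elsewhere in the thread. The function names and the 1 GiB reserved for the rest of the system are assumptions.

```shell
#!/bin/sh
# Added example: summarise `ps -e -o rsz,vsz,sz,cp,cmd` output for the web
# server processes. Column 1 (rsz) is the resident set size in KiB.

# The six lines Jason posted in this thread, reproduced as sample input.
posted_ps_output() {
cat <<'EOF'
1688 323400 80850   0 /usr/sbin/httpd -DFOREGROUND
 6384 517620 129405   0 /usr/sbin/httpd -DFOREGROUND
1163280 3898288 974572  63 /usr/sbin/httpd -DFOREGROUND
1250040 3912624 978156  64 /usr/sbin/httpd -DFOREGROUND
1299300 3986396 996599  84 /usr/sbin/httpd -DFOREGROUND
1367304 4012976 1003244  74 /usr/sbin/httpd -DFOREGROUND
EOF
}

# rss_summary PATTERN
# Reads ps output on stdin and prints "count total_kib largest_kib" for the
# processes whose command (field 5) matches PATTERN. One line per run, so a
# cron job can append it to a file and show whether the workers grow.
rss_summary() {
    awk -v pat="$1" '
        $5 ~ pat {
            n++
            total += $1
            if ($1 + 0 > max) max = $1 + 0
        }
        END { printf "%d %d %d\n", n, total, max }'
}

# ram_percent TOTAL_KIB RAM_KIB
# Integer percentage of physical RAM held by the matched processes.
ram_percent() {
    echo $(( $1 * 100 / $2 ))
}

# workers_that_fit LARGEST_KIB RAM_KIB RESERVE_KIB
# How many processes of the largest observed size fit in RAM once
# RESERVE_KIB (an assumption) is set aside for everything else.
workers_that_fit() {
    echo $(( ($2 - $3) / $1 ))
}

RAM_KIB=$(( 6 * 1024 * 1024 ))   # 6 GB, as stated in the thread
RESERVE_KIB=$(( 1024 * 1024 ))   # assumed 1 GiB for OS and other services

set -- $(posted_ps_output | rss_summary 'httpd|apache2')
echo "processes=$1 total_kib=$2 largest_kib=$3"
echo "ram_used_percent=$(ram_percent "$2" "$RAM_KIB")"
echo "largest_workers_that_fit=$(workers_that_fit "$3" "$RAM_KIB" "$RESERVE_KIB")"
```

On the posted numbers, four of the six processes are each over 1 GiB resident, while only three of the largest size fit in RAM under the assumed reserve.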

RE: [users@httpd] Apache in under attack. [EXT]

2021-01-12 Thread James Smith
Yes - it is something we need to do when we come under attack at work - as 
often the attacks are not enough to trigger standard intrusion detection (esp 
as our requests can be quite heavy)

-Original Message-
From: Jason Long  
Sent: 12 January 2021 10:07
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache in under attack. [EXT]

System administrators doing it manually???






On Tuesday, January 12, 2021, 01:28:50 PM GMT+3:30, James Smith 
 wrote: 





Rate limiting may work - but the rate may be just slightly too slow for your 
setting - manually doing it is a good thing ...

-Original Message-
From: Jason Long 
Sent: 12 January 2021 09:21
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache in under attack. [EXT]

Thank you, but "Firewalld" or "iptables" can't do it automatically? When an IP 
sending many request then it automatically blocked.






On Tuesday, January 12, 2021, 12:49:50 PM GMT+3:30, James Smith 
 wrote: 





Jason,

I would also query why your process are ~ 1G resident that seems quite large 
for apache.

What modules do you have enabled  - even with mod_perl embedded I would not 
want them to go about 500-800M depending on the site of your box.

I know Apache is very good at grabbing memory for each process - but it doesn't 
tend to hand it back - and just keeps it (just in case)

It looks like you either have a memory leak - or the code is collecting too 
much data before squirting it out

There are other setups that you may want to look at if you have large dynamic 
requests and a lot of small static request (images/css/js) where you run two 
web servers - one serving static content and proxying back to dynamic content.

James

-Original Message-
From: James Smith 
Sent: 12 January 2021 09:09
To: users@httpd.apache.org
Subject: RE: [users@httpd] Apache in under attack. [EXT]

Put a firewall rule into block whatever that first IP address is then.

Something like:

firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='X.X.X.X' reject"

If you are seeing a current attack then you can tweak Charles' command line to:

tail -1 access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head

or I often use cut instead of awk..

tail -1 access.log | cut -d ' ' -f 1 | sort | uniq -c | sort -nr | head

-Original Message-
From: Jason Long 
Sent: 12 January 2021 08:53
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache in under attack. [EXT]

It shows me:

13180 X.X.X.X
   1127 X.X.X.X
    346 X.X.X.X
    294 X.X.X.X
    241 X.X.X.X
    169 X.X.X.X
    168 X.X.X.X
    157 X.X.X.X
    155 X.X.X.X
    153 X.X.X.X








On Tuesday, January 12, 2021, 07:12:22 AM GMT+3:30, Bender, Charles 
 wrote: 





Run this against your log file in bash shell

cat access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head

This will show you most frequent IPs, sorted in descending order. Block as 
needed

On 1/11/21, 7:11 PM, "Jason Long"  wrote:

    Can you help me? 
    
    
    
    
    
    
    On Tuesday, January 12, 2021, 03:36:30 AM GMT+3:30, Nick Folino 
 wrote: 
    
    
    
    
    
    Concentrate on just one...
    
    On Mon, Jan 11, 2021 at 7:02 PM Jason Long  
wrote:
    > It is a lot of IP addresses !!!
    >
    >
    >
    >
    >
    >
    > On Tuesday, January 12, 2021, 03:30:02 AM GMT+3:30, Nick Folino 
 wrote: 
    >
    >
    >
    >
    >
    > How to find pattern:
    > Look at log.
    > Find bad things that are similar.
    >
    > Then:
    > Block bad things from reaching web server.
    >
    > On Mon, Jan 11, 2021 at 6:49 PM Jason Long  
wrote:
    >> How to find pattern?
    >> Log show me: 
https://urldefense.proofpoint.com/v2/url?u=https-3A__paste.ubuntu.com_p_MjjVMvRrQc_=DwIFaQ=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo=oH2yp0ge1ecj4oDX0XM7vQ=3PjPryDoNL3lr2gh0F6gLkL-pFWSat8aihqbLnBMag8=iTeaVG53Ne-jiAhMis6h9nlKBdUrWXhIuky31GQhURE=
    >>
    >>
    >>
    >>
    >>
    >>
    >> On Tuesday, January 12, 2021, 03:06:12 AM GMT+3:30, Filipe Cifali 
 wrote: 
    >>
    >>
    >>
    >>
    >>
    >> Yeah it's probably not going to matter if you don't know what's 
attacking you before setting up the rules, you need to find the patterns, 
either the attack target or the attackers origins. 
    >>
    >> On Mon, Jan 11, 2021 at 8:26 PM Jason Long  
wrote:
    >>> I used a rule like:
    >>>
    >>> # firewall-cmd --permanent --zone="public" --add-rich-rule='rule port 
port="80" protocol="tcp" accept limit value="100/s" log prefix="HttpsLimit" 
level="warning" limit value="100/s"'
    >>>
    >>> But not matter.
    >>>
    >>>
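The per-IP counting pipeline quoted in this thread, written out as an added example (not code from any poster) and extended to group clients by /24, for the case where requests come from a range of addresses rather than one IP. The log lines are constructed and use documentation address ranges; the function names and the threshold of 5 are assumptions.

```shell
#!/bin/sh
# Added example. Constructed access-log lines in Apache "common" format;
# the client addresses are documentation ranges, not from the thread.
sample_log() {
cat <<'EOF'
203.0.113.10 - - [12/Jan/2021:09:00:01 +0330] "GET /tag/0a1b2c HTTP/1.1" 200 5120
203.0.113.10 - - [12/Jan/2021:09:00:01 +0330] "GET /tag/0a1b2d HTTP/1.1" 200 5120
203.0.113.10 - - [12/Jan/2021:09:00:02 +0330] "GET /tag/0a1b2e HTTP/1.1" 200 5120
203.0.113.10 - - [12/Jan/2021:09:00:02 +0330] "GET /tag/0a1b2f HTTP/1.1" 200 5120
203.0.113.10 - - [12/Jan/2021:09:00:03 +0330] "GET /tag/0a1b30 HTTP/1.1" 200 5120
203.0.113.10 - - [12/Jan/2021:09:00:03 +0330] "GET /tag/0a1b31 HTTP/1.1" 200 5120
198.51.100.21 - - [12/Jan/2021:09:00:04 +0330] "GET /tag/1f00 HTTP/1.1" 200 5120
198.51.100.22 - - [12/Jan/2021:09:00:04 +0330] "GET /tag/1f01 HTTP/1.1" 200 5120
198.51.100.23 - - [12/Jan/2021:09:00:04 +0330] "GET /tag/1f02 HTTP/1.1" 200 5120
198.51.100.24 - - [12/Jan/2021:09:00:04 +0330] "GET /tag/1f03 HTTP/1.1" 200 5120
198.51.100.21 - - [12/Jan/2021:09:00:05 +0330] "GET /tag/1f04 HTTP/1.1" 200 5120
198.51.100.22 - - [12/Jan/2021:09:00:05 +0330] "GET /tag/1f05 HTTP/1.1" 200 5120
198.51.100.23 - - [12/Jan/2021:09:00:05 +0330] "GET /tag/1f06 HTTP/1.1" 200 5120
198.51.100.24 - - [12/Jan/2021:09:00:05 +0330] "GET /tag/1f07 HTTP/1.1" 200 5120
192.0.2.7 - - [12/Jan/2021:09:00:06 +0330] "GET / HTTP/1.1" 200 2048
192.0.2.7 - - [12/Jan/2021:09:00:06 +0330] "GET /style.css HTTP/1.1" 200 900
2001:db8::5 - - [12/Jan/2021:09:00:07 +0330] "GET / HTTP/1.1" 200 2048
EOF
}

# Requests per client address (field 1), highest count first.
# Same result as: awk '{print $1}' | sort | uniq -c | sort -nr
count_by_ip() {
    awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' |
        sort -k1,1nr -k2,2
}

# Requests per IPv4 /24, highest count first. A first field that is not a
# dotted-quad IPv4 address (an IPv6 client, for example) keeps its own key.
count_by_net24() {
    awk '{
        key = $1
        if ($1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
            split($1, o, ".")
            key = o[1] "." o[2] "." o[3] ".0/24"
        }
        n[key]++
    } END { for (k in n) print n[k], k }' |
        sort -k1,1nr -k2,2
}

# at_least MIN: keep only "count key" rows whose count is >= MIN.
at_least() {
    awk -v min="$1" '$1 + 0 >= min + 0'
}

THRESHOLD=5   # assumed cut-off for this small sample

echo "Per-IP sources at or above $THRESHOLD requests:"
sample_log | count_by_ip | at_least "$THRESHOLD"

echo "Per-/24 sources at or above $THRESHOLD requests:"
sample_log | count_by_net24 | at_least "$THRESHOLD"
```

In the sample, the four 198.51.100.x hosts send two requests each and never appear in the per-IP view, but their /24 is the largest source once the counts are grouped.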

RE: [users@httpd] Apache in under attack. [EXT]

2021-01-12 Thread James Smith
Sometimes we are attacked from a farm of machines so it may have to be an ip 
range that is the issue

-Original Message-
From: James Smith 
Sent: 12 January 2021 10:19
To: 'users@httpd.apache.org' 
Subject: RE: [users@httpd] Apache in under attack. [EXT]

Yes - it is something we need to do when we come under attack at work - as 
often the attacks are not enough to trigger standard intrusion detection (esp 
as our requests can be quite heavy)

-Original Message-
From: Jason Long  
Sent: 12 January 2021 10:07
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache in under attack. [EXT]

System administrators doing it manually???






On Tuesday, January 12, 2021, 01:28:50 PM GMT+3:30, James Smith 
 wrote: 





Rate limiting may work - but the rate may be just slightly too slow for your 
setting - manually doing it is a good thing ...

-Original Message-
From: Jason Long 
Sent: 12 January 2021 09:21
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache in under attack. [EXT]

Thank you, but "Firewalld" or "iptables" can't do it automatically? When an IP 
sending many request then it automatically blocked.






On Tuesday, January 12, 2021, 12:49:50 PM GMT+3:30, James Smith 
 wrote: 





Jason,

I would also query why your process are ~ 1G resident that seems quite large 
for apache.

What modules do you have enabled  - even with mod_perl embedded I would not 
want them to go about 500-800M depending on the site of your box.

I know Apache is very good at grabbing memory for each process - but it doesn't 
tend to hand it back - and just keeps it (just in case)

It looks like you either have a memory leak - or the code is collecting too 
much data before squirting it out

There are other setups that you may want to look at if you have large dynamic 
requests and a lot of small static request (images/css/js) where you run two 
web servers - one serving static content and proxying back to dynamic content.

James

-Original Message-
From: James Smith 
Sent: 12 January 2021 09:09
To: users@httpd.apache.org
Subject: RE: [users@httpd] Apache in under attack. [EXT]

Put a firewall rule into block whatever that first IP address is then.

Something like:

firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='X.X.X.X' reject"

If you are seeing a current attack then you can tweak Charles' command line to:

tail -1 access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head

or I often use cut instead of awk..

tail -1 access.log | cut -d ' ' -f 1 | sort | uniq -c | sort -nr | head

-Original Message-
From: Jason Long 
Sent: 12 January 2021 08:53
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache in under attack. [EXT]

It show me:

13180 X.X.X.X
   1127 X.X.X.X
    346 X.X.X.X
    294 X.X.X.X
    241 X.X.X.X
    169 X.X.X.X
    168 X.X.X.X
    157 X.X.X.X
    155 X.X.X.X
    153 X.X.X.X

On Tuesday, January 12, 2021, 07:12:22 AM GMT+3:30, Bender, Charles wrote:

Run this against your log file in bash shell

cat access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head

This will show you most frequent IPs, sorted in descending order. Block as 
needed

On 1/11/21, 7:11 PM, "Jason Long"  wrote:

    Can you help me?

    On Tuesday, January 12, 2021, 03:36:30 AM GMT+3:30, Nick Folino wrote:

    Concentrate on just one...

    On Mon, Jan 11, 2021 at 7:02 PM Jason Long wrote:
    > It is a lot of IP addresses !!!
    >
    > On Tuesday, January 12, 2021, 03:30:02 AM GMT+3:30, Nick Folino wrote:
    >
    > How to find pattern:
    > Look at log.
    > Find bad things that are similar.
    >
    > Then:
    > Block bad things from reaching web server.
    >
    > On Mon, Jan 11, 2021 at 6:49 PM Jason Long wrote:
    >> How to find pattern?
    >> Log show me: https://paste.ubuntu.com/p/MjjVMvRrQc/
    >>
    >> On Tuesday, January 12, 2021, 03:06:12 AM GMT+3:30, Filipe Cifali wrote:
    >>
    >> Yeah it's probably not going to matter if you don't know what's
    >> attacking you before setting up the rules, you need to find the patterns,
    >> either the attack target or the attackers origins.
    >>
    >> On Mon, Jan 11, 2021 at 8:26 PM Jason Long wrote:
    >>> I used a rule like:
    >>>
    >>> # firewall-cmd --permanent --zone="public" --add-rich-rule='rule port 
port=&q
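
Added example, not part of any message in this thread: the per-address count from Charles' one-liner, extended to the last N lines of the log (the "current attack" case), to a count per first URL path segment for spotting a common target, and to printing (not running) the reject rule quoted above for each IPv4 address over a threshold. The function names, the threshold and the sample log lines are constructed for illustration; the addresses come from documentation ranges.

```shell
#!/bin/sh
# Added example: triage of an Apache access log (common/combined format).
# The sample data is constructed; it is not taken from the thread.

sample_log() {
cat <<'EOF'
203.0.113.20 - - [12/Jan/2021:09:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.20 - - [12/Jan/2021:09:00:01 +0000] "GET /css/site.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Jan/2021:09:00:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jan/2021:09:00:03 +0000] "GET /tag/0a1b2c3d4e5f HTTP/1.1" 200 7300 "-" "-"
198.51.100.7 - - [12/Jan/2021:09:00:03 +0000] "GET /tag/1b2c3d4e5f6a HTTP/1.1" 200 7300 "-" "-"
2001:db8::1 - - [12/Jan/2021:09:00:04 +0000] "-" 408 - "-" "-"
198.51.100.7 - - [12/Jan/2021:09:00:04 +0000] "GET /tag/2c3d4e5f6a7b HTTP/1.1" 200 7300 "-" "-"
203.0.113.20 - - [12/Jan/2021:09:00:05 +0000] "GET /tag/news HTTP/1.1" 200 7300 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jan/2021:09:00:05 +0000] "GET /tag/3d4e5f6a7b8c HTTP/1.1" 200 7300 "-" "-"
192.0.2.9 - - [12/Jan/2021:09:00:06 +0000] "GET /index.html?page=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jan/2021:09:00:06 +0000] "GET /tag/4e5f6a7b8c9d HTTP/1.1" 200 7300 "-" "-"
198.51.100.7 - - [12/Jan/2021:09:00:07 +0000] "GET /tag/5f6a7b8c9d0e HTTP/1.1" 200 7300 "-" "-"
EOF
}

# top_clients FILE [LAST_N]
# Requests per client address, highest first, as "count address".
# With LAST_N > 0 only the newest LAST_N lines are counted.
top_clients() {
    if [ "${2:-0}" -gt 0 ]; then tail -n "$2" "$1"; else cat "$1"; fi |
        awk 'NF { n[$1]++ } END { for (ip in n) print n[ip], ip }' |
        LC_ALL=C sort -k1,1nr -k2,2
}

# top_prefixes FILE
# Requests per first path segment ("/tag/abc" counts as "/tag"), so that a
# flood aimed at one part of the site stands out even when it comes from
# many addresses. Request lines without a path are grouped as "(no path)".
top_prefixes() {
    awk -F'"' 'NF > 1 {
        split($2, req, " ")              # method, URL, protocol
        path = req[2]
        sub(/\?.*/, "", path)            # drop the query string
        if (path !~ /^\//) key = "(no path)"
        else { split(path, seg, "/"); key = "/" seg[2] }
        n[key]++
    } END { for (k in n) print n[k], k }' "$1" |
        LC_ALL=C sort -k1,1nr -k2,2
}

# over_threshold FILE LIMIT [LAST_N]
# Addresses with more than LIMIT requests, one per line.
over_threshold() {
    top_clients "$1" "${3:-0}" | awk -v limit="$2" '$1 > limit { print $2 }'
}

# print_block_rules
# Reads addresses on stdin and PRINTS the reject rule from the thread for
# each one, for review. Entries that are not dotted-quad IPv4 are skipped,
# because the rule is written for family ipv4.
print_block_rules() {
    awk '/^([0-9]+\.)+[0-9]+$/ && split($0, octet, /\./) == 4 {
            printf "firewall-cmd --permanent --add-rich-rule=\"rule family=\047ipv4\047 source address=\047%s\047 reject\"\n", $0
            next
        }
        { print "# skipped (not an IPv4 address): " $0 }'
}

# Demonstration on the constructed log.
log=$(mktemp)
sample_log > "$log"
echo "# requests per client, whole log";    top_clients "$log"
echo "# requests per client, last 4 lines"; top_clients "$log" 4
echo "# requests per first path segment";   top_prefixes "$log"
echo "# rules to review (more than 2 requests)"
over_threshold "$log" 2 | print_block_rules
rm -f "$log"
```
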

RE: [users@httpd] Aw: Re: [users@httpd] Apache in under attack. [EXT]

2021-01-12 Thread James Smith
Another thing to look at is to restart the apache process and see memory usage. 
You can either use top. Or you can use a cron job which emails you the output 
of:

ps -e -o rsz,vsz,sz,cp,cmd | grep apache2 | grep -v grep | sort -k 1 -n

to see if you start or if it grows gradually

-Original Message-
From: Jason Long  
Sent: 12 January 2021 10:01
To: users@httpd.apache.org
Subject: Re: [users@httpd] Aw: Re: [users@httpd] Apache in under attack. [EXT]

I did below rule, but not worked:
# iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset

On Tuesday, January 12, 2021, 01:15:40 PM GMT+3:30, Florian Schwalm wrote:

It can be done with iptables or take a look at fail2ban:
https://security.stackexchange.com/q/35773/213194

On 12.01.21, 10:26, Jason Long wrote:
> Thank you, but "Firewalld" or "iptables" can't do it automatically? When an
> IP sending many request then it automatically blocked.
>
> On Tuesday, January 12, 2021, 12:49:50 PM GMT+3:30, James Smith wrote:
>
> Jason,
> 
> I would also query why your process are ~ 1G resident that seems quite large 
> for apache. 
> 
> What modules do you have enabled  - even with mod_perl embedded I would not 
> want them to go about 500-800M depending on the site of your box. 
> 
> I know Apache is very good at grabbing memory for each process - but it 
> doesn't tend to hand it back - and just keeps it (just in case) 
> 
> It looks like you either have a memory leak - or the code is collecting too 
> much data before squirting it out 
> 
> There are other setups that you may want to look at if you have large dynamic 
> requests and a lot of small static request (images/css/js) where you run two 
> web servers - one serving static content and proxying back to dynamic 
> content. 
> 
> James 
> 
> -----Original Message----- 
> From: James Smith  
> Sent: 12 January 2021 09:09 
> To: users@httpd.apache.org 
> Subject: RE: [users@httpd] Apache in under attack. [EXT] 
> 
> Put a firewall rule into block whatever that first IP address is then. 
> 
> Something like: 
> 
> firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='X.X.X.X' reject"
> 
> If you are seeing a current attack then you can tweak Charles' command line 
> to: 
> 
> tail -1 access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head 
> 
> or I often use cut instead of awk.. 
> 
> tail -1 access.log | cut -d ' ' -f 1 | sort | uniq -c | sort -nr | head 
> 
> -Original Message- 
> From: Jason Long  
> Sent: 12 January 2021 08:53 
> To: users@httpd.apache.org 
> Subject: Re: [users@httpd] Apache in under attack. [EXT] 
> 
> It show me: 
> 
> 13180 X.X.X.X 
>    1127 X.X.X.X 
>     346 X.X.X.X 
>     294 X.X.X.X 
>     241 X.X.X.X 
>     169 X.X.X.X 
>     168 X.X.X.X 
>     157 X.X.X.X 
>     155 X.X.X.X 
>     153 X.X.X.X
>
> On Tuesday, January 12, 2021, 07:12:22 AM GMT+3:30, Bender, Charles wrote:
>
> Run this against your log file in bash shell
> 
> cat access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head 
> 
> This will show you most frequent IPs, sorted in descending order. Block as 
> needed 
> 
> On 1/11/21, 7:11 PM, "Jason Long"  wrote: 
> 
>     Can you help me?
>
>     On Tuesday, January 12, 2021, 03:36:30 AM GMT+3:30, Nick Folino wrote:
>
>     Concentrate on just one...
>
>     On Mon, Jan 11, 2021 at 7:02 PM Jason Long wrote:
>     > It is a lot of IP addresses !!!
>     >
>     > On Tuesday, January 12, 2021, 03:30:02 AM GMT+3:30, Nick Folino wrote:
>     >
>     > How to find pattern:
>     > Look at log.
>     > Find bad things that are similar.
>     >
>     > Then:
>     > Block bad things from reaching web server.
>     >
>     > On Mon, Jan 11, 2021 at 6:49 PM Jason Long wrote:
>     >> How to find pattern?
>     >> Log show me: 
> https://urldefense.proofpoint.com/v2/url?u=https-3A__paste.ubuntu.com_p_MjjVMvRrQc_=DwIFaQ=D7ByGjS34All
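
Added example, not part of any message in this thread: one way to answer the question in the message above, whether the workers start out large or grow gradually, by comparing a ps snapshot taken right after a restart with one taken later. It assumes a pid column is added to the ps column list so that workers can be matched between snapshots; the snapshot data is constructed, and the 800 MiB per-worker limit and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example: compare two snapshots of web server worker memory.
# Snapshot shape: ps -e -o pid,rsz,cmd     (rsz = resident set size in KiB)
# The worker process is named httpd on CentOS and apache2 on Debian/Ubuntu,
# so the default pattern accepts both. All data below is constructed.

snapshot_after_restart() {
cat <<'EOF'
  PID     RSZ CMD
 2001   41200 /usr/sbin/httpd -DFOREGROUND
 2002   39800 /usr/sbin/httpd -DFOREGROUND
 2003   40100 /usr/sbin/httpd -DFOREGROUND
 2950    9100 sshd: admin
EOF
}

snapshot_later() {
cat <<'EOF'
  PID     RSZ CMD
 2001  612400 /usr/sbin/httpd -DFOREGROUND
 2002   41000 /usr/sbin/httpd -DFOREGROUND
 2003 1048900 /usr/sbin/httpd -DFOREGROUND
 2004   40500 /usr/sbin/httpd -DFOREGROUND
 2950    9100 sshd: admin
EOF
}

# rss_growth BEFORE AFTER [PATTERN]
# Per-worker change between two snapshot files, largest growth first, as
# "pid before_kib after_kib delta_kib". A worker that only exists in AFTER
# is printed with "-" as its earlier size and a delta of 0.
rss_growth() {
    awk -v pat="${3:-httpd|apache2}" '
        FNR == 1        { next }                          # ps header line
        $3 !~ pat       { next }                          # not a web server process
        NR == FNR       { before[$1] = $2; next }         # first file: remember RSS
        !($1 in before) { print $1, "-", $2, 0; next }    # worker started later
                        { print $1, before[$1], $2, $2 - before[$1] }
    ' "$1" "$2" | LC_ALL=C sort -k4,4nr -k1,1n
}

# oversized SNAPSHOT [LIMIT_MIB] [PATTERN]
# Pids of workers whose resident size exceeds LIMIT_MIB (default 800).
oversized() {
    awk -v pat="${3:-httpd|apache2}" -v limit="$(( ${2:-800} * 1024 ))" '
        FNR > 1 && $3 ~ pat && $2 + 0 > limit + 0 { print $1 }' "$1"
}

# classify BEFORE AFTER [LIMIT_MIB]
# large-at-start  : a worker is over the limit straight after the restart
# grows-over-time : workers start under the limit and cross it later
# within-limit    : no worker is over the limit in either snapshot
classify() {
    if [ -n "$(oversized "$1" "${3:-800}")" ]; then
        echo "large-at-start"
    elif [ -n "$(oversized "$2" "${3:-800}")" ]; then
        echo "grows-over-time"
    else
        echo "within-limit"
    fi
}

# Demonstration on the constructed snapshots.
before=$(mktemp); after=$(mktemp)
snapshot_after_restart > "$before"
snapshot_later > "$after"
echo "# pid before_kib after_kib delta_kib"; rss_growth "$before" "$after"
echo "# workers over 800 MiB in the later snapshot"; oversized "$after"
echo "# verdict"; classify "$before" "$after"
rm -f "$before" "$after"
```
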

RE: [users@httpd] Apache in under attack. [EXT]

2021-01-12 Thread James Smith
That's one shed load of modules - when I run it on my dev server I have - you 
should really go through the modules and work out which ones you are actually 
using:

Loaded Modules:
 core_module (static)
 so_module (static)
 watchdog_module (static)
 http_module (static)
 log_config_module (static)
 logio_module (static)
 version_module (static)
 unixd_module (static)
 alias_module (shared)
 apreq_module (shared)
 auth_basic_module (shared)
 authn_core_module (shared)
 authn_file_module (shared)
 authz_core_module (shared)
 authz_groupfile_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 cgi_module (shared)
 dir_module (shared)
 env_module (shared)
 expires_module (shared)
 filter_module (shared)
 headers_module (shared)
 include_module (shared)
 mime_module (shared)
 mpm_prefork_module (shared)
 perl_module (shared)
 php7_module (shared)
 proxy_module (shared)
 proxy_ftp_module (shared)
 proxy_http_module (shared)
 rewrite_module (shared)
 setenvif_module (shared)
 status_module (shared)

-Original Message-
From: Jason Long  
Sent: 12 January 2021 10:06
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache in under attack. [EXT]

Modules are:
https://paste.ubuntu.com/p/DJSWpSP7xZ/

On Tuesday, January 12, 2021, 01:26:48 PM GMT+3:30, James Smith wrote:

Can't see anything that should blow up like that to be honest - I usually use
ubuntu - which configures apache in a much, much nicer way {generally for web 
development stuff it is a better flavour of linux}

What is the output of:

apache2 -t -D DUMP_MODULES

to see what modules you have installed

-Original Message-
From: Jason Long  
Sent: 12 January 2021 09:43
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache in under attack. [EXT]

Apache configuration is:
https://paste.ubuntu.com/p/RTC2WWMdYH/

And "www.conf" is:
https://paste.ubuntu.com/p/S9q5Kwpfcc/

And other settings:
https://paste.ubuntu.com/p/NydSyZghJ8/

Which one is not OK?

On Tuesday, January 12, 2021, 12:23:52 PM GMT+3:30, Jason Long wrote:

It show me:

13180 X.X.X.X
   1127 X.X.X.X 
    346 X.X.X.X 
    294 X.X.X.X 
    241 X.X.X.X 
    169 X.X.X.X 
    168 X.X.X.X
    157 X.X.X.X
    155 X.X.X.X
    153 X.X.X.X

On Tuesday, January 12, 2021, 07:12:22 AM GMT+3:30, Bender, Charles wrote:

Run this against your log file in bash shell

cat access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head

This will show you most frequent IPs, sorted in descending order. Block as 
needed

On 1/11/21, 7:11 PM, "Jason Long"  wrote:

    Can you help me?

    On Tuesday, January 12, 2021, 03:36:30 AM GMT+3:30, Nick Folino wrote:

    Concentrate on just one...

    On Mon, Jan 11, 2021 at 7:02 PM Jason Long wrote:
    > It is a lot of IP addresses !!!
    >
    > On Tuesday, January 12, 2021, 03:30:02 AM GMT+3:30, Nick Folino wrote:
    >
    > How to find pattern:
    > Look at log.
    > Find bad things that are similar.
    >
    > Then:
    > Block bad things from reaching web server.
    >
    > On Mon, Jan 11, 2021 at 6:49 PM Jason Long wrote:
    >> How to find pattern?
    >> Log show me: https://paste.ubuntu.com/p/MjjVMvRrQc/
    >>
    >> On Tuesday, January 12, 2021, 03:06:12 AM GMT+3:30, Filipe Cifali wrote:
    >>
    >> Yeah it's probably not going to matter if you don't know what's
    >> attacking you before setting up the rules, you need to find the patterns,
    >> either the attack target or the attackers origins.
    >> 
    >> On Mon, Jan 11, 2021 at 8:26 PM Jason 

Re: [users@httpd] Apache in under attack. [EXT]

2021-01-12 Thread Jason Long
System administrators doing it manually???

On Tuesday, January 12, 2021, 01:28:50 PM GMT+3:30, James Smith wrote:

Rate limiting may work - but the rate may be just slightly too slow for your
setting - manually doing it is a good thing ...

-Original Message-
From: Jason Long  
Sent: 12 January 2021 09:21
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache in under attack. [EXT]

Thank you, but "Firewalld" or "iptables" can't do it automatically? When an IP
sending many request then it automatically blocked.

On Tuesday, January 12, 2021, 12:49:50 PM GMT+3:30, James Smith wrote:

Jason,

I would also query why your process are ~ 1G resident that seems quite large 
for apache.

What modules do you have enabled  - even with mod_perl embedded I would not 
want them to go about 500-800M depending on the site of your box.

I know Apache is very good at grabbing memory for each process - but it doesn't 
tend to hand it back - and just keeps it (just in case)

It looks like you either have a memory leak - or the code is collecting too 
much data before squirting it out

There are other setups that you may want to look at if you have large dynamic 
requests and a lot of small static request (images/css/js) where you run two 
web servers - one serving static content and proxying back to dynamic content.

James

-Original Message-
From: James Smith 
Sent: 12 January 2021 09:09
To: users@httpd.apache.org
Subject: RE: [users@httpd] Apache in under attack. [EXT]

Put a firewall rule into block whatever that first IP address is then.

Something like:

firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='X.X.X.X' reject"

If you are seeing a current attack then you can tweak Charles' command line to:

tail -1 access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head

or I often use cut instead of awk..

tail -1 access.log | cut -d ' ' -f 1 | sort | uniq -c | sort -nr | head

-Original Message-
From: Jason Long 
Sent: 12 January 2021 08:53
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache in under attack. [EXT]

It show me:

13180 X.X.X.X
   1127 X.X.X.X
    346 X.X.X.X
    294 X.X.X.X
    241 X.X.X.X
    169 X.X.X.X
    168 X.X.X.X
    157 X.X.X.X
    155 X.X.X.X
    153 X.X.X.X

On Tuesday, January 12, 2021, 07:12:22 AM GMT+3:30, Bender, Charles wrote:

Run this against your log file in bash shell

cat access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head

This will show you most frequent IPs, sorted in descending order. Block as 
needed

On 1/11/21, 7:11 PM, "Jason Long"  wrote:

    Can you help me?

    On Tuesday, January 12, 2021, 03:36:30 AM GMT+3:30, Nick Folino wrote:

    Concentrate on just one...

    On Mon, Jan 11, 2021 at 7:02 PM Jason Long wrote:
    > It is a lot of IP addresses !!!
    >
    > On Tuesday, January 12, 2021, 03:30:02 AM GMT+3:30, Nick Folino wrote:
    >
    > How to find pattern:
    > Look at log.
    > Find bad things that are similar.
    >
    > Then:
    > Block bad things from reaching web server.
    >
    > On Mon, Jan 11, 2021 at 6:49 PM Jason Long wrote:
    >> How to find pattern?
    >> Log show me: https://paste.ubuntu.com/p/MjjVMvRrQc/
    >>
    >> On Tuesday, January 12, 2021, 03:06:12 AM GMT+3:30, Filipe Cifali wrote:
    >>
    >> Yeah it's probably not going to matter if you don't know what's
    >> attacking you before setting up the rules, you need to find the patterns,
    >> either the attack target or the attackers origins.
    >>
    >> On Mon, Jan 11, 2021 at 8:26 PM Jason Long wrote:
    >>> I used a rule like:
    >>>
    >>> # firewall-cmd --permanent --zone="public" --add-rich-rule='rule port port="80" protocol="tcp" accept limit value="100/s" log prefix="HttpsLimit" level="warning" limit value="100/s"'
    >>>
    >>> But not matter.
    >>>
    >>> On Tuesday, January 12, 2021, 02:47:01 AM GMT+3:30, Filipe Cifali wrote:
    >>>
    >>> You need to investigate your logs and find common patterns there, also 
there are diffe

Re: [users@httpd] Apache in under attack. [EXT]

2021-01-12 Thread Jason Long
Modules are:
https://paste.ubuntu.com/p/DJSWpSP7xZ/

On Tuesday, January 12, 2021, 01:26:48 PM GMT+3:30, James Smith wrote:

Can't see anything that should blow up like that to be honest - I usually use
ubuntu - which configures apache in a much, much nicer way {generally for web 
development stuff it is a better flavour of linux}

What is the output of:

apache2 -t -D DUMP_MODULES

to see what modules you have installed

-Original Message-
From: Jason Long  
Sent: 12 January 2021 09:43
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache in under attack. [EXT]

Apache configuration is:
https://paste.ubuntu.com/p/RTC2WWMdYH/

And "www.conf" is:
https://paste.ubuntu.com/p/S9q5Kwpfcc/

And other settings:
https://paste.ubuntu.com/p/NydSyZghJ8/

Which one is not OK?

On Tuesday, January 12, 2021, 12:23:52 PM GMT+3:30, Jason Long wrote:

It show me:

13180 X.X.X.X
   1127 X.X.X.X 
    346 X.X.X.X 
    294 X.X.X.X 
    241 X.X.X.X 
    169 X.X.X.X 
    168 X.X.X.X
    157 X.X.X.X
    155 X.X.X.X
    153 X.X.X.X

On Tuesday, January 12, 2021, 07:12:22 AM GMT+3:30, Bender, Charles wrote:

Run this against your log file in bash shell

cat access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head

This will show you most frequent IPs, sorted in descending order. Block as 
needed

On 1/11/21, 7:11 PM, "Jason Long"  wrote:

    Can you help me?

    On Tuesday, January 12, 2021, 03:36:30 AM GMT+3:30, Nick Folino wrote:

    Concentrate on just one...

    On Mon, Jan 11, 2021 at 7:02 PM Jason Long wrote:
    > It is a lot of IP addresses !!!
    >
    > On Tuesday, January 12, 2021, 03:30:02 AM GMT+3:30, Nick Folino wrote:
    >
    > How to find pattern:
    > Look at log.
    > Find bad things that are similar.
    >
    > Then:
    > Block bad things from reaching web server.
    >
    > On Mon, Jan 11, 2021 at 6:49 PM Jason Long wrote:
    >> How to find pattern?
    >> Log show me: https://paste.ubuntu.com/p/MjjVMvRrQc/
    >>
    >> On Tuesday, January 12, 2021, 03:06:12 AM GMT+3:30, Filipe Cifali wrote:
    >>
    >> Yeah it's probably not going to matter if you don't know what's
    >> attacking you before setting up the rules, you need to find the patterns,
    >> either the attack target or the attackers origins.
    >>
    >> On Mon, Jan 11, 2021 at 8:26 PM Jason Long wrote:
    >>> I used a rule like:
    >>>
    >>> # firewall-cmd --permanent --zone="public" --add-rich-rule='rule port port="80" protocol="tcp" accept limit value="100/s" log prefix="HttpsLimit" level="warning" limit value="100/s"'
    >>>
    >>> But not matter.
    >>>
    >>> On Tuesday, January 12, 2021, 02:47:01 AM GMT+3:30, Filipe Cifali wrote:
    >>>
    >>> You need to investigate your logs and find common patterns there, also
    >>> there are different tools to handle small and big workloads like you could use
    >>> iptables/nftables to block based on patterns and number of requests.
    >>>
    >>> On Mon, Jan 11, 2021 at 8:06 PM Jason Long wrote:
    >>>> Hello,
    >>>> On a CentOS web server with Apache, someone make a lot of request and
    >>>> it make slowing server. when I disable "httpd" service then problem solve. How
    >>>> can I find who made a lot of request?
    >>>> 
[url]https://urldefense.proofpoint.com/v2/url?u=https-3A__imgur.com

Re: [users@httpd] Aw: Re: [users@httpd] Apache in under attack. [EXT]

2021-01-12 Thread Jason Long
I did below rule, but not worked:
# iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset

On Tuesday, January 12, 2021, 01:15:40 PM GMT+3:30, Florian Schwalm wrote:

It can be done with iptables or take a look at fail2ban:
https://security.stackexchange.com/q/35773/213194

On 12.01.21, 10:26, Jason Long wrote:
> Thank you, but "Firewalld" or "iptables" can't do it automatically? When an
> IP sending many request then it automatically blocked.
>
> On Tuesday, January 12, 2021, 12:49:50 PM GMT+3:30, James Smith wrote:
>
> Jason,
> 
> I would also query why your process are ~ 1G resident that seems quite large 
> for apache. 
> 
> What modules do you have enabled  - even with mod_perl embedded I would not 
> want them to go about 500-800M depending on the site of your box. 
> 
> I know Apache is very good at grabbing memory for each process - but it 
> doesn't tend to hand it back - and just keeps it (just in case) 
> 
> It looks like you either have a memory leak - or the code is collecting too 
> much data before squirting it out 
> 
> There are other setups that you may want to look at if you have large dynamic 
> requests and a lot of small static request (images/css/js) where you run two 
> web servers - one serving static content and proxying back to dynamic 
> content. 
> 
> James 
> 
> -----Original Message----- 
> From: James Smith  
> Sent: 12 January 2021 09:09 
> To: users@httpd.apache.org 
> Subject: RE: [users@httpd] Apache in under attack. [EXT] 
> 
> Put a firewall rule into block whatever that first IP address is then. 
> 
> Something like: 
> 
> firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='X.X.X.X' reject"
> 
> If you are seeing a current attack then you can tweak Charles' command line 
> to: 
> 
> tail -1 access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head 
> 
> or I often use cut instead of awk.. 
> 
> tail -1 access.log | cut -d ' ' -f 1 | sort | uniq -c | sort -nr | head 
> 
> -Original Message- 
> From: Jason Long  
> Sent: 12 January 2021 08:53 
> To: users@httpd.apache.org 
> Subject: Re: [users@httpd] Apache in under attack. [EXT] 
> 
> It show me: 
> 
> 13180 X.X.X.X 
>    1127 X.X.X.X 
>     346 X.X.X.X 
>     294 X.X.X.X 
>     241 X.X.X.X 
>     169 X.X.X.X 
>     168 X.X.X.X 
>     157 X.X.X.X 
>     155 X.X.X.X 
>     153 X.X.X.X
>
> On Tuesday, January 12, 2021, 07:12:22 AM GMT+3:30, Bender, Charles wrote:
>
> Run this against your log file in bash shell
> 
> cat access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head 
> 
> This will show you most frequent IPs, sorted in descending order. Block as 
> needed 
> 
> On 1/11/21, 7:11 PM, "Jason Long"  wrote: 
> 
>     Can you help me?
>
>     On Tuesday, January 12, 2021, 03:36:30 AM GMT+3:30, Nick Folino wrote:
>
>     Concentrate on just one...
>
>     On Mon, Jan 11, 2021 at 7:02 PM Jason Long wrote:
>     > It is a lot of IP addresses !!!
>     >
>     > On Tuesday, January 12, 2021, 03:30:02 AM GMT+3:30, Nick Folino wrote:
>     >
>     > How to find pattern:
>     > Look at log.
>     > Find bad things that are similar.
>     >
>     > Then:
>     > Block bad things from reaching web server.
>     >
>     > On Mon, Jan 11, 2021 at 6:49 PM Jason Long wrote:
>     >> How to find pattern?
>     >> Log show me: https://paste.ubuntu.com/p/MjjVMvRrQc/
>     >>
>     >> On Tuesday, January 12, 2021, 03:06:12 AM GMT+3:30, Filipe Cifali wrote:
>     >>
>     >> Yeah it's probably not going to matter if you don't know what's 
> attacking you before setting up the rules, you need to find the patterns, 
> either the attack target or the attackers origin

RE: [users@httpd] Apache in under attack. [EXT]

2021-01-12 Thread James Smith
Rate limiting may work - but the rate may be just slightly too slow for your
setting - manually doing it is a good thing ...

-Original Message-
From: Jason Long  
Sent: 12 January 2021 09:21
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache in under attack. [EXT]

Thank you, but "Firewalld" or "iptables" can't do it automatically? When an IP
sending many request then it automatically blocked.

On Tuesday, January 12, 2021, 12:49:50 PM GMT+3:30, James Smith wrote:

Jason,

I would also query why your process are ~ 1G resident that seems quite large 
for apache.

What modules do you have enabled  - even with mod_perl embedded I would not 
want them to go about 500-800M depending on the site of your box.

I know Apache is very good at grabbing memory for each process - but it doesn't 
tend to hand it back - and just keeps it (just in case)

It looks like you either have a memory leak - or the code is collecting too 
much data before squirting it out

There are other setups that you may want to look at if you have large dynamic 
requests and a lot of small static request (images/css/js) where you run two 
web servers - one serving static content and proxying back to dynamic content.

James

-Original Message-
From: James Smith 
Sent: 12 January 2021 09:09
To: users@httpd.apache.org
Subject: RE: [users@httpd] Apache in under attack. [EXT]

Put a firewall rule into block whatever that first IP address is then.

Something like:

firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='X.X.X.X' reject"

If you are seeing a current attack then you can tweak Charles' command line to:

tail -1 access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head

or I often use cut instead of awk..

tail -1 access.log | cut -d ' ' -f 1 | sort | uniq -c | sort -nr | head

-Original Message-
From: Jason Long 
Sent: 12 January 2021 08:53
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache in under attack. [EXT]

It show me:

13180 X.X.X.X
   1127 X.X.X.X
    346 X.X.X.X
    294 X.X.X.X
    241 X.X.X.X
    169 X.X.X.X
    168 X.X.X.X
    157 X.X.X.X
    155 X.X.X.X
    153 X.X.X.X

On Tuesday, January 12, 2021, 07:12:22 AM GMT+3:30, Bender, Charles wrote:

Run this against your log file in bash shell

cat access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head

This will show you most frequent IPs, sorted in descending order. Block as 
needed

On 1/11/21, 7:11 PM, "Jason Long"  wrote:

    Can you help me?

    On Tuesday, January 12, 2021, 03:36:30 AM GMT+3:30, Nick Folino wrote:

    Concentrate on just one...

    On Mon, Jan 11, 2021 at 7:02 PM Jason Long wrote:
    > It is a lot of IP addresses !!!
    >
    > On Tuesday, January 12, 2021, 03:30:02 AM GMT+3:30, Nick Folino wrote:
    >
    > How to find pattern:
    > Look at log.
    > Find bad things that are similar.
    >
    > Then:
    > Block bad things from reaching web server.
    >
    > On Mon, Jan 11, 2021 at 6:49 PM Jason Long wrote:
    >> How to find pattern?
    >> Log show me: https://paste.ubuntu.com/p/MjjVMvRrQc/
    >>
    >> On Tuesday, January 12, 2021, 03:06:12 AM GMT+3:30, Filipe Cifali wrote:
    >>
    >> Yeah it's probably not going to matter if you don't know what's
    >> attacking you before setting up the rules, you need to find the patterns,
    >> either the attack target or the attackers origins.
    >>
    >> On Mon, Jan 11, 2021 at 8:26 PM Jason Long wrote:
    >>> I used a rule like:
    >>>
    >>> # firewall-cmd --permanent --zone="public" --add-rich-rule='rule port port="80" protocol="tcp" accept limit value="100/s" log prefix="HttpsLimit" level="warning" limit value="100/s"'
    >>>
    >>> But not matter.
    >>>
    >>> On Tuesday, January 12, 2021, 02:47:01 AM GMT+3:30, Filipe Cifali wrote:
    >>>
    >>> You need to investigate your logs and find common patterns there, also 
there are different tools to handle small and big workloads like you could use 
iptables/nftables to block based on patterns and number of re

RE: [users@httpd] Apache in under attack. [EXT]

2021-01-12 Thread James Smith
Can't see anything that should blow up like that to be honest - I usually use 
ubuntu - which configures apache in a much, much nicer way {generally for web 
development stuff it is a better flavour of linux}

What is the output of:

apache2 -t -D DUMP_MODULES

to see what modules you have installed

-Original Message-
From: Jason Long  
Sent: 12 January 2021 09:43
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache in under attack. [EXT]

Apache configuration is:
https://paste.ubuntu.com/p/RTC2WWMdYH/

And "www.conf" is:
https://paste.ubuntu.com/p/S9q5Kwpfcc/

And other settings:
https://paste.ubuntu.com/p/NydSyZghJ8/

Which one is not OK?

On Tuesday, January 12, 2021, 12:23:52 PM GMT+3:30, Jason Long wrote:

It show me:

13180 X.X.X.X
   1127 X.X.X.X 
    346 X.X.X.X 
    294 X.X.X.X 
    241 X.X.X.X 
    169 X.X.X.X 
    168 X.X.X.X
    157 X.X.X.X
    155 X.X.X.X
    153 X.X.X.X

On Tuesday, January 12, 2021, 07:12:22 AM GMT+3:30, Bender, Charles wrote:

Run this against your log file in bash shell

cat access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head

This will show you most frequent IPs, sorted in descending order. Block as 
needed

On 1/11/21, 7:11 PM, "Jason Long"  wrote:

    Can you help me?

    On Tuesday, January 12, 2021, 03:36:30 AM GMT+3:30, Nick Folino wrote:

    Concentrate on just one...

    On Mon, Jan 11, 2021 at 7:02 PM Jason Long wrote:
    > It is a lot of IP addresses !!!
    >
    > On Tuesday, January 12, 2021, 03:30:02 AM GMT+3:30, Nick Folino wrote:
    >
    > How to find pattern:
    > Look at log.
    > Find bad things that are similar.
    >
    > Then:
    > Block bad things from reaching web server.
    >
    > On Mon, Jan 11, 2021 at 6:49 PM Jason Long wrote:
    >> How to find pattern?
    >> Log show me: 
https://urldefense.proofpoint.com/v2/url?u=https-3A__paste.ubuntu.com_p_MjjVMvRrQc_=DwIFaQ=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo=oH2yp0ge1ecj4oDX0XM7vQ=lEeMNZprno3dAD_-vQP5HrFJEcj8DIYk1YvwqbfSOoI=pLIjlRP7JUm_jEPmNULbyhTpZMfuLrh5r0lK7t7Wn7g=
 
    >>
    >> On Tuesday, January 12, 2021, 03:06:12 AM GMT+3:30, Filipe Cifali wrote:
    >>
    >> Yeah it's probably not going to matter if you don't know what's attacking you before setting up the rules, you need to find the patterns, either the attack target or the attackers origins.
    >>
    >> On Mon, Jan 11, 2021 at 8:26 PM Jason Long wrote:
    >>> I used a rule like:
    >>>
    >>> # firewall-cmd --permanent --zone="public" --add-rich-rule='rule port port="80" protocol="tcp" accept limit value="100/s" log prefix="HttpsLimit" level="warning" limit value="100/s"'
    >>>
    >>> But not matter.
    >>>
    >>> On Tuesday, January 12, 2021, 02:47:01 AM GMT+3:30, Filipe Cifali wrote:
    >>>
    >>> You need to investigate your logs and find common patterns there, also there are different tools to handle small and big workloads like you could use iptables/nftables to block based on patterns and number of requests.
    >>>
    >>> On Mon, Jan 11, 2021 at 8:06 PM Jason Long wrote:
    >>>> Hello,
    >>>> On a CentOS web server with Apache, someone make a lot of request and it make slowing server. when I disable "httpd" service then problem solve. How can I find who made a lot of request?
    >>>> 
[url]https://urldefense.proofpoint.com/v2/url?u=https-3A__imgur.com_O33g3ql-5B_url-5D=DwIFaQ=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo=oH2yp0ge1ecj4oDX0XM7vQ=lEeMNZprno3

Re: [users@httpd] Apache in under attack.

2021-01-12 Thread Jason Long
Apache configuration is:
https://paste.ubuntu.com/p/RTC2WWMdYH/

And "www.conf" is:
https://paste.ubuntu.com/p/S9q5Kwpfcc/

And other settings:
https://paste.ubuntu.com/p/NydSyZghJ8/

Which one is not OK?

On Tuesday, January 12, 2021, 12:23:52 PM GMT+3:30, Jason Long wrote:

It show me:

13180 X.X.X.X
   1127 X.X.X.X 
    346 X.X.X.X 
    294 X.X.X.X 
    241 X.X.X.X 
    169 X.X.X.X 
    168 X.X.X.X
    157 X.X.X.X
    155 X.X.X.X
    153 X.X.X.X

On Tuesday, January 12, 2021, 07:12:22 AM GMT+3:30, Bender, Charles wrote:

Run this against your log file in bash shell

cat access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head

This will show you most frequent IPs, sorted in descending order. Block as 
needed

On 1/11/21, 7:11 PM, "Jason Long"  wrote:

    Can you help me?

    On Tuesday, January 12, 2021, 03:36:30 AM GMT+3:30, Nick Folino wrote:

    Concentrate on just one...

    On Mon, Jan 11, 2021 at 7:02 PM Jason Long wrote:
    > It is a lot of IP addresses !!!
    >
    > On Tuesday, January 12, 2021, 03:30:02 AM GMT+3:30, Nick Folino wrote:
    >
    > How to find pattern:
    > Look at log.
    > Find bad things that are similar.
    >
    > Then:
    > Block bad things from reaching web server.
    >
    > On Mon, Jan 11, 2021 at 6:49 PM Jason Long wrote:
    >> How to find pattern?
    >> Log show me: https://paste.ubuntu.com/p/MjjVMvRrQc/
    >>
    >> On Tuesday, January 12, 2021, 03:06:12 AM GMT+3:30, Filipe Cifali wrote:
    >>
    >> Yeah it's probably not going to matter if you don't know what's attacking you before setting up the rules, you need to find the patterns, either the attack target or the attackers origins.
    >>
    >> On Mon, Jan 11, 2021 at 8:26 PM Jason Long wrote:
    >>> I used a rule like:
    >>>
    >>> # firewall-cmd --permanent --zone="public" --add-rich-rule='rule port port="80" protocol="tcp" accept limit value="100/s" log prefix="HttpsLimit" level="warning" limit value="100/s"'
    >>>
    >>> But not matter.
    >>>
    >>> On Tuesday, January 12, 2021, 02:47:01 AM GMT+3:30, Filipe Cifali wrote:
    >>>
    >>> You need to investigate your logs and find common patterns there, also there are different tools to handle small and big workloads like you could use iptables/nftables to block based on patterns and number of requests.
    >>>
    >>> On Mon, Jan 11, 2021 at 8:06 PM Jason Long wrote:
    >>>> Hello,
    >>>> On a CentOS web server with Apache, someone make a lot of request and it make slowing server. when I disable "httpd" service then problem solve. How can I find who made a lot of request?
    >>>> [url]https://imgur.com/O33g3ql[/url]
    >>>> Any idea to solve it?
    >>>>
    >>>> Thank you.
     
    >>> -- 
    >>> [ ]'s
    >>> 
    >>> Filipe Cifali Stangler

    >> -- 
    >> [ ]'s
    >> 
    >> Filipe Cifali Stangler



[users@httpd] Aw: Re: [users@httpd] Apache in under attack. [EXT]

2021-01-12 Thread Florian Schwalm



 
 It can be done with iptables or take a look at fail2ban: https://security.stackexchange.com/q/35773/213194

 On 12.01.21, 10:26, Jason Long wrote:

  Thank you, but "Firewalld" or "iptables" can't do it automatically? When an IP sending many request then it automatically blocked.

   On Tuesday, January 12, 2021, 12:49:50 PM GMT+3:30, James Smith wrote:
   
   Jason,
   
   I would also query why your process are ~ 1G resident that seems quite large for apache.
   
   What modules do you have enabled  - even with mod_perl embedded I would not want them to go about 500-800M depending on the site of your box.
   
   I know Apache is very good at grabbing memory for each process - but it doesn't tend to hand it back - and just keeps it (just in case)
   
   It looks like you either have a memory leak - or the code is collecting too much data before squirting it out
   
   There are other setups that you may want to look at if you have large dynamic requests and a lot of small static request (images/css/js) where you run two web servers - one serving static content and proxying back to dynamic content.
   
   James
   
   -Original Message-
   From: James Smith  
   Sent: 12 January 2021 09:09
   To: users@httpd.apache.org
   Subject: RE: [users@httpd] Apache in under attack. [EXT]
   
   Put a firewall rule into block whatever that first IP address is then.
   
   Something like:
   
   firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='X.X.X.X' reject"
   
   If you are seeing a current attack then you can tweak Charles' command line to:
   
   tail -1 access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head
   
   or I often use cut instead of awk..
   
   tail -1 access.log | cut -d ' ' -f 1 | sort | uniq -c | sort -nr | head
   
   -Original Message-
   From: Jason Long 
   Sent: 12 January 2021 08:53
   To: users@httpd.apache.org
   Subject: Re: [users@httpd] Apache in under attack. [EXT]
   
   It show me:
   
   13180 X.X.X.X
      1127 X.X.X.X
       346 X.X.X.X
       294 X.X.X.X
       241 X.X.X.X
       169 X.X.X.X
       168 X.X.X.X
       157 X.X.X.X
       155 X.X.X.X
       153 X.X.X.X

   On Tuesday, January 12, 2021, 07:12:22 AM GMT+3:30, Bender, Charles wrote:
   
   Run this against your log file in bash shell
   
   cat access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head
   
   This will show you most frequent IPs, sorted in descending order. Block as needed
   
   On 1/11/21, 7:11 PM, "Jason Long"  wrote:
   
       Can you help me?

       On Tuesday, January 12, 2021, 03:36:30 AM GMT+3:30, Nick Folino wrote:

       Concentrate on just one...

       On Mon, Jan 11, 2021 at 7:02 PM Jason Long wrote:
       > It is a lot of IP addresses !!!
       >
       > On Tuesday, January 12, 2021, 03:30:02 AM GMT+3:30, Nick Folino wrote:
       >
       > How to find pattern:
       > Look at log.
       > Find bad things that are similar.
       >
       > Then:
       > Block bad things from reaching web server.
       >
       > On Mon, Jan 11, 2021 at 6:49 PM Jason Long  wrote:
       >> How to find pattern?
       >> Log show me: https://urldefense.proofpoint.com/v2/url?u=https-3A__paste.ubuntu.com_p_MjjVMvRrQc_=DwIFaQ=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo=oH2yp0ge1ecj4oDX0XM7vQ=3PjPryDoNL3lr2gh0F6gLkL-pFWSat8aihqbLnBMag8=iTeaVG53Ne-jiAhMis6h9nlKBdUrWXhIuky31GQhURE=
       >>
       >> On Tuesday, January 12, 2021, 03:06:12 AM GMT+3:30, Filipe Cifali wrote:
       >>
       >> Yeah it's probably not going to matter if you don't know what's attacking you before setting up the rules, you need to find the patterns, either the attack target or the attackers origins. 
       >>
       >> On Mon, Jan 11, 2021 at 8:26 PM Jason Long  wrote:
       >>> I used a rule like:
       >>>
       >>> # firewall-cmd --permanent --zone="public" --add-rich-rule='rule port port="80" protocol="tcp" accept limit value="100/s" log prefix="HttpsLimit" level="warning" limit value="100/s"'
       >>>
       >>> But not matter.
       >>>
       >>> On Tuesday, January 12, 2021, 02:47:01 AM GMT+3:30, Filipe Cifali wrote:
       >>>

Re: [users@httpd] Apache in under attack. [EXT]

2021-01-12 Thread Jason Long
Thank you, but "Firewalld" or "iptables" can't do it automatically? When an IP 
is sending many requests then it is automatically blocked.

On Tuesday, January 12, 2021, 12:49:50 PM GMT+3:30, James Smith wrote:

Jason,

I would also query why your process are ~ 1G resident that seems quite large 
for apache.

What modules do you have enabled  - even with mod_perl embedded I would not 
want them to go about 500-800M depending on the site of your box.

I know Apache is very good at grabbing memory for each process - but it doesn't 
tend to hand it back - and just keeps it (just in case)

It looks like you either have a memory leak - or the code is collecting too 
much data before squirting it out

There are other setups that you may want to look at if you have large dynamic 
requests and a lot of small static request (images/css/js) where you run two 
web servers - one serving static content and proxying back to dynamic content.

James

-Original Message-
From: James Smith  
Sent: 12 January 2021 09:09
To: users@httpd.apache.org
Subject: RE: [users@httpd] Apache in under attack. [EXT]

Put a firewall rule into block whatever that first IP address is then.

Something like:

firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source 
address='X.X.X.X' reject"

If you are seeing a current attack then you can tweak Charles' command line to:

tail -1 access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head

or I often use cut instead of awk..

tail -1 access.log | cut -d ' ' -f 1 | sort | uniq -c | sort -nr | head

-Original Message-
From: Jason Long 
Sent: 12 January 2021 08:53
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache in under attack. [EXT]

It show me:

13180 X.X.X.X
   1127 X.X.X.X
    346 X.X.X.X
    294 X.X.X.X
    241 X.X.X.X
    169 X.X.X.X
    168 X.X.X.X
    157 X.X.X.X
    155 X.X.X.X
    153 X.X.X.X

On Tuesday, January 12, 2021, 07:12:22 AM GMT+3:30, Bender, Charles wrote:

Run this against your log file in bash shell

cat access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head

This will show you most frequent IPs, sorted in descending order. Block as 
needed

On 1/11/21, 7:11 PM, "Jason Long"  wrote:

    Can you help me?

    On Tuesday, January 12, 2021, 03:36:30 AM GMT+3:30, Nick Folino wrote:

    Concentrate on just one...

    On Mon, Jan 11, 2021 at 7:02 PM Jason Long wrote:
    > It is a lot of IP addresses !!!
    >
    > On Tuesday, January 12, 2021, 03:30:02 AM GMT+3:30, Nick Folino wrote:
    >
    > How to find pattern:
    > Look at log.
    > Find bad things that are similar.
    >
    > Then:
    > Block bad things from reaching web server.
    >
    > On Mon, Jan 11, 2021 at 6:49 PM Jason Long wrote:
    >> How to find pattern?
    >> Log show me: 
https://urldefense.proofpoint.com/v2/url?u=https-3A__paste.ubuntu.com_p_MjjVMvRrQc_=DwIFaQ=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo=oH2yp0ge1ecj4oDX0XM7vQ=3PjPryDoNL3lr2gh0F6gLkL-pFWSat8aihqbLnBMag8=iTeaVG53Ne-jiAhMis6h9nlKBdUrWXhIuky31GQhURE=
    >>
    >> On Tuesday, January 12, 2021, 03:06:12 AM GMT+3:30, Filipe Cifali wrote:
    >>
    >> Yeah it's probably not going to matter if you don't know what's attacking you before setting up the rules, you need to find the patterns, either the attack target or the attackers origins.
    >>
    >> On Mon, Jan 11, 2021 at 8:26 PM Jason Long wrote:
    >>> I used a rule like:
    >>>
    >>> # firewall-cmd --permanent --zone="public" --add-rich-rule='rule port port="80" protocol="tcp" accept limit value="100/s" log prefix="HttpsLimit" level="warning" limit value="100/s"'
    >>>
    >>> But not matter.
    >>>
    >>> On Tuesday, January 12, 2021, 02:47:01 AM GMT+3:30, Filipe Cifali wrote:
    >>>
    >>> You need to investigate your logs and find common patterns there, also there are different tools to handle small and big workloads like you could use iptables/nftables to block based on patterns and number of requests.
    >>>
    >>> On Mon, Jan 11, 2021 at 8:06 PM Jason Long wrote:
    >>>> Hello,
    >>>> On a CentOS web server with Apache, someone make a lot of request and 
it make slowing server. when I disable "httpd" service then problem solve. H

RE: [users@httpd] Apache in under attack. [EXT]

2021-01-12 Thread James Smith
Jason,

I would also query why your processes are ~ 1G resident that seems quite large 
for Apache.

What modules do you have enabled  - even with mod_perl embedded I would not 
want them to go about 500-800M depending on the size of your box.

I know Apache is very good at grabbing memory for each process - but it doesn't 
tend to hand it back - and just keeps it (just in case)

It looks like you either have a memory leak - or the code is collecting too 
much data before squirting it out

There are other setups that you may want to look at if you have large dynamic 
requests and a lot of small static requests (images/css/js) where you run two 
web servers - one serving static content and proxying back to dynamic content.

James

-Original Message-
From: James Smith  
Sent: 12 January 2021 09:09
To: users@httpd.apache.org
Subject: RE: [users@httpd] Apache in under attack. [EXT]

Put a firewall rule into block whatever that first IP address is then.

Something like:

firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source 
address='X.X.X.X' reject"

If you are seeing a current attack then you can tweak Charles' command line to:

tail -1 access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head

or I often use cut instead of awk..

tail -1 access.log | cut -d ' ' -f 1 | sort | uniq -c | sort -nr | head

-Original Message-
From: Jason Long 
Sent: 12 January 2021 08:53
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache in under attack. [EXT]

It show me:

13180 X.X.X.X
   1127 X.X.X.X
    346 X.X.X.X
    294 X.X.X.X
    241 X.X.X.X
    169 X.X.X.X
    168 X.X.X.X
    157 X.X.X.X
    155 X.X.X.X
    153 X.X.X.X

On Tuesday, January 12, 2021, 07:12:22 AM GMT+3:30, Bender, Charles wrote:

Run this against your log file in bash shell

cat access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head

This will show you most frequent IPs, sorted in descending order. Block as 
needed

On 1/11/21, 7:11 PM, "Jason Long"  wrote:

    Can you help me?

    On Tuesday, January 12, 2021, 03:36:30 AM GMT+3:30, Nick Folino wrote:

    Concentrate on just one...

    On Mon, Jan 11, 2021 at 7:02 PM Jason Long wrote:
    > It is a lot of IP addresses !!!
    >
    > On Tuesday, January 12, 2021, 03:30:02 AM GMT+3:30, Nick Folino wrote:
    >
    > How to find pattern:
    > Look at log.
    > Find bad things that are similar.
    >
    > Then:
    > Block bad things from reaching web server.
    >
    > On Mon, Jan 11, 2021 at 6:49 PM Jason Long wrote:
    >> How to find pattern?
    >> Log show me: 
https://urldefense.proofpoint.com/v2/url?u=https-3A__paste.ubuntu.com_p_MjjVMvRrQc_=DwIFaQ=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo=oH2yp0ge1ecj4oDX0XM7vQ=3PjPryDoNL3lr2gh0F6gLkL-pFWSat8aihqbLnBMag8=iTeaVG53Ne-jiAhMis6h9nlKBdUrWXhIuky31GQhURE=
    >>
    >> On Tuesday, January 12, 2021, 03:06:12 AM GMT+3:30, Filipe Cifali wrote:
    >>
    >> Yeah it's probably not going to matter if you don't know what's attacking you before setting up the rules, you need to find the patterns, either the attack target or the attackers origins.
    >>
    >> On Mon, Jan 11, 2021 at 8:26 PM Jason Long wrote:
    >>> I used a rule like:
    >>>
    >>> # firewall-cmd --permanent --zone="public" --add-rich-rule='rule port port="80" protocol="tcp" accept limit value="100/s" log prefix="HttpsLimit" level="warning" limit value="100/s"'
    >>>
    >>> But not matter.
    >>>
    >>> On Tuesday, January 12, 2021, 02:47:01 AM GMT+3:30, Filipe Cifali wrote:
    >>>
    >>> You need to investigate your logs and find common patterns there, also there are different tools to handle small and big workloads like you could use iptables/nftables to block based on patterns and number of requests.
    >>>
    >>> On Mon, Jan 11, 2021 at 8:06 PM Jason Long wrote:
    >>>> Hello,
    >>>> On a CentOS web server with Apache, someone make a lot of request and it make slowing server. when I disable "httpd" service then problem solve. How can I find who made a lot of request?
    >>>> 
[url]https://urldefense.proofpoint.com/v2/url?u=https-3A__imgur.com_O33g3ql-5B_url-5D=DwIFaQ=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo=oH2yp0ge1ecj4oDX0XM7vQ=

RE: [users@httpd] Apache in under attack. [EXT]

2021-01-12 Thread James Smith
Put a firewall rule in to block whatever that first IP address is then.

Something like:

firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='X.X.X.X' reject"

If you are seeing a current attack then you can tweak Charles' command line to:

tail -1 access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head

or I often use cut instead of awk..

tail -1 access.log | cut -d ' ' -f 1 | sort | uniq -c | sort -nr | head

-Original Message-
From: Jason Long  
Sent: 12 January 2021 08:53
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache in under attack. [EXT]

It show me:

13180 X.X.X.X
   1127 X.X.X.X 
    346 X.X.X.X 
    294 X.X.X.X 
    241 X.X.X.X 
    169 X.X.X.X 
    168 X.X.X.X
    157 X.X.X.X
    155 X.X.X.X
    153 X.X.X.X

On Tuesday, January 12, 2021, 07:12:22 AM GMT+3:30, Bender, Charles wrote:

Run this against your log file in bash shell

cat access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head

This will show you most frequent IPs, sorted in descending order. Block as 
needed

On 1/11/21, 7:11 PM, "Jason Long"  wrote:

    Can you help me?

    On Tuesday, January 12, 2021, 03:36:30 AM GMT+3:30, Nick Folino wrote:

    Concentrate on just one...

    On Mon, Jan 11, 2021 at 7:02 PM Jason Long wrote:
    > It is a lot of IP addresses !!!
    >
    > On Tuesday, January 12, 2021, 03:30:02 AM GMT+3:30, Nick Folino wrote:
    >
    > How to find pattern:
    > Look at log.
    > Find bad things that are similar.
    >
    > Then:
    > Block bad things from reaching web server.
    >
    > On Mon, Jan 11, 2021 at 6:49 PM Jason Long wrote:
    >> How to find pattern?
    >> Log show me: 
https://urldefense.proofpoint.com/v2/url?u=https-3A__paste.ubuntu.com_p_MjjVMvRrQc_=DwIFaQ=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo=oH2yp0ge1ecj4oDX0XM7vQ=3PjPryDoNL3lr2gh0F6gLkL-pFWSat8aihqbLnBMag8=iTeaVG53Ne-jiAhMis6h9nlKBdUrWXhIuky31GQhURE=
 
    >>
    >> On Tuesday, January 12, 2021, 03:06:12 AM GMT+3:30, Filipe Cifali wrote:
    >>
    >> Yeah it's probably not going to matter if you don't know what's attacking you before setting up the rules, you need to find the patterns, either the attack target or the attackers origins.
    >>
    >> On Mon, Jan 11, 2021 at 8:26 PM Jason Long wrote:
    >>> I used a rule like:
    >>>
    >>> # firewall-cmd --permanent --zone="public" --add-rich-rule='rule port port="80" protocol="tcp" accept limit value="100/s" log prefix="HttpsLimit" level="warning" limit value="100/s"'
    >>>
    >>> But not matter.
    >>>
    >>> On Tuesday, January 12, 2021, 02:47:01 AM GMT+3:30, Filipe Cifali wrote:
    >>>
    >>> You need to investigate your logs and find common patterns there, also there are different tools to handle small and big workloads like you could use iptables/nftables to block based on patterns and number of requests.
    >>>
    >>> On Mon, Jan 11, 2021 at 8:06 PM Jason Long wrote:
    >>>> Hello,
    >>>> On a CentOS web server with Apache, someone make a lot of request and it make slowing server. when I disable "httpd" service then problem solve. How can I find who made a lot of request?
    >>>> 
[url]https://urldefense.proofpoint.com/v2/url?u=https-3A__imgur.com_O33g3ql-5B_url-5D=DwIFaQ=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo=oH2yp0ge1ecj4oDX0XM7vQ=3PjPryDoNL3lr2gh0F6gLkL-pFWSat8aihqbLnBMag8=5Qu-cdmn037VIUfExtigktWPBBJ7lby836voIoSO_y0=
 
    >>>> Any idea to solve it?
    >>>> 
    >>>> 
    >>>> Thank you.
    >>> -- 
    >>> [ ]'s
    >>> 
    >>> Filipe Cifali Stangler

Re: [users@httpd] Apache in under attack.

2021-01-12 Thread Jason Long
It shows me:

13180 X.X.X.X
   1127 X.X.X.X 
    346 X.X.X.X 
    294 X.X.X.X 
    241 X.X.X.X 
    169 X.X.X.X 
    168 X.X.X.X
    157 X.X.X.X
    155 X.X.X.X
    153 X.X.X.X

On Tuesday, January 12, 2021, 07:12:22 AM GMT+3:30, Bender, Charles wrote:

Run this against your log file in bash shell

cat access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head

This will show you most frequent IPs, sorted in descending order. Block as 
needed

On 1/11/21, 7:11 PM, "Jason Long"  wrote:

    Can you help me?

    On Tuesday, January 12, 2021, 03:36:30 AM GMT+3:30, Nick Folino wrote:

    Concentrate on just one...

    On Mon, Jan 11, 2021 at 7:02 PM Jason Long wrote:
    > It is a lot of IP addresses !!!
    >
    > On Tuesday, January 12, 2021, 03:30:02 AM GMT+3:30, Nick Folino wrote:
    >
    > How to find pattern:
    > Look at log.
    > Find bad things that are similar.
    >
    > Then:
    > Block bad things from reaching web server.
    >
    > On Mon, Jan 11, 2021 at 6:49 PM Jason Long wrote:
    >> How to find pattern?
    >> Log show me: https://paste.ubuntu.com/p/MjjVMvRrQc/
    >>
    >> On Tuesday, January 12, 2021, 03:06:12 AM GMT+3:30, Filipe Cifali wrote:
    >>
    >> Yeah it's probably not going to matter if you don't know what's attacking you before setting up the rules, you need to find the patterns, either the attack target or the attackers origins.
    >>
    >> On Mon, Jan 11, 2021 at 8:26 PM Jason Long wrote:
    >>> I used a rule like:
    >>>
    >>> # firewall-cmd --permanent --zone="public" --add-rich-rule='rule port port="80" protocol="tcp" accept limit value="100/s" log prefix="HttpsLimit" level="warning" limit value="100/s"'
    >>>
    >>> But not matter.
    >>>
    >>> On Tuesday, January 12, 2021, 02:47:01 AM GMT+3:30, Filipe Cifali wrote:
    >>>
    >>> You need to investigate your logs and find common patterns there, also there are different tools to handle small and big workloads like you could use iptables/nftables to block based on patterns and number of requests.
    >>>
    >>> On Mon, Jan 11, 2021 at 8:06 PM Jason Long wrote:
    >>>> Hello,
    >>>> On a CentOS web server with Apache, someone make a lot of request and it make slowing server. when I disable "httpd" service then problem solve. How can I find who made a lot of request?
    >>>> [url]https://imgur.com/O33g3ql[/url]
    >>>> Any idea to solve it?
    >>>>
    >>>> Thank you.
     
    >>> -- 
    >>> [ ]'s
    >>> 
    >>> Filipe Cifali Stangler
    >> -- 
    >> [ ]'s
    >> 
    >> Filipe Cifali Stangler




Re: [users@httpd] Apache in under attack.

2021-01-11 Thread Ruben Safir
On 1/11/21 6:06 PM, Jason Long wrote:
> Hello,
> On a CentOS web server with Apache, someone make a lot of request and it make 
> slowing server. when I disable "httpd" service then problem solve. How can I 
> find who made a lot of request?
> [url]https://imgur.com/O33g3ql[/url]
> Any idea to solve it?
> 
netstat (or ss) output?

Apache logs?

> 
> Thank you.


-- 
So many immigrant groups have swept through our town
that Brooklyn, like Atlantis, reaches mythological
proportions in the mind of the world - RI Safir 1998
http://www.mrbrklyn.com

DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
http://www.nylxs.com - Leadership Development in Free Software
http://www2.mrbrklyn.com/resources - Unpublished Archive
http://www.coinhangout.com - coins!
http://www.brooklyn-living.com

Being so tracked is for FARM ANIMALS and extermination camps,
but incompatible with living as a free human being. -RI Safir 2013




Re: [users@httpd] Apache in under attack.

2021-01-11 Thread Bender, Charles
Run this against your log file in bash shell

cat access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head

This will show you most frequent IPs, sorted in descending order. Block as 
needed

On 1/11/21, 7:11 PM, "Jason Long"  wrote:

Can you help me?

On Tuesday, January 12, 2021, 03:36:30 AM GMT+3:30, Nick Folino wrote:

Concentrate on just one...

On Mon, Jan 11, 2021 at 7:02 PM Jason Long wrote:
> It is a lot of IP addresses !!!
>
> On Tuesday, January 12, 2021, 03:30:02 AM GMT+3:30, Nick Folino wrote:
>
> How to find pattern:
> Look at log.
> Find bad things that are similar.
>
> Then:
> Block bad things from reaching web server.
>
> On Mon, Jan 11, 2021 at 6:49 PM Jason Long wrote:
>> How to find pattern?
>> Log show me: https://paste.ubuntu.com/p/MjjVMvRrQc/
>>
>> On Tuesday, January 12, 2021, 03:06:12 AM GMT+3:30, Filipe Cifali wrote:
>>
>> Yeah it's probably not going to matter if you don't know what's attacking you before setting up the rules, you need to find the patterns, either the attack target or the attackers origins.
>>
>> On Mon, Jan 11, 2021 at 8:26 PM Jason Long wrote:
>>> I used a rule like:
>>>
>>> # firewall-cmd --permanent --zone="public" --add-rich-rule='rule port port="80" protocol="tcp" accept limit value="100/s" log prefix="HttpsLimit" level="warning" limit value="100/s"'
>>>
>>> But not matter.
>>>
>>> On Tuesday, January 12, 2021, 02:47:01 AM GMT+3:30, Filipe Cifali wrote:
>>>
>>> You need to investigate your logs and find common patterns there, also there are different tools to handle small and big workloads like you could use iptables/nftables to block based on patterns and number of requests.
>>>
>>> On Mon, Jan 11, 2021 at 8:06 PM Jason Long wrote:
>>>> Hello,
>>>> On a CentOS web server with Apache, someone make a lot of request and it make slowing server. when I disable "httpd" service then problem solve. How can I find who made a lot of request?
>>>> [url]https://imgur.com/O33g3ql[/url]
>>>> Any idea to solve it?
>>>>
>>>> Thank you.
 
>>> 
>>> 
>>> -- 
>>> [ ]'s
>>> 
>>> Filipe Cifali Stangler
>>> 
>>> 
>> 
>> 
>> -- 
>> [ ]'s
>> 
>> Filipe Cifali Stangler
>> 
>> 
> 
> 


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
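
An added example, not part of any message in this thread: the one-liner above counts requests per IP only, while this script also groups requests by URL prefix and by per-minute peak (the "find bad things that are similar" step) and prints, without running them, firewall-cmd drop rules for sources over a threshold. The log lines are constructed, and the function names and the threshold are assumptions.

```shell
#!/usr/bin/env bash
# Added example: triage of an Apache access log (common/combined format).
# The log lines are constructed; addresses are RFC 5737 documentation ranges.
sample_log() {
cat <<'EOF'
203.0.113.10 - - [11/Jan/2021:23:01:02 +0000] "GET /tag/3fa9c1e07b HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [11/Jan/2021:23:01:03 +0000] "GET /tag/9d02b7aa41 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [11/Jan/2021:23:01:03 +0000] "GET /tag/00c4e1f2a9 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Jan/2021:23:01:10 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.10 - - [11/Jan/2021:23:01:15 +0000] "GET /tag/b81f6e3c55 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [11/Jan/2021:23:02:01 +0000] "GET /tag/7a3d90ee12?page=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Jan/2021:23:02:05 +0000] "GET /css/site.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.0.2.44 - - [11/Jan/2021:23:02:30 +0000] "-" 408 - "-" "-"
EOF
}

# Requests per client IP, busiest first. Output: "<count> <ip>".
top_ips() {
  awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' | sort -k1,1nr -k2,2
}

# Requests per first URL path segment. The request line is taken from between
# the first pair of double quotes, so lines with no usable request ("-", as
# logged for timeouts) are counted as "(malformed)" instead of shifting fields.
top_prefixes() {
  awk -F'"' '{
      split($2, req, " ")               # req[1]=method req[2]=URL req[3]=protocol
      url = req[2]
      if (url == "") url = "(malformed)"
      sub(/\?.*/, "", url)              # ignore the query string
      n = split(url, seg, "/")
      prefix = (n > 2) ? ("/" seg[2] "/") : url
      c[prefix]++
    } END { for (p in c) print c[p], p }' | sort -k1,1nr -k2,2
}

# Highest number of requests each IP made within any single minute.
# Output: "<peak> <ip>". The minute key is the timestamp without seconds.
peak_per_minute() {
  awk '{ m[$1 " " substr($4, 2, 17)]++ }
       END {
         for (k in m) { split(k, a, " "); if (m[k] > p[a[1]]) p[a[1]] = m[k] }
         for (ip in p) print p[ip], ip
       }' | sort -k1,1nr -k2,2
}

# Print (do not execute) one firewalld rich rule per IPv4 source with at least
# $1 requests. Review the list before running anything; --permanent rules only
# take effect after "firewall-cmd --reload".
block_commands() {
  top_ips | awk -v min="$1" '$1 >= min {
    printf "firewall-cmd --permanent --zone=public --add-rich-rule=\047rule family=\"ipv4\" source address=\"%s\" drop\047\n", $2 }'
}

echo "== requests per IP";            sample_log | top_ips
echo "== requests per URL prefix";    sample_log | top_prefixes
echo "== peak requests in a minute";  sample_log | peak_per_minute
echo "== candidate rules (>= 5 requests)"; sample_log | block_commands 5
```

Against a real server, feed the log on standard input instead of the sample, for example `top_prefixes < /var/log/httpd/access_log`.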





Re: [users@httpd] Apache in under attack.

2021-01-11 Thread Nick Folino
I just did.  Look at the logs.  What doesn't seem right?

On Mon, Jan 11, 2021 at 7:11 PM Jason Long 
wrote:

> Can you help me?
>
>
>
>
>
>
> On Tuesday, January 12, 2021, 03:36:30 AM GMT+3:30, Nick Folino <
> n...@folino.us> wrote:
>
>
>
>
>
> Concentrate on just one...
>
> On Mon, Jan 11, 2021 at 7:02 PM Jason Long 
> wrote:
> > It is a lot of IP addresses !!!
> >
> >
> >
> >
> >
> >
> > On Tuesday, January 12, 2021, 03:30:02 AM GMT+3:30, Nick Folino <
> n...@folino.us> wrote:
> >
> >
> >
> >
> >
> > How to find pattern:
> > Look at log.
> > Find bad things that are similar.
> >
> > Then:
> > Block bad things from reaching web server.
> >
> > On Mon, Jan 11, 2021 at 6:49 PM Jason Long 
> wrote:
> >> How to find pattern?
> >> Log show me: https://paste.ubuntu.com/p/MjjVMvRrQc/
> >>
> >>
> >>
> >>
> >>
> >>
> >> On Tuesday, January 12, 2021, 03:06:12 AM GMT+3:30, Filipe Cifali <
> cifali.fil...@gmail.com> wrote:
> >>
> >>
> >>
> >>
> >>
> >> Yeah it's probably not going to matter if you don't know what's
> attacking you before setting up the rules, you need to find the patterns,
> either the attack target or the attackers origins.
> >>
> >> On Mon, Jan 11, 2021 at 8:26 PM Jason Long 
> wrote:
> >>> I used a rule like:
> >>>
> >>> # firewall-cmd --permanent --zone="public" --add-rich-rule='rule port
> port="80" protocol="tcp" accept limit value="100/s" log prefix="HttpsLimit"
> level="warning" limit value="100/s"'
> >>>
> >>> But not matter.
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> On Tuesday, January 12, 2021, 02:47:01 AM GMT+3:30, Filipe Cifali <
> cifali.fil...@gmail.com> wrote:
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> You need to investigate your logs and find common patterns there, also
> there are different tools to handle small and big workloads like you could
> use iptables/nftables to block based on patterns and number of requests.
> >>>
> >>> On Mon, Jan 11, 2021 at 8:06 PM Jason Long 
> wrote:
>  Hello,
>  On a CentOS web server with Apache, someone make a lot of request and
> it make slowing server. when I disable "httpd" service then problem solve.
> How can I find who made a lot of request?
>  [url]https://imgur.com/O33g3ql[/url]
>  Any idea to solve it?
> 
> 
>  Thank you.
> 
> >>>
> >>>
> >>> --
> >>> [ ]'s
> >>>
> >>> Filipe Cifali Stangler
> >>>
> >>>
> >>
> >>
> >> --
> >> [ ]'s
> >>
> >> Filipe Cifali Stangler
> >>
> >>
> >
> >
>
>


Re: [users@httpd] Apache in under attack.

2021-01-11 Thread Jason Long
Can you help me?

On Tuesday, January 12, 2021, 03:36:30 AM GMT+3:30, Nick Folino wrote:

Concentrate on just one...

On Mon, Jan 11, 2021 at 7:02 PM Jason Long  wrote:
> It is a lot of IP addresses !!!
> 
> 
> 
> 
> 
> 
> On Tuesday, January 12, 2021, 03:30:02 AM GMT+3:30, Nick Folino 
>  wrote: 
> 
> 
> 
> 
> 
> How to find pattern:
> Look at log.
> Find bad things that are similar.
> 
> Then:
> Block bad things from reaching web server.
> 
> On Mon, Jan 11, 2021 at 6:49 PM Jason Long  
> wrote:
>> How to find pattern?
>> Log show me: https://paste.ubuntu.com/p/MjjVMvRrQc/
>> 
>> 
>> 
>> 
>> 
>> 
>> On Tuesday, January 12, 2021, 03:06:12 AM GMT+3:30, Filipe Cifali 
>>  wrote: 
>> 
>> 
>> 
>> 
>> 
>> Yeah it's probably not going to matter if you don't know what's attacking 
>> you before setting up the rules, you need to find the patterns, either the 
>> attack target or the attackers origins. 
>> 
>> On Mon, Jan 11, 2021 at 8:26 PM Jason Long  
>> wrote:
>>> I used a rule like:
>>> 
>>> # firewall-cmd --permanent --zone="public" --add-rich-rule='rule port 
>>> port="80" protocol="tcp" accept limit value="100/s" log prefix="HttpsLimit" 
>>> level="warning" limit value="100/s"'
>>> 
>>> But not matter.
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> On Tuesday, January 12, 2021, 02:47:01 AM GMT+3:30, Filipe Cifali 
>>>  wrote: 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> You need to investigate your logs and find common patterns there, also 
>>> there are different tools to handle small and big workloads like you could 
>>> use iptables/nftables to block based on patterns and number of requests. 
>>> 
>>> On Mon, Jan 11, 2021 at 8:06 PM Jason Long  
>>> wrote:
 Hello,
 On a CentOS web server with Apache, someone make a lot of request and it 
 make slowing server. when I disable "httpd" service then problem solve. 
 How can I find who made a lot of request?
 [url]https://imgur.com/O33g3ql[/url]
 Any idea to solve it?
 
 
 Thank you.
 
>>> 
>>> 
>>> -- 
>>> [ ]'s
>>> 
>>> Filipe Cifali Stangler
>>> 
>>> 
>> 
>> 
>> -- 
>> [ ]'s
>> 
>> Filipe Cifali Stangler
>> 
>> 
> 
> 





Re: [users@httpd] Apache in under attack.

2021-01-11 Thread Nick Folino
Concentrate on just one...

On Mon, Jan 11, 2021 at 7:02 PM Jason Long 
wrote:

> It is a lot of IP addresses !!!
>
>
>
>
>
>
> On Tuesday, January 12, 2021, 03:30:02 AM GMT+3:30, Nick Folino <
> n...@folino.us> wrote:
>
>
>
>
>
> How to find pattern:
> Look at log.
> Find bad things that are similar.
>
> Then:
> Block bad things from reaching web server.
>
> On Mon, Jan 11, 2021 at 6:49 PM Jason Long 
> wrote:
> > How to find pattern?
> > Log show me: https://paste.ubuntu.com/p/MjjVMvRrQc/
> >
> >
> >
> >
> >
> >
> > On Tuesday, January 12, 2021, 03:06:12 AM GMT+3:30, Filipe Cifali <
> cifali.fil...@gmail.com> wrote:
> >
> >
> >
> >
> >
> > Yeah it's probably not going to matter if you don't know what's
> attacking you before setting up the rules, you need to find the patterns,
> either the attack target or the attackers origins.
> >
> > On Mon, Jan 11, 2021 at 8:26 PM Jason Long 
> wrote:
> >> I used a rule like:
> >>
> >> # firewall-cmd --permanent --zone="public" --add-rich-rule='rule port
> port="80" protocol="tcp" accept limit value="100/s" log prefix="HttpsLimit"
> level="warning" limit value="100/s"'
> >>
> >> But not matter.
> >>
> >>
> >>
> >>
> >>
> >>
> >> On Tuesday, January 12, 2021, 02:47:01 AM GMT+3:30, Filipe Cifali <
> cifali.fil...@gmail.com> wrote:
> >>
> >>
> >>
> >>
> >>
> >> You need to investigate your logs and find common patterns there, also
> there are different tools to handle small and big workloads like you could
> use iptables/nftables to block based on patterns and number of requests.
> >>
> >> On Mon, Jan 11, 2021 at 8:06 PM Jason Long 
> wrote:
> >>> Hello,
> >>> On a CentOS web server with Apache, someone make a lot of request and
> it make slowing server. when I disable "httpd" service then problem solve.
> How can I find who made a lot of request?
> >>> [url]https://imgur.com/O33g3ql[/url]
> >>> Any idea to solve it?
> >>>
> >>>
> >>> Thank you.
> >>>
> >>
> >>
> >> --
> >> [ ]'s
> >>
> >> Filipe Cifali Stangler
> >>
> >>
> >
> >
> > --
> > [ ]'s
> >
> > Filipe Cifali Stangler
> >
> >
>
>


Re: [users@httpd] Apache in under attack.

2021-01-11 Thread Jason Long
It is a lot of IP addresses!!!

On Tuesday, January 12, 2021, 03:30:02 AM GMT+3:30, Nick Folino wrote:

How to find pattern:
Look at log.
Find bad things that are similar.

Then:
Block bad things from reaching web server.

On Mon, Jan 11, 2021 at 6:49 PM Jason Long  wrote:
> How to find pattern?
> Log show me: https://paste.ubuntu.com/p/MjjVMvRrQc/
> 
> 
> 
> 
> 
> 
> On Tuesday, January 12, 2021, 03:06:12 AM GMT+3:30, Filipe Cifali 
>  wrote: 
> 
> 
> 
> 
> 
> Yeah it's probably not going to matter if you don't know what's attacking you 
> before setting up the rules, you need to find the patterns, either the attack 
> target or the attackers origins. 
> 
> On Mon, Jan 11, 2021 at 8:26 PM Jason Long  
> wrote:
>> I used a rule like:
>> 
>> # firewall-cmd --permanent --zone="public" --add-rich-rule='rule port 
>> port="80" protocol="tcp" accept limit value="100/s" log prefix="HttpsLimit" 
>> level="warning" limit value="100/s"'
>> 
>> But not matter.
>> 
>> 
>> 
>> 
>> 
>> 
>> On Tuesday, January 12, 2021, 02:47:01 AM GMT+3:30, Filipe Cifali 
>>  wrote: 
>> 
>> 
>> 
>> 
>> 
>> You need to investigate your logs and find common patterns there, also there 
>> are different tools to handle small and big workloads like you could use 
>> iptables/nftables to block based on patterns and number of requests. 
>> 
>> On Mon, Jan 11, 2021 at 8:06 PM Jason Long  
>> wrote:
>>> Hello,
>>> On a CentOS web server with Apache, someone make a lot of request and it 
>>> make slowing server. when I disable "httpd" service then problem solve. How 
>>> can I find who made a lot of request?
>>> [url]https://imgur.com/O33g3ql[/url]
>>> Any idea to solve it?
>>> 
>>> 
>>> Thank you.
>>> 
>> 
>> 
>> -- 
>> [ ]'s
>> 
>> Filipe Cifali Stangler
>> 
>> 
> 
> 
> -- 
> [ ]'s
> 
> Filipe Cifali Stangler
> 
> 





Re: [users@httpd] Apache in under attack.

2021-01-11 Thread Nick Folino
How to find pattern:
Look at log.
Find bad things that are similar.

Then:
Block bad things from reaching web server.

On Mon, Jan 11, 2021 at 6:49 PM Jason Long 
wrote:

> How to find pattern?
> Log show me: https://paste.ubuntu.com/p/MjjVMvRrQc/
>
>
>
>
>
>
> On Tuesday, January 12, 2021, 03:06:12 AM GMT+3:30, Filipe Cifali <
> cifali.fil...@gmail.com> wrote:
>
>
>
>
>
> Yeah it's probably not going to matter if you don't know what's attacking
> you before setting up the rules, you need to find the patterns, either the
> attack target or the attackers origins.
>
> On Mon, Jan 11, 2021 at 8:26 PM Jason Long 
> wrote:
> > I used a rule like:
> >
> > # firewall-cmd --permanent --zone="public" --add-rich-rule='rule port
> port="80" protocol="tcp" accept limit value="100/s" log prefix="HttpsLimit"
> level="warning" limit value="100/s"'
> >
> > But not matter.
> >
> >
> >
> >
> >
> >
> > On Tuesday, January 12, 2021, 02:47:01 AM GMT+3:30, Filipe Cifali <
> cifali.fil...@gmail.com> wrote:
> >
> >
> >
> >
> >
> > You need to investigate your logs and find common patterns there, also
> there are different tools to handle small and big workloads like you could
> use iptables/nftables to block based on patterns and number of requests.
> >
> > On Mon, Jan 11, 2021 at 8:06 PM Jason Long 
> wrote:
> >> Hello,
> >> On a CentOS web server with Apache, someone make a lot of request and
> it make slowing server. when I disable "httpd" service then problem solve.
> How can I find who made a lot of request?
> >> [url]https://imgur.com/O33g3ql[/url]
> >> Any idea to solve it?
> >>
> >>
> >> Thank you.
> >>
> >
> >
> > --
> > [ ]'s
> >
> > Filipe Cifali Stangler
> >
> >
>
>
> --
> [ ]'s
>
> Filipe Cifali Stangler
>
>


Re: [users@httpd] Apache in under attack.

2021-01-11 Thread Jason Long
How do I find the pattern?
The log shows me: https://paste.ubuntu.com/p/MjjVMvRrQc/

On Tuesday, January 12, 2021, 03:06:12 AM GMT+3:30, Filipe Cifali wrote:

Yeah it's probably not going to matter if you don't know what's attacking you 
before setting up the rules, you need to find the patterns, either the attack 
target or the attackers origins. 

On Mon, Jan 11, 2021 at 8:26 PM Jason Long  wrote:
> I used a rule like:
> 
> # firewall-cmd --permanent --zone="public" --add-rich-rule='rule port 
> port="80" protocol="tcp" accept limit value="100/s" log prefix="HttpsLimit" 
> level="warning" limit value="100/s"'
> 
> But not matter.
> 
> 
> 
> 
> 
> 
> On Tuesday, January 12, 2021, 02:47:01 AM GMT+3:30, Filipe Cifali 
>  wrote: 
> 
> 
> 
> 
> 
> You need to investigate your logs and find common patterns there, also there 
> are different tools to handle small and big workloads like you could use 
> iptables/nftables to block based on patterns and number of requests. 
> 
> On Mon, Jan 11, 2021 at 8:06 PM Jason Long  
> wrote:
>> Hello,
>> On a CentOS web server with Apache, someone make a lot of request and it 
>> make slowing server. when I disable "httpd" service then problem solve. How 
>> can I find who made a lot of request?
>> [url]https://imgur.com/O33g3ql[/url]
>> Any idea to solve it?
>> 
>> 
>> Thank you.
>> 
> 
> 
> -- 
> [ ]'s
> 
> Filipe Cifali Stangler
> 
> 


-- 
[ ]'s

Filipe Cifali Stangler





Re: [users@httpd] Apache in under attack.

2021-01-11 Thread Filipe Cifali
Yeah, it's probably not going to matter if you don't know what's attacking
you before setting up the rules; you need to find the patterns, either the
attack target or the attackers' origins.

On Mon, Jan 11, 2021 at 8:26 PM Jason Long 
wrote:

> I used a rule like:
>
> # firewall-cmd --permanent --zone="public" --add-rich-rule='rule port
> port="80" protocol="tcp" accept limit value="100/s" log prefix="HttpsLimit"
> level="warning" limit value="100/s"'
>
> But not matter.
>
>
>
>
>
>
> On Tuesday, January 12, 2021, 02:47:01 AM GMT+3:30, Filipe Cifali <
> cifali.fil...@gmail.com> wrote:
>
>
>
>
>
> You need to investigate your logs and find common patterns there, also
> there are different tools to handle small and big workloads like you could
> use iptables/nftables to block based on patterns and number of requests.
>
> On Mon, Jan 11, 2021 at 8:06 PM Jason Long 
> wrote:
> > Hello,
> > On a CentOS web server with Apache, someone make a lot of request and it
> make slowing server. when I disable "httpd" service then problem solve. How
> can I find who made a lot of request?
> > [url]https://imgur.com/O33g3ql[/url]
> > Any idea to solve it?
> >
> >
> > Thank you.
> >
>
>
> --
> [ ]'s
>
> Filipe Cifali Stangler
>
>

-- 
[ ]'s

Filipe Cifali Stangler


Re: [users@httpd] Apache in under attack.

2021-01-11 Thread Jason Long
I used a rule like:

# firewall-cmd --permanent --zone="public" --add-rich-rule='rule port port="80" protocol="tcp" accept limit value="100/s" log prefix="HttpsLimit" level="warning" limit value="100/s"'

But it did not matter.

On Tuesday, January 12, 2021, 02:47:01 AM GMT+3:30, Filipe Cifali wrote:

You need to investigate your logs and find common patterns there, also there 
are different tools to handle small and big workloads like you could use 
iptables/nftables to block based on patterns and number of requests. 

On Mon, Jan 11, 2021 at 8:06 PM Jason Long  wrote:
> Hello,
> On a CentOS web server with Apache, someone make a lot of request and it make 
> slowing server. when I disable "httpd" service then problem solve. How can I 
> find who made a lot of request?
> [url]https://imgur.com/O33g3ql[/url]
> Any idea to solve it?
> 
> 
> Thank you.
> 


-- 
[ ]'s

Filipe Cifali Stangler





Re: [users@httpd] Apache in under attack.

2021-01-11 Thread Jason Long
Thank you.
I see a lot of requests in "/var/log/httpd/access_log".

On Tuesday, January 12, 2021, 02:46:10 AM GMT+3:30, Alain D D Williams wrote:

On Mon, Jan 11, 2021 at 11:06:33PM +, Jason Long wrote:

> Hello,
> On a CentOS web server with Apache, someone make a lot of request and it make 
> slowing server. when I disable "httpd" service then problem solve. How can I 
> find who made a lot of request?
> [url]https://imgur.com/O33g3ql[/url]
> Any idea to solve it?


Look at the log file, probably /var/log/httpd/access_log

-- 
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT 
Lecturer.
+44 (0) 787 668 0256  https://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: 
https://www.phcomp.co.uk/Contact.html
#include 




Re: [users@httpd] Apache in under attack.

2021-01-11 Thread Filipe Cifali
You need to investigate your logs and find common patterns there. Also,
there are different tools to handle small and big workloads; for example, you
could use iptables/nftables to block based on patterns and number of requests.

On Mon, Jan 11, 2021 at 8:06 PM Jason Long 
wrote:

> Hello,
> On a CentOS web server with Apache, someone make a lot of request and it
> make slowing server. when I disable "httpd" service then problem solve. How
> can I find who made a lot of request?
> [url]https://imgur.com/O33g3ql[/url]
> Any idea to solve it?
>
>
> Thank you.
>

-- 
[ ]'s

Filipe Cifali Stangler


Re: [users@httpd] Apache in under attack.

2021-01-11 Thread Alain D D Williams
On Mon, Jan 11, 2021 at 11:06:33PM +, Jason Long wrote:
> Hello,
> On a CentOS web server with Apache, someone make a lot of request and it make 
> slowing server. when I disable "httpd" service then problem solve. How can I 
> find who made a lot of request?
> [url]https://imgur.com/O33g3ql[/url]
> Any idea to solve it?

Look at the log file, probably /var/log/httpd/access_log

-- 
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT 
Lecturer.
+44 (0) 787 668 0256  https://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: 
https://www.phcomp.co.uk/Contact.html
#include 
