To explore Johan Mörén's question in more depth:

Is it possible that the Jetty stop call is not logged in the *.log files?

From: ykhab...@bellsouth.net <ykhab...@bellsouth.net>
Sent: Monday, April 3, 2023 12:13 PM
To: 'Johan Mörén' <johan.mo...@gmail.com>
Cc: 'BaseX' <basex-talk@mailman.uni-konstanz.de>; 'Christian Grün'
<christian.gr...@gmail.com>
Subject: RE: [basex-talk] BaseX HTTP service goes down due to Qualys Agent

I don't see such a call, i.e. on port 8081, in the *.log file.

From: Johan Mörén <johan.mo...@gmail.com>
Sent: Monday, April 3, 2023 11:56 AM
To: ykhab...@bellsouth.net
Cc: BaseX <basex-talk@mailman.uni-konstanz.de>; Christian Grün
<christian.gr...@gmail.com>
Subject: Re: [basex-talk] BaseX HTTP service goes down due to Qualys Agent

Is the agent calling the stop port?

https://docs.basex.org/wiki/Options#STOPPORT

On Mon, 3 Apr 2023 at 17:38, <ykhab...@bellsouth.net> wrote:

>> "You mentioned that the Jetty server “goes down”. What does that mean? Does 
>> it simply block any further requests? Do you have a 100% CPU workload?"
It doesn't accept any further requests. Just launching the basexhttp.bat 
revives it.

>> "Does Jetty stall if you disable all REST, RESTXQ, and/or WebDAV?"
We never tried to disable anything.
The Qualys Agent runs once every two weeks on a schedule. So, it is not easy to 
run on demand for testing.

>> " Which BaseX services are enabled in your web.xml?"
We never modified anything in the web.xml. Please see it below.

<?xml version="1.0" encoding="UTF-8"?>
<web-app
  xmlns="http://xmlns.jcp.org/xml/ns/javaee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
http://www.oracle.com/webfolder/technetwork/jsc/xml/ns/javaee/web-app_4_0.xsd"
  version="4.0">

  <display-name>BaseX: The XML Database and XQuery Processor</display-name>
  <description>HTTP Services</description>

  <!-- A BaseX option can be overwritten by prefixing the key with "org.basex."
     and specifying it in <context-param/> elements, as shown below.
     Check out https://docs.basex.org/wiki/Options for a list of all options.

  <context-param>
    <param-name>org.basex.restxqpath</param-name>
    <param-value>.</param-value>
  </context-param>
  <context-param>
    <param-name>org.basex.dbpath</param-name>
    <param-value>WEB-INF/data</param-value>
  </context-param>
  <context-param>
    <param-name>org.basex.repopath</param-name>
    <param-value>WEB-INF/repo</param-value>
  </context-param>

  <context-param>
    <param-name>org.basex.user</param-name>
    <param-value>admin</param-value>
  </context-param>
  <context-param>
    <param-name>org.basex.authmethod</param-name>
    <param-value>Digest</param-value>
  </context-param>

  <context-param>
    <param-name>org.basex.httplocal</param-name>
    <param-value>true</param-value>
  </context-param>
  <context-param>
    <param-name>org.basex.timeout</param-name>
    <param-value>5</param-value>
  </context-param>
  <context-param>
    <param-name>org.basex.log</param-name>
    <param-value>false</param-value>
  </context-param>
  -->

  <!-- Global session and servlet listener -->
  <listener>
    <listener-class>org.basex.http.SessionListener</listener-class>
  </listener>
  <listener>
    <listener-class>org.basex.http.ServletListener</listener-class>
  </listener>

  <!-- CORS in Jetty: Access-Control-Allow-Origin: *
  <filter>
    <filter-name>cross-origin</filter-name>
    <filter-class>org.eclipse.jetty.servlets.CrossOriginFilter</filter-class>
    <init-param>
      <param-name>allowedOrigins</param-name>
      <param-value>*</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>cross-origin</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  -->

  <!-- RESTXQ Service (can be disabled by removing this entry) -->
  <servlet>
    <servlet-name>RESTXQ</servlet-name>
    <servlet-class>org.basex.http.restxq.RestXqServlet</servlet-class>
    <init-param>
      <param-name>org.basex.user</param-name>
      <param-value>admin</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>RESTXQ</servlet-name>
    <url-pattern>/*</url-pattern>
  </servlet-mapping>

  <!-- WebSocket Service (can be disabled by removing this entry) -->
  <servlet>
    <servlet-name>WebSocket</servlet-name>
    <servlet-class>org.basex.http.ws.WsServlet</servlet-class>
    <!-- Limits of the WebSocket connection
    <init-param>
      <param-name>maxIdleTime</param-name>
      <param-value>100000</param-value>
    </init-param>
    <init-param>
      <param-name>maxTextMessageSize</param-name>
      <param-value>3000</param-value>
    </init-param>
    <init-param>
      <param-name>maxBinaryMessageSize</param-name>
      <param-value>3000</param-value>
    </init-param>
    -->
  </servlet>
  <servlet-mapping>
    <servlet-name>WebSocket</servlet-name>
    <url-pattern>/ws/*</url-pattern>
  </servlet-mapping>

  <!-- REST Service (can be disabled by removing this entry) -->
  <servlet>
    <servlet-name>REST</servlet-name>
    <servlet-class>org.basex.http.rest.RESTServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>REST</servlet-name>
    <url-pattern>/rest/*</url-pattern>
  </servlet-mapping>

  <!-- WebDAV Service (can be disabled by removing this entry) -->
  <servlet>
    <servlet-name>WebDAV</servlet-name>
    <servlet-class>org.basex.http.webdav.WebDAVServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>WebDAV</servlet-name>
    <url-pattern>/webdav/*</url-pattern>
  </servlet-mapping>

  <!-- Mapping for static resources (may be restricted to a sub path) -->
  <servlet>
    <servlet-name>default</servlet-name>
    <init-param>
      <param-name>useFileMappedBuffer</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
  <servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>/static/*</url-pattern>
  </servlet-mapping>

</web-app>


-----Original Message-----
From: Christian Grün <christian.gr...@gmail.com>
Sent: Monday, April 3, 2023 11:27 AM
To: ykhab...@bellsouth.net
Cc: BaseX <basex-talk@mailman.uni-konstanz.de>
Subject: Re: [basex-talk] BaseX HTTP service goes down due to Qualys Agent

The logs look inconspicuous indeed. Some more questions:

• You mentioned that the Jetty server “goes down”. What does that mean? Does it 
simply block any further requests? Do you have a 100% CPU workload?
• Which BaseX services are enabled in your web.xml? Does Jetty stall if you 
disable all REST, RESTXQ, and/or WebDAV?

Best,
Christian



On Mon, Apr 3, 2023 at 4:44 PM <ykhab...@bellsouth.net> wrote:
>
> Hi Christian,
>
> IMO, it is just the number of requests.
> I attached the .log file.
>
> -----Original Message-----
> From: Christian Grün <christian.gr...@gmail.com>
> Sent: Monday, April 3, 2023 10:32 AM
> To: ykhab...@bellsouth.net
> Cc: BaseX <basex-talk@mailman.uni-konstanz.de>
> Subject: Re: [basex-talk] BaseX HTTP service goes down due to Qualys Agent
>
> Hi Yitzhak,
>
> have you checked the resulting log files in the data/.logs directory?
> Are there specific requests that take too much time, or is it the plain 
> number of incoming requests that eventually slows down the system?
>
> Best,
> Christian
>
>
> On Mon, Apr 3, 2023 at 4:29 PM <ykhab...@bellsouth.net> wrote:
> >
> > Hello,
> >
> >
> >
> > We are using BaseX 10.5 via its HTTP service in a corporate environment.
> >
> >
> >
> > We have an automated Qualys Agent that does a vulnerability scan of that 
> > server with the BaseX.
> >
> > The Qualys Agent scan process includes web-site-related tests such as
> > Cross-Site Scripting, SQL Injection, etc.
> >
> > The rapid nature of the Qualys Agent requests effectively gives us a DoS 
> > attack on the eclipse.jetty.server.
> >
> > It cannot process so many requests and goes down.
> >
> >
> >
> > In the meantime, our solution is to restart BaseX HTTP service manually via 
> > basexhttp.bat.
> >
> >
> >
> > Question: is it possible to somehow configure the eclipse.jetty.server so 
> > it will be able to sustain the Qualys Agent vulnerability scan?
> >
> >
> >
> >
> >
> > Regards,
> > Yitzhak Khabinsky
> >
> >
