I have had a public woody webserver fail twice in the last three days. I suspect some form of probing or DOS attack that freezes the Apache server (recent SSL issues?)
Symptoms: Apache stops dishing pages - no log or error messages netstat shows Apache still listening /etc/init.d/apache stop fails to kill all apache processes have to killapp apache and kill -9 some individual apache processes no cores, no messages in syslog, daemon.log or messages access log - last entry before apache freeze xxx.xxx.xxx.xxx - - [25/Sep/2002:08:56:00 +0100] "GET / HTTP/1.1" 400 377 error log - last entry before apache freeze [Wed Sep 25 08:56:00 2002] [error] [client xxx.xxx.xxx.xxx] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): / netstat -leapn | grep apache tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 0 172124 15537/apache tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 0 172123 15537/apache tcp 0 0 192.168.120.20:80 xx.xx.xx.xx:25774 ESTABLISHED 33 1048158 16738/apache tcp 0 0 192.168.120.20:80 xx.xx.xx.xx:25769 ESTABLISHED 33 1048154 15537/apache unix 2 [ ] STREAM CONNECTED 1048156 15537/apache unix 2 [ ] STREAM CONNECTED 615035 16738/apache Linux 2.4.18 SMP i686 from Debian kernel source package dpkg shows the following installed: apache 1.3.26-0woody1 openssl 0.9.6c-2.woody.1 libssl0.9.6 0.9.6c-2.woody.1 libapache-mod-ssl 2.8.9-2 php4 4.1.2-5 php4-mysql 4.1.2-5 apt tells me that all this is up to date. Any clues or suggestions appreciated. TIA Jeff
