Re: How to make Apache (2.2.4) less greedy, or Sendmail less polite? [semi-solved]
Hi again,

Tnx for your further recommendations. I'll take the following actions:

1) I'll report the IP addresses to Spamcop and Spamhaus (note that indeed it appears to be virus-driven, or operated through backdoors, as the server is under constant "attack", coming from a variety of IP addresses). That way, perhaps the ISPs can at least inform the "responsible" people that they have virus infections, and need to act upon it.

2) I may try the hosts.allow trick, but I fear that the IP addresses will be very diverse, so that may not be as foolproof as I'd like. Probably I'll make use of captcha, or something of the likes.

3) I had already tried using Apache to block any and all access to the script, but from the machine itself, but I had done so by adding an "Allow from 123.456.789.10" entry (with the real life IP address, instead of "localhost" or "127.0.0.1"). This didn't do the trick, and I can see why. I'll try this with setting this to "Allow from localhost" or "Allow from 127.0.0.1", and will then perhaps have to change the action handler somewhat.

Either way: I should have enough information for now to properly act upon it (though I still welcome further suggestions), so thanks a lot again! :)

Cheers!
Olafo
Re: How to make Apache (2.2.4) less greedy, or Sendmail less polite? [semi-solved]
On Tuesday 08 May 2007 1:57 pm, Gary Palmer wrote:
> On Tue, May 08, 2007 at 02:51:45PM +0200, Olaf Greve wrote:
> > The questions:
> > -Can anyone recommend me proper anti spam authorities to whom I can
> > report the IP addresses that caused the issues on my machine?
>
> 99.99% of the hits will be from zombie PCs which have one or
> more virus infections. Reporting them might get the ISP to get their
> customer to clean up their PC, but I doubt it. You can try.
>
> > -At present, in Apache I have added:
> >
> > Order deny,allow
> > Deny from all
> >
> > Can anyone tell me of a good way to only ever allow calls to this
> > script coming from the proper previous script, or should this be
> > handled from PHP itself?
> > Perhaps this question isn't very clear, but what I'm looking for is a
> > way to block any and all direct calls to this script, that originate
> > from anywhere but from the photography site itself.
> >
> > Can anyone help me perhaps with those two thingies?
>
> You cannot assume the referrer header is truthful. The only way to try
> to do this is to have a hidden form field on the photography site with
> a randomly generated number in it. The number should also be stored in the
> session. If the number in the session does not match the number in the
> hidden form field, refuse the post.
>
> If you want to be really nasty, randomise the hidden field name also.

and if you're ultra paranoid, encrypt the number in the session.

Ray

> But basically you need to start researching PHP security - none
> of these issues are new and are addressed in a variety of books and
> online documents.
Re: How to make Apache (2.2.4) less greedy, or Sendmail less polite? [semi-solved]
On Tue, May 08, 2007 at 02:51:45PM +0200, Olaf Greve wrote:
> The questions:
> -Can anyone recommend me proper anti spam authorities to whom I can
> report the IP addresses that caused the issues on my machine?

99.99% of the hits will be from zombie PCs which have one or more virus infections. Reporting them might get the ISP to get their customer to clean up their PC, but I doubt it. You can try.

> -At present, in Apache I have added:
>
> Order deny,allow
> Deny from all
>
> Can anyone tell me of a good way to only ever allow calls to this
> script coming from the proper previous script, or should this be
> handled from PHP itself?
> Perhaps this question isn't very clear, but what I'm looking for is a
> way to block any and all direct calls to this script, that originate
> from anywhere but from the photography site itself.
>
> Can anyone help me perhaps with those two thingies?

You cannot assume the referrer header is truthful. The only way to try to do this is to have a hidden form field on the photography site with a randomly generated number in it. The number should also be stored in the session. If the number in the session does not match the number in the hidden form field, refuse the post.

If you want to be really nasty, randomise the hidden field name also.

But basically you need to start researching PHP security - none of these issues are new and are addressed in a variety of books and online documents.
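The hidden-field check described in the message above, including the randomised field name, as an added example that is not part of the original thread. It assumes PHP 7.1 or later (for random_bytes(), hash_equals() and array destructuring); the function names, the `comment_form` session key and the 15-minute lifetime are hypothetical, and a plain array stands in for `$_SESSION` so the file runs from the command line.

```php
<?php
// Added example, not code from the thread. All names here are hypothetical.

/** Create a one-time token and a random hidden-field name; keep both in the session. */
function issue_form_token(array &$session): array
{
    $field = 'f_' . bin2hex(random_bytes(8));   // randomised hidden field name
    $token = bin2hex(random_bytes(32));         // unpredictable value
    $session['comment_form'] = [
        'field'   => $field,
        'token'   => $token,
        'expires' => time() + 900,              // assumed 15-minute lifetime
    ];
    return [$field, $token];
}

/** Hidden input to embed in the comment form shown on the entry page. */
function hidden_field(string $field, string $token): string
{
    return sprintf(
        '<input type="hidden" name="%s" value="%s">',
        htmlspecialchars($field, ENT_QUOTES),
        htmlspecialchars($token, ENT_QUOTES)
    );
}

/** True only if the POST carries the token that was issued to this session. */
function verify_form_token(array &$session, array $post): bool
{
    $issued = $session['comment_form'] ?? null;
    unset($session['comment_form']);            // single use, whether it passes or not
    if (!is_array($issued) || time() > $issued['expires']) {
        return false;                           // no form was served, or it is stale
    }
    $submitted = $post[$issued['field']] ?? '';
    // hash_equals() compares in constant time; the known value goes first.
    return is_string($submitted) && hash_equals($issued['token'], $submitted);
}

// --- Demonstration with a constructed session array in place of $_SESSION ---
$session = [];
[$field, $token] = issue_form_token($session);
echo hidden_field($field, $token), "\n";

// A post that comes from the rendered form.
var_dump(verify_form_token($session, [$field => $token, 'comment' => 'Nice shot']));

// The same post replayed: the token was consumed by the first request.
var_dump(verify_form_token($session, [$field => $token, 'comment' => 'again']));

// A direct call to the store script from a client that never loaded the form.
$session = [];
var_dump(verify_form_token($session, ['comment' => 'spam']));
```

In the real scripts, call session_start() and pass `$_SESSION` to both functions. A client that loads the form first and keeps its session cookie still passes this check, so it stops blind direct posts rather than every automated one.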
Re: How to make Apache (2.2.4) less greedy, or Sendmail less polite? [semi-solved]
On May 8, 2007, at 5:51 AM, Olaf Greve wrote:
[ ... ]
> -Can anyone recommend me proper anti spam authorities to whom I can
> report the IP addresses that caused the issues on my machine?

Try doing a WHOIS lookup on the IP address, and send a report containing sample httpd-access log lines or the message-board spam to the abuse contacts, if listed. In some cases, WHOIS does not return useful info-- in which case, doing a traceroute and noting the ISP used for the last few hops will probably do.

> -At present, in Apache I have added:
>
> Order deny,allow
> Deny from all
>
> Can anyone tell me of a good way to only ever allow calls to this
> script coming from the proper previous script, or should this be
> handled from PHP itself?
> Perhaps this question isn't very clear, but what I'm looking for is a
> way to block any and all direct calls to this script, that originate
> from anywhere but from the photography site itself.

Add something like "Allow from localhost" to the Location block quoted above?

--
-Chuck
Re: How to make Apache (2.2.4) less greedy, or Sendmail less polite? [semi-solved]
Here's what I do with spammers and others I want to keep out of my server...

I make an IP entry into my /etc/hosts.deny file of those I want to deny access to my server. Then I make an entry in my /etc/hosts.allow file that denies access to all in my hosts.deny file. That entry is the first non-commented entry in the hosts.allow file and looks like:

ALL: /etc/hosts.deny: deny

...howard

Olaf Greve wrote:
> Hiya all,
>
> Well, I promised you guys a follow-up on this, and here's what I have found out (first the situation and solution, and then two small questions)
>
> The situation:
> Firstly, I took some measures to figure out where the issues came from, and using Apache's "server-status" handler (tnx for that recommendation!), I noticed the script that caused Apache to choke up (i.e. grab an excessive amount of resources), was a PHP script that shows entries of photographic events that I organise from time to time. This didn't happen for all entries, but only for specific ones. I then wondered why, as this script never caused trouble before, and while checking the server status I did already notice that the "store comments" script (allowing visitor's feedback to the entries) was called very often. Too often.
>
> I checked out the sizes of the comments files (which normally are very small plain text files, of perhaps some 4Kb size at most), and lo and behold: some of them were as big as 18Mb! The main issue then becoming that when these files were parsed as text by PHP when an entry is shown, this either took a long time to complete, or in the worst case caused even a core dump to be generated by the over-excessive load on the server's resources.
>
> Next, when checking the contents of those files, it became apparent that they were completely hammered with all sorts of typical commercial spam, referring to vi*gr* websites, etc. I think this is known as "forum spam" (or so), but my site uses custom scripts, so someone must have found the URL, and made use of it by manually figuring out the parameters and its functionality.
>
> The (partial) "solution":
> For now, I have configured the webserver so, that ANY call to this "store comments" script is forbidden, and will simply generate a standard server error (hopefully the spammers will signal these server errors, and will stop the hack attempt), while I am looking into a better solution (e.g. by having to type additional text (anti-spam challenges) when posting a comment).
>
> But then, as mentioned above, someone went through the trouble of figuring out how to manipulate my code, and hence caused me a LOT of time being wasted, so I want to "reward" them for their trouble, by punishing the responsible people as much as possible. Therefore, I will go through the Apache access log to work out the IP addresses of the machines that were used for this, and I will report them to the proper anti spam authorities, such that they will be blacklisted Internet wide. If anyone knows of good places to do so (the more, the merrier), I welcome hearing about them...
>
> The questions:
> -Can anyone recommend me proper anti spam authorities to whom I can report the IP addresses that caused the issues on my machine?
> -At present, in Apache I have added:
>
> Order deny,allow
> Deny from all
>
> Can anyone tell me of a good way to only ever allow calls to this script coming from the proper previous script, or should this be handled from PHP itself?
> Perhaps this question isn't very clear, but what I'm looking for is a way to block any and all direct calls to this script, that originate from anywhere but from the photography site itself.
>
> Can anyone help me perhaps with those two thingies?
>
> Tnx once more, and cheers!
> Olafo
Re: How to make Apache (2.2.4) less greedy, or Sendmail less polite? [semi-solved]
Hiya all,

Well, I promised you guys a follow-up on this, and here's what I have found out (first the situation and solution, and then two small questions)

The situation:
Firstly, I took some measures to figure out where the issues came from, and using Apache's "server-status" handler (tnx for that recommendation!), I noticed the script that caused Apache to choke up (i.e. grab an excessive amount of resources), was a PHP script that shows entries of photographic events that I organise from time to time. This didn't happen for all entries, but only for specific ones. I then wondered why, as this script never caused trouble before, and while checking the server status I did already notice that the "store comments" script (allowing visitor's feedback to the entries) was called very often. Too often.

I checked out the sizes of the comments files (which normally are very small plain text files, of perhaps some 4Kb size at most), and lo and behold: some of them were as big as 18Mb! The main issue then becoming that when these files were parsed as text by PHP when an entry is shown, this either took a long time to complete, or in the worst case caused even a core dump to be generated by the over-excessive load on the server's resources.

Next, when checking the contents of those files, it became apparent that they were completely hammered with all sorts of typical commercial spam, referring to vi*gr* websites, etc. I think this is known as "forum spam" (or so), but my site uses custom scripts, so someone must have found the URL, and made use of it by manually figuring out the parameters and its functionality.

The (partial) "solution":
For now, I have configured the webserver so, that ANY call to this "store comments" script is forbidden, and will simply generate a standard server error (hopefully the spammers will signal these server errors, and will stop the hack attempt), while I am looking into a better solution (e.g. by having to type additional text (anti-spam challenges) when posting a comment).

But then, as mentioned above, someone went through the trouble of figuring out how to manipulate my code, and hence caused me a LOT of time being wasted, so I want to "reward" them for their trouble, by punishing the responsible people as much as possible. Therefore, I will go through the Apache access log to work out the IP addresses of the machines that were used for this, and I will report them to the proper anti spam authorities, such that they will be blacklisted Internet wide. If anyone knows of good places to do so (the more, the merrier), I welcome hearing about them...

The questions:
-Can anyone recommend me proper anti spam authorities to whom I can report the IP addresses that caused the issues on my machine?
-At present, in Apache I have added:

Order deny,allow
Deny from all

Can anyone tell me of a good way to only ever allow calls to this script coming from the proper previous script, or should this be handled from PHP itself?
Perhaps this question isn't very clear, but what I'm looking for is a way to block any and all direct calls to this script, that originate from anywhere but from the photography site itself.

Can anyone help me perhaps with those two thingies?

Tnx once more, and cheers!
Olafo
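The access-log pass planned in the message above, which also yields the sample log lines the WHOIS/abuse-contact suggestion elsewhere in the thread asks for, as an added example that is not part of the original thread. It assumes PHP 7.1 or later and Apache's combined log format; the script path, the function names and every log line are constructed, with addresses taken from the documentation ranges.

```php
<?php
// Added example, not code from the thread.
// STORE_SCRIPT is a hypothetical path; the log below is constructed sample data.
const STORE_SCRIPT = '/example/store_comments.php';

$log = <<<'LOG'
192.0.2.10 - - [08/May/2007:11:02:01 +0200] "POST /example/store_comments.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.0.2.10 - - [08/May/2007:11:02:03 +0200] "POST /example/store_comments.php?event=7 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [08/May/2007:11:02:04 +0200] "POST /example/store_comments.php HTTP/1.0" 200 498 "-" "-"
203.0.113.5 - - [08/May/2007:11:02:09 +0200] "GET /example/show_entry.php?event=7&pic=2 HTTP/1.1" 200 3792 "-" "Mozilla/5.0"
192.0.2.10 - - [08/May/2007:11:02:10 +0200] "POST /example/store_comments.php HTTP/1.1" 403 210 "-" "Mozilla/4.0"
this line is truncated and must be skipped
LOG;

/** Parse one combined-format line; returns null when the line does not match. */
function parse_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => explode('?', $m[4], 2)[0],  // drop the query string
        'status' => (int) $m[5],
    ];
}

/** Per-IP summary of POST requests to one script, busiest client first. */
function summarise_posts(string $log, string $script): array
{
    $byIp = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $hit = parse_line($line);
        if ($hit === null || $hit['method'] !== 'POST' || $hit['path'] !== $script) {
            continue;                           // unparsable, or not a comment post
        }
        $ip = $hit['ip'];
        if (!isset($byIp[$ip])) {
            $byIp[$ip] = ['posts' => 0, 'accepted' => 0,
                          'first' => $hit['time'], 'sample' => $line];
        }
        $byIp[$ip]['posts']++;
        $byIp[$ip]['last'] = $hit['time'];
        if ($hit['status'] < 400) {
            $byIp[$ip]['accepted']++;           // the post was not refused by the server
        }
    }
    uasort($byIp, function (array $a, array $b): int {
        return $b['posts'] <=> $a['posts'];
    });
    return $byIp;
}

foreach (summarise_posts($log, STORE_SCRIPT) as $ip => $s) {
    printf("%-15s posts=%d accepted=%d  %s .. %s\n",
        $ip, $s['posts'], $s['accepted'], $s['first'], $s['last']);
    printf("  sample: %s\n", $s['sample']);
}
```

The `accepted` column shows whether posts still got a non-error status, which is a quick check that the temporary "Deny from all" rule is actually being hit.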
Re: How to make Apache (2.2.4) less greedy, or Sendmail less polite?
Olaf Greve wrote:
> O.k., I'll check this out, and will let you guys know how I get along with it, and if indeed the script is at fault, or whether it is due to some PHP/Apache issue.

If you've rebuilt PHP with modules, there's a slight chance that the order of loaded modules (in extensions.ini) breaks something. Use Google for more information on that.
Re: How to make Apache (2.2.4) less greedy, or Sendmail less polite?
Hi,

>Investigate the Apache server-status handler (assuming it's still there in
>2.2). If you also enable the ExtendedStatus output from server-status,

I just enabled it like that, as well as the server-info handler.

This is indeed what I was looking for, and it directly identified the culprit, being one of the (PHP) scripts I use on one of my photography sites. I don't know exactly what is going on yet (i.e. when I call the script, on some of the pictures it works fine, and on some others it seems to be blocking forever, and doesn't seem to serve anything, but rather it seems to get stuck)... I suspect the picture resizing code may be at fault...

O.k., I'll check this out, and will let you guys know how I get along with it, and if indeed the script is at fault, or whether it is due to some PHP/Apache issue.

Cheers!
Olafo
Re: How to make Apache (2.2.4) less greedy, or Sendmail less polite?
On Fri, May 04, 2007 at 12:55:16PM +0200, Olaf Greve wrote:
> Hi again,
>
> This time a question from the Apache side of this issue:
>
> >You'll have to correlate this with HTTP requests apache receives -
> >maybe there's a PHP script that's unusually CPU intensive.
>
> Is there any (easy) way to do this in conjunction with specific PIDs
> of stressed httpd instances?
> Of course I can take a look at the httpd-access log file, but at
> present it doesn't log the PIDs (which can perhaps be changed by
> changing the log format), but is there an easier way to
> "inspect" (from the prompt) what a specific httpd instance is doing/
> serving?

Investigate the Apache server-status handler (assuming it's still there in 2.2). If you also enable the ExtendedStatus output from server-status, it includes a table that shows the daemon PID, number of accesses for that PID, current state, CPU usage, time to process the current request, client IP, virtual host and the first line of the HTTP request which shows GET/POST and file.

Assuming that's still the same in Apache 2.2, that should help you identify what's hammering your server. (I only have Apache 2.0 to play around with here)
Re: How to make Apache (2.2.4) less greedy, or Sendmail less polite?
Quoting Olaf Greve who wrote on Fri 2007-05-04 at 00:15:

> 2-How can I inspect exactly what each httpd instance is doing (i.e.
> which request it is serving)?

Enable mod_status or compile it in and enable server-status in the config (usually commented-out in the httpd.conf file) and view the resulting status url. It will show you something quite like:

Srv  PID   Acc         M CPU   SS  Req Conn Child Slot   Host          VHost                 Request
0-17 18003 0/542/16066 _ 18.38 5   0   0.0  5.44  174.47 87.249.97.178 idefix.net            GET /server-status HTTP/1.0
1-17 19911 0/492/16087 _ 18.95 193 0   0.0  4.38  182.34 137.242.1.50  www.camp-wireless.org GET /images/tile.jpg HTTP/1.1

which will help you correlate PID with vhost and url being visited.

Koos

--
Koos van den Hout     Homepage: http://idefix.net/~koos/
Fax: +31-30-2817051   PGP keyid DSS/1024 0xF0D7C263 or RSA/1024 0xCA845CB5
Webprojects: Camp Wireless http://www.camp-wireless.org/
             The Virtual Bookcase http://www.virtualbookcase.com/
Re: How to make Apache (2.2.4) less greedy, or Sendmail less polite?
Hi,

>It might as well be a search engine spider.

Perhaps it is... By just tailing the httpd-access.log file a few times over the past 10 minutes or so, at least I already just came across:

74.6.70.45 - - [04/May/2007:13:12:34 +0200] "GET /olympus/tope/tope_show_entry.php?event=13&pic=1 HTTP/1.0" 200 3209 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
[...]
66.249.66.176 - - [04/May/2007:13:15:46 +0200] "GET /olympus/tope/tope_show_entry.php?pic=22&event=7 HTTP/1.1" 200 3792 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
65.55.210.7 - - [04/May/2007:13:15:52 +0200] "GET /clomid HTTP/1.0" 404 345 "-" "msnbot/1.0 (+http://search.msn.com/msnbot.htm)"

So, there ya go: it looks like Yahoo!, Google AND MSNsearch are battering my server pretty much all at once (though I don't see too many traces of either of them, so perhaps they're not all too hard on the machine)... Hmmm, perhaps time for a "robots.txt" file.

Then, doing just some more tailing on the access log shows that the actual load is spread over several sites, with about 4 of the top sites being called from a variety of browsers from all sorts of IP addresses. Another assumption then becomes that perhaps as soon as the USA "wakes up", the sites simply get a lot of real visitors too, hence causing a (legit) high load...

Still, this is precisely why I'd like to see which scripts are causing heavy load, such that I can perhaps better tune them.

Cheers,
Olafo
Re: How to make Apache (2.2.4) less greedy, or Sendmail less polite?
Olaf Greve wrote:
> PS: This morning (and some of the other past few days as well) I took a
> closer look to the server loads, and it looks like during the better
> part of the morning the load is virtually 0%, and around midday (or
> slightly before?), all of a sudden Apache starts going crazy and
> receives very heavy load. I wonder if this can perhaps be some DOS
> attack, and hence I'd like to see what each of the stressed daemon
> instances is doing exactly...

It might as well be a search engine spider.
Re: How to make Apache (2.2.4) less greedy, or Sendmail less polite?
Hi again,

This time a question from the Apache side of this issue:

>You'll have to correlate this with HTTP requests apache receives - maybe there's a PHP script that's unusually CPU
>intensive.

Is there any (easy) way to do this in conjunction with specific PIDs of stressed httpd instances?
Of course I can take a look at the httpd-access log file, but at present it doesn't log the PIDs (which can perhaps be changed by changing the log format), but is there an easier way to "inspect" (from the prompt) what a specific httpd instance is doing/serving?

Cheers!
Olafo

PS: This morning (and some of the other past few days as well) I took a closer look to the server loads, and it looks like during the better part of the morning the load is virtually 0%, and around midday (or slightly before?), all of a sudden Apache starts going crazy and receives very heavy load. I wonder if this can perhaps be some DOS attack, and hence I'd like to see what each of the stressed daemon instances is doing exactly...
Re: How to make Apache (2.2.4) less greedy, or Sendmail less polite?
Hi again,

Hmmm, the load is very high right now, and again mail is not coming through. This time, it seems the queue runner is blocking matters. When checking /var/log/maillog, there are entries for the RX daemon having received messages, but also there is this entry:

May 4 12:29:38 servername sm-msp-queue[96724]: runqueue: Skipping queue run -- load average too high

Can anyone tell me in which sendmail configuration file or option this should be changed (if possible)?

Note: perhaps this can be achieved by the sm-queue daemon options. In rc.conf, I have the following settings for sendmail:

mta_start_script="/etc/rc.sendmail" # Script to start your chosen MTA, called by /etc/rc.
# Settings for /etc/rc.sendmail:
#sendmail_enable="NO" # Run the sendmail inbound daemon (YES/NO).
sendmail_enable="YES" # Run the sendmail inbound daemon (YES/NO). - (OJG: CHANGED 18-12-2004)
sendmail_flags="-L sm-mta -bd -q30m" # Flags to sendmail (as a server)
sendmail_rx_enable="YES" # Start the RX daemon
sendmail_rx_flags="-C/etc/mail/sendmail-rx.cf -L sm-mta-rx -bd -qp" # Flags to sendmail (RX part - OJG)
sendmail_tx_enable="YES" # Start the TX daemon
sendmail_tx_flags="-L sm-mta-tx -bd -q15m" # Flags to sendmail (TX part - OJG)
#sendmail_submit_enable="YES" # Start a localhost-only MTA for mail submission
sendmail_submit_enable="NO" # Start a localhost-only MTA for mail submission - (OJG: CHANGED 18-12-2004)
sendmail_submit_flags="-L sm-mta -bd -q30m -ODaemonPortOptions=Addr=localhost" # Flags for localhost-only MTA
sendmail_outbound_enable="YES" # Dequeue stuck mail (YES/NO).
#sendmail_outbound_enable="NO" # Dequeue stuck mail (YES/NO). - (OJG: CHANGED 18-12-2004)
sendmail_outbound_flags="-L sm-queue -q30m" # Flags to sendmail (outbound only)
sendmail_msp_queue_enable="YES" # Dequeue stuck clientmqueue mail (YES/NO).
#sendmail_msp_queue_flags="-L sm-msp-queue -Ac -q30m"
sendmail_msp_queue_flags="-Ac -L sm-msp-queue -q10m" # Flags for sendmail_msp_queue daemon.

Any ideas, anyone?

Cheers!
Olafo
Re: How to make Apache (2.2.4) less greedy, or Sendmail less polite?
Olaf Greve wrote:
> Will that not have some other downsides? I remember that previously when running PHP on the CGI, that e.g. a lot of debugging power got lost, as each and every error would simply either return a blank page, or simply an "internal server error 500" or so
> Is that also the case with FastCGI?

Yes, in case of critical / setup errors (i.e. ones that happen "between" apache and php) you'll get that kind of message. Normal PHP and Apache error messages and warnings are not affected.

> >BUT, if something else changed when you switched to the new apache (e.g. PHP version, your web applications), it may not be
> >apache's fault.
>
> The PHP version got upgraded from 4.4.0 to 4.4.6 too, but none of the actual application scripts changed.
>
> BTW: At times what one sees happening is that 2 of the httpd daemons quickly go up to (each, or in turn) about 50% (or 70% if it can grab that much), then stays quite a while at that, and then goes back to a more reasonable amount.

You'll have to correlate this with HTTP requests apache receives - maybe there's a PHP script that's unusually CPU intensive.

> Meanwhile: I'm still open for suggestions as to how to best make Apache behave less selfishly.

You may try playing with login.conf(5) (see "resource limits"), but do it on a spare machine first :) Also, you may try scaling down the number of processes Apache is allowed to create (at the possible expense that some clients get an error message instead of a page).

Still, if the performance was OK before you switched to Apache2, my bet would be that something changed in PHP or your scripts, not in Apache.
Re: How to make Apache (2.2.4) less greedy, or Sendmail less polite?
Hi Ivan and Dan (and the lists),

>The size of apache processes is telling me you're using PHP or some other heavy apache module.

Indeed I am (I forgot to mention this). It is PHP 4.4.6, and it is set up as an Apache module.

> If so, you can switch to using PHP as FastCGI responder via mod_fcgid. The benefits are that you'll get only a few number of
> large php-cgi processes (configurable, usually around 10), and the rest will be lighter httpd processes for serving static
> content.

Will that not have some other downsides? I remember that previously when running PHP on the CGI, that e.g. a lot of debugging power got lost, as each and every error would simply either return a blank page, or simply an "internal server error 500" or so
Is that also the case with FastCGI?

>BUT, if something else changed when you switched to the new apache (e.g. PHP version, your web applications), it may not be
>apache's fault.

The PHP version got upgraded from 4.4.0 to 4.4.6 too, but none of the actual application scripts changed.

BTW: At times what one sees happening is that 2 of the httpd daemons quickly go up to (each, or in turn) about 50% (or 70% if it can grab that much), then stays quite a while at that, and then goes back to a more reasonable amount. At other times, there are around 10+ httpd processes that each consume around 5% of the CPU, with a lot more of them using around 0-1% of the CPU (perhaps defunct already?). Dunno. Apache + PHP is lightning fast, but... at the expense of the CPU being pulled close to 100% all too easily...

Then, regarding Dan's sendmail configuration suggestion: tnx! I just put that in place and will monitor sendmail's behaviour today, to see how it performs during heavy server load. I'll let you guys know how I get on with this...

Meanwhile: I'm still open for suggestions as to how to best make Apache behave less selfishly.

Cheers!
Olafo
Re: How to make Apache (2.2.4) less greedy, or Sendmail less polite?
Olaf Greve wrote:
>   PID USERNAME PRI NICE  SIZE    RES STATE   TIME  WCPU   CPU COMMAND
> 91459 www      124    0  141M 15136K RUN     0:02 5.52% 5.52% httpd
> 91352 www      119    0  139M 12596K select  0:14 3.61% 3.61% httpd

The size of apache processes is telling me you're using PHP or some other heavy apache module. If so, you can switch to using PHP as FastCGI responder via mod_fcgid. The benefits are that you'll get only a few number of large php-cgi processes (configurable, usually around 10), and the rest will be lighter httpd processes for serving static content.

BUT, if something else changed when you switched to the new apache (e.g. PHP version, your web applications), it may not be apache's fault.
RE: How to make Apache (2.2.4) less greedy, or Sendmail less polite?
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:owner-freebsd-
> [EMAIL PROTECTED] On Behalf Of Olaf Greve
> Sent: Friday, 4 May 2007 6:16 AM
> To: freebsd-questions@freebsd.org; [EMAIL PROTECTED]
> Subject: How to make Apache (2.2.4) less greedy, or Sendmail less polite?
>
> Hi,
>
> Recently I upgraded my Apache 1.3.33 webserver to Apache 2.2.4, and
> ever since, I noticed that it is acting in such a way that it often
> is VERY greedy with my server's resources.
> Quite often, when running "top", a list that is as the one that
> appears at the bottom of this e-mail is shown: indeed pretty much
> solely httpd instances, that for extended periods of time almost
> continuously pull the CPU to close to 100%, and that also consume a
> lot of the memory resources... Strangely enough, at other times the
> CPU load is just slightly above 0%, say 0.4% or so...
>
> Apart from the fact that it "doesn't feel right" to see the CPU for
> substantial amounts of time, almost constantly close to 100%, there
> is a further issue, being that sendmail rejects connections when the
> server load is (too) high. This is very annoying, as e-mail is also a
> crucial part of the server's functionality, and I don't want sendmail
> to reject connections, each and every time that Apache goes berserk.

Is there any reason you are using Apache over another HTTP Daemon? Personally, I think Apache has gone down hill with regard to gluttony so I stopped using it a while ago. My preference is now Lighttpd.

NB: Sorry about previous post. Outlook went crazy.

- Russell
RE: How to make Apache (2.2.4) less greedy, or Sendmail less polite?
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:owner-freebsd-
> [EMAIL PROTECTED] On Behalf Of Olaf Greve
> Sent: Friday, 4 May 2007 6:16 AM
> To: freebsd-questions@freebsd.org; [EMAIL PROTECTED]
> Subject: How to make Apache (2.2.4) less greedy, or Sendmail less polite?
>
> Hi,
>
> Recently I upgraded my Apache 1.3.33 webserver to Apache 2.2.4, and
> ever since, I noticed that it is acting in such a way that it often
> is VERY greedy with my server's resources.
> Quite often, when running "top", a list that is as the one that
> appears at the bottom of this e-mail is shown: indeed pretty much
> solely httpd instances, that for extended periods of time almost
> continuously pull the CPU to close to 100%, and that also consume a
> lot of the memory resources... Strangely enough, at other times the
> CPU load is just slightly above 0%, say 0.4% or so...
>
> Apart from the fact that it "doesn't feel right" to see the CPU for
> substantial amounts of time, almost constantly close to 100%, there
> is a further issue, being that sendmail rejects connections when the
> server load is (too) high. This is very annoying, as e-mail is also a
> crucial part of the server's functionality, and I don't want sendmail
> to reject connections, each and every time that Apache goes berserk.
Re: How to make Apache (2.2.4) less greedy, or Sendmail less polite?
In the last episode (May 04), Olaf Greve said:
> Recently I upgraded my Apache 1.3.33 webserver to Apache 2.2.4, and
> ever since, I noticed that it is acting in such a way that it often
> is VERY greedy with my server's resources. Quite often, when running
> "top", a list that is as the one that appears at the bottom of this
> e-mail is shown: indeed pretty much solely httpd instances, that for
> extended periods of time almost continuously pull the CPU to close to
> 100%, and that also consume a lot of the memory resources...
> Strangely enough, at other times the CPU load is just slightly above
> 0%, say 0.4% or so...
>
> Apart from the fact that it "doesn't feel right" to see the CPU for
> substantial amounts of time, almost constantly close to 100%, there
> is a further issue, being that sendmail rejects connections when the
> server load is (too) high. This is very annoying, as e-mail is also
> a crucial part of the server's functionality, and I don't want
> sendmail to reject connections, each and every time that Apache goes
> berserk.
>
> Now, the machine in question, is an AMD-64 machine, and it runs the
> AMD-64 version of FreeBSD (5.4-release) with a custom kernel.
> Surely, Apache can be reconfigured such that it doesn't behave so
> selfishly, and leaves a decent amount of resources for other stuff
> (such as sendmail) on the machine too.
>
> What I'm basically trying to find out is:
> 1-Is this normal, or can this perhaps be some (brute force) hack attempt,
> where something is pounding Apache heavily, trying to find/exploit some
> security risk?
> 2-How can I inspect exactly what each httpd instance is doing (i.e. which
> request it is serving)?
> 3-How to best configure Apache 2.2.4 such that it will never use more than a
> specific amount of the system's resources (e.g. a CPU usage limit of 75%,
> and a memory limit of say 1GB)? It would be my guess that the amount of
> "MaxClients" should be lowered, but is that sufficient (note: current
> httpd-mpm.conf settings appear at the end of this e-mail, and indicate an
> amount of 150), and will that not somehow (all too) negatively affect the
> way Apache handles requests?
> 4-How to perhaps tell sendmail to be a bit more selfish, and stop it from
> rejecting connections for extended periods of time? (note: we all know just
> how much "fun" it can be to configure Sendmail :P so for now I've only
> included (a shortened version of the) RX daemon config file, and hope
> someone can give me a good pointer for this - or tell me where else to
> look).
> 5-When sendmail rejects (incoming) connections, does mail actually get lost,
> or will it (always) be handled later, when the server is less occupied?

I can't help you with Apache, but it's easy to tell sendmail to ignore
system load and deliver mail no matter what:

http://www.sendmail.org/m4/tweaking_config.html#confQUEUE_LA

Change these lines in your .mc file:

dnl define(`confDELAY_LA', 8)
dnl define(`confREFUSE_LA', 12)

to

define(`confQUEUE_LA', 999)
define(`confDELAY_LA', 999)
define(`confREFUSE_LA', 999)

They are more useful on a system that's only handling email, so if
someone starts sending evil attachments that chew up CPU time being
virus or spam-scanned, the server will just start throttling mail
delivery. If the load isn't being caused by mail delivery, it's better
to bump it wayy up.

--
Dan Nelson
[EMAIL PROTECTED]
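Added example, not part of Dan Nelson's message: a small sh check to run after rebuilding sendmail.cf from the .mc file, reporting which load-average throttles would be reached at a given load. The function names `cf_option` and `la_report` are hypothetical, both sample .cf fragments are constructed, and QueueLA, DelayLA and RefuseLA are the sendmail.cf option names that the three `conf*_LA` defines compile to.

```shell
#!/bin/sh
# Added example (not from the thread). Reads sendmail.cf text and reports which
# load-average throttles would be in effect at a given load average.

# cf_option NAME: read sendmail.cf text on stdin and print the numeric value of
# the last active "O NAME=value" line. Commented-out lines ("#O ...") are skipped.
cf_option() {
    sed -n "s/^O[[:space:]]*$1=\([0-9][0-9]*\).*/\1/p" | tail -n 1
}

# la_report CF_TEXT LOAD: print one status line per option.
# Simplification (assumption): a threshold counts as reached when LOAD >= value,
# and 0 is treated as "disabled" (documented for DelayLA, assumed for the rest).
# sendmail's real queueing decision also weighs message priority.
la_report() {
    for opt in QueueLA DelayLA RefuseLA; do
        val=$(printf '%s\n' "$1" | cf_option "$opt")
        if [ -z "$val" ]; then
            echo "$opt unset (built-in default applies)"
        elif [ "$val" -eq 0 ]; then
            echo "$opt=0 disabled"
        elif awk -v l="$2" -v v="$val" 'BEGIN { exit !(l + 0 >= v + 0) }'; then
            echo "$opt=$val reached at load $2"
        else
            echo "$opt=$val not reached at load $2"
        fi
    done
}

# Constructed sample: a .cf with low thresholds, as before the change.
BEFORE_CF='# load average at which we just queue messages
O QueueLA=8
#O DelayLA=0
O RefuseLA=12'

# Constructed sample: the .cf after rebuilding with the three 999 defines.
AFTER_CF='O QueueLA=999
O DelayLA=999
O RefuseLA=999'

echo "before:"; la_report "$BEFORE_CF" 13.5
echo "after:";  la_report "$AFTER_CF" 13.5
```

With all three options at 999 no threshold is reached at any realistic load, so sendmail keeps accepting and delivering mail while Apache saturates the CPU. It also means sendmail no longer sheds load when the mail traffic itself is the cause.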