Re: How to make Apache (2.2.4) less greedy, or Sendmail less polite? [semi-solved]

2007-05-09 Thread Olaf Greve

Hi again,

Tnx for your further recommendations. I'll take the following actions:

1) I'll report the IP addresses to Spamcop and Spamhaus (note that  
indeed it appears to be virus-driven, or operated through backdoors,  
as the server is under constant attack, coming from a variety of IP  
addresses). That way, perhaps the ISPs can at least inform the  
responsible people that they have virus infections, and need to act  
upon it.
2) I may try the hosts.allow trick, but I fear that the IP addresses  
will be very diverse, so that may not be as full-proof as I'd like.  
Probably I'll make use of captcha, or something of the likes.
3) I had already tried using Apache to block any and all access to  
the script, but from the machine itself, but I had done so by adding  
an Allow from 123.456.789.10 entry (with the real life IP address,  
instead of localhost or 127.0.0.1). This didn't do the trick, and  
I can see why. I'll try this with setting this to Allow from  
localhost or Allow from 127.0.0.1, and will the perhaps have to  
change the form action handler somewhat.


Either way: I should have enough information for now to properly act  
upon it (though I still welcome further suggestions), so thanks a lot  
again! :)


Cheers!
Olafo
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: How to make Apache (2.2.4) less greedy, or Sendmail less polite? [semi-solved]

2007-05-08 Thread Olaf Greve

Hiya all,

Well, I promised you guys a follow-up on this, and here's what I have  
found out (first the situation and solution, and then two small  
questions)


The situation:
Firstly, I took some measures to figure out where the issues came  
from, and using Apache's server-status handler (tnx for that  
recommendation!), I noticed the script that caused Apache to choke up  
(i.e. grab an excessive amount of resources), was a PHP script that  
shows entries of photographic events that I organise from time to  
time. This didn't happen for all entries, but only for specific ones.
I then wondered why, as this script never caused trouble before, and  
while checking the server status I did already notice that the store  
comments script (allowing visitor's feedback to the entries) was  
called very often. Too often. I checked out the sizes of the comments  
files (which normally are very small plain text files, of perhaps  
some 4Kb size at most), and lo and behold: some of them were as big  
as 18Mb! The main issue then becoming that when these files were  
parsed as
text by PHP when an entry is shown, this either took a long time to  
complete, or in the worst case caused even a core dump to be  
generated by the over-excessive load on the server's resources.
Next, when checking the contents of those files, it became apparent  
that they were completely hammered with all sorts of typical  
commercial spam, referring to vi*gr* websites, etc. I think this is  
known as forum spam (or so), but my site uses custom scripts, so  
someone must have found the URL, and made use of it by manually  
figuring out the parameters and it's functionality.


The (partial) solution:
For now, I have configured the webserver so, that ANY call to this  
store comments script is forbidden, and will simply generate a  
standard server error (hopefully the spammers will signal these  
server errors, and will stop the hack attempt), while I am looking  
into a better solution (e.g. by having to type additional text (anti- 
spam challenges) when posting a comment). But then, as mentioned  
above, someone went through the trouble of figuring out how to  
manipulate my code, and hence caused me a LOT of time being wasted,  
so I want to reward them for their trouble, by punishing the  
responsible people as much as possible. Therefore, I will go through  
the Apache access log to work out the IP addresses of
the machines that were used for this, and I will report them to the  
proper anti spam authorities, such that they will be blacklisted  
Internet wide. If anyone knows of good places to do so (the more, the  
merrier), I welcome hearing about them...


The questions:
-Can anyone recommend me proper anti spam authorities to whom I can  
report the IP addresses that caused the issues on my machine?

-At present, in Apache I have added:
Location ~ store_comments_script.php
Order deny,allow
Deny from all
/Location
Can anyone tell me of a good way to only ever allow calls to this  
script coming from the proper previous script, or should this be  
handled from PHP itself?
Perhaps this question isn't very clear, but what I'm looking for is a  
way to block any and all direct calls to this script, that originate  
from anywhere but from the photography site itself.


Can anyone help me perhaps with those two thingies?

Tnx once more, and cheers!
Olafo
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: How to make Apache (2.2.4) less greedy, or Sendmail less polite? [semi-solved]

2007-05-08 Thread Howard MITCHell Feldman

Here's what I do with spammers and others I want to keep out of my server...

I make an IP entry into my /etc/hosts.deny file of those I want to deny 
access to my server.  Then I make an entry in my /etc/hosts.allow file 
that denies access to all in my hosts.deny file.  That entry is the 
first non-commented entry in the hosts.allow file and looks like:


ALL: /etc/hosts.deny: deny

...howard

Olaf Greve wrote:

Hiya all,

Well, I promised you guys a follow-up on this, and here's what I have 
found out (first the situation and solution, and then two small 
questions)


The situation:
Firstly, I took some measures to figure out where the issues came 
from, and using Apache's server-status handler (tnx for that 
recommendation!), I noticed the script that caused Apache to choke up 
(i.e. grab an excessive amount of resources), was a PHP script that 
shows entries of photographic events that I organise from time to 
time. This didn't happen for all entries, but only for specific ones.
I then wondered why, as this script never caused trouble before, and 
while checking the server status I did already notice that the store 
comments script (allowing visitor's feedback to the entries) was 
called very often. Too often. I checked out the sizes of the comments 
files (which normally are very small plain text files, of perhaps some 
4Kb size at most), and lo and behold: some of them were as big as 
18Mb! The main issue then becoming that when these files were parsed as
text by PHP when an entry is shown, this either took a long time to 
complete, or in the worst case caused even a core dump to be generated 
by the over-excessive load on the server's resources.
Next, when checking the contents of those files, it became apparent 
that they were completely hammered with all sorts of typical 
commercial spam, referring to vi*gr* websites, etc. I think this is 
known as forum spam (or so), but my site uses custom scripts, so 
someone must have found the URL, and made use of it by manually 
figuring out the parameters and it's functionality.


The (partial) solution:
For now, I have configured the webserver so, that ANY call to this 
store comments script is forbidden, and will simply generate a 
standard server error (hopefully the spammers will signal these server 
errors, and will stop the hack attempt), while I am looking into a 
better solution (e.g. by having to type additional text (anti-spam 
challenges) when posting a comment). But then, as mentioned above, 
someone went through the trouble of figuring out how to manipulate my 
code, and hence caused me a LOT of time being wasted, so I want to 
reward them for their trouble, by punishing the responsible people 
as much as possible. Therefore, I will go through the Apache access 
log to work out the IP addresses of
the machines that were used for this, and I will report them to the 
proper anti spam authorities, such that they will be blacklisted 
Internet wide. If anyone knows of good places to do so (the more, the 
merrier), I welcome hearing about them...


The questions:
-Can anyone recommend me proper anti spam authorities to whom I can 
report the IP addresses that caused the issues on my machine?

-At present, in Apache I have added:
Location ~ store_comments_script.php
Order deny,allow
Deny from all
/Location
Can anyone tell me of a good way to only ever allow calls to this 
script coming from the proper previous script, or should this be 
handled from PHP itself?
Perhaps this question isn't very clear, but what I'm looking for is a 
way to block any and all direct calls to this script, that originate 
from anywhere but from the photography site itself.


Can anyone help me perhaps with those two thingies?

Tnx once more, and cheers!
Olafo
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-amd64
To unsubscribe, send any mail to [EMAIL PROTECTED]


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: How to make Apache (2.2.4) less greedy, or Sendmail less polite? [semi-solved]

2007-05-08 Thread Chuck Swiger

On May 8, 2007, at 5:51 AM, Olaf Greve wrote:
[ ... ]
-Can anyone recommend me proper anti spam authorities to whom I can  
report the IP addresses that caused the issues on my machine?


Try doing a WHOIS lookup on the IP address, and send a report  
containing sample httpd-access log lines or the message-board spam to  
the abuse contacts, if listed.  In some cases, WHOIS does not return  
useful info-- in which case, doing a traceroute and noting the ISP  
used for the last few hops will probably do.



-At present, in Apache I have added:
Location ~ store_comments_script.php
Order deny,allow
Deny from all
/Location
Can anyone tell me of a good way to only ever allow calls to this  
script coming from the proper previous script, or should this be  
handled from PHP itself?  Perhaps this question isn't very clear,  
but what I'm looking for is a way to block any and all direct calls  
to this script, that originate from anywhere but from the  
photography site itself.


Add something like Allow from localhost to the Location block  
quoted above?


--
-Chuck

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: How to make Apache (2.2.4) less greedy, or Sendmail less polite? [semi-solved]

2007-05-08 Thread Gary Palmer
On Tue, May 08, 2007 at 02:51:45PM +0200, Olaf Greve wrote:
 
 The questions:
 -Can anyone recommend me proper anti spam authorities to whom I can  
 report the IP addresses that caused the issues on my machine?

99.99% of the hits will be from zombie PCs which have one or
more virus infections.  Reporting them might get the ISP to get their
customer to clean up their PC, but I doubt it.  You can try.

 -At present, in Apache I have added:
 Location ~ store_comments_script.php
 Order deny,allow
 Deny from all
 /Location
 Can anyone tell me of a good way to only ever allow calls to this  
 script coming from the proper previous script, or should this be  
 handled from PHP itself?
 Perhaps this question isn't very clear, but what I'm looking for is a  
 way to block any and all direct calls to this script, that originate  
 from anywhere but from the photography site itself.
 
 Can anyone help me perhaps with those two thingies?

You cannot assume the referrer header is truthful.  The only way to try
to do this is to have a hidden form field on the photography site with
a randomly generate number in it.  The number should also be stored in the
session.  If the number in the session does not match the number in the
hidden form field, refuse the post.  

If you want to be really nasty, randomise the hidden field name also.

But basically you need to start researching PHP security - none 
of these issues are new and are addressed in a variety of books and
online documents.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: How to make Apache (2.2.4) less greedy, or Sendmail less polite? [semi-solved]

2007-05-08 Thread Ray
On Tuesday 08 May 2007 1:57 pm, Gary Palmer wrote:
 On Tue, May 08, 2007 at 02:51:45PM +0200, Olaf Greve wrote:
  The questions:
  -Can anyone recommend me proper anti spam authorities to whom I can
  report the IP addresses that caused the issues on my machine?

 99.99% of the hits will be from zombie PCs which have one or
 more virus infections.  Reporting them might get the ISP to get their
 customer to clean up their PC, but I doubt it.  You can try.

  -At present, in Apache I have added:
  Location ~ store_comments_script.php
  Order deny,allow
  Deny from all
  /Location
  Can anyone tell me of a good way to only ever allow calls to this
  script coming from the proper previous script, or should this be
  handled from PHP itself?
  Perhaps this question isn't very clear, but what I'm looking for is a
  way to block any and all direct calls to this script, that originate
  from anywhere but from the photography site itself.
 
  Can anyone help me perhaps with those two thingies?

 You cannot assume the referrer header is truthful.  The only way to try
 to do this is to have a hidden form field on the photography site with
 a randomly generate number in it.  The number should also be stored in the
 session.  If the number in the session does not match the number in the
 hidden form field, refuse the post.

 If you want to be really nasty, randomise the hidden field name also.
and if you're ultra paranoid, encrypt the number in the session.
Ray


 But basically you need to start researching PHP security - none
 of these issues are new and are addressed in a variety of books and
 online documents.
 ___
 freebsd-questions@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-questions
 To unsubscribe, send any mail to
 [EMAIL PROTECTED]
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: How to make Apache (2.2.4) less greedy, or Sendmail less polite?

2007-05-07 Thread Ivan Voras

Olaf Greve wrote:

O.k., I'll check this out, and will let you guys know how I get along 
with it, and if indeed the script is at fault, or whether it is due to 
some PHP/Apache issue.


If you've rebuilt PHP with modules, there's a slight chance that the 
order of loaded modules (in extensions.ini) breaks something. Use Google 
for more information on that.




signature.asc
Description: OpenPGP digital signature


Re: How to make Apache (2.2.4) less greedy, or Sendmail less polite?

2007-05-04 Thread Ivan Voras

Olaf Greve wrote:


  PID USERNAMEPRI NICE   SIZERES STATETIME   WCPUCPU 
COMMAND
91459 www 1240   141M 15136K RUN  0:02  5.52%  5.52% 
httpd
91352 www 1190   139M 12596K select   0:14  3.61%  3.61% 
httpd


The size of apache processes is telling me you're using PHP or some 
other heavy apache module. If so, you can switch to using PHP as FastCGI 
responder via mod_fcgid. The benefits are that you'll get only a few 
number of large php-cgi processes (configurable, usually around 10), and 
the rest will be lighter httpd processes for serving static content.


BUT, if something else changed when you switched to the new apache (e.g. 
PHP version, your web applications), it may not be apache's fault.




signature.asc
Description: OpenPGP digital signature


Re: How to make Apache (2.2.4) less greedy, or Sendmail less polite?

2007-05-04 Thread Olaf Greve

Hi Ivan and Dan (and the lists),

The size of apache processes is telling me you're using PHP or some  
other heavy apache module.


Indeed I am (I forgot to mention this). It is PHP 4.4.6, and it is  
set up as an Apache module.


 If so, you can switch to using PHP as FastCGI responder via  
mod_fcgid. The benefits are that you'll get only a few number of
 large php-cgi processes (configurable, usually around 10), and the  
rest will be lighter httpd processes for serving static

 content.

Will that not have some other downsides? I remember that previously  
when running PHP on the CGI, that e.g. a lot of debugging power got  
lost, as each and every error would simply either return a blank  
page, or simply an internal servor error 500 or so Is that also  
the case with FastCGI?


BUT, if something else changed when you switched to the new apache  
(e.g. PHP version, your web applications), it may not be

apache's fault.

The PHP version got upgraded from 4.4.0 to 4.4.6 too, but none of the  
actual application scripts changed.


BTW: At times what one sees happening is that 2 of the httpd daemons  
quickly go up to (each, or in turn) about 50% (or 70% if it can grab  
that much), then stays quite a while at that, and then goes back to a  
more reasonable amount.
At other times, there are around 10+ httpd processes that each  
consume around 5% of the CPU, with a lot more of them using around  
0-1% of the CPU (perhaps defunct already?). Dunno. Apache + PHP is  
lightning fast, but... at the expense of the CPU being pulled close  
to 100% all to easily...


Then, regarding Dan's sendmail configuration suggestion: tnx! I just  
put that in place and will monitor sendmail's behaviour today, to see  
how it performs during heavy server load.


I'll let you guys know how I get on with this...

Meanwhile: I'm still open for suggestions as to how to best make  
Apache behave less selfishly.


Cheers!
Olafo
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: How to make Apache (2.2.4) less greedy, or Sendmail less polite?

2007-05-04 Thread Ivan Voras

Olaf Greve wrote:

Will that not have some other downsides? I remember that previously when 
running PHP on the CGI, that e.g. a lot of debugging power got lost, as 
each and every error would simply either return a blank page, or simply 
an internal servor error 500 or so Is that also the case with 
FastCGI?


Yes, in case of critical / setup errors (i.e. ones that happen between 
apache and php) you'll get that kind of message. Normal PHP and Apache 
error messages and warnings are not affected.


 BUT, if something else changed when you switched to the new apache 
(e.g. PHP version, your web applications), it may not be

 apache's fault.

The PHP version got upgraded from 4.4.0 to 4.4.6 too, but none of the 
actual application scripts changed.


BTW: At times what one sees happening is that 2 of the httpd daemons 
quickly go up to (each, or in turn) about 50% (or 70% if it can grab 
that much), then stays quite a while at that, and then goes back to a 
more reasonable amount.


You'll have to correlate this with HTTP requests apache receives - maybe 
there's a PHP script that's unusually CPU intensive.



Meanwhile: I'm still open for suggestions as to how to best make Apache 
behave less selfishly.


You may try playing with login.conf(5) (see resource limits), but do 
it on a spare machine first :)


Also, you may try scaling down the number of processes Apache is allowed 
to create (at the possible expense that some clients get an error 
message instead of a page).


Still, if the performance was OK before you switched to Apache2, my bet 
would be that something changed in PHP or your scripts, not in Apache.




signature.asc
Description: OpenPGP digital signature


Re: How to make Apache (2.2.4) less greedy, or Sendmail less polite?

2007-05-04 Thread Olaf Greve

Hi again,

Hmmm, the load is very high right now, and again mail is not comming  
through. This time, it seems the queue runner is blocking matters.


When checking /var/log/maillog, there are entries for the RX daemon  
having received messages, but also there is this entry:


May  4 12:29:38 servername sm-msp-queue[96724]: runqueue: Skipping  
queue run -- load average too high


Can anyone tell me in which sendmail configuration file or option  
this should be changed (if possible)?


Note: perhaps this can be achieved by the sm-queue daemon options. In  
rc.conf, I have the following settings for sendmail:


mta_start_script=/etc/rc.sendmail # Script to start your chosen  
MTA, called by /etc/rc.

# Settings for /etc/rc.sendmail:
#sendmail_enable=NO   # Run the sendmail inbound  
daemon (YES/NO).
sendmail_enable=YES   # Run the sendmail inbound  
daemon (YES/NO). - (OJG: CHANGED 18-12-2004)
sendmail_flags=-L sm-mta -bd -q30m# Flags to sendmail (as a  
server)

sendmail_rx_enable=YES# Start the RX daemon
sendmail_rx_flags=-C/etc/mail/sendmail-rx.cf -L sm-mta-rx -bd -qp #  
Flags to sendmail (RX part - OJG)

sendmail_tx_enable=YES# Start the TX daemon
sendmail_tx_flags=-L sm-mta-tx -bd -q15m # Flags to sendmail (TX  
part - OJG)
#sendmail_submit_enable=YES   # Start a localhost-only MTA  
for mail submission
sendmail_submit_enable=NO # Start a localhost-only MTA  
for mail submission - (OJG: CHANGED 18-12-2004)
sendmail_submit_flags=-L sm-mta -bd -q30m - 
ODaemonPortOptions=Addr=localhost # Flags for localhost-only MTA

sendmail_outbound_enable=YES  # Dequeue stuck mail (YES/NO).
#sendmail_outbound_enable=NO  # Dequeue stuck mail  
(YES/NO). - (OJG: CHANGED 18-12-2004)
sendmail_outbound_flags=-L sm-queue -q30m # Flags to sendmail  
(outbound only)
sendmail_msp_queue_enable=YES # Dequeue stuck clientmqueue  
mail (YES/NO).

#sendmail_msp_queue_flags=-L sm-msp-queue -Ac -q30m
sendmail_msp_queue_flags=-Ac -L sm-msp-queue -q10m  # Flags for  
sendmail_msp_queue daemon.


Any ideas, anyone?

Cheers!
Olafo

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: How to make Apache (2.2.4) less greedy, or Sendmail less polite?

2007-05-04 Thread Olaf Greve

Hi again,

This time a question from the Apache side of this issue:

You'll have to correlate this with HTTP requests apache receives -  
maybe there's a PHP script that's unusually CPU

intensive.

Is there any (easy) way to do this in conjunction with specific PIDs  
of stressed httpd instances?
Of course I can take a look at the httpd-access log file, but at  
present it doesn't log the PIDs (which can perhaps be changed by  
changing the log format), but is there an easier way to  
inspect (from the prompt) what a specific httpd instance is doing/ 
serving?


Cheers!
Olafo

PS: This morning (and some of the other past few days as well) I took  
a closer look to the server loads, and it looks like during the  
better part of the morning the load is virtually 0%, and around  
midday (or slighlty before?), all of a sudden Apache starts going  
crazy and receives very heavy load. I wonder if this can perhaps be  
some DOS attack, and hence I'd like to see what each of the stressed  
daemon instances is doing exactly...

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: How to make Apache (2.2.4) less greedy, or Sendmail less polite?

2007-05-04 Thread [LoN]Kamikaze
Olaf Greve wrote:
 PS: This morning (and some of the other past few days as well) I took a
 closer look to the server loads, and it looks like during the better
 part of the morning the load is virtually 0%, and around midday (or
 slighlty before?), all of a sudden Apache starts going crazy and
 receives very heavy load. I wonder if this can perhaps be some DOS
 attack, and hence I'd like to see what each of the stressed daemon
 instances is doing exactly...

It might as well be a search engine spider.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: How to make Apache (2.2.4) less greedy, or Sendmail less polite?

2007-05-04 Thread Olaf Greve

Hi,

It might as well be a search engine spider.


Perhaps it is... By just tailing the httpd-access.log file a few  
times over the past 10 minutes or so, at least I already just came  
across:


74.6.70.45 - - [04/May/2007:13:12:34 +0200] GET /olympus/tope/ 
tope_show_entry.php?event=13pic=1 HTTP/1.0 200 3209 - Mozilla/ 
5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/ 
slurp)

[...]
66.249.66.176 - - [04/May/2007:13:15:46 +0200] GET /olympus/tope/ 
tope_show_entry.php?pic=22event=7 HTTP/1.1 200 3792 - Mozilla/ 
5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
65.55.210.7 - - [04/May/2007:13:15:52 +0200] GET /clomid HTTP/1.0  
404 345 - msnbot/1.0 (+http://search.msn.com/msnbot.htm)


So, there ya go: it looks like Yahoo!, Google AND MSNsearch are  
battering my server pretty much all at once (though I don't see too  
many traces of either of them, so perhaps they're not all too hard on  
the machine)...

Hmmm, perhaps time for a robots.txt file.

Then, doing just some more tailing on the access log shows that the  
actual load is spread over several sites, with about 4 of the top  
sites being called from a variety of browsers from all sorts of IP  
addresses. Another assumption then becomes that perhaps as soon as  
the USA wakes up, the sites simply get a lot of real visitors too,  
hence causing a (legit) high load...


Still, this is precisely why I'd like to see which scripts are  
causing heavy load, such that I can perhaps better tune them.


Cheers,
Olafo


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: How to make Apache (2.2.4) less greedy, or Sendmail less polite?

2007-05-04 Thread Koos van den Hout
Quoting Olaf Greve who wrote on Fri 2007-05-04 at 00:15:

 2-How can I inspect exactly what each httpd instance is doing (i.e.  
 which request it is serving)?

Enable mod_status or compile it in and enable server-status in the config
(usually commented-out in the httpd.conf file) and view the resulting
status url. It will show you something quite like:

   Srv PID Acc M CPU SS Req Conn Child Slot Host VHost Request  
   0-17 18003 0/542/16066 _ 18.38 5 0 0.0 5.44 174.47 87.249.97.178 
   idefix.net GET /server-status HTTP/1.0   
   1-17 19911 0/492/16087 _ 18.95 193 0 0.0 4.38 182.34 137.242.1.50
   www.camp-wireless.org GET /images/tile.jpg HTTP/1.1  

which will help you correlate PID with vhost and url being visited.

   Koos

-- 
Koos van den Hout Homepage: http://idefix.net/~koos/
Fax: +31-30-2817051 PGP keyid DSS/1024 0xF0D7C263 or RSA/1024 0xCA845CB5
Webprojects:  Camp Wirelesshttp://www.camp-wireless.org/
  The Virtual Bookcase   http://www.virtualbookcase.com/


signature.asc
Description: Digital signature


Re: How to make Apache (2.2.4) less greedy, or Sendmail less polite?

2007-05-04 Thread Gary Palmer
On Fri, May 04, 2007 at 12:55:16PM +0200, Olaf Greve wrote:
 Hi again,
 
 This time a question from the Apache side of this issue:
 
 You'll have to correlate this with HTTP requests apache receives -  
 maybe there's a PHP script that's unusually CPU
 intensive.
 
 Is there any (easy) way to do this in conjunction with specific PIDs  
 of stressed httpd instances?
 Of course I can take a look at the httpd-access log file, but at  
 present it doesn't log the PIDs (which can perhaps be changed by  
 changing the log format), but is there an easier way to  
 inspect (from the prompt) what a specific httpd instance is doing/ 
 serving?

Investigate the Apache server-status handler (assuming its still there in
2.2).  If you also enable the ExtendedStatus output from server-status,
it includes a table that shows the daemon PID, number of accesses for that
PID, current state, CPU usage, time to process the current request, 
client IP, virtual host and the first line of the HTTP request which
shows GET/POST and file.  Assuming thats still the same in Apache 2.2,
that should help you identify whats hammering your server. (I only have
Apache 2.0 to play around with here)
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: How to make Apache (2.2.4) less greedy, or Sendmail less polite?

2007-05-04 Thread Olaf Greve

Hi,

Investigate the Apache server-status handler (assuming its still  
there in
2.2).  If you also enable the ExtendedStatus output from server- 
status,


I just enabled it like that, as well as the server-info handler. This  
is indeed what I was looking for, and it directly identified the  
culprit, being one of the (PHP) scripts I use on one of my  
photography sites.
I don't know exactly what is going on yet (i.e. when I call the  
script, on some of the pictures it works fine, and on some others it  
seems to be blocking forever, and doesn't seem to serve anything, but  
rather it seems to get stuck)...

I suspect the picture resizing code may be at fault...

O.k., I'll check this out, and will let you guys know how I get along  
with it, and if indeed the script is at fault, or whether it is due  
to some PHP/Apache issue.


Cheers!
Olafo
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: How to make Apache (2.2.4) less greedy, or Sendmail less polite?

2007-05-03 Thread Dan Nelson
In the last episode (May 04), Olaf Greve said:
  Recently I upgraded my Apache 1.3.33 webserver to Apache 2.2.4, and
  ever since, I noticed that it is acting in such a way that it often
  is VERY greedy with my server's resources. Quite often, when running
  top, a list that is as the one that appears at the bottom of this
  e-mail is shown: indeed pretty much solely httpd instances, that for
  extended periods of time almost continously pull the CPU to close to
  100%, and that also consume a lot of the memory resources... 
  Strangely enough, at other times the CPU load is just slightly above
  0%, say 0.4% or so...
 
  Apart from the fact that it doesn't feel right to see the CPU for
  substantial amounts of time, almost constantly close to 100%, there
  is a further issue, being that sendmail rejects connections when the
  server load is (too) high. This is very annoying, as e-mail is also
  a crucial part of the server's functionality, and I don't want
  sendmail to reject connections, each and every time that Apache goes
  berserk.
 
  Now, the machine in question, is an AMD-64 machine, and it runs the
  AMD-64 version of FreeBSD (5.4-release) with a custom kernel.
  Surely, Apache can be reconfigured such that it doesn't behave so
  selfishly, and leaves a decent amount of resources for other stuff
  (such as sendmail) on the machine too.
 
  What I'm basically trying to find out is:
  1-Is this normal, or can this perhaps be some (brute force) hack attempt, 
  where something is pounding Apache heavily, trying to find/exploit some 
  security risk?
  2-How can I inspect exactly what each httpd instance is doing (i.e. which 
  request it is serving)?
  3-How to best configure Apache 2.2.4 such that it will never use more than a 
  specific amount of the system's resources (e.g. a CPU usage limit of 75%, 
  and a memory limit of say 1GB)? It would be my guess that the amount of 
  MaxClients should be lowered, but is that sufficient (note: current 
  httpd-mpm.conf settings apper at the end of this e-mail, and indicate an 
  amount of 150), and will that not somehow (all too) negatively affect the 
  way Apache handles requests?
  4-How to perhaps tell sendmail to be a bit more selfish, and stop it from 
  rejecting connections for extended periods of time? (note: we all know just 
  how much fun it can be to configure Sendmail :P so for now I've only 
  included (a shortened version of the) RX daemon config file, and hope 
  someone can give me a good pointer for this - or tell me where else to 
  look).
  5-When sendmail rejects (incoming) connections, does mail actually get lost, 
  or will it (always) be handled later, when the server is less occupied?

I can't help you with Apache, but it's easy to tell sendmail to ignore
system load and deliver mail no matter what:

http://www.sendmail.org/m4/tweaking_config.html#confQUEUE_LA

Change these lines in your .mc file:

  dnl define(`confDELAY_LA,8)
  dnl define(`confREFUSE_LA', 12)

to 

  define(`confQUEUE_LA', 999)
  define(`confDELAY_LA', 999)
  define(`confREFUSE_LA', 999)
  
They are more useful on a system that's only handling email, so if
someone starts sending evil attachments that chew up CPU time being
virus or spam-scanned, the server will just start throttling mail
delivery.  If the load isn't being caused by mail delivery, it's better
to bump it wayy up.

-- 
Dan Nelson
[EMAIL PROTECTED]
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


RE: How to make Apache (2.2.4) less greedy, or Sendmail less polite?

2007-05-03 Thread Wood, Russell

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:owner-freebsd-
 [EMAIL PROTECTED] On Behalf Of Olaf Greve
 Sent: Friday, 4 May 2007 6:16 AM
 To: freebsd-questions@freebsd.org; [EMAIL PROTECTED]
 Subject: How to make Apache (2.2.4) less greedy, or Sendmail less
polite?
 
 Hi,
 
 Recently I upgraded my Apache 1.3.33 webserver to Apache 2.2.4, and
 ever since, I noticed that it is acting in such a way that it often
 is VERY greedy with my server's resources.
 Quite often, when running top, a list that is as the one that
 appears at the bottom of this e-mail is shown: indeed pretty much
 solely httpd instances, that for extended periods of time almost
 continously pull the CPU to close to 100%, and that also consume a
 lot of the memory resources... Strangely enough, at other times the
 CPU load is just slightly above 0%, say 0.4% or so...
 
 Apart from the fact that it doesn't feel right to see the CPU for
 substantial amounts of time, almost constantly close to 100%, there
 is a further issue, being that sendmail rejects connections when the
 server load is (too) high. This is very annoying, as e-mail is also a
 crucial part of the server's functionality, and I don't want sendmail
 to reject connections, each and every time that Apache goes berserk.



DISCLAIMER:
Disclaimer.  This e-mail is private and confidential. If you are not the 
intended recipient, please advise us by return e-mail immediately, and delete 
the e-mail and any attachments without using or disclosing the contents in any 
way. The views expressed in this e-mail are those of the author, and do not 
represent those of this company unless this is clearly indicated. You should 
scan this e-mail and any attachments for viruses. This company accepts no 
liability for any direct or indirect damage or loss resulting from the use of 
any attachments to this e-mail.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


RE: How to make Apache (2.2.4) less greedy, or Sendmail less polite?

2007-05-03 Thread Wood, Russell

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:owner-freebsd-
 [EMAIL PROTECTED] On Behalf Of Olaf Greve
 Sent: Friday, 4 May 2007 6:16 AM
 To: freebsd-questions@freebsd.org; [EMAIL PROTECTED]
 Subject: How to make Apache (2.2.4) less greedy, or Sendmail less
polite?
 
 Hi,
 
 Recently I upgraded my Apache 1.3.33 webserver to Apache 2.2.4, and
 ever since, I noticed that it is acting in such a way that it often
 is VERY greedy with my server's resources.
 Quite often, when running top, a list that is as the one that
 appears at the bottom of this e-mail is shown: indeed pretty much
 solely httpd instances, that for extended periods of time almost
 continously pull the CPU to close to 100%, and that also consume a
 lot of the memory resources... Strangely enough, at other times the
 CPU load is just slightly above 0%, say 0.4% or so...
 
 Apart from the fact that it doesn't feel right to see the CPU for
 substantial amounts of time, almost constantly close to 100%, there
 is a further issue, being that sendmail rejects connections when the
 server load is (too) high. This is very annoying, as e-mail is also a
 crucial part of the server's functionality, and I don't want sendmail
 to reject connections, each and every time that Apache goes berserk.

Is there any reason you are using Apache over another HTTP Daemon?

Personally, I think Apache has gone down hill with regard to gluttony so
I stopped using it a while ago. My preference is now Lighttpd.

NB: Sorry about previous post. Outlook went crazy.

- Russell


DISCLAIMER:
Disclaimer.  This e-mail is private and confidential. If you are not the 
intended recipient, please advise us by return e-mail immediately, and delete 
the e-mail and any attachments without using or disclosing the contents in any 
way. The views expressed in this e-mail are those of the author, and do not 
represent those of this company unless this is clearly indicated. You should 
scan this e-mail and any attachments for viruses. This company accepts no 
liability for any direct or indirect damage or loss resulting from the use of 
any attachments to this e-mail.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]