Re: Apache problems
On Mon, Sep 19, 2011 at 6:37 AM, Rod Whitworth glis...@witworx.com wrote: What a pity that people don't do any searching b4 asking STFA for this list and (IIRC) find links to the PoC tool amongst other info. Yes, and this has nothing to do with OpenBSD (this time). The apache foundation has adjusted the security advisory and Apache 1.3 isn't vulnerable. https://httpd.apache.org/security/CVE-2011-3192.txt On Mon, 19 Sep 2011 04:24:19 -0600, Shane Harbour wrote: On 9/18/2011 9:42 PM, L. V. Lammert wrote: On Sun, 18 Sep 2011, Amit Kulkarni wrote: Recently there was a security issue with Apache. It was based on a perl script, search google. Maybe you are experiencing traffic and the related problems because of that. Is there any way to find out if the version in 4.3 was susceptible to the attack? Lee I believe the Apache Foundation released that Apache 1.3 is susceptible to this attack. However, with changes made by the devs, it's possible the version in OpenBSD may not be. If you have a spare box, you could always load it up and test it. I believe there is an Apache killer perl script floating on the 'net that you could use to test with. Shane *** NOTE *** Please DO NOT CC me. I am subscribed to the list. Mail to the sender address that does not originate at the list server is tarpitted. The reply-to: address is provided for those who feel compelled to reply off list. Thank you. Rod/ --- This life is not the real thing. It is not even in Beta. If it was, then OpenBSD would already have a man page for it. -- Mattieu Baptiste /earth is 102% full ... please delete anyone you can.
Re: Apache problems
On 19 September 2011 09:51, Mattieu Baptiste mattie...@gmail.com wrote: The apache foundation has adjusted the security advisory and Apache 1.3 isn't vulnerable. https://httpd.apache.org/security/CVE-2011-3192.txt Yes, fair enough, BUT that same advisory says *in its Apache 1.3 section*: However as explained in the background section in more detail - this attack does cause a significant and possibly unexpected load. You are advised to review your configuration in that light. and Lee's original problem appears to be the result of an unexpected load. b+ I've got loads (I've got loads... ...of three-five error codes, error, error codes) Loads, loads (loads), then three-five error codes, (error) error codes (codes) You thought I was just running -CURRENT or 4 point 9? I'm old skool, GETs served by Apach(e), mine It's the abominable dae-mon Older H-T-T-P-D, man Stable rig for me, man Two-oh-ohs, four-oh-fours; I send small PCs and gate(way)s HTML source One-five-oh max_clients on four point three: Scratching heads, starting threads, and you answer me So control your PoC tool and keep your boxes on And I'll finish this up by upgrading soon. Four point three box, three five error code, my server VH just overloads... b+ PS: Figuring out how the Apache Foundation's declaration of non-vulnerability squares with their declaration of this performance impact is left as an exercise for the reader. PPS: Try to avoid a stack overflow via item 0) in the advisory's Mitigation section. Also, don't try to find option '3'...
Re: Apache problems
On Mon, Sep 19, 2011 at 6:57 PM, ropers rop...@gmail.com wrote: On 19 September 2011 09:51, Mattieu Baptiste mattie...@gmail.com wrote: The apache foundation has adjusted the security advisory and Apache 1.3 isn't vulnerable. https://httpd.apache.org/security/CVE-2011-3192.txt Yes, fair enough, BUT that same advisory says *in its Apache 1.3 section*: However as explained in the background section in more detail - this attack does cause a significant and possibly unexpected load. You are advised to review your configuration in that light. and Lee's original problem appears to be the result of an unexpected load. The code involved is totally different. Look at it. The unexpected load is simply that 1.3 uses forks whereas 2.X has worker mode. The PoC launches 50 connexions at a time, which can generate load on 1.3. That's the reason for the "review your configuration in that light". -- Mattieu Baptiste /earth is 102% full ... please delete anyone you can.
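The check that the advisory's mod_rewrite mitigation performs, written out as an added example (not code from the thread, from the advisory or from Apache): a small Python filter that parses Range: and the legacy Request-Range: headers, counts the byte ranges and also reports overlapping ones, which is what makes each such request expensive for the server. The five-range limit is the one the advisory's RewriteCond uses; everything else, including the request texts, is constructed for the example. It works on raw request headers rather than on access logs because Apache's common log format does not record Range; to search logs after the fact, as Lee asks elsewhere in the thread, you first need a LogFormat that includes %{Range}i.

```python
"""Flag HTTP requests carrying the kind of Range header CVE-2011-3192 abuses.

Added example: not code from the thread, the advisory or Apache. It applies
the rule the advisory's mod_rewrite mitigation expresses (reject more than
five byte ranges in Range: or the legacy Request-Range:) and also reports
overlapping ranges. All request texts below are constructed samples.
"""
import re

MAX_RANGES = 5  # the advisory's mitigation allows at most five ranges

_RANGE_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")


def parse_byte_ranges(value):
    """Parse 'bytes=a-b,c-d,...' into [(first, last), ...].

    A missing first-byte-pos (suffix range '-500') or last-byte-pos
    (open range '500-') is returned as None. Raises ValueError on a
    malformed specifier, including first > last, which RFC 2616 calls
    syntactically invalid.
    """
    if not value.lower().startswith("bytes="):
        raise ValueError("not a byte-range specifier")
    ranges = []
    for spec in value[len("bytes="):].split(","):
        m = _RANGE_SPEC.match(spec)
        if not m or (m.group(1) == "" and m.group(2) == ""):
            raise ValueError("malformed range %r" % spec)
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        if first is not None and last is not None and first > last:
            raise ValueError("first-byte-pos > last-byte-pos in %r" % spec)
        ranges.append((first, last))
    return ranges


def overlapping(ranges):
    """True if any two ranges with a known start overlap.

    Suffix ranges ('-500') are skipped because their position depends on
    the entity size, which is unknown here. Open ranges ('500-') extend
    to infinity.
    """
    closed = sorted(
        (first, float("inf") if last is None else last)
        for first, last in ranges if first is not None
    )
    return any(b_first <= a_last
               for (_, a_last), (b_first, _) in zip(closed, closed[1:]))


def classify_request(raw_request, max_ranges=MAX_RANGES):
    """Return (verdict, detail) for one raw HTTP request.

    'reject' is what the advisory's RewriteRule would turn into a 403,
    'malformed' means the header does not parse, 'ok' means it passed.
    """
    head = raw_request.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, val = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(val.strip())
    findings = []
    for hname in ("range", "request-range"):
        for val in headers.get(hname, []):
            try:
                ranges = parse_byte_ranges(val)
            except ValueError as exc:
                return "malformed", "%s: %s" % (hname, exc)
            if len(ranges) > max_ranges:
                findings.append("%s: %d ranges (limit %d)"
                                % (hname, len(ranges), max_ranges))
            if overlapping(ranges):
                findings.append("%s: overlapping ranges" % hname)
    if findings:
        return "reject", "; ".join(findings)
    return "ok", lines[0]


def many_ranges_header(n):
    """Constructed sample: an open range plus n small overlapping ranges."""
    return "bytes=0-," + ",".join("5-%d" % (5 + i) for i in range(n))


SAMPLE_REQUESTS = {  # constructed for the example, not captured traffic
    "download": "GET /big.iso HTTP/1.1\r\nHost: www.example.com\r\n"
                "Range: bytes=0-1048575\r\n\r\n",
    "resume": "GET /big.iso HTTP/1.1\r\nHost: www.example.com\r\n"
              "Range: bytes=1048576-\r\n\r\n",
    "abusive": "HEAD / HTTP/1.1\r\nHost: www.example.com\r\n"
               "Range: %s\r\n\r\n" % many_ranges_header(1300),
    "legacy": "GET / HTTP/1.1\r\nHost: www.example.com\r\n"
              "Request-Range: bytes=0-0,2-2,4-4,6-6,8-8,10-10\r\n\r\n",
    "garbage": "GET / HTTP/1.1\r\nHost: www.example.com\r\n"
               "Range: bytes=x-y\r\n\r\n",
}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        verdict, detail = classify_request(req)
        print("%-9s %-9s %s" % (name, verdict, detail))
```

Legitimate clients (download managers, resumed transfers) send one or a handful of ranges, never hundreds, so the threshold can be tightened to whatever your own traffic shows. On a forking server such as Apache 1.3 each of the PoC's concurrent connections occupies a whole child process for as long as the ranges take to serve, which is the load Mattieu describes even though the 1.3 code path is not the vulnerable one.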
Re: Apache problems
On Sun, Sep 18, 2011 at 2:40 AM, L. V. Lammert l...@omnitec.net wrote: On Sun, 18 Sep 2011, Jeremie Courreges-Anglas wrote: [error] (35)Resource temporarily unavailable: fork: Unable to fork new process Isn't running 4.3 kinda cranky? Only in the past six months - pretty much bulletproof for many years. $SEARCH_ENGINE $your_error_message gives, for example, this result: http://www.mail-archive.com/misc@openbsd.org/msg36388.html Unfortunately, that isn't the issue. It has run fine with max_clients set at 150; when this started happening, I ran it down to 64. All the others results lead to the same conclusion: your httpd process has reached its resources limits. Either your problem is due to the use of sudo apachectl (use /etc/rc.d/httpd), or you'll have to give httpd more room, by tweaking login.conf. It isn't a resource problem, however, .. :datasize=infinity:\ :maxproc=infinity:\ :openfiles-cur=128:\ :stacksize-cur=8M:\ *Something* seems to be breaking, causing Apache to 'think' it's out of resources. Eg. for amd64 limit of ~4000 processes was resolved only before couple of months/weeks (not sure about correct time). A LOT of improvements from 4.3 times regarding performance and speed of system so you will be better to try upgrade first and see if problems are still in place. Lee
Re: Apache problems
On Sun, 18 Sep 2011, Tomas Bodzar wrote: *Something* seems to be breaking, causing Apache to 'think' it's out of resources. Eg. for amd64 limit of ~4000 processes was resolved only before couple of months/weeks (not sure about correct time). A LOT of improvements from 4.3 times regarding performance and speed of system so you will be better to try upgrade first and see if problems are still in place. Hi Thomas, TFTR, but you missed the original premise - the system has been running for many years with MORE children authorized, and no resource limits have *changed*, so I don't see how it can be a resource issue. Something is borking Apache and causing it to use UP all resources in an 'unauthorized' manner, or *think* they have all been used. Lee
Re: Apache problems
On 18/09/2011 15:54, L. V. Lammert wrote: Something is borking Apache and causing it to use UP all resources in an 'unauthorized' manner, or *think* they have all been used. Could this be linked to some Apache Killer ?
Re: Apache problems
On 2011-09-18 15.54, L. V. Lammert wrote: TFTR, but you missed the original premise - the system has been running for many years with MORE children authorized, and no resource limits have *changed*, so I don't see how it can be a resource issue. Something is borking Apache and causing it to use UP all resources in an 'unauthorized' manner, or *think* they have all been used. The error message you quoted in your OP occurs in one place in the source, and it is in connection with a fork(). When fork() fails and returns the quoted error [EAGAIN], it is because of one of the following conditions: [EAGAIN] The system-imposed limit on the total number of processes under execution would be exceeded. This limit is configuration- dependent. [EAGAIN] The limit RLIMIT_NPROC on the total number of processes under execution by the user ID would be exceeded. So, there is definitely an issue of exceeding a maximum number of processes, the question is just *which* limit are you bumping your head on, and *why*. Regards, /Benny -- Benny Lofgren / internetlabbet.se / work: +46 8 551 124 80 / mobile: +46 70 718 11 90 / fax: +46 8 551 124 89 / email: benny -at- internetlabbet.se / Words must be weighed, not counted.
Re: Apache problems
*Something* seems to be breaking, causing Apache to 'think' it's out of resources. Eg. for amd64 limit of ~4000 processes was resolved only before couple of months/weeks (not sure about correct time). A LOT of improvements from 4.3 times regarding performance and speed of system so you will be better to try upgrade first and see if problems are still in place. Hi Thomas, TFTR, but you missed the original premise - the system has been running for many years with MORE children authorized, and no resource limits have *changed*, so I don't see how it can be a resource issue. Something is borking Apache and causing it to use UP all resources in an 'unauthorized' manner, or *think* they have all been used. Recently there was a security issue with Apache. It was based on a perl script, search google. Maybe you are experiencing traffic and the related problems because of that.
Re: Apache problems
On Sun, 18 Sep 2011, Denis Fondras wrote: Could this be linked to some Apache Killer ? That would make sense, is/was there any way to identify vectors of the Apache attacks? Lee
Re: Apache problems
On Sun, 18 Sep 2011, Amit Kulkarni wrote: Recently there was a security issue with Apache. It was based on a perl script, search google. Maybe you are experiencing traffic and the related problems because of that. Is there any way to find out if the version in 4.3 was susceptible to the attack? Lee
Re: Apache problems
On 9/18/2011 9:42 PM, L. V. Lammert wrote: On Sun, 18 Sep 2011, Amit Kulkarni wrote: Recently there was a security issue with Apache. It was based on a perl script, search google. Maybe you are experiencing traffic and the related problems because of that. Is there any way to find out if the version in 4.3 was susceptible to the attack? Lee I believe the Apache Foundation released that Apache 1.3 is susceptible to this attack. However, with changes made by the devs, it's possible the version in OpenBSD may not be. If you have a spare box, you could always load it up and test it. I believe there is an Apache killer perl script floating on the 'net that you could use to test with. Shane
Re: Apache problems
What a pity that people don't do any searching b4 asking STFA for this list and (IIRC) find links to the PoC tool amongst other info. On Mon, 19 Sep 2011 04:24:19 -0600, Shane Harbour wrote: On 9/18/2011 9:42 PM, L. V. Lammert wrote: On Sun, 18 Sep 2011, Amit Kulkarni wrote: Recently there was a security issue with Apache. It was based on a perl script, search google. Maybe you are experiencing traffic and the related problems because of that. Is there any way to find out if the version in 4.3 was susceptible to the attack? Lee I believe the Apache Foundation released that Apache 1.3 is susceptible to this attack. However, with changes made by the devs, it's possible the version in OpenBSD may not be. If you have a spare box, you could always load it up and test it. I believe there is an Apache killer perl script floating on the 'net that you could use to test with. Shane *** NOTE *** Please DO NOT CC me. I am subscribed to the list. Mail to the sender address that does not originate at the list server is tarpitted. The reply-to: address is provided for those who feel compelled to reply off list. Thank you. Rod/ --- This life is not the real thing. It is not even in Beta. If it was, then OpenBSD would already have a man page for it.
Re: Apache problems
On 9/18/2011 10:37 PM, Rod Whitworth wrote: What a pity that people don't do any searching b4 asking STFA for this list and (IIRC) find links to the PoC tool amongst other info. On Mon, 19 Sep 2011 04:24:19 -0600, Shane Harbour wrote: On 9/18/2011 9:42 PM, L. V. Lammert wrote: On Sun, 18 Sep 2011, Amit Kulkarni wrote: Recently there was a security issue with Apache. It was based on a perl script, search google. Maybe you are experiencing traffic and the related problems because of that. Is there any way to find out if the version in 4.3 was susceptible to the attack? Lee I believe the Apache Foundation released that Apache 1.3 is susceptible to this attack. However, with changes made by the devs, it's possible the version in OpenBSD may not be. If you have a spare box, you could always load it up and test it. I believe there is an Apache killer perl script floating on the 'net that you could use to test with. Shane *** NOTE *** Please DO NOT CC me. I am subscribed to the list. Mail to the sender address that does not originate at the list server is tarpitted. The reply-to: address is provided for those who feel compelled to reply off list. Thank you. Rod/ --- This life is not the real thing. It is not even in Beta. If it was, then OpenBSD would already have a man page for it. My apologies for generating noise and not remembering this had been previously discussed/answered. Next time I'll pay more attention and STFA :) Shane
Apache problems
We have an older server (4.3) that is getting cranky - two or three times a week Apache just 'stops', and the only issue I can find is in the common error log (i.e. not one of the VHs), which shows unable to fork: [error] (35)Resource temporarily unavailable: fork: Unable to fork new process It *may* be related to cronolog, as it seems to happen when one of the VHs loses track of its log connection. Has anyone experienced a random problem like this? Any thought on how to isolate the problem? Lee
Re: Apache problems
On Saturday, 17 September 2011 at 04:15:18, L. V. Lammert wrote: We have an older server (4.3) that is getting cranky - two or three times a week Apache just 'stops', and the only issue I can find is in the common error log (i.e. not one of the VHs), which shows unable to fork: [error] (35)Resource temporarily unavailable: fork: Unable to fork new process Isn't running 4.3 kinda cranky? It *may* be related to cronolog, as it seems to happen when one of the VHs loses track of its log connection. Didn't know about cronolog. Anyway... $SEARCH_ENGINE $your_error_message gives, for example, this result: http://www.mail-archive.com/misc@openbsd.org/msg36388.html All the others results lead to the same conclusion: your httpd process has reached its resources limits. Either your problem is due to the use of sudo apachectl (use /etc/rc.d/httpd), or you'll have to give httpd more room, by tweaking login.conf.
Re: Apache problems
On Sun, 18 Sep 2011, Jeremie Courreges-Anglas wrote: [error] (35)Resource temporarily unavailable: fork: Unable to fork new process Isn't running 4.3 kinda cranky? Only in the past six months - pretty much bulletproof for many years. $SEARCH_ENGINE $your_error_message gives, for example, this result: http://www.mail-archive.com/misc@openbsd.org/msg36388.html Unfortunately, that isn't the issue. It has run fine with max_clients set at 150; when this started happening, I ran it down to 64. All the others results lead to the same conclusion: your httpd process has reached its resources limits. Either your problem is due to the use of sudo apachectl (use /etc/rc.d/httpd), or you'll have to give httpd more room, by tweaking login.conf. It isn't a resource problem, however, .. :datasize=infinity:\ :maxproc=infinity:\ :openfiles-cur=128:\ :stacksize-cur=8M:\ *Something* seems to be breaking, causing Apache to 'think' it's out of resources. Lee
Re: Apache problems
[...] Unfortunately, that isn't the issue. It has run fine with max_clients set at 150; when this started happening, I ran it down to 64. [...] Thanks for pointing this out. Do you have any other minor detail, before I decide I definitely can't help? It isn't a resource problem, however, .. :datasize=infinity:\ :maxproc=infinity:\ :openfiles-cur=128:\ :stacksize-cur=8M:\ [...] Oops, httpd is running in the daemon class by default, right. Anyway, maxproc=infinity doesn't mean that the number of processes that can be run on your system is unlimited (see sysctl kern.maxproc). Does cronolog launch a huge number of processes? Is your box loaded?
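Benny's explanation of the two EAGAIN conditions behind the logged error, and Jeremie's point that maxproc=infinity in login.conf is still capped by kern.maxproc, can be reproduced on a test box. What follows is an added example, not Apache or OpenBSD code: it lowers its own soft RLIMIT_NPROC and forks until the kernel refuses, then reports the failure in Apache's own "(errno)strerror" form. The number in parentheses in Apache's message is the errno value; 35 is EAGAIN on OpenBSD and the other BSDs, while Linux reports the same condition as 11. The limit and child count are arbitrary values chosen for the example.

```python
"""Reproduce the failure behind Apache's
"(35)Resource temporarily unavailable: fork: Unable to fork new process".

Added example, not Apache or OpenBSD code. It lowers this process's soft
RLIMIT_NPROC and forks until the kernel refuses, so the same EAGAIN Apache
logged can be seen directly. Caveats: Linux does not enforce RLIMIT_NPROC
on uid 0, so as root every fork may succeed; the per-uid count covers every
process already running under that uid, so the first fork can fail before
a single child exists; and the system-wide cap (kern.maxproc on OpenBSD)
applies no matter what login.conf says.
"""
import errno
import os
import resource
import signal


def probe_fork_limit(limit, attempts):
    """Fork up to `attempts` children with soft RLIMIT_NPROC lowered to `limit`.

    Children sleep until the parent is done, so all of them count against
    the limit at once. Returns (forked, err): err is 0 if every fork
    succeeded, otherwise the errno of the first failing fork(). The old
    limit is restored and every child is reaped before returning.
    """
    old_soft, old_hard = resource.getrlimit(resource.RLIMIT_NPROC)
    new_soft = limit
    for bound in (old_soft, old_hard):   # only ever lower, never exceed hard
        if bound != resource.RLIM_INFINITY:
            new_soft = min(new_soft, bound)
    resource.setrlimit(resource.RLIMIT_NPROC, (new_soft, old_hard))

    kids, err = [], 0
    try:
        for _ in range(attempts):
            try:
                pid = os.fork()
            except OSError as exc:        # this is the fork() Apache logs
                err = exc.errno
                break
            if pid == 0:                  # child: idle until SIGTERM
                try:
                    while True:
                        signal.pause()
                finally:
                    os._exit(0)
            kids.append(pid)
    finally:
        resource.setrlimit(resource.RLIMIT_NPROC, (old_soft, old_hard))
        for pid in kids:
            os.kill(pid, signal.SIGTERM)
        for pid in kids:
            os.waitpid(pid, 0)
    return len(kids), err


def describe(forked, err, attempts):
    """One-line verdict in Apache's own '(errno)strerror' style."""
    if err == 0:
        return "forked all %d children; limit not reached" % attempts
    note = ", i.e. EAGAIN: a process limit" if err == errno.EAGAIN else ""
    return "forked %d of %d, then (%d)%s: fork%s" % (
        forked, attempts, err, os.strerror(err), note)


if __name__ == "__main__":
    # Deliberately tiny limit; the values are arbitrary for the example.
    # Raising `attempts` far enough to hit kern.maxproc is a job for a
    # test box, not a production server.
    ATTEMPTS = 32
    forked, err = probe_fork_limit(limit=8, attempts=ATTEMPTS)
    print(describe(forked, err, ATTEMPTS))
```

Run it as the daemon's own unprivileged user (www for OpenBSD's httpd) to see the per-uid limit it actually faces, and compare the result with sysctl kern.maxproc and kern.nprocs for the system-wide side; which of Benny's two EAGAIN conditions fires depends on which of those numbers is reached first.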