Re: Apache problems

2011-09-19 Thread Mattieu Baptiste
On Mon, Sep 19, 2011 at 6:37 AM, Rod Whitworth glis...@witworx.com wrote:
 What a pity that people don't do any searching b4 asking

 STFA for this list and (IIRC) find links to the PoC tool amongst other
 info.

Yes, and this has nothing to do with OpenBSD (this time). The apache
foundation has adjusted the security advisory and Apache 1.3 isn't
vulnerable.

https://httpd.apache.org/security/CVE-2011-3192.txt




 On Mon, 19 Sep 2011 04:24:19 -0600, Shane Harbour wrote:

On 9/18/2011 9:42 PM, L. V. Lammert wrote:
 On Sun, 18 Sep 2011, Amit Kulkarni wrote:

 Recently there was a security issue with Apache. It was based on a
 perl script, search google. Maybe you are experiencing traffic and the
 related problems because of that.

 Is there any way to find out if the version in 4.3 was susceptible to the
 attack?

  Lee


I believe the Apache Foundation released that Apache 1.3 is susceptible
to this attack.  However, with changes made by the devs, it's possible
the version in OpenBSD may not be.

If you have a spare box, you could always load it up and test it.  I
believe there is an Apache killer perl script floating on the 'net that
you could use to test with.

Shane


 *** NOTE *** Please DO NOT CC me. I am subscribed to the list.
 Mail to the sender address that does not originate at the list server is
tarpitted. The reply-to: address is provided for those who feel compelled to
reply off list. Thank you.

 Rod/
 ---
 This life is not the real thing.
 It is not even in Beta.
 If it was, then OpenBSD would already have a man page for it.





--
Mattieu Baptiste
/earth is 102% full ... please delete anyone you can.



Re: Apache problems

2011-09-19 Thread ropers
On 19 September 2011 09:51, Mattieu Baptiste mattie...@gmail.com wrote:
 The apache foundation has adjusted the security advisory and Apache 1.3
isn't vulnerable.

 https://httpd.apache.org/security/CVE-2011-3192.txt

Yes, fair enough, BUT that same advisory says *in its Apache 1.3 section*:

 However as explained in the background section in more detail -
 this attack does cause a significant and possibly unexpected load.
 You are advised to review your configuration in that light.

and the Lee's original problem appears to be the result of an unexpected
load.



♫ I've got loads (I've got loads...
...of three-five error codes, error, error codes)
Loads, loads (loads),
then three-five error codes, (error) error codes (codes)

You thought I was just running -CURRENT or 4 point 9?
I'm old skool, GETs served by Apach(e), mine
It's the abominable dae-mon
Older H-T-T-P-D, man
Stable rig for me, man

Two-oh-ohs, four-oh-fours;
I send small PCs and gate(way)s HTML source

One-five-oh max_clients on four point three:
Scratching heads, starting threads,
and you answer me

So control your PoC tool and keep your boxes on
And I'll finish this up by upgrading soon.

Four point three box, three five error code,
my server VH just overloads... ♫



PS: Figuring out how the Apache Foundation's declaration of
non-vulnerability squares with their declaration of this performance
impact is left as an exercise for the reader.

PPS: Try to avoid a stack overflow via item 0) in the advisory's
Mitigation section.
Also, don't try to find option '3'...



Re: Apache problems

2011-09-19 Thread Mattieu Baptiste
On Mon, Sep 19, 2011 at 6:57 PM, ropers rop...@gmail.com wrote:
 On 19 September 2011 09:51, Mattieu Baptiste mattie...@gmail.com wrote:
 The apache foundation has adjusted the security advisory and Apache 1.3 
 isn't vulnerable.

 https://httpd.apache.org/security/CVE-2011-3192.txt

 Yes, fair enough, BUT that same advisory says *in its Apache 1.3 section*:

 However as explained in the background section in more detail -
 this attack does cause a significant and possibly unexpected load.
 You are advised to review your configuration in that light.

 and the Lee's original problem appears to be the result of an unexpected load.

The code involved is totally different. Look at it.
The unexpected load is simply that 1.3 uses forks whereas 2.X has
worker mode. The PoC launches 50 connections at a time, which can
generate load on 1.3. That's the reason for the "review your
configuration in that light".


-- 
Mattieu Baptiste
/earth is 102% full ... please delete anyone you can.
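The advisory Mattieu links mitigates the problem on the affected versions by limiting how many byte ranges one request may carry. The following is an added illustration of that check as a filter in front of httpd would apply it; it is not code from the thread, from the advisory or from Apache. The limit of 5 ranges and the decision to strip the obsolete Request-Range header rather than reject it are assumptions made here.

```python
"""Added example: a front-end check in the spirit of the CVE-2011-3192
advisory's mitigation, limiting the number of byte ranges per request.
Illustrative code only; MAX_RANGES and the Request-Range handling are assumed."""
import re

MAX_RANGES = 5  # assumed limit (the advisory's rule rejects more than 5 ranges)
BYTE_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_byte_ranges(value):
    """Parse 'bytes=first-last, -suffix, first-' into (first, last) tuples.

    Open ends are None. Returns None when the value is not a valid byte-range
    set, which an origin server ignores (it then serves the whole body)."""
    if value is None:
        return None
    value = value.strip()
    if not value.lower().startswith("bytes="):
        return None
    specs = []
    for part in value[len("bytes="):].split(","):
        part = part.strip()
        if not part:                    # RFC 2616 #-lists tolerate empty elements
            continue
        m = BYTE_RANGE_SPEC.match(part)
        if not m:
            return None
        first, last = m.groups()
        if not first and not last:      # a bare "-" is not a range
            return None
        first_i = int(first) if first else None
        last_i = int(last) if last else None
        if first_i is not None and last_i is not None and last_i < first_i:
            return None                 # RFC 2616 14.35.1: syntactically invalid
        specs.append((first_i, last_i))
    return specs or None


def range_request_verdict(headers, max_ranges=MAX_RANGES):
    """Decide what a filter in front of httpd should do with one request.

    'pass'   - no Range header, or a well-formed one within the limit
    'strip'  - drop the range header(s) and serve the full body: the Range
               value is unparseable, or the obsolete Request-Range header is set
    'reject' - more ranges than max_ranges: answer 403 instead of letting the
               origin expand them"""
    lower = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    if "request-range" in lower:
        return "strip"
    if "range" not in lower:
        return "pass"
    ranges = parse_byte_ranges(lower["range"])
    if ranges is None:
        return "strip"
    if len(ranges) > max_ranges:
        return "reject"
    return "pass"


if __name__ == "__main__":
    # Constructed request headers, not captured traffic.
    for hdrs in ({}, {"Range": "bytes=0-499"}, {"Range": "bytes=0-,1-,2-,3-,4-,5-"},
                 {"Range": "items=1-2"}, {"Request-Range": "bytes=0-1"}):
        print(hdrs, "->", range_request_verdict(hdrs))
```

On the thread's own question this check is beside the point for Apache 1.3, where the advisory says the attack only costs load; it is the shape of the control a front end applies on the 2.x versions the advisory covers.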



Re: Apache problems

2011-09-18 Thread Tomas Bodzar
On Sun, Sep 18, 2011 at 2:40 AM, L. V. Lammert l...@omnitec.net wrote:
 On Sun, 18 Sep 2011, Jeremie Courreges-Anglas wrote:

  [error] (35)Resource temporarily unavailable: fork: Unable to fork new
process

 Isn't running 4.3 kinda cranky?

 Only in the past six months - pretty much bulletproof for many years.

 $SEARCH_ENGINE $your_error_message

 gives, for example, this result:
 http://www.mail-archive.com/misc@openbsd.org/msg36388.html

 Unfortunately, that isn't the issue. It has run fine with max_clients set
 at 150; when this started happening, I ran it down to 64.

 All the other results lead to the same conclusion: your httpd process has
 reached its resource limits. Either your problem is due to the use of
 sudo apachectl (use /etc/rc.d/httpd), or you'll have to give httpd more
room,
 by tweaking login.conf.

 It isn't a resource problem, however, ..

         :datasize=infinity:\
         :maxproc=infinity:\
         :openfiles-cur=128:\
         :stacksize-cur=8M:\

 *Something* seems to be breaking, causing Apache to 'think' it's out of
 resources.

E.g. for amd64 the limit of ~4000 processes was resolved only a couple
of months/weeks ago (not sure about the correct time). A LOT of improvements
since 4.3 times regarding performance and speed of the system, so you would
be better off trying an upgrade first and seeing if the problems are still in place.


         Lee



Re: Apache problems

2011-09-18 Thread L. V. Lammert
On Sun, 18 Sep 2011, Tomas Bodzar wrote:

  *Something* seems to be breaking, causing Apache to 'think' it's out of
  resources.

 E.g. for amd64 the limit of ~4000 processes was resolved only a couple
 of months/weeks ago (not sure about the correct time). A LOT of improvements
 since 4.3 times regarding performance and speed of the system, so you would
 be better off trying an upgrade first and seeing if the problems are still in place.

Hi Thomas,

TFTR, but you missed the original premise - the system has been running
for many years with MORE children authorized, and no resource limits have
*changed*, so I don't see how it can be a resource issue.

Something is borking Apache and causing it to use UP all resources in an
'unauthorized' manner, or *think* they have all been used.

Lee



Re: Apache problems

2011-09-18 Thread Denis Fondras

On 18/09/2011 15:54, L. V. Lammert wrote:

 Something is borking Apache and causing it to use UP all resources in an
 'unauthorized' manner, or *think* they have all been used.


Could this be linked to some Apache Killer ?



Re: Apache problems

2011-09-18 Thread Benny Lofgren
On 2011-09-18 15.54, L. V. Lammert wrote:
 TFTR, but you missed the original premise - the system has been running
 for many years with MORE children authorized, and no resource limits have
 *changed*, so I don't see how it can be a resource issue.
 
 Something is borking Apache and causing it to use UP all resources in an
 'unauthorized' manner, or *think* they have all been used.

The error message you quoted in your OP occurs in one place in the source,
and it is in connection with a fork(). When fork() fails and returns the
quoted error [EAGAIN], it is because of one of the following conditions:

 [EAGAIN]  The system-imposed limit on the total number of processes under
           execution would be exceeded.  This limit is configuration-dependent.

 [EAGAIN]  The limit RLIMIT_NPROC on the total number of processes under
   execution by the user ID would be exceeded.

So, there is definitely an issue of exceeding a maximum number of
processes, the question is just *which* limit are you bumping your head
on, and *why*.


Regards,
/Benny

-- 
internetlabbet.se / Benny Lofgren
work: +46 8 551 124 80 / mobile: +46 70 718 11 90 / fax: +46 8 551 124 89
email: benny -at- internetlabbet.se
"Words must be weighed, not counted."



Re: Apache problems

2011-09-18 Thread Amit Kulkarni
  *Something* seems to be breaking, causing Apache to 'think' it's out of
  resources.

 E.g. for amd64 the limit of ~4000 processes was resolved only a couple
 of months/weeks ago (not sure about the correct time). A LOT of improvements
 since 4.3 times regarding performance and speed of the system, so you would
 be better off trying an upgrade first and seeing if the problems are still in place.

 Hi Thomas,

 TFTR, but you missed the original premise - the system has been running
 for many years with MORE children authorized, and no resource limits have
 *changed*, so I don't see how it can be a resource issue.

 Something is borking Apache and causing it to use UP all resources in an
 'unauthorized' manner, or *think* they have all been used.



Recently there was a security issue with Apache. It was based on a
perl script, search google. Maybe you are experiencing traffic and the
related problems because of that.



Re: Apache problems

2011-09-18 Thread L. V. Lammert
On Sun, 18 Sep 2011, Denis Fondras wrote:

 Could this be linked to some Apache Killer ?

That would make sense, is/was there any way to identify vectors of the
Apache attacks?

Lee



Re: Apache problems

2011-09-18 Thread L. V. Lammert
On Sun, 18 Sep 2011, Amit Kulkarni wrote:

 Recently there was a security issue with Apache. It was based on a
 perl script, search google. Maybe you are experiencing traffic and the
 related problems because of that.

Is there any way to find out if the version in 4.3 was susceptible to the
attack?

Lee



Re: Apache problems

2011-09-18 Thread Shane Harbour
On 9/18/2011 9:42 PM, L. V. Lammert wrote:
 On Sun, 18 Sep 2011, Amit Kulkarni wrote:
 
 Recently there was a security issue with Apache. It was based on a
 perl script, search google. Maybe you are experiencing traffic and the
 related problems because of that.

 Is there any way to find out if the version in 4.3 was susceptible to the
 attack?
 
   Lee
 

I believe the Apache Foundation released that Apache 1.3 is susceptible
to this attack.  However, with changes made by the devs, it's possible
the version in OpenBSD may not be.

If you have a spare box, you could always load it up and test it.  I
believe there is an Apache killer perl script floating on the 'net that
you could use to test with.

Shane



Re: Apache problems

2011-09-18 Thread Rod Whitworth
What a pity that people don't do any searching b4 asking

STFA for this list and (IIRC) find links to the PoC tool amongst other
info.



On Mon, 19 Sep 2011 04:24:19 -0600, Shane Harbour wrote:

On 9/18/2011 9:42 PM, L. V. Lammert wrote:
 On Sun, 18 Sep 2011, Amit Kulkarni wrote:
 
 Recently there was a security issue with Apache. It was based on a
 perl script, search google. Maybe you are experiencing traffic and the
 related problems because of that.

 Is there any way to find out if the version in 4.3 was susceptible to the
 attack?
 
  Lee
 

I believe the Apache Foundation released that Apache 1.3 is susceptible
to this attack.  However, with changes made by the devs, it's possible
the version in OpenBSD may not be.

If you have a spare box, you could always load it up and test it.  I
believe there is an Apache killer perl script floating on the 'net that
you could use to test with.

Shane


*** NOTE *** Please DO NOT CC me. I am subscribed to the list.
Mail to the sender address that does not originate at the list server is 
tarpitted. The reply-to: address is provided for those who feel compelled to 
reply off list. Thank you.

Rod/
---
This life is not the real thing.
It is not even in Beta.
If it was, then OpenBSD would already have a man page for it.



Re: Apache problems

2011-09-18 Thread Shane Harbour
On 9/18/2011 10:37 PM, Rod Whitworth wrote:
 What a pity that people don't do any searching b4 asking
 
 STFA for this list and (IIRC) find links to the PoC tool amongst other
 info.
 
 
 
 On Mon, 19 Sep 2011 04:24:19 -0600, Shane Harbour wrote:
 
 On 9/18/2011 9:42 PM, L. V. Lammert wrote:
 On Sun, 18 Sep 2011, Amit Kulkarni wrote:

 Recently there was a security issue with Apache. It was based on a
 perl script, search google. Maybe you are experiencing traffic and the
 related problems because of that.

 Is there any way to find out if the version in 4.3 was susceptible to the
 attack?

 Lee


 I believe the Apache Foundation released that Apache 1.3 is susceptible
 to this attack.  However, with changes made by the devs, it's possible
 the version in OpenBSD may not be.

 If you have a spare box, you could always load it up and test it.  I
 believe there is an Apache killer perl script floating on the 'net that
 you could use to test with.

 Shane

 
 *** NOTE *** Please DO NOT CC me. I am subscribed to the list.
 Mail to the sender address that does not originate at the list server is 
 tarpitted. The reply-to: address is provided for those who feel compelled to 
 reply off list. Thank you.
 
 Rod/
 ---
 This life is not the real thing.
 It is not even in Beta.
 If it was, then OpenBSD would already have a man page for it.
 

My apologies for generating noise and not remembering this had been
previously discussed/answered.  Next time I'll pay more attention and
STFA :)

Shane



Apache problems

2011-09-17 Thread L. V. Lammert
We have an older server (4.3) that is getting cranky - two or three times
a week Apache just 'stops', and the only issue I can find is in the common
error log (i.e. not one of the VHs), which shows unable to fork:

[error] (35)Resource temporarily unavailable: fork: Unable to fork new process

It *may* be related to cronolog, as it seems to happen when one of the VHs
loses track of its log connection.

Has anyone experienced a random problem like this? Any thoughts on how to
isolate the problem?

Lee
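Two things in this thread are easier to settle from the error log than from guesswork: when the fork failures actually happen (Lee's question about isolating the problem, and whether it lines up with cronolog or a burst of traffic), and which errno httpd is reporting (Benny's point that errno 35, EAGAIN on OpenBSD, means a process-count limit was hit). The script below is an added example, not something from the thread; it parses the standard Apache 1.3 error_log line format and buckets fork failures by minute and by errno. The log lines it contains are constructed for the demonstration, not taken from Lee's server.

```python
"""Added example: scan an Apache 1.3 error_log for fork() failures and show
when they cluster, so a burst can be lined up against load, a cron job or a
log-rotation event. The sample log lines are constructed; the line format is
the standard 1.3 error_log format."""
import re
from collections import Counter
from datetime import datetime

# "[Sat Sep 17 04:10:31 2011] [error] (35)Resource temporarily unavailable: fork: ..."
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] "
    r"(?:\((?P<errno>\d+)\)(?P<strerror>[^:]*): )?(?P<msg>.*)$"
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"

# Constructed sample log (not from the poster's machine).
# errno 35 is EAGAIN on OpenBSD; Linux would report the same failure as (11).
SAMPLE_LOG = """\
[Sat Sep 17 03:58:02 2011] [notice] Apache/1.3.29 (Unix) configured -- resuming normal operations
[Sat Sep 17 04:10:31 2011] [error] (35)Resource temporarily unavailable: fork: Unable to fork new process
[Sat Sep 17 04:10:33 2011] [error] (35)Resource temporarily unavailable: fork: Unable to fork new process
[Sat Sep 17 04:10:40 2011] [error] (35)Resource temporarily unavailable: fork: Unable to fork new process
[Sat Sep 17 04:11:05 2011] [error] (35)Resource temporarily unavailable: fork: Unable to fork new process
[Sat Sep 17 04:11:07 2011] [error] [client 192.0.2.10] File does not exist: /var/www/htdocs/favicon.ico
[Sat Sep 17 09:30:12 2011] [error] (35)Resource temporarily unavailable: fork: Unable to fork new process
"""


def parse_line(line):
    """Split one error_log line into timestamp, level, errno, strerror and message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["errno"] = int(rec["errno"]) if rec["errno"] else None
    return rec


def fork_failures(lines):
    """Timestamps of every line on which httpd reported that fork() failed."""
    found = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["level"] == "error" and rec["msg"].startswith("fork:"):
            found.append(rec["ts"])
    return found


def errno_summary(lines):
    """How many fork failures each errno accounts for (35 == EAGAIN on OpenBSD)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["msg"].startswith("fork:"):
            counts[rec["errno"]] += 1
    return counts


def noisy_minutes(lines, min_count=2):
    """Minutes with at least min_count fork failures, oldest first."""
    per_minute = Counter(ts.strftime("%Y-%m-%d %H:%M") for ts in fork_failures(lines))
    return sorted((minute, n) for minute, n in per_minute.items() if n >= min_count)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("fork failures by errno:", dict(errno_summary(lines)))
    for minute, n in noisy_minutes(lines):
        print(f"{minute}: {n} fork failures in one minute")
```

Run against the real log (`noisy_minutes(open("/var/www/logs/error_log"))`, path assumed), the minutes it reports are the ones to compare with cronolog's rotation time and with the access logs of the virtual hosts for that period.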



Re: Apache problems

2011-09-17 Thread Jeremie Courreges-Anglas
On Saturday 17 September 2011 at 04:15:18, L. V. Lammert wrote:
 We have an older server (4.3) that is getting cranky - two or three times
 a week Apache just 'stops', and the only issue I can find is in the common
 error log (i.e. not one of the VHs), which shows unable to fork:
 
 [error] (35)Resource temporarily unavailable: fork: Unable to fork new process

Isn't running 4.3 kinda cranky?

 It *may* be related to cronolog, as it seems to happen when one of the VHs
 loses track of its log connection.

Didn't know about cronolog. Anyway...

$SEARCH_ENGINE $your_error_message

gives, for example, this result:
http://www.mail-archive.com/misc@openbsd.org/msg36388.html

All the other results lead to the same conclusion: your httpd process has
reached its resource limits. Either your problem is due to the use of
sudo apachectl (use /etc/rc.d/httpd), or you'll have to give httpd more room,
by tweaking login.conf.



Re: Apache problems

2011-09-17 Thread L. V. Lammert
On Sun, 18 Sep 2011, Jeremie Courreges-Anglas wrote:

  [error] (35)Resource temporarily unavailable: fork: Unable to fork new 
  process

 Isn't running 4.3 kinda cranky?

Only in the past six months - pretty much bulletproof for many years.

 $SEARCH_ENGINE $your_error_message

 gives, for example, this result:
 http://www.mail-archive.com/misc@openbsd.org/msg36388.html

Unfortunately, that isn't the issue. It has run fine with max_clients set
at 150; when this started happening, I ran it down to 64.

 All the other results lead to the same conclusion: your httpd process has
 reached its resource limits. Either your problem is due to the use of
 sudo apachectl (use /etc/rc.d/httpd), or you'll have to give httpd more room,
 by tweaking login.conf.

It isn't a resource problem, however, ..

:datasize=infinity:\
:maxproc=infinity:\
:openfiles-cur=128:\
:stacksize-cur=8M:\

*Something* seems to be breaking, causing Apache to 'think' it's out of
resources.

Lee



Re: Apache problems

2011-09-17 Thread Jeremie Courreges-Anglas
[...]
 Unfortunately, that isn't the issue. It has run fine with max_clients set
 at 150; when this started happening, I ran it down to 64.
[...]

Thanks for pointing this out. Do you have any other minor detail,
before I decide I definitely can't help?

 It isn't a resource problem, however, ..
 
 :datasize=infinity:\
 :maxproc=infinity:\
 :openfiles-cur=128:\
 :stacksize-cur=8M:\
[...]

Oops, httpd is running in the daemon class by default, right.

Anyway, maxproc=infinity doesn't mean that the number of processes
that can be run on your system is unlimited (see sysctl kern.maxproc).
Does cronolog launch a huge number of processes? Is your box loaded?