Rick, Tony, thanks
it lasted maybe 1 hour
server had about 151 processes using, and, it seemed to stop at 151, after
every restart:
ps aux|grep apache|wc -l
(currently, 14)
I was trying to identify IPs with netstat but didn't succeed
netstat -lpn|grep :80 |awk '{print $5}'|sort
(I picked both commands off a url dealing with apache dos)
I tried to install mod_evasive from nuclearelephant, but, having probs
installing, seems I'm missing something
On Wed, October 3, 2007 9:13 am, Tony Sceats wrote:
> You should definitely check the logs to see what's being looked at..
> depending upon what it is and who it is there's a variety of things you
> can do - eg change images to a lower res, or put a forbidden rule into
> your htaccess files for the page being requested, or firewall off
> offending IPs (better the further upstream, but even an iptables rule to
> drop packets could do you good)
I found the culprit web site, judging by increase in log file size:
-rw-r--r-- 1 root root 234316 Oct 3 04:02 2007-10-02-access.rog
-rw-r--r-- 1 root root 4083316 Oct 3 10:04 2007-10-03-access.log
> as far as config goes, you could change the number of spare processes and
> maximum threads/process spawned at any one time, turn keepalives on (or
> off, depending upon the access pattern), turn timeouts down, change the
> loglevel down, make sure reverse lookups on hostnames are turned off
---
Timeout 300
KeepAlive Off
MaxKeepAliveRequests 100
KeepAliveTimeout 15
MinSpareServers 5
MaxSpareServers 20
StartServers 8
MaxClients 150
MaxRequestsPerChild 1000
---
> of course if it is legitimate load, look into load balancers and reverse
> proxies, or both!
>
> On 10/3/07, Rick Welykochy <[EMAIL PROTECTED]> wrote:
>
>>
>> Voytek Eymont wrote:
>>
>>
>>> I noticed my web server was kind of slow, and, saw this, is this
>>> some sort of dos attack ?
>>
>> If you are using Apache, there is an Apache Status module that
>> lets you see what is currently executing inside the server.
>>
>> Also, tail the web logs (access_log or whatever) to see who is
>> accessing what.
>>
>>> how to control ?
>>
>> I am no expert, but if you are getting DDoS'd there ain't much
>> to do besides ride it out or change your IP.
>>
>>
>> cheers rickw
--
Voytek
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
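
Added example, not part of the original thread: one way to do the log and connection checks discussed above, counting requests per client IP and per path in an access log and counting connections per remote IP to port 80. It assumes Common/Combined Log Format and Linux `netstat -tn` output; the function names and all sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-client triage for a suspected HTTP flood.
# All sample data below is constructed (documentation address ranges).

# Requests per client IP; stdin is a Common/Combined Log Format access log.
top_clients() {
    awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' | sort -k1,1nr -k2,2
}

# Requests per URL path (field 7 of the same log format).
top_paths() {
    awk '{ n[$7]++ } END { for (p in n) print n[p], p }' | sort -k1,1nr -k2,2
}

# Connections per remote IPv4 address to local port 80; stdin is `netstat -tn`
# output (-l would list only listening sockets, which carry no remote address).
conns_per_ip() {
    awk '$1 == "tcp" && $4 ~ /:80$/ { split($5, a, ":"); n[a[1]]++ }
         END { for (ip in n) print n[ip], ip }' | sort -k1,1nr -k2,2
}

sample_log() {
    cat <<'EOF'
203.0.113.7 - - [03/Oct/2007:09:58:01 +1000] "GET /gallery/big.jpg HTTP/1.1" 200 812345
203.0.113.7 - - [03/Oct/2007:09:58:01 +1000] "GET /gallery/big.jpg HTTP/1.1" 200 812345
203.0.113.7 - - [03/Oct/2007:09:58:02 +1000] "GET /gallery/big.jpg HTTP/1.1" 200 812345
198.51.100.4 - - [03/Oct/2007:09:58:03 +1000] "GET /index.html HTTP/1.1" 200 5120
192.0.2.10 - - [03/Oct/2007:09:58:04 +1000] "GET /gallery/big.jpg HTTP/1.1" 200 812345
EOF
}

sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:40112       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:40113       ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.4:51522      TIME_WAIT
tcp        0      0 10.0.0.5:22             192.0.2.10:60022        ESTABLISHED
EOF
}

# Real use: top_clients < 2007-10-03-access.log ; netstat -tn | conns_per_ip
sample_log | top_clients
sample_log | top_paths
sample_netstat | conns_per_ip
```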