hi,
sorry, it's mod_jk, not jk2, my typo. All at latest versions. We tried with
mod proxy too.

There is no flood of the server. Nobody is flooding us, they use some
specific connections after which pool of apache workers is exhausted and
blocked and we need to restart tomcat server.
It is some kind of exploit but we do not know how to log it to obtain details.

I had put a limit on connections per client with hope that this will help
but once again, it is not a flood.
They open several connections that are not dropped by apache when they
disconnect. This way whole pool is quickly exhausted and the server broken.

I would like to help you to figure out details of this attack but this is a
production server so it is impossible to use many debugging options

best,
artur

2016-11-25 23:44 GMT+01:00 Niranjan Babu Bommu <niranjan.bo...@gmail.com>:

> you can find who is flooding site in apache access.log and block them in
> firewall.
>
> ex to find the IP:
>
> cat /var/log/apache2/access.log |cut -d' ' -f1 |sort |uniq -c|sort -gr
>
>
>
> On Fri, Nov 25, 2016 at 8:42 AM, Jaaz Portal <jaazpor...@gmail.com> wrote:
>
> > hi,
> > we have been struggling for some weeks with some Polish hackers that are
> > bringing our server down. After updating apache to latest version (2.4.23)
> > and tomcat (8.0.38) available for debian systems we still cannot secure our
> > server.
> >
> > Today it has stopped responding again and we needed to restart tomcat
> > process to get it back alive.
> >
> > There are not too many clues in the logs. The apache error.log gives just
> > this line:
> >
> > [Fri Nov 25 13:08:00.647835 2016] [mpm_event:error] [pid 13385:tid 139793489638592] AH00484: server reached MaxRequestWorkers setting, consider raising the MaxRequestWorkers setting
> >
> > seems that somehow tomcat, mod-jk2 or even apache is vulnerable to some new
> > exploit, as we certainly do not have such traffic that would block our
> > server otherwise
> >
> > for now we have increased MaxRequestWorkers and we have limited number of
> > connections from one client to 5 by mod_bw and limited number of
> > simultaneous connections from one ip by iptables but do not know if this
> > will help
> >
> > best regards,
> > artur
> >
>
>
>
> --
> *Thanks*
> *Niranjan*
>
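
Added example, not part of the thread: the symptom described in the reply at the top, connections that Apache does not drop after the client disconnects, appears on the server as sockets in CLOSE-WAIT (the peer has closed, the local process has not). This Python script counts connections per peer and state from `ss -tan` output; the sample output, the function names, ports 80/443 and the threshold of 3 are assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample of `ss -tan` output (documentation-range addresses only).
SAMPLE_SS = """\
State      Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN     0      511    0.0.0.0:80          0.0.0.0:*
ESTAB      0      0      192.0.2.10:80       198.51.100.7:51234
CLOSE-WAIT 1      0      192.0.2.10:80       203.0.113.5:40112
CLOSE-WAIT 1      0      192.0.2.10:80       203.0.113.5:40113
CLOSE-WAIT 1      0      192.0.2.10:443      203.0.113.5:40120
ESTAB      0      0      192.0.2.10:80       203.0.113.5:40121
ESTAB      0      0      192.0.2.10:22       198.51.100.9:60022
TIME-WAIT  0      0      192.0.2.10:80       198.51.100.7:51200
CLOSE-WAIT 1      0      [2001:db8::10]:443  [2001:db8::99]:50000
"""

def split_endpoint(endpoint):
    """Split 'addr:port' (IPv4 or bracketed IPv6) into (addr, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port

def connections_by_peer(ss_output, ports=("80", "443")):
    """Return {peer_ip: Counter(state -> count)} for the given local ports."""
    table = defaultdict(Counter)
    for line in ss_output.splitlines():
        fields = line.split()
        # Skip the header, listening sockets and malformed lines.
        if len(fields) < 5 or fields[0] in ("State", "LISTEN"):
            continue
        _, local_port = split_endpoint(fields[3])
        if local_port not in ports:
            continue
        peer_ip, _ = split_endpoint(fields[4])
        table[peer_ip][fields[0]] += 1
    return table

def stuck_peers(table, state="CLOSE-WAIT", threshold=3):
    """Peers holding at least `threshold` sockets in `state`, worst first."""
    hits = [(ip, c[state]) for ip, c in table.items() if c[state] >= threshold]
    return sorted(hits, key=lambda h: -h[1])

if __name__ == "__main__":
    table = connections_by_peer(SAMPLE_SS)
    for ip, states in sorted(table.items()):
        print(ip, dict(states))
    print("peers over CLOSE-WAIT threshold:", stuck_peers(table))
```

On a live host, pass it the text of `ss -tan` captured while the workers are exhausted instead of the constructed sample.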
