Re: [users@httpd] Possible virus via httpd server
Interesting... let us know what you find.

Sent from my iPhone

> On Jan 4, 2016, at 9:06 PM, Michael D. Berger <m.d.ber...@ieee.org> wrote:
>
> I don't think index.html was changed, but I only took a quick look.
> I have it backed up in a tgz file, so when the Linux box comes back up
> (maybe tomorrow), I'll take a closer look
>
> It is also possible that there was something wrong with httpd.config .
> It is quite complex, with numerous RewriteRule, etc. However, even
> when I commented out ALL the virtual hosts, the problem persisted.
> But if I left a simple vhost and put a RewriteRule that (for reasons that I don't
> know) it didn't like, then it returned a failure. When I put it back together,
> I'll build up httpd.config slowly.
>
> Thanks,
> Mike.
> --
> Michael D. Berger
> m.d.ber...@ieee.org
> http://www.rosemike.net/
>
> From: Michael D. Wood [mailto:m...@itsecuritypros.org]
> Sent: Monday, January 04, 2016 20:27
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Possible virus via httpd server
>
> Was the index.html file modified in any way? Did it call the executable? Any
> rewrites or any other files added to the path index.html resided?
>
> Sent from my iPhone
>
>> On Jan 4, 2016, at 8:21 PM, Michael D. Berger <m.d.ber...@ieee.org> wrote:
>>
>> It was not overwritten. If you looked on the server, it was just fine.
>> But an executable was delivered instead. In any case, it is gone
>> with the wind -- DBAN is now running on the server. Hopefully,
>> the reinstallation will work better.
>>
>> Mike.
>>
>> --
>> Michael D. Berger
>> m.d.ber...@ieee.org
>> http://www.rosemike.net/
>>
>> From: Dino B. [mailto:mypascal2...@gmail.com]
>> Sent: Monday, January 04, 2016 19:36
>> To: users@httpd.apache.org
>> Subject: RE: [users@httpd] Possible virus via httpd server
>>
>> Hmmm, index.html is just default page??? Strange that it got
>> overwritten by some executable
>>
>> --
>> Dino Buljubasic
>>
>> --
>> Dino Buljubasic
>> Cell 604 441 3560
>>
>> Please pardon my brevity - sent from my mobile device. Please excuse any
>> typos.
>>
>>> On Jan 4, 2016 12:38, "Michael D. Berger" <m.d.ber...@ieee.org> wrote:
>>> Following your suggestion, I made use of my daily backups to install
>>> the httpd.conf from two days ago, when all was well. The problem was
>>> the same. I tried submitting a file to sophos, but I would have to
>>> join, and I am not ready for that. See also my next email.
>>>
>>> Still heading toward DBAN.
>>>
>>> Thanks,
>>> Mike.
>>>
>>> --
>>> Michael D. Berger
>>> m.d.ber...@ieee.org
>>> http://www.rosemike.net/
>>>
>>> > -Original Message-
>>> > From: Keith Roberts [mailto:keith.robe...@ecric.nhs.uk]
>>> > Sent: Monday, January 04, 2016 11:25
>>> > To: users@httpd.apache.org
>>> > Subject: Re: [users@httpd] Possible virus via httpd server
>>> >
>>> > Hi Mike.
>>> >
>>> > You might like to send this to sophos for analysis:
>>> >
>>> > https://www.sophos.com/en-us/support/knowledgebase/11490.aspx
>>> >
>>> > As index.html is the default page if nothing else is
>>> > configured, has your httpd.conf file been modified to serve
>>> > this binary file instead of index.html?
>>> >
>>> > HTH,
>>> >
>>> > Keith Roberts
>>> >
>>> > On 4 Jan 2016, at 16:18, Michael D. Berger
>>> > <m.d.ber...@ieee.org> wrote:
>>> >
>>> > > Warning: This message contains unverified links which may not be safe. You should only click links if you are sure they are from a trusted source.
>>> > > Examining with Lemmy (A Windows version of VI), it looks like a binary file.
>>> > > Size is 181.4 KB.
>>> > > I am considering my favorite virus remover: DBAN, but it would take
>>> > > several days work to recover from that.
>>> > >
>>> > > Mike.
>>> > > --
>>> > > Michael D. Berger
>>> > > m.d.ber...@ieee.org
>>> > > http://www.rosemike.net/
Re: [users@httpd] Possible virus via httpd server
Was the index.html file modified in any way? Did it call the executable? Any rewrites or any other files added to the path index.html resided?

Sent from my iPhone

> On Jan 4, 2016, at 8:21 PM, Michael D. Berger wrote:
>
> It was not overwritten. If you looked on the server, it was just fine.
> But an executable was delivered instead. In any case, it is gone
> with the wind -- DBAN is now running on the server. Hopefully,
> the reinstallation will work better.
>
> Mike.
>
> --
> Michael D. Berger
> m.d.ber...@ieee.org
> http://www.rosemike.net/
>
> From: Dino B. [mailto:mypascal2...@gmail.com]
> Sent: Monday, January 04, 2016 19:36
> To: users@httpd.apache.org
> Subject: RE: [users@httpd] Possible virus via httpd server
>
> Hmmm, index.html is just default page??? Strange that it got
> overwritten by some executable
>
> --
> Dino Buljubasic
>
> --
> Dino Buljubasic
> Cell 604 441 3560
>
> Please pardon my brevity - sent from my mobile device. Please excuse any
> typos.
>
>> On Jan 4, 2016 12:38, "Michael D. Berger" wrote:
>> Following your suggestion, I made use of my daily backups to install
>> the httpd.conf from two days ago, when all was well. The problem was
>> the same. I tried submitting a file to sophos, but I would have to
>> join, and I am not ready for that. See also my next email.
>>
>> Still heading toward DBAN.
>>
>> Thanks,
>> Mike.
>>
>> --
>> Michael D. Berger
>> m.d.ber...@ieee.org
>> http://www.rosemike.net/
>>
>> > -Original Message-
>> > From: Keith Roberts [mailto:keith.robe...@ecric.nhs.uk]
>> > Sent: Monday, January 04, 2016 11:25
>> > To: users@httpd.apache.org
>> > Subject: Re: [users@httpd] Possible virus via httpd server
>> >
>> > Hi Mike.
>> >
>> > You might like to send this to sophos for analysis:
>> >
>> > https://www.sophos.com/en-us/support/knowledgebase/11490.aspx
>> >
>> > As index.html is the default page if nothing else is
>> > configured, has your httpd.conf file been modified to serve
>> > this binary file instead of index.html?
>> >
>> > HTH,
>> >
>> > Keith Roberts
>> >
>> > On 4 Jan 2016, at 16:18, Michael D. Berger
>> > wrote:
>> >
>> > > Warning: This message contains unverified links which may not be safe. You should only click links if you are sure they are from a trusted source.
>> > > Examining with Lemmy (A Windows version of VI), it looks like a binary file.
>> > > Size is 181.4 KB.
>> > > I am considering my favorite virus remover: DBAN, but it would take
>> > > several days work to recover from that.
>> > >
>> > > Mike.
>> > > --
>> > > Michael D. Berger
>> > > m.d.ber...@ieee.org
>> > > http://www.rosemike.net/
>> > >
>> > >> -Original Message-
>> > >> From: Daniel Beardsmore [mailto:dan...@trustnetworks.co.uk]
>> > >> Sent: Monday, January 04, 2016 05:03
>> > >> To: users@httpd.apache.org
>> > >> Subject: RE: [users@httpd] Possible virus via httpd server
>> > >>
>> > >> Well, what do you see if you examine the file in a text editor?
>> > >>
>> > >>> -Original Message-
>> > >>> From: Michael D. Berger [mailto:m.d.ber...@ieee.org]
>> > >>> Sent: 04 January 2016 05:03
>> > >>> To: Apache-Users
>> > >>> Subject: [users@httpd] Possible virus via httpd server
>> > >>>
>> > >>> Using my WinXP Firefox client to access my previously working httpd
>> > >>> 2.4 server on Fedora 23 gets a file named 1OfvyQ5L instead of my
>> > >>> index.html . Do you think I have a virus on my Linux box? I did
>> > >>> notice that my iptables is not as tight as it should be.
>> > >>>
>> > >>> --
>> > >>> Michael D. Berger
>> > >>> m.d.ber...@ieee.org
>> > >>> http://www.rosemike.net/
Re: [users@httpd] Re: apache service interruption
You could potentially deny legitimate users access. I limit so many connections per second per source IP. If I knew I were getting a ton of traffic from a University I would have to adjust it accordingly. The setting in pfsense is Maximum new connections / per second(s) - that's per IP. My site I wouldn't say is pegged with University traffic sharing the same IP. I'm just giving you examples and tailor to your needs. If you get a bunch of traffic from a shared IP, obviously, this would not be the best way to go.

I try to mitigate using rate limiting. I don't like to wait for the traffic to pass to Apache and have to configure a module to fix it. Apache should be handling web requests, not having to deal with tons of traffic (bruteforce/DoS). I try to handle that stuff before it even gets passed to Apache. From the Cisco side you could implement ACLs and rate limiting.

http://www.debian-administration.org/articles/187

On 08/02/2013 01:49 AM, Grant wrote:

Truthfully, I've always limited connections from the source IP via a firewall before the traffic is even passed to apache.

Do you do this only when under DoS attack or all the time? Won't you potentially prevent legitimate users from making a single connection if they're connecting with a shared IP from a university campus (for example)? How is this accomplished with iptables?

- Grant

Two different things come to mind. Kingcope found an Apache byterange vulnerability and the PoC code he wrote for it exhausts the resources on a server running Apache. Only 1 instance of his perl script had to be run. LOIC is another that could possibly DoS your server from one source. What IP address was hitting your box when this happened?

I'd rather not post the IP if that's OK. I did notice my access_log entries were out of chronological order for the IP address in question. Does that indicate a Slowloris attack? Maybe it's just the result of the server bogging down in response to so many requests in a short amount of time.

So I'm sure I understand, a regular browser or unsophisticated script shouldn't be able to interrupt apache service by simply requesting a large number of pages in a short amount of time? If not, how does apache prevent that from happening?

- Grant

You wouldn't keep a syn proxy rule enabled all the time; only under a DoS attack. You could also implement ModSecurity.

ModSecurity looks good and I think it works with nginx as well as apache. Is everyone who isn't running OSSEC HIDS or ModSecurity vulnerable to a single client requesting too many pages and interrupting the service?

- Grant

Also, you should be able to limit simultaneous client connections with your firewall and pass the traffic in a syn proxy state. There are numerous ways to achieve this.

Is that the best way to go besides OSSEC HIDS? I can imagine that sort of thing could cause problems.

- Grant

You can always compile from source ;) What version of Apache are you running?

On 07/29/2013 02:59 AM, Grant wrote:

Was it just an IP exhausting the apache service with too many connections? What do you see in the access logs? I use OSSEC HIDS on my apache servers to mitigate this.

In the access log I see the same IP made many requests during the service interruption and I think that exhausted the apache service. It looks like there isn't a Gentoo ebuild for OSSEC HIDS. Is there another way to prevent this sort of thing?

- Grant

My server has 4GB RAM and uses nginx as a reverse proxy to apache. A little while ago my website became inaccessible for about 30 minutes. I checked my munin graphs and it looks like apache processes spiked to about 29 during this time which is many times greater than usual. I have MaxClients at 30 and the error log verifies that MaxClients was not reached. The strange part is system disk latency shows a spike during the interruption which is only very slightly greater than other spikes which did not interrupt service. System CPU, memory, and swap usage don't show anything interesting at all. Does this make sense to anyone? Should I decrease MaxClients?

- Grant

I've looked over my access_log and I can see there is a particular IP which was making many requests during the interruption. Since munin does not show there was an excessive amount of memory or CPU usage, lowering MaxClients won't help?

- Grant
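An added example, not code from the thread: a Python replay of an access log against a per-source-IP limit of the "Maximum new connections / per second(s)" kind discussed above, so a threshold can be checked against shared addresses before it goes on the firewall. It also counts entries logged out of chronological order per IP; httpd records the time a request was received but writes the line when the request completes, so slow responses alone produce such entries. Assumptions: the default common/combined log format, each logged request treated as one new connection (an upper bound when keep-alive is in use), and constructed log lines, addresses and thresholds.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Common/combined log format prefix: host ident user [time] "request" status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} ')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(lines):
    """Yield (ip, timestamp) for each parsable line, in file order."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the replay
        try:
            yield m.group(1), datetime.strptime(m.group(2), TIME_FMT)
        except ValueError:
            continue  # unparsable timestamp


def replay(lines, max_requests, per_seconds):
    """Per IP: total requests, peak count in any window of per_seconds,
    requests that exceed max_requests in that window (what a firewall rule
    would have dropped), and entries logged out of chronological order."""
    by_ip = defaultdict(list)
    out_of_order = defaultdict(int)
    newest = {}
    for ip, ts in parse(lines):
        if ip in newest and ts < newest[ip]:
            out_of_order[ip] += 1  # received earlier, logged later
        newest[ip] = max(ts, newest.get(ip, ts))
        by_ip[ip].append(ts)

    report = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        window = deque()
        peak = over = 0
        for ts in stamps:
            window.append(ts)
            # drop entries that fell out of the sliding window
            while (ts - window[0]).total_seconds() >= per_seconds:
                window.popleft()
            peak = max(peak, len(window))
            if len(window) > max_requests:
                over += 1
        report[ip] = {
            "requests": len(stamps),
            "peak": peak,
            "over_limit": over,
            "out_of_order": out_of_order[ip],
        }
    return report


def sample_log():
    """Constructed log: one aggressive client, one shared (NAT) address,
    one ordinary visitor. All addresses are documentation ranges."""
    def line(ip, sec, path="/"):
        return (f'{ip} - - [29/Jul/2013:02:{sec // 60:02d}:{sec % 60:02d} +0000] '
                f'"GET {path} HTTP/1.1" 200 512 "-" "-"')

    lines = [line("203.0.113.7", s // 10, f"/p{s}") for s in range(40)]  # 10 per second
    lines.append(line("203.0.113.7", 1, "/slow"))  # slow request, logged late
    lines += [line("198.51.100.20", s // 3) for s in range(12)]  # shared IP, 3 per second
    lines += [line("192.0.2.5", s) for s in range(0, 60, 10)]  # one every 10 seconds
    return lines


if __name__ == "__main__":
    for limit in (5, 2):
        print(f"limit: {limit} requests per second per IP")
        for ip, row in sorted(replay(sample_log(), limit, 1).items()):
            print(f"  {ip:15} {row}")
```

At 5 per second only the aggressive client is throttled; at 2 per second the shared address starts losing requests as well, which is the trade-off raised in the thread.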
Re: [users@httpd] Re: apache service interruption
Truthfully, I've always limited connections from the source IP via a firewall before the traffic is even passed to apache.

On 08/01/2013 04:39 AM, Grant wrote:

Two different things come to mind. Kingcope found an Apache byterange vulnerability and the PoC code he wrote for it exhausts the resources on a server running Apache. Only 1 instance of his perl script had to be run. LOIC is another that could possibly DoS your server from one source. What IP address was hitting your box when this happened?

I'd rather not post the IP if that's OK. I did notice my access_log entries were out of chronological order for the IP address in question. Does that indicate a Slowloris attack? Maybe it's just the result of the server bogging down in response to so many requests in a short amount of time.

So I'm sure I understand, a regular browser or unsophisticated script shouldn't be able to interrupt apache service by simply requesting a large number of pages in a short amount of time? If not, how does apache prevent that from happening?

- Grant

You wouldn't keep a syn proxy rule enabled all the time; only under a DoS attack. You could also implement ModSecurity.

ModSecurity looks good and I think it works with nginx as well as apache. Is everyone who isn't running OSSEC HIDS or ModSecurity vulnerable to a single client requesting too many pages and interrupting the service?

- Grant

Also, you should be able to limit simultaneous client connections with your firewall and pass the traffic in a syn proxy state. There are numerous ways to achieve this.

Is that the best way to go besides OSSEC HIDS? I can imagine that sort of thing could cause problems.

- Grant

You can always compile from source ;) What version of Apache are you running?

On 07/29/2013 02:59 AM, Grant wrote:

Was it just an IP exhausting the apache service with too many connections? What do you see in the access logs? I use OSSEC HIDS on my apache servers to mitigate this.

In the access log I see the same IP made many requests during the service interruption and I think that exhausted the apache service. It looks like there isn't a Gentoo ebuild for OSSEC HIDS. Is there another way to prevent this sort of thing?

- Grant

My server has 4GB RAM and uses nginx as a reverse proxy to apache. A little while ago my website became inaccessible for about 30 minutes. I checked my munin graphs and it looks like apache processes spiked to about 29 during this time which is many times greater than usual. I have MaxClients at 30 and the error log verifies that MaxClients was not reached. The strange part is system disk latency shows a spike during the interruption which is only very slightly greater than other spikes which did not interrupt service. System CPU, memory, and swap usage don't show anything interesting at all. Does this make sense to anyone? Should I decrease MaxClients?

- Grant

I've looked over my access_log and I can see there is a particular IP which was making many requests during the interruption. Since munin does not show there was an excessive amount of memory or CPU usage, lowering MaxClients won't help?

- Grant
Re: [users@httpd] substituting proxy
Burp Suite will do exactly this.

http://portswigger.net/burp/

On 07/31/2013 06:04 AM, Robin Becker wrote:

Not sure if I am using the right terminology, but I want to create a forward proxy that will allow me to substitute locally controlled content for some of the requests eg a specific remote javascript file (which I wish to debug).

My normal approach would be to save all html using a browser, but this site is very dynamic with ajax etc and I am unable to save a decent replica.

I imagine this can be done using a proxy setup with some specific requests being diverted to a local web server, but I'm not exactly sure how that should be done. I can set up a forward proxy easily enough, but don't know how to get mod_rewrite or whatever to interfere with the proxy.
Re: [users@httpd] Re: apache service interruption
Two different things come to mind. Kingcope found an Apache byterange vulnerability and the PoC code he wrote for it exhausts the resources on a server running Apache. Only 1 instance of his perl script had to be run. LOIC is another that could possibly DoS your server from one source. What IP address was hitting your box when this happened?

On 07/30/2013 02:25 AM, Grant wrote:

You wouldn't keep a syn proxy rule enabled all the time; only under a DoS attack. You could also implement ModSecurity.

ModSecurity looks good and I think it works with nginx as well as apache. Is everyone who isn't running OSSEC HIDS or ModSecurity vulnerable to a single client requesting too many pages and interrupting the service?

- Grant

Also, you should be able to limit simultaneous client connections with your firewall and pass the traffic in a syn proxy state. There are numerous ways to achieve this.

Is that the best way to go besides OSSEC HIDS? I can imagine that sort of thing could cause problems.

- Grant

You can always compile from source ;) What version of Apache are you running?

On 07/29/2013 02:59 AM, Grant wrote:

Was it just an IP exhausting the apache service with too many connections? What do you see in the access logs? I use OSSEC HIDS on my apache servers to mitigate this.

In the access log I see the same IP made many requests during the service interruption and I think that exhausted the apache service. It looks like there isn't a Gentoo ebuild for OSSEC HIDS. Is there another way to prevent this sort of thing?

- Grant

My server has 4GB RAM and uses nginx as a reverse proxy to apache. A little while ago my website became inaccessible for about 30 minutes. I checked my munin graphs and it looks like apache processes spiked to about 29 during this time which is many times greater than usual. I have MaxClients at 30 and the error log verifies that MaxClients was not reached. The strange part is system disk latency shows a spike during the interruption which is only very slightly greater than other spikes which did not interrupt service. System CPU, memory, and swap usage don't show anything interesting at all. Does this make sense to anyone? Should I decrease MaxClients?

- Grant

I've looked over my access_log and I can see there is a particular IP which was making many requests during the interruption. Since munin does not show there was an excessive amount of memory or CPU usage, lowering MaxClients won't help?

- Grant
Re: [users@httpd] Re: apache service interruption
You can always compile from source ;) What version of Apache are you running?

On 07/29/2013 02:59 AM, Grant wrote:

Was it just an IP exhausting the apache service with too many connections? What do you see in the access logs? I use OSSEC HIDS on my apache servers to mitigate this.

In the access log I see the same IP made many requests during the service interruption and I think that exhausted the apache service. It looks like there isn't a Gentoo ebuild for OSSEC HIDS. Is there another way to prevent this sort of thing?

- Grant

My server has 4GB RAM and uses nginx as a reverse proxy to apache. A little while ago my website became inaccessible for about 30 minutes. I checked my munin graphs and it looks like apache processes spiked to about 29 during this time which is many times greater than usual. I have MaxClients at 30 and the error log verifies that MaxClients was not reached. The strange part is system disk latency shows a spike during the interruption which is only very slightly greater than other spikes which did not interrupt service. System CPU, memory, and swap usage don't show anything interesting at all. Does this make sense to anyone? Should I decrease MaxClients?

- Grant

I've looked over my access_log and I can see there is a particular IP which was making many requests during the interruption. Since munin does not show there was an excessive amount of memory or CPU usage, lowering MaxClients won't help?

- Grant
Re: [users@httpd] SSL config - HTTPS not working
The only reason I asked was because I had done this before and had the virtualhost created for port 443 but forgot to a2ensite on the virtualhost.

On 07/29/2013 02:59 AM, Yuvapriya s wrote:

Yes.. I have configured Vhosts for port 443..

On Fri, Jul 26, 2013 at 2:56 PM, Michael D. Wood m...@itsecuritypros.org wrote:

Do you have a virtual host configured for the site SSL/443?

On 07/26/2013 05:15 AM, Yuvapriya s wrote:

Hi

We had done split deployment of apache and tomcat and we are trying to configure ssl on apache. Modified the httpd_ssl.conf file and uncommented the lines to include mod_ssl.so and the conf file in httpd.conf and restarted apache.

Now we are getting below errors while loading the url

https:/BOE/CMC - HTTP 403 Forbidden Error
https:/BOE/BI - HTTP 404 Not Found

Whereas using http works fine for the same url

When checked on the logs, found the below error messages.

[client ::1] Directory index forbidden by Options directive: G:/Program Files (x86)/Apache Software Foundation/Apache2.2/htdocs/BOE/CMC/
[client ::1] File does not exist: G:/Program Files (x86)/Apache Software Foundation/Apache2.2/htdocs/BOE/BI

Could you please help on what needs to be done to resolve the same?

Thanks
Re: [users@httpd] Re: apache service interruption
Also, you should be able to limit simultaneous client connections with your firewall and pass the traffic in a syn proxy state. There are numerous ways to achieve this.

On 07/29/2013 03:18 AM, Michael D. Wood wrote:

You can always compile from source ;) What version of Apache are you running?

On 07/29/2013 02:59 AM, Grant wrote:

Was it just an IP exhausting the apache service with too many connections? What do you see in the access logs? I use OSSEC HIDS on my apache servers to mitigate this.

In the access log I see the same IP made many requests during the service interruption and I think that exhausted the apache service. It looks like there isn't a Gentoo ebuild for OSSEC HIDS. Is there another way to prevent this sort of thing?

- Grant

My server has 4GB RAM and uses nginx as a reverse proxy to apache. A little while ago my website became inaccessible for about 30 minutes. I checked my munin graphs and it looks like apache processes spiked to about 29 during this time which is many times greater than usual. I have MaxClients at 30 and the error log verifies that MaxClients was not reached. The strange part is system disk latency shows a spike during the interruption which is only very slightly greater than other spikes which did not interrupt service. System CPU, memory, and swap usage don't show anything interesting at all. Does this make sense to anyone? Should I decrease MaxClients?

- Grant

I've looked over my access_log and I can see there is a particular IP which was making many requests during the interruption. Since munin does not show there was an excessive amount of memory or CPU usage, lowering MaxClients won't help?

- Grant
Re: [users@httpd] Re: apache service interruption
You wouldn't keep a syn proxy rule enabled all the time; only under a DoS attack. You could also implement ModSecurity.

On 07/29/2013 02:07 PM, Grant wrote:

Also, you should be able to limit simultaneous client connections with your firewall and pass the traffic in a syn proxy state. There are numerous ways to achieve this.

Is that the best way to go besides OSSEC HIDS? I can imagine that sort of thing could cause problems.

- Grant

You can always compile from source ;) What version of Apache are you running?

On 07/29/2013 02:59 AM, Grant wrote:

Was it just an IP exhausting the apache service with too many connections? What do you see in the access logs? I use OSSEC HIDS on my apache servers to mitigate this.

In the access log I see the same IP made many requests during the service interruption and I think that exhausted the apache service. It looks like there isn't a Gentoo ebuild for OSSEC HIDS. Is there another way to prevent this sort of thing?

- Grant

My server has 4GB RAM and uses nginx as a reverse proxy to apache. A little while ago my website became inaccessible for about 30 minutes. I checked my munin graphs and it looks like apache processes spiked to about 29 during this time which is many times greater than usual. I have MaxClients at 30 and the error log verifies that MaxClients was not reached. The strange part is system disk latency shows a spike during the interruption which is only very slightly greater than other spikes which did not interrupt service. System CPU, memory, and swap usage don't show anything interesting at all. Does this make sense to anyone? Should I decrease MaxClients?

- Grant

I've looked over my access_log and I can see there is a particular IP which was making many requests during the interruption. Since munin does not show there was an excessive amount of memory or CPU usage, lowering MaxClients won't help?

- Grant
Re: [users@httpd] Re: apache service interruption
Was it just an IP exhausting the apache service with too many connections? What do you see in the access logs? I use OSSEC HIDS on my apache servers to mitigate this.

--
Sent from my mobile device
Michael D. Wood
www.itsecuritypros.org

Grant emailgr...@gmail.com wrote:

My server has 4GB RAM and uses nginx as a reverse proxy to apache. A little while ago my website became inaccessible for about 30 minutes. I checked my munin graphs and it looks like apache processes spiked to about 29 during this time which is many times greater than usual. I have MaxClients at 30 and the error log verifies that MaxClients was not reached. The strange part is system disk latency shows a spike during the interruption which is only very slightly greater than other spikes which did not interrupt service. System CPU, memory, and swap usage don't show anything interesting at all. Does this make sense to anyone? Should I decrease MaxClients?

- Grant

I've looked over my access_log and I can see there is a particular IP which was making many requests during the interruption. Since munin does not show there was an excessive amount of memory or CPU usage, lowering MaxClients won't help?

- Grant
Re: [users@httpd] SSL config - HTTPS not working
Do you have a virtual host configured for the site SSL/443?

On 07/26/2013 05:15 AM, Yuvapriya s wrote:

Hi

We had done split deployment of apache and tomcat and we are trying to configure ssl on apache. Modified the httpd_ssl.conf file and uncommented the lines to include mod_ssl.so and the conf file in httpd.conf and restarted apache.

Now we are getting below errors while loading the url

https:/BOE/CMC - HTTP 403 Forbidden Error
https:/BOE/BI - HTTP 404 Not Found

Whereas using http works fine for the same url

When checked on the logs, found the below error messages.

[client ::1] Directory index forbidden by Options directive: G:/Program Files (x86)/Apache Software Foundation/Apache2.2/htdocs/BOE/CMC/
[client ::1] File does not exist: G:/Program Files (x86)/Apache Software Foundation/Apache2.2/htdocs/BOE/BI

Could you please help on what needs to be done to resolve the same?

Thanks
Re: [users@httpd] Router change issue
The new wireless router is configured the same way as your old router was? As in, the same network configuration and I'm assuming the server you have Apache running on has a static ip in the same network? Not much that has to change - port forward to your server running Apache. What are you getting when trying to access the site? Connection timed out, just doesn't connect at all?

On 07/24/2013 05:02 PM, James Coyle wrote:

I installed a new wireless router last night from Comcast. Previously I had been using an Apple Airport Extreme as a router along with a regular cable modem. I have duplicated the IP scheme on this new router and have opened up the appropriate port so that Apache can serve up my web site, but so far I have had no luck in getting the pages to display.

As I said, I've confirmed that the correct port for my web hop via DYNDns is open (port 8102) and it is mapped to my internal IP address. I have not changed my Apache config file or anything else. The only thing I can think of here is that Apache is confused by the change in hardware since both the Airport Extreme and the new Comcast wireless router are/were using the same 10.0.0.x range of addresses. My old Airport is now in bridge mode and is not acting as a router.

I am reluctant to call Comcast, first of all because they are Comcast, and secondly because they are now pushing a higher level of paid support that I'm not interested in.

I'd appreciate any help anyone could provide. Thanks.