from:"Michael D. Wood"

Re: [users@httpd] Possible virus via httpd server

2016-01-04 Thread Michael D. Wood

Interestinglet us know what you find.

Sent from my iPhone

> On Jan 4, 2016, at 9:06 PM, Michael D. Berger <m.d.ber...@ieee.org> wrote:
> 
> I don't think index.html was changed, but I only took a quick look.
> I have it backed up in a tgz file, so when the Linux box comes back up
> (maybe tomorrow), I'll take a closer look
>  
> It is also possible that there was something wrong with httpd.config .
> It is quite complex, with numerous RewriteRule, etc.  However, even
> when I commented out ALL the virtual hosts, the problem persisted.
> But if I left a simple vhost and put a RewiteRule that (for reasons that I 
> don't
> know) it didn't like, then it returned a failure.  When I put it back 
> together,
> I'll build up httpd.config slowly.
>  
> Thanks,
> Mike.
> --
> Michael D. Berger
> m.d.ber...@ieee.org
> http://www.rosemike.net/
>  
> 
> From: Michael D. Wood [mailto:m...@itsecuritypros.org] 
> Sent: Monday, January 04, 2016 20:27
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Possible virus via httpd server
> 
> Was the index.html file modified in anyway?  Did it call the executable?  Any 
> rewrites or any other files added to the path index.html resided?
> 
> Sent from my iPhone
> 
>> On Jan 4, 2016, at 8:21 PM, Michael D. Berger <m.d.ber...@ieee.org> wrote:
>> 
>> It was not overwritten.  If you looked on the server, it was just fine.
>> But an executable was delivered instead.  In any case, it is gone
>> with the wind -- DBAN is now running on the server. Hopefully,
>> the reinstallation will work better.
>>  
>> Mike.
>>  
>> --
>> Michael D. Berger
>> m.d.ber...@ieee.org
>> http://www.rosemike.net/
>>  
>>  
>> 
>> From: Dino B. [mailto:mypascal2...@gmail.com] 
>> Sent: Monday, January 04, 2016 19:36
>> To: users@httpd.apache.org
>> Subject: RE: [users@httpd] Possible virus via httpd server
>> 
>> Hmmm, index. Html is just default page???  Strange that that it got 
>> overwritten by some executable
>> 
>> --
>> Dino Buljubasic
>> 
>> --
>> Dino Buljubasic
>> Cell 604 441 3560
>> 
>> Please pardon my brevity - sent from my mobile device.  Please excuse any 
>> typos.
>> 
>>> On Jan 4, 2016 12:38, "Michael D. Berger" <m.d.ber...@ieee.org> wrote:
>>> Following your suggestion, I made use of my daily backups to install
>>> the httpd.conf from two days ago, when all was well. The problem was
>>> the same.  I tried sublitting a file to sophos, but I would have to
>>> join, and I am not ready for that.  See also my next email.
>>> 
>>> Still heading toward DBAN.
>>> 
>>> Thanks,
>>> Mike.
>>> 
>>> --
>>> Michael D. Berger
>>> m.d.ber...@ieee.org
>>> http://www.rosemike.net/
>>> 
>>> 
>>> > -Original Message-
>>> > From: Keith Roberts [mailto:keith.robe...@ecric.nhs.uk]
>>> > Sent: Monday, January 04, 2016 11:25
>>> > To: users@httpd.apache.org
>>> > Subject: Re: [users@httpd] Possible virus via httpd server
>>> >
>>> > Hi Mike.
>>> >
>>> > You might like to send this to sophos for analysis:
>>> >
>>> > https://www.sophos.com/en-us/support/knowledgebase/11490.aspx
>>> >
>>> > As index.html is the default page if nothing else is
>>> > configured, has your httpd.conf file been modified to server
>>> > this binary file instead of index.html?
>>> >
>>> > HTH,
>>> >
>>> > Keith Roberts
>>> >
>>> > On 4 Jan 2016, at 16:18, Michael D. Berger
>>> > <m.d.ber...@ieee.org> wrote:
>>> >
>>> > > Warning: This message contains unverified links which may
>>> > not be safe.  You should only click links if you are sure
>>> > they are from a trusted source.
>>> > > Examining with Lemmy (A Windows version of VI), it looks
>>> > like a binary file.
>>> > > Size is 181.4 KB.
>>> > > I am considering my favorite virus remover: DBAN, but it would take
>>> > > several days work to recover from that.
>>> > >
>>> > > Mike.
>>> > > --
>>> > > Michael D. Berger
>>> > > m.d.ber...@ieee.org
>>> > > http://www.rosemike.net/
>>> > >
>>> > >
>>> > >>

Re: [users@httpd] Possible virus via httpd server

2016-01-04 Thread Michael D. Wood

Was the index.html file modified in anyway?  Did it call the executable?  Any 
rewrites or any other files added to the path index.html resided?

Sent from my iPhone

> On Jan 4, 2016, at 8:21 PM, Michael D. Berger  wrote:
> 
> It was not overwritten.  If you looked on the server, it was just fine.
> But an executable was delivered instead.  In any case, it  is gone
> with the wind -- DBAN is now running on the server. Hopefully,
> the reinstallation will work better.
>  
> Mike.
>  
> --
> Michael D. Berger
> m.d.ber...@ieee.org
> http://www.rosemike.net/
>  
>  
> 
> From: Dino B. [mailto:mypascal2...@gmail.com] 
> Sent: Monday, January 04, 2016 19:36
> To: users@httpd.apache.org
> Subject: RE: [users@httpd] Possible virus via httpd server
> 
> Hmmm, index. Html is just default page???  Strange that that it got 
> overwritten by some executable
> 
> --
> Dino Buljubasic
> 
> --
> Dino Buljubasic
> Cell 604 441 3560
> 
> Please pardon my brevity - sent from my mobile device.  Please excuse any 
> typos.
> 
>> On Jan 4, 2016 12:38, "Michael D. Berger"  wrote:
>> Following your suggestion, I made use of my daily backups to install
>> the httpd.conf from two days ago, when all was well. The problem was
>> the same.  I tried sublitting a file to sophos, but I would have to
>> join, and I am not ready for that.  See also my next  email.
>> 
>> Still heading toward DBAN.
>> 
>> Thanks,
>> Mike.
>> 
>> --
>> Michael D. Berger
>> m.d.ber...@ieee.org
>> http://www.rosemike.net/
>> 
>> 
>> > -Original Message-
>> > From: Keith Roberts [mailto:keith.robe...@ecric.nhs.uk]
>> > Sent: Monday, January 04, 2016 11:25
>> > To: users@httpd.apache.org
>> > Subject: Re: [users@httpd] Possible virus via httpd server
>> >
>> > Hi Mike.
>> >
>> > You might like to send this to sophos for analysis:
>> >
>> > https://www.sophos.com/en-us/support/knowledgebase/11490.aspx
>> >
>> > As index.html is the default page if nothing else is
>> > configured, has your httpd.conf file been modified to server
>> > this binary file instead of index.html?
>> >
>> > HTH,
>> >
>> > Keith Roberts
>> >
>> > On 4 Jan 2016, at 16:18, Michael D. Berger
>> >  wrote:
>> >
>> > > Warning: This message contains unverified links which may
>> > not be safe.  You should only click links if you are sure
>> > they are from a trusted source.
>> > > Examining with Lemmy (A Windows version of VI), it looks
>> > like a binary file.
>> > > Size is 181.4 KB.
>> > > I am considering my favorite virus remover: DBAN, but it would take
>> > > several days work to recover from that.
>> > >
>> > > Mike.
>> > > --
>> > > Michael D. Berger
>> > > m.d.ber...@ieee.org
>> > > http://www.rosemike.net/
>> > >
>> > >
>> > >> -Original Message-
>> > >> From: Daniel Beardsmore [mailto:dan...@trustnetworks.co.uk]
>> > >> Sent: Monday, January 04, 2016 05:03
>> > >> To: users@httpd.apache.org
>> > >> Subject: RE: [users@httpd] Possible virus via httpd server
>> > >>
>> > >> Well, what do you see if you examine the file in a text editor?
>> > >>
>> > >>> -Original Message-
>> > >>> From: Michael D. Berger [mailto:m.d.ber...@ieee.org]
>> > >>> Sent: 04 January 2016 05:03
>> > >>> To: Apache-Users
>> > >>> Subject: [users@httpd] Possible virus via httpd server
>> > >>>
>> > >>> Using my WinXP Firefox client to access my previously
>> > working httpd
>> > >>> 2.4 server on Fedora 23 gets a file named 1OfvyQ5L instead of my
>> > >>> index.html .  Do you think I have a virus on my Linux box?  I did
>> > >>> notice that my iptables is not as tight as it should be.
>> > >>>
>> > >>> --
>> > >>> Michael D. Berger
>> > >>> m.d.ber...@ieee.org
>> > >>> http://www.rosemike.net/
>> > >>>
>> > >>>
>> > >>>
>> > >>>
>> > >>
>> > -
>> > >>> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>> > >>> For additional commands, e-mail: users-h...@httpd.apache.org
>> > >>>
>> > >>>
>> > >>
>> > -
>> > >> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>> > >> For additional commands, e-mail: users-h...@httpd.apache.org
>> > >>
>> > >
>> > >
>> > >
>> > -
>> > > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>> > > For additional commands, e-mail: users-h...@httpd.apache.org
>> > >
>> >
>> >
>> > -
>> > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>> > For additional commands, e-mail: users-h...@httpd.apache.org
>> >
>> 
>> 
>> -
>> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>> For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Re: apache service interruption

2013-08-02 Thread Michael D. Wood

You could potentially deny legitimate users access.  I limit so many 
connections per second per source IP.  If I knew I were getting a ton of 
traffic from a University I would have to adjust it accordingly.


The setting in pfsense is Maximum new connections / per second(s) - 
that's per IP.  My site I wouldn't say is pegged with University traffic 
sharing the same IP.  I'm just giving you examples and tailor to your 
needs.  If you get a bunch of traffic from a shared IP, obviously, this 
would not be the best way to go.  I try to mitigate using rate limiting.


I don't like to wait for the traffic to pass to Apache and have to 
configure a module to fix it.  Apache should be handling web requests, 
not having to deal with tons of traffic (bruteforce/DoS).  I try to 
handle that stuff before it even gets passed to Apache.


From the Cisco side you could implement ACL's and rate limiting.

http://www.debian-administration.org/articles/187

On 08/02/2013 01:49 AM, Grant wrote:

Truthfully, I've always limited connections from the source IP via a
firewall before the traffic is even passed to apache.


Do you do this only when under DoS attack or all the time?

Won't you potentially prevent legitimate users from making a single
connection if they're connecting with a shared IP from a university
campus (for example)?

How is this accomplished with iptables?

- Grant


Two different things come to mind.  Kingcope found an Apache 
byterange
vulnerability and the PoC code he wrote for it exhausts the 
resources on

a
server running Apache.  Only 1 instance of his perl script had to 
be ran.
LOIC is another that could possible DoS your server from one 
source. What

IP address was hitting your box when this happened?



I'd rather not post the IP if that's OK.  I did notice my 
access_log

entries were out of chronological order for the IP address in
question.  Does that indicate a Slowloris attack?  Maybe it's just 
the
result of the server bogging down in response to so many requests 
in a

short amount of time.

So I'm sure I understand, a regular browser or unsophisticated 
script
shouldn't be able to interrupt apache service by simply requesting 
a

large number of pages in a short amount of time?  If not, how does
apache prevent that from happening?

- Grant


You wouldn't keep a syn proxy rule enabled all the time; only 
under a

DoS
attack.  You could also implement ModSecurity.




ModSecurity looks good and I think it works with nginx as well as
apache.  Is everyone who isn't running OSSEC HIDS or ModSecurity
vulnerable to a single client requesting too many pages and
interrupting the service?

- Grant


Also, you should be able to limit simultaneous client 
connections

with
your
firewall and pass the traffic in a syn proxy state. There are
numerous
ways
to achieve this.





Is that the best way to go besides OSSEC HIDS?  I can imagine 
that

sort of thing could cause problems.

- Grant



You can always compile from source ;)
What version of Apache are you running?

On 07/29/2013 02:59 AM, Grant wrote:





Was it just an IP exhausting the apache service with too 
many
connections?  What do you see in the access logs?  I use 
OSSEC

HIDS
on
my
apache servers to mitigate this.






In the access log I see the same IP made many requests 
during the
service interruption and I think that exhausted the apache 
service.
It looks like there isn't a Gentoo ebuild for OSSEC HIDS.  
Is there

another way to prevent this sort of thing?

- Grant


My server has 4GB RAM and uses nginx as a reverse proxy 
to

apache.
A
little while ago my website became inaccessible for about 
30

minutes.
I checked my munin graphs and it looks like apache 
processes

spiked
to
about 29 during this time which is many times greater 
than

usual.
I
have MaxClients at 30 and the error log verifies that 
MaxClients

was
not reached.  The strange part is system disk latency 
shows a

spike
during the interruption which is only very slightly 
greater than

other
spikes which did not interrupt service.  System CPU, 
memory, and

swap
usage don't show anything interesting at all.

Does this make sense to anyone?  Should I decrease 
MaxClients?


- Grant






I've looked over my access_log and I can see there is a
particular
IP
which was making many requests during the interruption.  
Since

munin
does not show there was an excessive amount of memory or 
CPU

usage,
lowering MaxClients won't help?

- Grant


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Re: apache service interruption

2013-08-01 Thread Michael D. Wood

Truthfully, I've always limited connections from the source IP via a 
firewall before the traffic is even passed to apache.


On 08/01/2013 04:39 AM, Grant wrote:
Two different things come to mind.  Kingcope found an Apache 
byterange
vulnerability and the PoC code he wrote for it exhausts the 
resources on a
server running Apache.  Only 1 instance of his perl script had to be 
ran.
LOIC is another that could possible DoS your server from one source. 
What

IP address was hitting your box when this happened?


I'd rather not post the IP if that's OK.  I did notice my access_log
entries were out of chronological order for the IP address in
question.  Does that indicate a Slowloris attack?  Maybe it's just 
the
result of the server bogging down in response to so many requests in 
a

short amount of time.

So I'm sure I understand, a regular browser or unsophisticated script
shouldn't be able to interrupt apache service by simply requesting a
large number of pages in a short amount of time?  If not, how does
apache prevent that from happening?

- Grant


You wouldn't keep a syn proxy rule enabled all the time; only 
under a DoS

attack.  You could also implement ModSecurity.



ModSecurity looks good and I think it works with nginx as well as
apache.  Is everyone who isn't running OSSEC HIDS or ModSecurity
vulnerable to a single client requesting too many pages and
interrupting the service?

- Grant


Also, you should be able to limit simultaneous client 
connections with

your
firewall and pass the traffic in a syn proxy state. There are 
numerous

ways
to achieve this.




Is that the best way to go besides OSSEC HIDS?  I can imagine 
that

sort of thing could cause problems.

- Grant



You can always compile from source ;)
What version of Apache are you running?

On 07/29/2013 02:59 AM, Grant wrote:




Was it just an IP exhausting the apache service with too many
connections?  What do you see in the access logs?  I use 
OSSEC HIDS

on
my
apache servers to mitigate this.





In the access log I see the same IP made many requests during 
the
service interruption and I think that exhausted the apache 
service.
It looks like there isn't a Gentoo ebuild for OSSEC HIDS.  Is 
there

another way to prevent this sort of thing?

- Grant


My server has 4GB RAM and uses nginx as a reverse proxy to 
apache.

A
little while ago my website became inaccessible for about 
30

minutes.
I checked my munin graphs and it looks like apache 
processes

spiked
to
about 29 during this time which is many times greater than 
usual.

I
have MaxClients at 30 and the error log verifies that 
MaxClients

was
not reached.  The strange part is system disk latency shows 
a

spike
during the interruption which is only very slightly greater 
than

other
spikes which did not interrupt service.  System CPU, 
memory, and

swap
usage don't show anything interesting at all.

Does this make sense to anyone?  Should I decrease 
MaxClients?


- Grant





I've looked over my access_log and I can see there is a 
particular

IP
which was making many requests during the interruption.  
Since

munin
does not show there was an excessive amount of memory or CPU 
usage,

lowering MaxClients won't help?

- Grant


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] substituting proxy

2013-07-31 Thread Michael D. Wood


Burp Suite will do exactly this.

http://portswigger.net/burp/

On 07/31/2013 06:04 AM, Robin Becker wrote:

Not sure if I am using the right terminology, but I want to create a
forward proxy that will allow me to substitute locally controlled
content for some of the requests eg a specific remote javascript file
(which I wish to debug).

My normal approach would be to save all html using a browser, but
this site is very dynamic with ajax etc and I am unable to save a
decent replica.

I imagine this can be done using a proxy setup with some specific
requests being diverted to a local web server, but I'm not exactly
sure how that should be done. I can set up a forward proxy easliy
enough, but don't know how to get mod_rewrite or whatever to 
interfere

with the proxy.



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Re: apache service interruption

2013-07-30 Thread Michael D. Wood

Two different things come to mind.  Kingcope found an Apache byterange 
vulnerability and the PoC code he wrote for it exhausts the resources on 
a server running Apache.  Only 1 instance of his perl script had to be 
ran.  LOIC is another that could possible DoS your server from one 
source.  What IP address was hitting your box when this happened?


On 07/30/2013 02:25 AM, Grant wrote:
You wouldn't keep a syn proxy rule enabled all the time; only under 
a DoS

attack.  You could also implement ModSecurity.


ModSecurity looks good and I think it works with nginx as well as
apache.  Is everyone who isn't running OSSEC HIDS or ModSecurity
vulnerable to a single client requesting too many pages and
interrupting the service?

- Grant


Also, you should be able to limit simultaneous client connections 
with

your
firewall and pass the traffic in a syn proxy state. There are 
numerous

ways
to achieve this.



Is that the best way to go besides OSSEC HIDS?  I can imagine that
sort of thing could cause problems.

- Grant



You can always compile from source ;)
What version of Apache are you running?

On 07/29/2013 02:59 AM, Grant wrote:



Was it just an IP exhausting the apache service with too many
connections?  What do you see in the access logs?  I use OSSEC 
HIDS on

my
apache servers to mitigate this.




In the access log I see the same IP made many requests during 
the
service interruption and I think that exhausted the apache 
service.
It looks like there isn't a Gentoo ebuild for OSSEC HIDS.  Is 
there

another way to prevent this sort of thing?

- Grant


My server has 4GB RAM and uses nginx as a reverse proxy to 
apache. A

little while ago my website became inaccessible for about 30
minutes.
I checked my munin graphs and it looks like apache processes 
spiked

to
about 29 during this time which is many times greater than 
usual. I
have MaxClients at 30 and the error log verifies that 
MaxClients was
not reached.  The strange part is system disk latency shows a 
spike
during the interruption which is only very slightly greater 
than

other
spikes which did not interrupt service.  System CPU, memory, 
and

swap
usage don't show anything interesting at all.

Does this make sense to anyone?  Should I decrease 
MaxClients?


- Grant




I've looked over my access_log and I can see there is a 
particular IP
which was making many requests during the interruption.  Since 
munin
does not show there was an excessive amount of memory or CPU 
usage,

lowering MaxClients won't help?

- Grant


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Re: apache service interruption

2013-07-29 Thread Michael D. Wood


You can always compile from source ;)
What version of Apache are you running?

On 07/29/2013 02:59 AM, Grant wrote:
Was it just an IP exhausting the apache service with too many 
connections?  What do you see in the access logs?  I use OSSEC HIDS on 
my apache servers to mitigate this.


In the access log I see the same IP made many requests during the
service interruption and I think that exhausted the apache service.
It looks like there isn't a Gentoo ebuild for OSSEC HIDS.  Is there
another way to prevent this sort of thing?

- Grant


My server has 4GB RAM and uses nginx as a reverse proxy to apache. 
A
little while ago my website became inaccessible for about 30 
minutes.
I checked my munin graphs and it looks like apache processes 
spiked to
about 29 during this time which is many times greater than usual.  
I
have MaxClients at 30 and the error log verifies that MaxClients 
was
not reached.  The strange part is system disk latency shows a 
spike
during the interruption which is only very slightly greater than 
other
spikes which did not interrupt service.  System CPU, memory, and 
swap

usage don't show anything interesting at all.

Does this make sense to anyone?  Should I decrease MaxClients?

- Grant


I've looked over my access_log and I can see there is a particular 
IP

which was making many requests during the interruption.  Since munin
does not show there was an excessive amount of memory or CPU usage,
lowering MaxClients won't help?

- Grant


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] SSL config - HTTPS not working

2013-07-29 Thread Michael D. Wood

 

The only reason I asked was because I had done this before and had
the virtualhost created for port 443 but forgot to a2ensite on the
virtualhost. 

On 07/29/2013 02:59 AM, Yuvapriya s wrote: 

 Yes.. I
have configured Vhosts for port 443..
 
 On Fri, Jul 26, 2013 at 2:56
PM, Michael D. Wood m...@itsecuritypros.org wrote:
 
 Do you have a
virtual host configured for the site SSL/443? 
 
 On 07/26/2013
05:15 AM, Yuvapriya s wrote: 
 
 Hi 
 
 We had done split
deployment of apache and tomcat and we are trying to configure ssl on
apache.
 Modified the httpd_ssl.conf file and uncommented the lines
to include mod_ssl.so and the conf file in httpd.conf and restarted
apache.
 
 Now we are getting below errors while loading the url
https:/BOE/CMC - HTTP 403 Forbidden Error
 https:/BOE/BI - HTTP 404
Not Found 
 
 Where as using http works fine for the same
url
 
 When checked on the logs, found the below error
messages.
 [client ::1] Directory index forbidden by Options
directive: G:/Program Files (x86)/Apache Software
Foundation/Apache2.2/htdocs/BOE/CMC/
 [client ::1] File does not
exist: G:/Program Files (x86)/Apache Software
Foundation/Apache2.2/htdocs/BOE/BI 
 
 Could you please help on
what needs to be done to resolve the same?
 
 Thanks

Re: [users@httpd] Re: apache service interruption

2013-07-29 Thread Michael D. Wood

Also, you should be able to limit simultaneous client connections with 
your firewall and pass the traffic in a syn proxy state. There are 
numerous ways to achieve this.


On 07/29/2013 03:18 AM, Michael D. Wood wrote:

You can always compile from source ;)
What version of Apache are you running?

On 07/29/2013 02:59 AM, Grant wrote:
Was it just an IP exhausting the apache service with too many 
connections?  What do you see in the access logs?  I use OSSEC HIDS 
on my apache servers to mitigate this.


In the access log I see the same IP made many requests during the
service interruption and I think that exhausted the apache service.
It looks like there isn't a Gentoo ebuild for OSSEC HIDS.  Is there
another way to prevent this sort of thing?

- Grant


My server has 4GB RAM and uses nginx as a reverse proxy to 
apache. A
little while ago my website became inaccessible for about 30 
minutes.
I checked my munin graphs and it looks like apache processes 
spiked to
about 29 during this time which is many times greater than usual. 
I
have MaxClients at 30 and the error log verifies that MaxClients 
was
not reached.  The strange part is system disk latency shows a 
spike
during the interruption which is only very slightly greater than 
other
spikes which did not interrupt service.  System CPU, memory, and 
swap

usage don't show anything interesting at all.

Does this make sense to anyone?  Should I decrease MaxClients?

- Grant


I've looked over my access_log and I can see there is a particular 
IP
which was making many requests during the interruption.  Since 
munin

does not show there was an excessive amount of memory or CPU usage,
lowering MaxClients won't help?

- Grant



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Re: apache service interruption

2013-07-29 Thread Michael D. Wood

You wouldn't keep a syn proxy rule enabled all the time; only under a 
DoS attack.  You could also implement ModSecurity.


On 07/29/2013 02:07 PM, Grant wrote:
Also, you should be able to limit simultaneous client connections 
with your
firewall and pass the traffic in a syn proxy state. There are 
numerous ways

to achieve this.


Is that the best way to go besides OSSEC HIDS?  I can imagine that
sort of thing could cause problems.

- Grant



You can always compile from source ;)
What version of Apache are you running?

On 07/29/2013 02:59 AM, Grant wrote:


Was it just an IP exhausting the apache service with too many
connections?  What do you see in the access logs?  I use OSSEC 
HIDS on my

apache servers to mitigate this.



In the access log I see the same IP made many requests during the
service interruption and I think that exhausted the apache 
service.
It looks like there isn't a Gentoo ebuild for OSSEC HIDS.  Is 
there

another way to prevent this sort of thing?

- Grant


My server has 4GB RAM and uses nginx as a reverse proxy to 
apache. A
little while ago my website became inaccessible for about 30 
minutes.
I checked my munin graphs and it looks like apache processes 
spiked to
about 29 during this time which is many times greater than 
usual. I
have MaxClients at 30 and the error log verifies that 
MaxClients was
not reached.  The strange part is system disk latency shows a 
spike
during the interruption which is only very slightly greater 
than other
spikes which did not interrupt service.  System CPU, memory, 
and swap

usage don't show anything interesting at all.

Does this make sense to anyone?  Should I decrease MaxClients?

- Grant



I've looked over my access_log and I can see there is a 
particular IP
which was making many requests during the interruption.  Since 
munin
does not show there was an excessive amount of memory or CPU 
usage,

lowering MaxClients won't help?

- Grant


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Re: apache service interruption

2013-07-27 Thread Michael D. Wood

Was it just an IP exhausting the apache service with too many connections?  
What do you see in the access logs?  I use OSSEC HIDS on my apache servers to 
mitigate this.
--
Sent from my mobile device
Michael D. Wood
www.itsecuritypros.org

Grant emailgr...@gmail.com wrote:

 My server has 4GB RAM and uses nginx as a reverse proxy to apache.  A
 little while ago my website became inaccessible for about 30 minutes.
 I checked my munin graphs and it looks like apache processes spiked to
 about 29 during this time which is many times greater than usual.  I
 have MaxClients at 30 and the error log verifies that MaxClients was
 not reached.  The strange part is system disk latency shows a spike
 during the interruption which is only very slightly greater than other
 spikes which did not interrupt service.  System CPU, memory, and swap
 usage don't show anything interesting at all.

 Does this make sense to anyone?  Should I decrease MaxClients?

 - Grant

I've looked over my access_log and I can see there is a particular IP
which was making many requests during the interruption.  Since munin
does not show there was an excessive amount of memory or CPU usage,
lowering MaxClients won't help?

- Grant

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] SSL config - HTTPS not working

2013-07-26 Thread Michael D. Wood

 

Do you have a virtual host configured for the site SSL/443? 

On
07/26/2013 05:15 AM, Yuvapriya s wrote: 

 Hi 
 
 We had done split
deployment of apache and tomcat and we are trying to configure ssl on
apache.
 Modified the httpd_ssl.conf file and uncommented the lines to
include mod_ssl.so and the conf file in httpd.conf and restarted
apache.
 
 Now we are getting below errors while loading the url 

https:/BOE/CMC - HTTP 403 Forbidden Error
 https:/BOE/BI - HTTP 404 Not
Found 
 
 Where as using http works fine for the same url
 

When checked on the logs, found the below error messages.
 [client ::1]
Directory index forbidden by Options directive: G:/Program Files
(x86)/Apache Software Foundation/Apache2.2/htdocs/BOE/CMC/
 [client
::1] File does not exist: G:/Program Files (x86)/Apache Software
Foundation/Apache2.2/htdocs/BOE/BI 
 
 Could you please help on what
needs to be done to resolve the same?
 
 Thanks

Re: [users@httpd] Router change issue

2013-07-25 Thread Michael D. Wood

 

The new wireless router is configured the same way as your old
router was? As in, the same network configuration and I'm assuming the
server you have Apache running on has a static ip in the same network?


Not much that has to change - port forward to your server running
Apache. 

What are you getting when trying to access the site?
Connection timed out, just doesn't connect at all? 

On 07/24/2013 05:02
PM, James Coyle wrote: 

 I installed a new wireless router last night
from Comcast. Previously I had been using an Apple Airport Extreme as a
router along with a regular cable modem. I have duplicated the IP scheme
on this new router and have opened up the appropriate port so that
Apache can serve up my web site, but so far I have had no luck in
getting the pages to display. 
 
 As I said, I've confirmed that the
correct port for my web hop via DYNDns is open (port 8102) and it is
mapped to my internal IP address. I have not changed my Apache config
file or anything else. 
 
 The only thing I can think of here is that
Apache is confused by the change in hardware since both the Airport
Extreme and the new Comcast wireless router are/were using the same
10.0.0.x range of addresses. 
 
 My old Airport is now in bridge mode
and is not acting as a router. 
 
 I am reluctant to call Comcast,
first of all because they are Comcast, and secondly because they are now
pushing a higher level of paid support that I'm not interested in. I'd
appreciate any help anyone could provide. Thanks.

Re: [users@httpd] Possible virus via httpd server

Re: [users@httpd] Possible virus via httpd server

Re: [users@httpd] Re: apache service interruption

Re: [users@httpd] Re: apache service interruption

Re: [users@httpd] substituting proxy

Re: [users@httpd] Re: apache service interruption

Re: [users@httpd] Re: apache service interruption

Re: [users@httpd] SSL config - HTTPS not working

Re: [users@httpd] Re: apache service interruption

Re: [users@httpd] Re: apache service interruption

Re: [users@httpd] Re: apache service interruption

Re: [users@httpd] SSL config - HTTPS not working

Re: [users@httpd] Router change issue

13 matches

Site Navigation

Mail list logo

Footer information