Re: [us...@httpd] Rotating logs
There are other ways to rotate Apache logs, too. For example, on my FreeBSD systems, there is something called newsyslog present at the operating system level. There is a file named /etc/newsyslog.conf that has the following lines on my system (I edited the file and added these lines): # logfilename [owner:group]mode count size when flags [/pid_file] [sig_num] /var/log/httpd-access.log 644 101000 * J /var/run/httpd.pid30 /var/log/httpd-error.log644 101000 * J /var/run/httpd.pid30 The signal 30 on FreeBSD is SIGUSR1. SIGUSR1 is what you send to Apache to close the current log and start a new one, or something like that. SIGUSR1 is probably a different number on your Linux system. Anyhow, the entries above in newsyslog on my system make everything work perfectly. Logs are rotated, archived, and removed after there are too many archived logs. I prefer rotating logs with newsyslog.
Re: [us...@httpd] configure apache to parse php
> According to the php manual, apache should be configured to parse php, e.g.: > > > SetHandler application/x-httpd-php > > Apparently this should be part of the addtype directive. I don't > understand which file I am to edit and add the code shown above. Can > somebody help please? In my opinion the preferred way to build PHP is with APACHE "Build Apache module" set to on. If you installed Apache from ports, you want to edit for example /usr/local/etc/apache22/httpd.conf . Relevant lines in httpd.conf that configure PHP are, if you are configuring the Apache module. LoadModule php5_modulelibexec/apache22/libphp5.so DirectoryIndex index.html index.php AddType application/x-httpd-php .php AddType application/x-httpd-php-source .phps php_value include_path .:/usr/local/share/pear:/some/dir/to/php_includes php_value display_errors On - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org " from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [us...@httpd] slowloris mitigation
> Posted to users@ (as well as dev@) in case anyone wants to > report experiences - good or bad - on using it. I have tried using various Apache modules to address possibilities of Slowloris attacks. Finally, after not being satisfied with what existing modules had to offer, I ended up using operating system firewall rules to limit the number of concurrent TCP connections from any given IP address. The firewall solution (using OpenBSD Packet Filter) was not perfect either, because connections in a FIN_WAIT_2 state are counted towards the "open connection number", and they linger for about a minute. What I really wanted was a limit on the number of established TCP connections from any single IP address. The problem I had with existing Apache modules (I forget which ones exactly I tried) is that they forked a child process for incoming connections, and then only after forking did they close the connection under certain conditions. What I really wanted was the ability to _not_ fork a child process for an incoming TCP connection from an IP address if there already exist N number of established TCP connections from that IP address. Perhaps due to the limitations of Apache's architecture (??) it's not possible to control whether a TCP connection causes a fork (??) via custom module. Since Apache forks always, regardless of what the anti-loris modules did afterwards, the max children in Apache can be reached quickly and that would cause a denial of service until the children would be freed up. Is it possible to write a module that prevents a fork altogether as described? - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org " from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [us...@httpd] Re: Preventing DoS attacks from single client host
> > You using iptables? What rules did you end up using to accomplish this? > Using OpenBSD's Packet Filter. It's not perfect; I have to set the connection limit quite high (at 36) because the connection state stays in the firewall for about a minute even during the FIN_WAIT_2 stage. Here are my rules from pf.conf: set optimization aggressive ext_if = "em0" # This will allow Slowloris attack from localhost, but that's OK. pass in on $ext_if proto tcp from any to any port = http flags S/SA \ synproxy state (source-track rule, max-src-conn 36, if-bound) - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org " from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [us...@httpd] Re: Preventing DoS attacks from single client host
> Isn't it diffcult to configure it based on Ip because: > > 1. Ip could be of proxy server > 2. Ip could be of ISP > > Would that lead into good requests being denied? Sometimes, yes, but mostly, no. - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org " from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [us...@httpd] Re: Preventing DoS attacks from single client host
Guys, I think I'll just add Operating System wide firewall rules to disallow more than N number of concurrent TCP connections to port 80 from a single IP address. - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org " from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [us...@httpd] Re: Preventing DoS attacks from single client host
On Sat, Apr 3, 2010 at 9:09 PM, Nerius Landys wrote: >> if (ip_count > conf->limit) { >> ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, "Rejected, >> too many connections in READ state from %s", c->remote_ip); >> return OK; >> } else { >> return DECLINED; >> } I'd like to modify mod_antiloris to force a socket close and/or a child process death when the condition is detected. The plain-vanilla mod_antoloris is not effective enough for my taste (I can still DoS a server pretty damn well with my program). Should I ask on the dev mailing list for them to help me with some module APIs? I tried to figure out how to force a connection close, but I could not find it. - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org " from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [us...@httpd] Re: Preventing DoS attacks from single client host
> if (ip_count > conf->limit) { > ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, "Rejected, > too many connections in READ state from %s", c->remote_ip); > return OK; > } else { > return DECLINED; > } I figured out what OK and DECLINED mean. In httpd.h: #define DECLINED -1 /**< Module declines to handle */ #define DONE -2 /**< Module has served the response completely * - it's safe to die() with no more output */ #define OK 0/**< Module has handled this stage. */ In other words, by returning OK it's telling Apache that we're pretty much done processing the request. DECLINED means we didn't do anything and some other module must handle this request. I tried changing OK to DONE in the mod_antiloris code, thinking it may close the connection and kill the child process sooner. However, regardless of returning OK or DONE when ip_count is greater than conf->limit, the 80 child processes (corresponding to MaxClients 80) linger on my system during the attack. I can still DoS attack my webserver from a single client. Is there any way to prevent even forking a child process if the TCP connection comes from an IP address for which there are already a certain number of child processes? - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org " from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [us...@httpd] Re: Preventing DoS attacks from single client host
> This is called 'slow loris' attack. That'll give you something to Google for > :) Thank you so much for the help guys. I did Google "slowloris" and I did indeed find much information. In fact, the program I wrote from scratch does the exact attack described on the slowloris Wikipedia page. Anyhow, I hunted down a custom Apache module called mod_antiloris. This module limits the number of SERVER_BUSY_READ state connections from a single IP address. The default limit is 5 (I will turn mine up to 10 or more when I get it to work). I compiled and installed mod_antiloris. I then tried bombarding my httpd server with the same program that took it down earlier. The behavior was slightly better, but the site still came down for a good few seconds (more than I'm comfortable with). I did also see messages in my httpd error log that indicated that mod_antiloris was indeed doing something. However, I got suspicious when I got the message "server reached MaxClients setting, consider raising the MaxClients setting" in my error log during the attack that I initiated. We were still reaching the maximum 80 clients even with mod_antiloris enabled? And my website was still being brought down during the attack? So, I decided to consule to source code of mod_antiloris. The full source code is here at this temporary link: http://porky.nerius.com/temp/mod_antiloris.c This is version 0.4 of mod_antiloris. If you don't mind looking closely at the source code, go to pre_connection(), at the end of that function: if (ip_count > conf->limit) { ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, "Rejected, too many connections in READ state from %s", c->remote_ip); return OK; } else { return DECLINED; } Apparently, we're returning what seems to be OK if ip_count is greater thyan conf->limit (which in my case is 5). And we return DECLINED (whatever that means) otherwise. Hrm. This seems backwards. First of all, how does my webserver even _work_ with this logic being backwards? If I think about it slightly longer, one possible scenario that would explain why the website is still working is as follows. The first 5 connections from a client come in, and are denied. Somehow they linger somewhere and SERVER_BUSY_READ is still counted towards ip_count for these 5 denied connections. Then the 6th connection comes in, and is logged and accepted. Wow, can this code be so broken? I installed this code directly from a FreeBSD port, and FreeBSD ports are not supposed to be broken as bad as this. Do you think just switching the "OK" with "DECLINED" in the source code would fix the problem? - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org " from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
[us...@httpd] Preventing DoS attacks from single client host
Hi guys. I'm in the process of writing some custom server code that uses TCP sockets. This is totally unrelated to Apache and the HTTP protocol (but please read on, I'll get there). I have quite a bit of experience writing server code that communicates with UDP, but I've had relatively little experience with TCP. One of my big concerns whenever I write server code is the possibility of flooding the service with requests (DoS attack). I started thinking about TCP and what would happen when a typical service such as httpd was flooded with many almost idle TCP connections. I happen to run a couple of dedicated server boxes in a data center that host a few amateur websites (amateur in the sense that it's a hobby and it is in no way making me a profit). I starting thinking about how Apache would handle a connection flood attack. So I wrote a computer program that tries to flood a service with TCP connections. The program does the following. It first determines what data to send to a server (array of bytes), and where to send it to (sendTo hostname and sendTo port). In my case for purposes of running this test, the data to send is specified as an HTTP request that I assembled by hand (well actually I intercepted an actual HTTP request and modified it slightly). Another parameter the program takes is now many simultaneous TCP connections to open to the sendTo host. The program creates that many threads, and each thread creates a socket to the sendTo host. Each thread starts sending the data at a very low speed. It sends some small number of bytes after random amounts of sleep/delay time, and keeps sending the data until all data is sent. It then reads socket input until the end of the input arrives (using "Connection: close" in my HTTP request). So what I did was run my program with 100 threads (100 simultaneous TCP connections) that connected to my Apache httpd server. The program sent a few hundered bytes worth of HTTP headers in each connection during a timespan of about one minute. The httpd server that I sent this data to is configured with "MaxClients 80", and it's using a pretty standard configuration that comes with apache22 from ports on FreeBSD. I believe it's using mpm_prefork_module because I get a separate process showing up in top for each request that is serviced (in my test case I got 80 or so processes showing up in top). So, when I run the 100 thread program against my max-80-clients server, and each of the 100 threads takes over one minute to send the complete HTTP request header, my Apache httpd server becomes unavailable to other incoming connections. In other words, it's a DoS attack originating from a single client host. I'm wondering what methods are preferred for preventing this sort of attack. I'm wondering this for two reasons: 1) I want to secure my websites and 2) I want to learn techniques that address this issue because I'm writing my own TCP-oriented server software. I have read this page: http://httpd.apache.org/docs/trunk/misc/security_tips.html It seems that the best suggestion learned there is to configure a system-wide firewall which limits the number of concurrent TCP connections from a single IP address to port 80. Is this indeed a good strategy to follow? If so, what is a good number of maximum TCP connections to allow concurrently from a single IP address to port 80? I know this depends on things such as my website, but I really just want to get a ballpark figure and reasons for that figure. I'm also wondering if there exist any other good strategies for dealing with a DoS attack as described above, coming from a single host. I do have the cband_module enabled for one of my virtual hosts. I'm using the cband module for a particular website to limit the number of concurrent connections from one IP address to 1. Because of this, it seems that I cannot place anything more than a simple HTML page on that virtual host (if I add images to a page for example, downloading them will fail). That's OK, because that particular website is only doing a very CPU-intensive number-crunching activity for clients that connect. I am hosting images that go on that page on a different virtual host that does not have cband activated. I noticed that the cband module takes effect at a rather higher level than just at the lowest level TCP connection. It does not work quite the way I would expect it to work (there are some race conditions which allow multiple CPU-crunching requests to be processed from the same IP address concurrently on my website). Your thoughts are very much appreciated. - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org " from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd