Output is:

1688 323400 80850 0 /usr/sbin/httpd -DFOREGROUND
6384 517620 129405 0 /usr/sbin/httpd -DFOREGROUND
1163280 3898288 974572 63 /usr/sbin/httpd -DFOREGROUND
1250040 3912624 978156 64 /usr/sbin/httpd -DFOREGROUND
1299300 3986396 996599 84 /usr/sbin/httpd -DFOREGROUND
1367304 4012976 1003244 74 /usr/sbin/httpd -DFOREGROUND

How can I see the IP addresses and their incoming traffic?

On Tuesday, January 12, 2021, 01:49:21 PM GMT+3:30, James Smith <j...@sanger.ac.uk> wrote:

Another thing to look at is to restart the apache process and see memory usage. You can either use top.

Or you can use a cron job which emails you the output of:

ps -e -o rsz,vsz,sz,cp,cmd | grep apache2 | grep -v grep | sort -k 1 -n

to see if you start or if it grows gradually

-----Original Message-----
From: Jason Long <hack3r...@yahoo.com.INVALID>
Sent: 12 January 2021 10:01
To: users@httpd.apache.org
Subject: Re: [users@httpd] Aw: Re: [users@httpd] Apache in under attack. [EXT]

I did below rule, but not worked:

# iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset

On Tuesday, January 12, 2021, 01:15:40 PM GMT+3:30, Florian Schwalm <f...@flo-films.de> wrote:

It can be done with iptables or take a look at fail2ban:
https://urldefense.proofpoint.com/v2/url?u=https-3A__security.stackexchange.com_q_35773_213194&d=DwIFaQ&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=oH2yp0ge1ecj4oDX0XM7vQ&m=I9F0cXVKI5lNIkmNjSJUj4c7qqr061vJX88jzcMLpvA&s=_jkuSoCIH2P5CqYmZuedFXUmuuq3Uf5PkIKE5nk_B3o&e=

On 12.01.21, 10:26, Jason Long <hack3r...@yahoo.com.INVALID> wrote:

> Thank you, but "Firewalld" or "iptables" can't do it automatically? When an
> IP sending many request then it automatically blocked.
>
> On Tuesday, January 12, 2021, 12:49:50 PM GMT+3:30, James Smith <j...@sanger.ac.uk> wrote:
>
> Jason,
>
> I would also query why your process are ~ 1G resident that seems quite large
> for apache.
>
> What modules do you have enabled - even with mod_perl embedded I would not
> want them to go about 500-800M depending on the site of your box.
>
> I know Apache is very good at grabbing memory for each process - but it
> doesn't tend to hand it back - and just keeps it (just in case)
>
> It looks like you either have a memory leak - or the code is collecting too
> much data before squirting it out
>
> There are other setups that you may want to look at if you have large dynamic
> requests and a lot of small static request (images/css/js) where you run two
> web servers - one serving static content and proxying back to dynamic
> content.
>
> James
>
> -----Original Message-----
> From: James Smith <j...@sanger.ac.uk>
> Sent: 12 January 2021 09:09
> To: users@httpd.apache.org
> Subject: RE: [users@httpd] Apache in under attack. [EXT]
>
> Put a firewall rule into block whatever that first IP address is then.
>
> Something like:
>
> firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='X.X.X.X' reject"
>
> If you are seeing a current attack then you can tweak Charles' command line
> to:
>
> tail -10000 access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head
>
> or I often use cut instead of awk..
>
> tail -10000 access.log | cut -d ' ' -f 1 | sort | uniq -c | sort -nr | head
>
> -----Original Message-----
> From: Jason Long <hack3r...@yahoo.com.INVALID>
> Sent: 12 January 2021 08:53
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Apache in under attack. [EXT]
>
> It show me:
>
> 13180 X.X.X.X
> 1127 X.X.X.X
> 346 X.X.X.X
> 294 X.X.X.X
> 241 X.X.X.X
> 169 X.X.X.X
> 168 X.X.X.X
> 157 X.X.X.X
> 155 X.X.X.X
> 153 X.X.X.X
>
> On Tuesday, January 12, 2021, 07:12:22 AM GMT+3:30, Bender, Charles <char...@beachcamera.com.invalid> wrote:
>
> Run this against your log file in bash shell
>
> cat access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head
>
> This will show you most frequent IPs, sorted in descending order. Block as
> needed
>
> On 1/11/21, 7:11 PM, "Jason Long" <hack3r...@yahoo.com.INVALID> wrote:
>
> Can you help me?
>
> On Tuesday, January 12, 2021, 03:36:30 AM GMT+3:30, Nick Folino <n...@folino.us> wrote:
>
> Concentrate on just one...
>
> On Mon, Jan 11, 2021 at 7:02 PM Jason Long <hack3r...@yahoo.com.invalid> wrote:
> > It is a lot of IP addresses !!!
> >
> > On Tuesday, January 12, 2021, 03:30:02 AM GMT+3:30, Nick Folino <n...@folino.us> wrote:
> >
> > How to find pattern:
> > Look at log.
> > Find bad things that are similar.
> >
> > Then:
> > Block bad things from reaching web server.
> >
> > On Mon, Jan 11, 2021 at 6:49 PM Jason Long <hack3r...@yahoo.com.invalid> wrote:
> >> How to find pattern?
> >> Log show me:
> >> https://urldefense.proofpoint.com/v2/url?u=https-3A__paste.ubuntu.com_p_MjjVMvRrQc_&d=DwIFaQ&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=oH2yp0ge1ecj4oDX0XM7vQ&m=3PjPryDoNL3lr2gh0F6gLkL-pFWSat8aihqbLnBMag8&s=iTeaVG53Ne-jiAhMis6h9nlKBdUrWXhIuky31GQhURE&e=
> >>
> >> On Tuesday, January 12, 2021, 03:06:12 AM GMT+3:30, Filipe Cifali <cifali.fil...@gmail.com> wrote:
> >>
> >> Yeah it's probably not going to matter if you don't know what's
> >> attacking you before setting up the rules, you need to find the patterns,
> >> either the attack target or the attackers origins.
> >>
> >> On Mon, Jan 11, 2021 at 8:26 PM Jason Long <hack3r...@yahoo.com.invalid> wrote:
> >>> I used a rule like:
> >>>
> >>> # firewall-cmd --permanent --zone="public" --add-rich-rule='rule port port="80" protocol="tcp" accept limit value="100/s" log prefix="HttpsLimit" level="warning" limit value="100/s"'
> >>>
> >>> But not matter.
> >>>
> >>> On Tuesday, January 12, 2021, 02:47:01 AM GMT+3:30, Filipe Cifali <cifali.fil...@gmail.com> wrote:
> >>>
> >>> You need to investigate your logs and find common patterns there,
> >>> also there are different tools to handle small and big workloads like you
> >>> could use iptables/nftables to block based on patterns and number of
> >>> requests.
> >>>
> >>> On Mon, Jan 11, 2021 at 8:06 PM Jason Long <hack3r...@yahoo.com.invalid> wrote:
> >>>> Hello,
> >>>> On a CentOS web server with Apache, someone make a lot of request
> >>>> and it make slowing server. when I disable "httpd" service then problem
> >>>> solve. How can I find who made a lot of request?
> >>>> [url]https://urldefense.proofpoint.com/v2/url?u=https-3A__imgur.com_O33g3ql-5B_url-5D&d=DwIFaQ&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=oH2yp0ge1ecj4oDX0XM7vQ&m=3PjPryDoNL3lr2gh0F6gLkL-pFWSat8aihqbLnBMag8&s=5Qu-cdmn037VIUfExtigktWPBBJ7lby836voIoSO_y0&e=
> >>>> Any idea to solve it?
> >>>>
> >>>> Thank you.
> >>>>
> >>>> ---------------------------------------------------------------------
> >>>> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> >>>> For additional commands, e-mail: users-h...@httpd.apache.org
> >>>
> >>> --
> >>> [ ]'s
> >>>
> >>> Filipe Cifali Stangler
>
> --
> The Wellcome Sanger Institute is operated by Genome Research Limited, a
> charity registered in England with number 1021457 and a company registered
> in England with number 2742969, whose registered office is 215 Euston Road,
> London, NW1 2BE.
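
A fuller version of the log triage discussed in this thread (most frequent client addresses, then a reject rule per offender), as an added example that is not part of any poster's message: it also totals response bytes per client and only prints firewalld rules for addresses above a request threshold. The function names, the threshold and the sample log lines are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Assumes Common/Combined Log Format:
# field 1 = client address, field 10 = response size (%b, "-" when empty).
# %b counts bytes sent to the client; request bytes need mod_logio's %I.

# per_client LOGFILE [LINES]: "requests bytes address", busiest first,
# computed over the last LINES lines (default 10000, as in the thread).
per_client() {
    tail -n "${2:-10000}" "$1" |
        awk '{ req[$1]++; if ($10 ~ /^[0-9]+$/) bytes[$1] += $10 }
             END { for (ip in req) printf "%d %.0f %s\n", req[ip], bytes[ip], ip }' |
        sort -k1,1nr -k3,3
}

# top_talkers LOGFILE [LINES] [TOP]: the TOP busiest clients (default 10).
top_talkers() { per_client "$1" "$2" | head -n "${3:-10}"; }

# block_candidates LOGFILE THRESHOLD [LINES]: print, without running them,
# reject rules in the form posted in the thread for clients above THRESHOLD.
block_candidates() {
    per_client "$1" "$3" | awk -v t="$2" -v q="'" '$1 > t {
        fam = ($3 ~ /:/) ? "ipv6" : "ipv4"
        printf "firewall-cmd --permanent --add-rich-rule=\"rule family=%s%s%s source address=%s%s%s reject\"\n", q, fam, q, q, $3, q }'
}

# Constructed sample log (documentation addresses), not data from the thread.
sample_log() {
    local i
    for i in 1 2 3 4 5; do
        echo '192.0.2.10 - - [12/Jan/2021:10:00:00 +0000] "GET / HTTP/1.1" 200 5120'
    done
    echo '198.51.100.7 - - [12/Jan/2021:10:00:01 +0000] "GET /a.css HTTP/1.1" 304 -'
    echo '198.51.100.7 - - [12/Jan/2021:10:00:02 +0000] "GET /b.js HTTP/1.1" 200 300'
    echo '2001:db8::1 - - [12/Jan/2021:10:00:03 +0000] "GET / HTTP/1.1" 200 5120'
}

log=$(mktemp)
sample_log > "$log"
top_talkers "$log" 10000 5     # request count, response bytes, client
block_candidates "$log" 3      # review the output before running any of it
rm -f "$log"
```

Rules added with `--permanent` take effect after `firewall-cmd --reload`. A single busy address can be a shared proxy or NAT gateway, so check what it is requesting before rejecting it.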