You can get the information from top - but if you want it in the command line you run:
ps -e -o rsz,vsz,sz,cp,cmd | grep apache2 | grep -v grep | sort -k 1 -n

rsz - is the resident size - this is the amount of memory the programme is actually reserving in memory

The output had the following type of lines:

> 1299300 3986396 996599 84 /usr/sbin/httpd -DFOREGROUND

So you can see the resident memory is approx. 1.25G....

-----Original Message-----
From: Andrea Croci <andrea.cr...@gmx.de>
Sent: 13 January 2021 09:59
To: users@httpd.apache.org
Subject: Re: [users@httpd] Aw: Re: [users@httpd] Apache in under attack. [EXT]

Hi James,

what was the command you used to see that apache uses ~1GB of memory? I deleted the mail and that was a bad idea: there were some very useful commands you were giving us here.

On 12.01.21 12:17, James Smith wrote:
> That shows you only have 2 incoming requests. How many lines if you remove the TIME_WAIT
>
> Try: netstat -n | grep ':80 ' | wc
>
> This may show lots of short requests happening over time
>
> But to be honest the most important thing you need to do is strip down the list of modules you are using - that is what is causing you problems - the apache processes are so large you are causing the server to swap -
>
> If you are permanently using a lot of swap then that slows down your processes and can cause your requests to back up (a bit like a traffic jam)
>
> You should only really have about 20-30 modules running.
>
> -----Original Message-----
> From: Jason Long <hack3r...@yahoo.com.INVALID>
> Sent: 12 January 2021 11:14
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Aw: Re: [users@httpd] Apache in under attack.
> [EXT]
>
> It shows me:
>
> # netstat -n | grep ':80 ' | grep -v TIME_WAIT
> tcp6 0 0 X.X.X.X:80 X.X.X.X:16126 FIN_WAIT2
> tcp6 0 0 X.X.X.X:80 X.X.X.X:64595 FIN_WAIT2
>
> On Tuesday, January 12, 2021, 02:20:00 PM GMT+3:30, James Smith <j...@sanger.ac.uk> wrote:
>
> If you want incoming traffic you can do:
>
> netstat -n | grep ':443 ' | grep -v TIME_WAIT
>
> The incoming IP should be the 2nd address
>
> (or ':80 ' if you aren't doing SSL)
>
> Remove the grep -v TIME_WAIT to see all connections {and recent connections}
>
> -----Original Message-----
> From: Jason Long <hack3r...@yahoo.com.INVALID>
> Sent: 12 January 2021 10:33
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Aw: Re: [users@httpd] Apache in under attack. [EXT]
>
> Output is:
>
> 1688 323400 80850 0 /usr/sbin/httpd -DFOREGROUND
> 6384 517620 129405 0 /usr/sbin/httpd -DFOREGROUND
> 1163280 3898288 974572 63 /usr/sbin/httpd -DFOREGROUND
> 1250040 3912624 978156 64 /usr/sbin/httpd -DFOREGROUND
> 1299300 3986396 996599 84 /usr/sbin/httpd -DFOREGROUND
> 1367304 4012976 1003244 74 /usr/sbin/httpd -DFOREGROUND
>
> How can I see the IP addresses and their incoming traffic?
>
> On Tuesday, January 12, 2021, 01:49:21 PM GMT+3:30, James Smith <j...@sanger.ac.uk> wrote:
>
> Another thing to look at is to restart the apache process and see memory usage. You can either use top. Or you can use a cron job which emails you the output of:
>
> ps -e -o rsz,vsz,sz,cp,cmd | grep apache2 | grep -v grep | sort -k 1 -n
>
> to see if you start or if it grows gradually
>
> -----Original Message-----
> From: Jason Long <hack3r...@yahoo.com.INVALID>
> Sent: 12 January 2021 10:01
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Aw: Re: [users@httpd] Apache in under attack.
> [EXT]
>
> I did the rule below, but it did not work:
> # iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset
>
> On Tuesday, January 12, 2021, 01:15:40 PM GMT+3:30, Florian Schwalm <f...@flo-films.de> wrote:
>
> It can be done with iptables or take a look at fail2ban:
> https://urldefense.proofpoint.com/v2/url?u=https-3A__security.stackexchange.com_q_35773_213194&d=DwIFaQ&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=oH2yp0ge1ecj4oDX0XM7vQ&m=I9F0cXVKI5lNIkmNjSJUj4c7qqr061vJX88jzcMLpvA&s=_jkuSoCIH2P5CqYmZuedFXUmuuq3Uf5PkIKE5nk_B3o&e=
>
> On 12.01.21, 10:26, Jason Long <hack3r...@yahoo.com.INVALID> wrote:
>> Thank you, but "Firewalld" or "iptables" can't do it automatically? When an IP is sending many requests then it is automatically blocked.
>>
>> On Tuesday, January 12, 2021, 12:49:50 PM GMT+3:30, James Smith <j...@sanger.ac.uk> wrote:
>>
>> Jason,
>>
>> I would also query why your processes are ~ 1G resident that seems quite large for apache.
>>
>> What modules do you have enabled - even with mod_perl embedded I would not want them to go about 500-800M depending on the size of your box.
>>
>> I know Apache is very good at grabbing memory for each process - but it doesn't tend to hand it back - and just keeps it (just in case)
>>
>> It looks like you either have a memory leak - or the code is collecting too much data before squirting it out
>>
>> There are other setups that you may want to look at if you have large dynamic requests and a lot of small static requests (images/css/js) where you run two web servers - one serving static content and proxying back to dynamic content.
>>
>> James
>>
>> -----Original Message-----
>> From: James Smith <j...@sanger.ac.uk>
>> Sent: 12 January 2021 09:09
>> To: users@httpd.apache.org
>> Subject: RE: [users@httpd] Apache in under attack.
>> [EXT]
>>
>> Put a firewall rule in to block whatever that first IP address is then.
>>
>> Something like:
>>
>> firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='X.X.X.X' reject"
>>
>> If you are seeing a current attack then you can tweak Charles' command line to:
>>
>> tail -10000 access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head
>>
>> or I often use cut instead of awk..
>>
>> tail -10000 access.log | cut -d ' ' -f 1 | sort | uniq -c | sort -nr | head
>>
>> -----Original Message-----
>> From: Jason Long <hack3r...@yahoo.com.INVALID>
>> Sent: 12 January 2021 08:53
>> To: users@httpd.apache.org
>> Subject: Re: [users@httpd] Apache in under attack. [EXT]
>>
>> It shows me:
>>
>> 13180 X.X.X.X
>> 1127 X.X.X.X
>> 346 X.X.X.X
>> 294 X.X.X.X
>> 241 X.X.X.X
>> 169 X.X.X.X
>> 168 X.X.X.X
>> 157 X.X.X.X
>> 155 X.X.X.X
>> 153 X.X.X.X
>>
>> On Tuesday, January 12, 2021, 07:12:22 AM GMT+3:30, Bender, Charles <char...@beachcamera.com.invalid> wrote:
>>
>> Run this against your log file in bash shell
>>
>> cat access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head
>>
>> This will show you most frequent IPs, sorted in descending order. Block as needed
>>
>> On 1/11/21, 7:11 PM, "Jason Long" <hack3r...@yahoo.com.INVALID> wrote:
>>
>> Can you help me?
>>
>> On Tuesday, January 12, 2021, 03:36:30 AM GMT+3:30, Nick Folino <n...@folino.us> wrote:
>>
>> Concentrate on just one...
>>
>> On Mon, Jan 11, 2021 at 7:02 PM Jason Long <hack3r...@yahoo.com.invalid> wrote:
>> > It is a lot of IP addresses !!!
>> >
>> > On Tuesday, January 12, 2021, 03:30:02 AM GMT+3:30, Nick Folino <n...@folino.us> wrote:
>> >
>> > How to find pattern:
>> > Look at log.
>> > Find bad things that are similar.
>> >
>> > Then:
>> > Block bad things from reaching web server.
>> >
>> > On Mon, Jan 11, 2021 at 6:49 PM Jason Long <hack3r...@yahoo.com.invalid> wrote:
>> >> How to find pattern?
>> >> Log shows me: https://urldefense.proofpoint.com/v2/url?u=https-3A__paste.ubuntu.com_p_MjjVMvRrQc_&d=DwIFaQ&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=oH2yp0ge1ecj4oDX0XM7vQ&m=3PjPryDoNL3lr2gh0F6gLkL-pFWSat8aihqbLnBMag8&s=iTeaVG53Ne-jiAhMis6h9nlKBdUrWXhIuky31GQhURE&e=
>> >>
>> >> On Tuesday, January 12, 2021, 03:06:12 AM GMT+3:30, Filipe Cifali <cifali.fil...@gmail.com> wrote:
>> >>
>> >> Yeah it's probably not going to matter if you don't know what's attacking you before setting up the rules, you need to find the patterns, either the attack target or the attackers origins.
>> >>
>> >> On Mon, Jan 11, 2021 at 8:26 PM Jason Long <hack3r...@yahoo.com.invalid> wrote:
>> >>> I used a rule like:
>> >>>
>> >>> # firewall-cmd --permanent --zone="public" --add-rich-rule='rule port port="80" protocol="tcp" accept limit value="100/s" log prefix="HttpsLimit" level="warning" limit value="100/s"'
>> >>>
>> >>> But not matter.
>> >>>
>> >>> On Tuesday, January 12, 2021, 02:47:01 AM GMT+3:30, Filipe Cifali <cifali.fil...@gmail.com> wrote:
>> >>>
>> >>> You need to investigate your logs and find common patterns there, also there are different tools to handle small and big workloads like you could use iptables/nftables to block based on patterns and number of requests.
>> >>>
>> >>> On Mon, Jan 11, 2021 at 8:06 PM Jason Long <hack3r...@yahoo.com.invalid> wrote:
>> >>>> Hello,
>> >>>> On a CentOS web server with Apache, someone makes a lot of requests and it makes the server slow. When I disable the "httpd" service the problem is solved. How can I find who made a lot of requests?
>> >>>>
>> >>>> [url]https://urldefense.proofpoint.com/v2/url?u=https-3A__imgur.com_O33g3ql-5B_url-5D&d=DwIFaQ&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=oH2yp0ge1ecj4oDX0XM7vQ&m=3PjPryDoNL3lr2gh0F6gLkL-pFWSat8aihqbLnBMag8&s=5Qu-cdmn037VIUfExtigktWPBBJ7lby836voIoSO_y0&e=
>> >>>> Any idea to solve it?
>> >>>>
>> >>>> Thank you.
>> >>>>
>> >>>> ---------------------------------------------------------------------
>> >>>> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>> >>>> For additional commands, e-mail: users-h...@httpd.apache.org
>> >>>
>> >>> --
>> >>> [ ]'s
>> >>>
>> >>> Filipe Cifali Stangler
>> >>
>> >> --
>> >> [ ]'s
>> >>
>> >> Filipe Cifali Stangler
>>
>> --
>> The Wellcome Sanger Institute is operated by Genome Research Limited, a charity registered in England with number 1021457 and a company registered in England with number 2742969, whose registered office is 215 Euston Road, London, NW1 2BE.
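
The per-IP counting done in the thread with awk, sort and uniq -c, extended here as an added example (not written by anyone in the thread) to also print each client's share of all requests and its most requested path, which is the "find bad things that are similar" step. It assumes the Apache common/combined log format; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Apache common/combined log
# format: client IP in field 1, request path in field 7.

# top_talkers FILE [N]: print "count share% ip top_path(hits)" for the
# N busiest client IPs (default 10), busiest first.
top_talkers() {
    LC_ALL=C awk '
    {
        ip = $1; path = $7
        total++
        hits[ip]++
        per[ip SUBSEP path]++
        # remember the most requested path seen so far for this IP
        if (per[ip SUBSEP path] > best[ip]) {
            best[ip] = per[ip SUBSEP path]
            bestpath[ip] = path
        }
    }
    END {
        for (ip in hits)
            printf "%d %.1f%% %s %s(%d)\n", hits[ip],
                   100 * hits[ip] / total, ip, bestpath[ip], best[ip]
    }' "$1" | LC_ALL=C sort -k1,1nr -k3,3 | head -n "${2:-10}"
}

# Constructed sample log (documentation-range addresses) so this runs offline.
sample_log() {
    i=0
    while [ "$i" -lt 8 ]; do
        echo '192.0.2.10 - - [12/Jan/2021:08:50:01 +0000] "POST /search HTTP/1.1" 200 512'
        i=$((i + 1))
    done
    echo '192.0.2.10 - - [12/Jan/2021:08:50:02 +0000] "GET / HTTP/1.1" 200 1024'
    echo '198.51.100.7 - - [12/Jan/2021:08:50:03 +0000] "GET /index.html HTTP/1.1" 200 2048'
    echo '198.51.100.7 - - [12/Jan/2021:08:50:04 +0000] "GET /style.css HTTP/1.1" 200 300'
    echo '203.0.113.5 - - [12/Jan/2021:08:50:05 +0000] "GET /index.html HTTP/1.1" 200 2048'
}

tmp=$(mktemp)
sample_log > "$tmp"
top_talkers "$tmp" 3
rm -f "$tmp"
```

One address with most of the requests, all for the same path, is the kind of pattern a firewall rule or fail2ban filter can then be written against.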