> You wouldn't keep a syn proxy rule enabled all the time; only under a DoS
> attack. You could also implement ModSecurity.

ModSecurity looks good and I think it works with nginx as well as
apache. Is everyone who isn't running OSSEC HIDS or ModSecurity
vulnerable to a single client requesting too many pages and
interrupting the service?

- Grant

>>> Also, you should be able to limit simultaneous client connections with
>>> your firewall and pass the traffic in a syn proxy state. There are
>>> numerous ways to achieve this.
>>
>> Is that the best way to go besides OSSEC HIDS? I can imagine that
>> sort of thing could cause problems.
>>
>> - Grant
>>
>>>> You can always compile from source ;)
>>>> What version of Apache are you running?
>>>>
>>>> On 07/29/2013 02:59 AM, Grant wrote:
>>>>>>
>>>>>> Was it just an IP exhausting the apache service with too many
>>>>>> connections? What do you see in the access logs? I use OSSEC HIDS
>>>>>> on my apache servers to mitigate this.
>>>>>
>>>>> In the access log I see the same IP made many requests during the
>>>>> service interruption and I think that exhausted the apache service.
>>>>> It looks like there isn't a Gentoo ebuild for OSSEC HIDS. Is there
>>>>> another way to prevent this sort of thing?
>>>>>
>>>>> - Grant
>>>>>
>>>>>>>> My server has 4GB RAM and uses nginx as a reverse proxy to
>>>>>>>> apache. A little while ago my website became inaccessible for
>>>>>>>> about 30 minutes. I checked my munin graphs and it looks like
>>>>>>>> apache processes spiked to about 29 during this time which is
>>>>>>>> many times greater than usual. I have MaxClients at 30 and the
>>>>>>>> error log verifies that MaxClients was not reached. The strange
>>>>>>>> part is system disk latency shows a spike during the
>>>>>>>> interruption which is only very slightly greater than other
>>>>>>>> spikes which did not interrupt service. System CPU, memory, and
>>>>>>>> swap usage don't show anything interesting at all.
>>>>>>>>
>>>>>>>> Does this make sense to anyone? Should I decrease MaxClients?
>>>>>>>>
>>>>>>>> - Grant
>>>>>>>
>>>>>>> I've looked over my access_log and I can see there is a particular
>>>>>>> IP which was making many requests during the interruption. Since
>>>>>>> munin does not show there was an excessive amount of memory or CPU
>>>>>>> usage, lowering MaxClients won't help?
>>>>>>>
>>>>>>> - Grant
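
Added example, not part of the original thread: one way to check an access log for the pattern discussed above (a single client IP making many requests in a short period) is a per-IP sliding-window count over common/combined log format lines. The function names, the thresholds and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common/combined log format prefix: client IP, identity, user, [timestamp]
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def find_heavy_clients(lines, max_requests=20, window_seconds=10):
    """Return {ip: peak_count} for clients that made more than max_requests
    requests inside any sliding window of window_seconds.
    Both thresholds are assumed values; tune them to the site's normal load.
    Lines are expected in roughly chronological order, as in an access log."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)    # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue               # skip malformed or truncated lines
        ip, raw_ts = m.groups()
        try:
            ts = datetime.strptime(raw_ts, TS_FORMAT)
        except ValueError:
            continue               # unparseable timestamp
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop requests older than the window
            q.popleft()
        if len(q) > max_requests:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def build_sample_log():
    """Constructed sample lines (documentation IPs), not real traffic."""
    start = datetime(2024, 1, 1, 2, 30, 0, tzinfo=timezone.utc)
    fmt = '{} - - [{}] "GET /page HTTP/1.1" 200 512'
    lines = []
    for i in range(40):            # one client: 40 requests in under 4 seconds
        ts = start + timedelta(seconds=i // 10)
        lines.append(fmt.format("192.0.2.10", ts.strftime(TS_FORMAT)))
    for i in range(5):             # another client: one request per minute
        ts = start + timedelta(minutes=i)
        lines.append(fmt.format("198.51.100.7", ts.strftime(TS_FORMAT)))
    return lines


if __name__ == "__main__":
    print(find_heavy_clients(build_sample_log()))
```

Because nginx sits in front of apache in the setup described, the apache log may show the proxy's address for every request; run the check against the log that records the real client IP.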