On 11/10/2017 12:41 PM, Douglas Duckworth wrote:
> Hi
>
> I am running old PHP under Apache httpd-2.4.
>
> During a typical day:
>
> Server load: 0.03 0.03 0.05
> Total accesses: 16028 - Total Traffic: 1.4 GB
> CPU Usage: u20.92 s1.24 cu.01 cs.23 - .00163% CPU load
> .0116 requests/sec - 1104 B/second - 92.7 kB/request
> 2 requests currently being processed, 8 idle workers
>
> Though, every few weeks, we see a sudden increase in workers who never seem to
> retire:
>
> [Fri Nov 10 02:43:20.019924 2017] [mpm_prefork:error] [pid 13584] AH00161:
> server reached MaxRequestWorkers setting, consider raising the
> MaxRequestWorkers setting
>
> user@server[/var/www]$ ps aux | grep [h]ttpd | wc -l
> 257
>
> It's my belief that this occurs due to malicious activity involving our old
> PHP sites, given this version has multiple known denial of service
> vulnerabilities; however, the only thing I see in logs, during the time when
> workers were spawned, is light spider and bot activity.
>
> We are running mod_security, mod_evasive, and mod_reqtimeout.
>
> apachectl -t -D DUMP_MODULES | grep -e timeout -e security -e evasive
>
> reqtimeout_module (shared)
> security2_module (shared)
> evasive20_module (shared)
>
> httpd.conf:
>
> MaxKeepAliveRequests 50
> KeepAlive On
> Timeout 30
> KeepAliveTimeout 10
>
> <IfModule reqtimeout_module>
> RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
> </IfModule>
>
> <IfModule mpm_prefork_module>
> StartServers 5
> MinSpareServers 2
> MaxSpareServers 10
> MaxRequestWorkers 128
> MaxRequestsPerChild 50
> MaxRequestWorkers 100
> </IfModule>
>
> modsecurity.conf:
>
> SecRuleEngine on
>
> mod_evasive.conf:
>
> DOSPageCount 50
> DOSSiteCount 100
> DOSPageInterval 1
> DOSSiteInterval 1
>
> php.ini:
>
> max_execution_time = 10
> max_input_time = 10
> memory_limit = 32M
> error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
> log_errors = On
>
> I set MaxRequestWorkers to 100, though it seems that threshold was passed;
> meanwhile the server's no longer serving data, as the failover's now
> active, but these httpd workers *refuse to die*!
>
> If my VirtualHosts were under DoS, in a manner that exploits PHP, then
> would I even be able to detect them in the logs?
>
> Based upon my limited experience, I should be protected against both "slow"
> and "fast" DoS, though of course not DDoS. I greatly appreciate the insight
> and assistance. We plan on replacing our old PHP sites, but until then I
> want to do what I can to ensure this stops happening other than bringing up
> the failover.
>
> Thanks,
>
> Douglas Duckworth, MSc, LFCS
> HPC System Administrator
> Scientific Computing Unit
> Physiology and Biophysics
> Weill Cornell Medicine
> E: doug@xxxxxxxxxxxxxxx
> O: 212-746-6305
> F: 212-746-8690

Did you try the PHP mailing list?
That version of PHP is like Swiss cheese, and you are not going to be able to avoid a complete rebuild of the server, which should be chrooted or on a read-only file system; analysis is of minimal value, if not counterproductive.

Ruben Safir, MS Comp Sci (Computational Evolutionary Biology), BS Pharm RPh
NYLXS Chief Technologist
Free Software Education and Advocacy since 1997
E: ruben@xxxxxxxxxxxx
O: 718-715-1771

--
So many immigrant groups have swept through our town that Brooklyn, like Atlantis, reaches mythological proportions in the mind of the world - RI Safir 1998
http://www.mrbrklyn.com

DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
http://www.nylxs.com - Leadership Development in Free Software
http://www2.mrbrklyn.com/resources - Unpublished Archive
http://www.brooklyn-living.com

Being so tracked is for FARM ANIMALS and extermination camps, but incompatible with living as a free human being. -RI Safir 2013
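Two things a defender would want to check before blaming the old PHP for the stuck workers in the thread above: which of the two MaxRequestWorkers values in that prefork block Apache actually honours (the last one read wins, so the limit is 100, not 128), and what state the workers are stuck in, which mod_status's machine-readable scoreboard (`/server-status?auto`) reveals. The following script is an added example, not code from the thread; the status sample it parses is constructed, and the `warn_ratio` threshold is an assumption.

```python
import re
from collections import Counter

# Meaning of the single-character worker states in a mod_status scoreboard.
SCOREBOARD = {
    "_": "waiting", "S": "starting", "R": "reading request", "W": "sending reply",
    "K": "keepalive", "D": "dns lookup", "C": "closing", "L": "logging",
    "G": "gracefully finishing", "I": "idle cleanup", ".": "open slot",
}

# The prefork block from the thread: MaxRequestWorkers appears twice.
HTTPD_CONF = """\
<IfModule mpm_prefork_module>
  StartServers 5
  MinSpareServers 2
  MaxSpareServers 10
  MaxRequestWorkers 128
  MaxRequestsPerChild 50
  MaxRequestWorkers 100
</IfModule>
"""

# Constructed /server-status?auto output (real field names, made-up numbers):
# 70 workers sending a reply (PHP running), 27 still reading the request.
SAMPLE_STATUS = (
    "Total Accesses: 16028\nBusyWorkers: 97\nIdleWorkers: 3\n"
    "Scoreboard: " + "W" * 70 + "R" * 27 + "_" * 3 + "." * 28 + "\n"
)

def effective_max_workers(httpd_conf: str) -> int:
    """Apache keeps the last MaxRequestWorkers (or legacy MaxClients) it reads."""
    values = re.findall(r"^\s*(?:MaxRequestWorkers|MaxClients)\s+(\d+)", httpd_conf, re.M)
    return int(values[-1]) if values else 256  # prefork's compiled-in default

def parse_status(auto_text: str) -> dict:
    """Turn the 'Key: value' lines of /server-status?auto into a dict."""
    fields = {}
    for line in auto_text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def worker_report(auto_text: str, max_workers: int, warn_ratio: float = 0.8) -> dict:
    """Count scoreboard states and flag saturation against the effective limit."""
    counts = Counter(parse_status(auto_text).get("Scoreboard", ""))
    # Approximates mod_status's BusyWorkers: everything except ready/dead/starting/idle-kill.
    busy = sum(n for ch, n in counts.items() if ch not in "_.SI")
    states = {SCOREBOARD.get(ch, ch): n for ch, n in counts.items()}
    dominant = max(states, key=states.get) if states else None
    return {"busy": busy, "limit": max_workers, "states": states,
            "dominant": dominant, "saturated": busy >= warn_ratio * max_workers}

if __name__ == "__main__":
    print(worker_report(SAMPLE_STATUS, effective_max_workers(HTTPD_CONF)))
```

A scoreboard dominated by `W` points at slow PHP requests (compare against max_execution_time), while a pile-up in `R` means clients are trickling requests in and mod_reqtimeout's thresholds deserve a second look.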