RE: [users@httpd] Aw: Re: [users@httpd] Apache in under attack. [EXT]

[James Smith <js5@xxxxxxxxxxxx>]

That shows you only have 2 incoming requests. How many lines if you remove the TIME_WAIT

Try: netstat -n | grep ':80 ' | wc

This may show lots of short requests happening over time

But to be honest the host important thing you need to do is strip down the list of modules you are using - that is what is causing you problems - the apache processes are so large you are causing the server to swap - 

If you are permanently using a lot of swap then that slows down your processes and can cause your request to back up (a bit like a traffic jam)

You should only really have about 20-30 modules running.

-----Original Message-----
From: Jason Long <hack3rcon@xxxxxxxxx.INVALID> 
Sent: 12 January 2021 11:14
To: users@xxxxxxxxxxxxxxxx
Subject: Re:  Aw: Re: [users@httpd] Apache in under attack. [EXT]

It show me:

# netstat -n | grep ':80 ' | grep -v TIME_WAIT
tcp6       0      0 X.X.X.X:80        X.X.X.X:16126      FIN_WAIT2  
tcp6       0      0 X.X.X.X:80        X.X.X.X:64595      FIN_WAIT2 






On Tuesday, January 12, 2021, 02:20:00 PM GMT+3:30, James Smith <js5@xxxxxxxxxxxx> wrote: 





If you want incoming traffic you can do:

netstat -n | grep ':443 ' | grep -v TIME_WAIT

The incoming IP should be the 2nd address

(or ':80 ' if you aren't doing SSL)

Remove the grep -v TIME_WAIT to see all connections {and recent connections}

-----Original Message-----
From: Jason Long <hack3rcon@xxxxxxxxx.INVALID> 
Sent: 12 January 2021 10:33
To: users@xxxxxxxxxxxxxxxx
Subject: Re:  Aw: Re: [users@httpd] Apache in under attack. [EXT]

Output is:

1688 323400 80850   0 /usr/sbin/httpd -DFOREGROUND
 6384 517620 129405   0 /usr/sbin/httpd -DFOREGROUND
1163280 3898288 974572  63 /usr/sbin/httpd -DFOREGROUND
1250040 3912624 978156  64 /usr/sbin/httpd -DFOREGROUND
1299300 3986396 996599  84 /usr/sbin/httpd -DFOREGROUND
1367304 4012976 1003244  74 /usr/sbin/httpd -DFOREGROUND

How can I see the IP addresses and their incoming traffic?






On Tuesday, January 12, 2021, 01:49:21 PM GMT+3:30, James Smith <js5@xxxxxxxxxxxx> wrote: 





Another thing to look at is to restart the apache process and see memory usage. You can either use top. Or you can use a cron job which emails you the output of:

ps -e -o rsz,vsz,sz,cp,cmd | grep apache2 | grep -v grep | sort -k 1 -n

to see if you start or if it grows gradually

-----Original Message-----
From: Jason Long <hack3rcon@xxxxxxxxx.INVALID> 
Sent: 12 January 2021 10:01
To: users@xxxxxxxxxxxxxxxx
Subject: Re:  Aw: Re: [users@httpd] Apache in under attack. [EXT]

I did below rule, but not worked:
# iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset







On Tuesday, January 12, 2021, 01:15:40 PM GMT+3:30, Florian Schwalm <flo@xxxxxxxxxxxx> wrote: 






It can be done with iptables or take a look at fail2ban:
https://urldefense.proofpoint.com/v2/url?u=https-3A__security.stackexchange.com_q_35773_213194&d=DwIFaQ&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=oH2yp0ge1ecj4oDX0XM7vQ&m=I9F0cXVKI5lNIkmNjSJUj4c7qqr061vJX88jzcMLpvA&s=_jkuSoCIH2P5CqYmZuedFXUmuuq3Uf5PkIKE5nk_B3o&e= 

Am 12.01.21, 10:26 schrieb Jason Long <hack3rcon@xxxxxxxxx.INVALID>:
>  Thank you, but "Firewalld" or "iptables" can't do it automatically? When an IP sending many request then it automatically blocked. 
> 
> 
> 
> 
> 
> 
> On Tuesday, January 12, 2021, 12:49:50 PM GMT+3:30, James Smith <js5@xxxxxxxxxxxx> wrote: 
> 
> 
> 
> 
> 
> Jason, 
> 
> I would also query why your process are ~ 1G resident that seems quite large for apache. 
> 
> What modules do you have enabled  - even with mod_perl embedded I would not want them to go about 500-800M depending on the site of your box. 
> 
> I know Apache is very good at grabbing memory for each process - but it doesn't tend to hand it back - and just keeps it (just in case) 
> 
> It looks like you either have a memory leak - or the code is collecting too much data before squirting it out 
> 
> There are other setups that you may want to look at if you have large dynamic requests and a lot of small static request (images/css/js) where you run two web servers - one serving static content and proxying back to dynamic content. 
> 
> James 
> 
> -----Original Message----- 
> From: James Smith <js5@xxxxxxxxxxxx> 
> Sent: 12 January 2021 09:09 
> To: users@xxxxxxxxxxxxxxxx 
> Subject: RE:  Apache in under attack. [EXT] 
> 
> Put a firewall rule into block whatever that first IP address is then. 
> 
> Something like: 
> 
> firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='X.X.X.X' reject" 
> 
> If you are seeing a current attack then you can tweak Charles' command line to: 
> 
> tail -10000 access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head 
> 
> or I often use cut instead of awk.. 
> 
> tail -10000 access.log | cut -d ' ' -f 1 | sort | uniq -c | sort -nr | head 
> 
> -----Original Message----- 
> From: Jason Long <hack3rcon@xxxxxxxxx.INVALID> 
> Sent: 12 January 2021 08:53 
> To: users@xxxxxxxxxxxxxxxx 
> Subject: Re:  Apache in under attack. [EXT] 
> 
> It show me: 
> 
> 13180 X.X.X.X 
>    1127 X.X.X.X 
>     346 X.X.X.X 
>     294 X.X.X.X 
>     241 X.X.X.X 
>     169 X.X.X.X 
>     168 X.X.X.X 
>     157 X.X.X.X 
>     155 X.X.X.X 
>     153 X.X.X.X 
> 
> 
> 
> 
> 
> 
> 
> 
> On Tuesday, January 12, 2021, 07:12:22 AM GMT+3:30, Bender, Charles <charles@xxxxxxxxxxxxxxx.invalid> wrote: 
> 
> 
> 
> 
> 
> Run this against your log file in bash shell 
> 
> cat access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head 
> 
> This will show you most frequent IPs, sorted in descending order. Block as needed 
> 
> On 1/11/21, 7:11 PM, "Jason Long" <hack3rcon@xxxxxxxxx.INVALID> wrote: 
> 
>     Can you help me? 
>     
>     
>     
>     
>     
>     
>     On Tuesday, January 12, 2021, 03:36:30 AM GMT+3:30, Nick Folino <nick@xxxxxxxxx> wrote: 
>     
>     
>     
>     
>     
>     Concentrate on just one... 
>     
>     On Mon, Jan 11, 2021 at 7:02 PM Jason Long <hack3rcon@xxxxxxxxx.invalid> wrote: 
>     > It is a lot of IP addresses !!! 
>     > 
>     > 
>     > 
>     > 
>     > 
>     > 
>     > On Tuesday, January 12, 2021, 03:30:02 AM GMT+3:30, Nick Folino <nick@xxxxxxxxx> wrote: 
>     > 
>     > 
>     > 
>     > 
>     > 
>     > How to find pattern: 
>     > Look at log. 
>     > Find bad things that are similar. 
>     > 
>     > Then: 
>     > Block bad things from reaching web server. 
>     > 
>     > On Mon, Jan 11, 2021 at 6:49 PM Jason Long <hack3rcon@xxxxxxxxx.invalid> wrote: 
>     >> How to find pattern? 
>     >> Log show me: https://urldefense.proofpoint.com/v2/url?u=https-3A__paste.ubuntu.com_p_MjjVMvRrQc_&d=DwIFaQ&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=oH2yp0ge1ecj4oDX0XM7vQ&m=3PjPryDoNL3lr2gh0F6gLkL-pFWSat8aihqbLnBMag8&s=iTeaVG53Ne-jiAhMis6h9nlKBdUrWXhIuky31GQhURE&e= 
>     >> 
>     >> 
>     >> 
>     >> 
>     >> 
>     >> 
>     >> On Tuesday, January 12, 2021, 03:06:12 AM GMT+3:30, Filipe Cifali <cifali.filipe@xxxxxxxxx> wrote: 
>     >> 
>     >> 
>     >> 
>     >> 
>     >> 
>     >> Yeah it's probably not going to matter if you don't know what's attacking you before setting up the rules, you need to find the patterns, either the attack target or the attackers origins. 
>     >> 
>     >> On Mon, Jan 11, 2021 at 8:26 PM Jason Long <hack3rcon@xxxxxxxxx.invalid> wrote: 
>     >>> I used a rule like: 
>     >>> 
>     >>> # firewall-cmd --permanent --zone="public" --add-rich-rule='rule port port="80" protocol="tcp" accept limit value="100/s" log prefix="HttpsLimit" level="warning" limit value="100/s"' 
>     >>> 
>     >>> But not matter. 
>     >>> 
>     >>> 
>     >>> 
>     >>> 
>     >>> 
>     >>> 
>     >>> On Tuesday, January 12, 2021, 02:47:01 AM GMT+3:30, Filipe Cifali <cifali.filipe@xxxxxxxxx> wrote: 
>     >>> 
>     >>> 
>     >>> 
>     >>> 
>     >>> 
>     >>> You need to investigate your logs and find common patterns there, also there are different tools to handle small and big workloads like you could use iptables/nftables to block based on patterns and number of requests. 
>     >>> 
>     >>> On Mon, Jan 11, 2021 at 8:06 PM Jason Long <hack3rcon@xxxxxxxxx.invalid> wrote: 
>     >>>> Hello, 
>     >>>> On a CentOS web server with Apache, someone make a lot of request and it make slowing server. when I disable "httpd" service then problem solve. How can I find who made a lot of request? 
>     >>>> [url]https://urldefense.proofpoint.com/v2/url?u=https-3A__imgur.com_O33g3ql-5B_url-5D&d=DwIFaQ&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=oH2yp0ge1ecj4oDX0XM7vQ&m=3PjPryDoNL3lr2gh0F6gLkL-pFWSat8aihqbLnBMag8&s=5Qu-cdmn037VIUfExtigktWPBBJ7lby836voIoSO_y0&e= 
>     >>>> Any idea to solve it? 
>     >>>> 
>     >>>> 
>     >>>> Thank you. 
>     >>>> 
>     >>>> --------------------------------------------------------------------- 
>     >>>> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx 
>     >>>> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx 
>     >>>> 
>     >>>> 
>     >>> 
>     >>> 
>     >>> -- 
>     >>> [ ]'s 
>     >>> 
>     >>> Filipe Cifali Stangler 
>     >>> 
>     >>> 
>     >>> --------------------------------------------------------------------- 
>     >>> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx 
>     >>> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx 
>     >>> 
>     >>> 
>     >> 
>     >> 
>     >> -- 
>     >> [ ]'s 
>     >> 
>     >> Filipe Cifali Stangler 
> 
>     >> 
>     >> 
>     >> --------------------------------------------------------------------- 
>     >> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx 
>     >> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx 
>     >> 
>     >> 
>     > 
>     > 
>     > --------------------------------------------------------------------- 
>     > To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx 
>     > For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx 
>     > 
>     > 
>     
>     
>     --------------------------------------------------------------------- 
>     To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx 
>     For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx 
>     
>     
> 
> 
> --------------------------------------------------------------------- 
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx 
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx 
> 
> --------------------------------------------------------------------- 
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx 
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx 
> 
> 
> 
> 
> -- 
> The Wellcome Sanger Institute is operated by Genome Research  Limited, a charity registered in England with number 1021457 and a  company registered in England with number 2742969, whose registered  office is 215 Euston Road, London, NW1 2BE.B KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKCB [  X  ܚX KK[XZ[ 
> \ \  ][  X  ܚX P 
> \X K ܙ B  ܈Y][ۘ[  [X[ K[XZ[ 
> \ \  Z[ 
> \X K ܙ B 
> 
> 
> 
> 
> -- 
> The Wellcome Sanger Institute is operated by Genome Research 
> Limited, a charity registered in England with number 1021457 and a 
> company registered in England with number 2742969, whose registered 
> office is 215 Euston Road, London, NW1 2BE. 


> --------------------------------------------------------------------- 
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx 
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx 
> 
> --------------------------------------------------------------------- 
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx 
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx 
> 
> 
--------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx 

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx




-- 
The Wellcome Sanger Institute is operated by Genome Research 
Limited, a charity registered in England with number 1021457 and a 
company registered in England with number 2742969, whose registered 
office is 215 Euston Road, London, NW1 2BE.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx




-- 
The Wellcome Sanger Institute is operated by Genome Research 
Limited, a charity registered in England with number 1021457 and a 
company registered in England with number 2742969, whose registered 
office is 215 Euston Road, London, NW1 2BE.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx




-- 
 The Wellcome Sanger Institute is operated by Genome Research 
 Limited, a charity registered in England with number 1021457 and a 
 company registered in England with number 2742969, whose registered 
 office is 215 Euston Road, London, NW1 2BE.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx