Re: Apache in under attack.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



You should look at adding the %D and %T format strings to your httpd
access log configuration so that you can capture the amount of time
spent in delivery of a resource.


> Date: Thursday, January 14, 2021 11:48:55 +0000
> From: Jason Long <hack3rcon@xxxxxxxxx.INVALID>
>
> Server have 4 CPU cores and 6GB of RAM.
> I pasted Apache configuration. In your opinion, which parts of
> servers must be examine?
> 
> 
> On Wednesday, January 13, 2021, 08:30:58 PM GMT+3:30, @lbutlr
> <kremels@xxxxxxxxx> wrote: 
> 
> 
>> On 12 Jan 2021, at 01:52, Jason Long <hack3rcon@xxxxxxxxx.INVALID>
>> wrote:
>> 
>> It show me:
>> 
>> 13180 X.X.X.X
>>     1127 X.X.X.X 
>>     346 X.X.X.X 
>>     294 X.X.X.X 
>>     241 X.X.X.X 
>>     169 X.X.X.X 
>>     168 X.X.X.X
>>     157 X.X.X.X
>>     155 X.X.X.X
>>     153 X.X.X.X
> 
> Your server would not be getting bogged down by that few
> connections unless your hardware is very weak or you are hosting
> something insane.
> 
> I have a very lightly used web server that gets more than 40K hits
> a day running on a Celeron machine with a whole 4GB of RAM and my
> load average is in the 1.2 range consistently.
> 
> I wonder if there is not some configuration error.
> 
> Also, the URLs shown in your logs starting with /tag/ followed by a
> long series of hex digits, do those look like valid URLs for your
> server?
> 
> Do a dig -x on the IP that is hitting you 13,000 times and see
> where it is. You can try firewalling it, but if it's not some
> misconfigured server, the DOS will simply move to another IP.
> 
>> https://paste.ubuntu.com/p/PsxM8yPXPQ/
> 
> I haven't run F2B in quite a while, but is that a list of IPs that
> you are whitelisiing or does [Protect] mean "Protect FROM"?
> 
> But if 13,000 queries are crippling your web server, I think your
> real problem lies elsewhere than the 13,000 hits.
> 
> (You are loading almost double the modules that I am, by the way.
> It seems like an lot. Do you know why each of those modules is
> enabled?)

------------ End Original Message ------------



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx





[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux