httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ruben Safir <mrbrk...@panix.com>
Subject Re: [users@httpd] Apache 2.4 DoS?
Date Fri, 10 Nov 2017 22:52:38 GMT
On 11/10/2017 12:41 PM, Douglas Duckworth wrote:
> Hi
> 
> I am running old PHP under Apache httpd-2.4.
> 
> During a typical day:
> 
> Server load: 0.03 0.03 0.05
> Total accesses: 16028 - Total Traffic: 1.4 GB
> CPU Usage: u20.92 s1.24 cu.01 cs.23 - .00163% CPU load
> .0116 requests/sec - 1104 B/second - 92.7 kB/request
> 2 requests currently being processed, 8 idle workers
> 
> Though, ever few weeks, we see sudden increase in workers who never seem to
> retire:
> 
> [Fri Nov 10 02:43:20.019924 2017] [mpm_prefork:error] [pid 13584] AH00161:
> server reached MaxRequestWorkers setting, consider raising the
> MaxRequestWorkers setting
> 
> user@server[/var/www]$ ps aux | grep [h]ttpd | wc -l
> 257
> 
> It's my belief that this occurs due to malicious activity involving our old
> PHP sites, given this version has multiple known denial of service
> vulnerabilities, however the only thing I see in logs, during the time when
> workers were spawned, are light spider and bot activity.
> 
> We are running mod_security, mod_evasive, and mod_reqtimeout.
> 
> apachectl -t -D DUMP_MODULES | grep -e timeout -e security -e evasive
> 
> reqtimeout_module (shared)
> security2_module (shared)
> evasive20_module (shared)
> 
> httpd.conf:
> 
> MaxKeepAliveRequests 50
> KeepAlive On
> Timeout 30
> KeepAliveTimeout 10
> 
> <IfModule reqtimeout_module>
>   RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
> </IfModule>
> 
> <IfModule mpm_prefork_module>
>    StartServers        5
>    MinSpareServers     2
>    MaxSpareServers 10
>    MaxRequestWorkers 128
>    MaxRequestsPerChild 50
>    MaxRequestWorkers 100
> </IfModule>
> 
> modsecurity.conf:
> 
> SecRuleEngine on
> 
> mod_evasive.conf:
> 
> DOSPageCount        50
> DOSSiteCount       100
> DOSPageInterval     1
> DOSSiteInterval     1
> 
> php.ini:
> 
> max_execution_time = 10
> max_input_time = 10
> memory_limit = 32M
> error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
> log_errors = On
> 
> I set MaxRequestWorkers to 100 though it seems that threshold was passed
> meanwhile the server's no longer serving data, as the failover's now
> active, but these httpd workers *refuse to die*!
> 
> If my VirtualHosts were under DoS, in a manner that exploits PHP, then
> would I even be able to detect them in the logs?
> 
> Based upon my limited experience, I should be protected against both "slow"
> and "fast" DoS though of course not DDoS.  Greatly appreciate the insight
> and assistance.  We plan on replacing our old PHP sites but until then I
> want to do what I can to ensure this stops happening other than bringing up
> the failover.
> 
> Thanks,
> 
> Douglas Duckworth, MSc, LFCS
> HPC System Administrator
> Scientific Computing Unit
> Physiology and Biophysics
> Weill Cornell Medicine
> E: doug@med.cornell.edu
> O: 212-746-6305 <(212)%20746-6305>
> F: 212-746-8690 <(212)%20746-8690>
> 


Did you try the PHP mailing list?

That version of PHP is like Swiss cheese and you are not going to be
able to avoid a complete rebuild of the server which should be chrooted,
or in a readonly file system, and analysis is of minimal value, if not
counter productive.


Ruben Safir. MS Comp Sci (Computational Evolutionary Biology), BS Pharm RPh
NYLXS Chief Technologist
Free Software Education and Advocacy since 1997
E: ruben@mrbrklyn.com
O: 718-715-1771
-- 
So many immigrant groups have swept through our town
that Brooklyn, like Atlantis, reaches mythological
proportions in the mind of the world - RI Safir 1998
http://www.mrbrklyn.com

DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
http://www.nylxs.com - Leadership Development in Free Software
http://www2.mrbrklyn.com/resources - Unpublished Archive
http://www.brooklyn-living.com

Being so tracked is for FARM ANIMALS and and extermination camps,
but incompatible with living as a free human being. -RI Safir 2013

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message