The Community Forums

Apache Crashing

Discussion in 'Security' started by dimitrifrom31, Jul 1, 2015.

  1. dimitrifrom31

    dimitrifrom31 Registered

    Joined:
    Jul 1, 2015
    Messages:
    4
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    France
    cPanel Access Level:
    Root Administrator
    Hi,

    Recently, one of the websites I host has been under attacks that are taking down Apache (the only way to restore it is to restart the Apache service manually or wait for chkservd to restart it).

    The error log is filled with entries like this (I only masked the website domain):

    [Wed Jul 01 19:02:15.347188 2015] [:error] [pid 117592] [client 89.77.130.57] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/local/apache/conf/modsec_vendor_configs/OWASP/rules/REQUEST-20-PROTOCOL-ENFORCEMENT.conf"] [line "317"] [id "960009"] [rev "1"] [msg "Request Missing a User Agent Header"] [severity "NOTICE"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_UA"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "masked.domain.com"] [uri "/"] [unique_id "VZQdFyW7MpMAActY9xkAAAAC"]


    I installed ModSecurity after the attacks started; however, it does not seem to do much against them. I see no abnormal CPU/memory usage; Apache just stops working, and everything else is fine.

    Is there anything I can do to fix this permanently?
    For the time being I have suspended the attacked website, but this is not a real solution, and if this happens on other websites I need to be able to block the attacks so they do not affect Apache.


    Thank you.
     
  2. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    If you are sure the traffic is bad (not all requests missing a user agent are bad, just a lot of them are), then perhaps configure CSF with LF_MODSEC so that repeat offenders have their IP addresses blocked.
     
  3. dimitrifrom31

    Most of the traffic seems to be bad, as I had about 300 errors per IP within minutes. I configured CSF with LF_MODSEC and will see how it goes, but so far there have been no more Apache crashes for the past 12 hours, thanks.
     
  4. dimitrifrom31

    I spoke too soon; the attacks started again. Now I am seeing a lot of similar entries in my error_log:

    [Fri Jul 03 22:39:12.855250 2015] [proxy_http:error] [pid 1030800] (104)Connection reset by peer: [client 37.47.40.210:15085] AH01095: prefetch request body failed to 127.0.0.1:2082 (127.0.0.1) from 37.47.40.210 ()


    Despite the involved IPs being listed multiple times, they are not added to temp/perm bans and I cannot figure out why.
    Do you know what setting I should look for or enable to get IPs involved in this kind of error banned?

    Thank you
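
The two kinds of error_log entries quoted in this thread can be tallied per client IP to see which addresses produce which errors. The Python sketch below is an added example, not code from any poster or from CSF; the sample lines are constructed (shortened from the formats quoted above, plus one constructed line with no client field), the function names are hypothetical, and only IPv4 clients are handled.

```python
import re
from collections import Counter

# Constructed sample: shortened copies of the two entry formats quoted in the
# thread, plus one constructed line that has no [client ...] field.
SAMPLE_LOG = """\
[Wed Jul 01 19:02:15.347188 2015] [:error] [pid 117592] [client 89.77.130.57] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [id "960009"] [msg "Request Missing a User Agent Header"] [hostname "masked.domain.com"] [uri "/"]
[Wed Jul 01 19:02:16.101002 2015] [:error] [pid 117593] [client 89.77.130.57] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [id "960009"] [msg "Request Missing a User Agent Header"] [hostname "masked.domain.com"] [uri "/"]
[Fri Jul 03 22:39:12.855250 2015] [proxy_http:error] [pid 1030800] (104)Connection reset by peer: [client 37.47.40.210:15085] AH01095: prefetch request body failed to 127.0.0.1:2082 (127.0.0.1) from 37.47.40.210 ()
[Fri Jul 03 22:40:01.000000 2015] [mpm_prefork:notice] [pid 1000] AH00163: Apache configured -- resuming normal operations
"""

# Apache 2.4 writes [client IP] or [client IP:port]; IPv4 only (assumption).
CLIENT_RE = re.compile(r'\[client ((?:\d{1,3}\.){3}\d{1,3})(?::\d+)?\]')
MODSEC_ID_RE = re.compile(r'\[id "(\d+)"\]')
AH_CODE_RE = re.compile(r'\b(AH\d{5})\b')

def classify(line):
    """Label a line as modsec:<rule id>, an Apache AH code, or 'other'."""
    if 'ModSecurity:' in line:
        rule = MODSEC_ID_RE.search(line)
        return 'modsec:' + (rule.group(1) if rule else 'unknown')
    code = AH_CODE_RE.search(line)
    return code.group(1) if code else 'other'

def count_by_client(log_text):
    """Count (client IP, category) pairs; lines without a client are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        client = CLIENT_RE.search(line)
        if client:
            counts[(client.group(1), classify(line))] += 1
    return counts

def offenders(counts, threshold):
    """Return (ip, category, hits) with hits >= threshold, busiest first."""
    rows = [(ip, cat, n) for (ip, cat), n in counts.items() if n >= threshold]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))

def modsec_clients(counts):
    """IPs that appear in at least one ModSecurity entry."""
    return {ip for (ip, cat) in counts if cat.startswith('modsec:')}

if __name__ == '__main__':
    totals = count_by_client(SAMPLE_LOG)
    for ip, cat, hits in offenders(totals, 1):
        print(f'{ip:15} {cat:15} {hits}')
    print('seen by ModSecurity:', sorted(modsec_clients(totals)))
```

In the sample, 37.47.40.210 appears only under AH01095 and never in a ModSecurity entry, so a tally restricted to ModSecurity messages does not include it.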
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Have you considered consulting with your data center to see if this is something they can address at the network level or through a hardware firewall?

    Thank you.
     
  6. dimitrifrom31

    Actually, I figured out that increasing max clients fixed my issue. Nothing in the Apache logs (nothing I saw/found, at least) was pointing me in that direction, but after trying a lot of tweaks, that one did the trick.
     