
Apache has reached the MaxClients

Discussion in 'EasyApache' started by Big Kahuna, Oct 20, 2002.

  1. Big Kahuna

    Big Kahuna Member

    Joined:
    Oct 20, 2002
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    I am a total hosting rookie who has a server and contract support to keep it running right. When I get an error message email -- I am told by my contract support help it is nothing to worry about. I can buy the nothing to worry about -- but I would like to learn why the server thinks something is wrong. I am a complete beginner on web servers -- but learn quickly.

    One of the emails I have been receiving lately reads:

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    IMPORTANT: Do not ignore this email.
    Apache has reached the MaxClients
    limit. cPanel has increased the MaxClients limit to 170 (10 higher).

    You may wish to suspend the user with the largest access log as they
    are generally the person using up all of the avalible connections. However, your should
    have your system admin verify this first.

    Top 3 Largest access logs
    ====================================
    525672 /usr/local/apache/domlogs/moparstyle.net
    148328 /usr/local/apache/domlogs/daveschultz.com
    125500 /usr/local/apache/domlogs/moparstyle.com
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Can I get an explanation of why this email is being sent?

    Thank You
     
  2. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    It is not major but should still not be ignored.

    See http://forums.cpanel.net/read.php?TID=5324
     
  3. Big Kahuna

    Big Kahuna Member

    Joined:
    Oct 20, 2002
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    I appreciate the help -- but when I click that link I get a message telling me that I'm already logged in.

    The address changes to http://216.118.116.105/member.php?action=login&redirect=/read.php?TID=5324

    BK
     
  4. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    Change the IP to forums.cpanel.net or vice versa.
     
  5. Big Kahuna

    Big Kahuna Member

    Joined:
    Oct 20, 2002
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    OK -- I played around with the address and found the links at http://216.118.116.105/read.php?TID=5324 -- don't ask me why it won't work when I click the link in the above post -- but it doesn't.

    My server has very little traffic from the sites. I have one medium size board and about 15 small web sites. It was suggested in the other thread that there might be a worm at work -- is that the case and what can I do?
     
  6. ozzi4648

    ozzi4648 Guest

    [quote] Originally posted by Big Kahuna:

    I am a total hosting rookie who has a server and contract support to keep it running right. When I get an error message email -- I am told by my contract support help it is nothing to worry about. I can buy the nothing to worry about -- but I would like to learn why the server thinks something is wrong. I am a complete beginner on web servers -- but learn quickly.

    One of the emails I have been receiving lately reads:

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    IMPORTANT: Do not ignore this email.
    Apache has reached the MaxClients
    limit. cPanel has increased the MaxClients limit to 170 (10 higher).

    You may wish to suspend the user with the largest access log as they
    are generally the person using up all of the avalible connections. However, your should
    have your system admin verify this first.

    Top 3 Largest access logs
    ====================================
    525672 /usr/local/apache/domlogs/moparstyle.net
    148328 /usr/local/apache/domlogs/daveschultz.com
    125500 /usr/local/apache/domlogs/moparstyle.com
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Can I get an explanation of why this email is being sent?

    Thank You [/quote]

    So this is your server but somebody is maintaining it for you?

    Check your httpd.conf file

    pico -w /etc/httpd/conf/httpd.conf and look for the MAX CLIENTS directive. It's probably set to something like 150. Set it to 256, save and restart apache: /etc/rc.d/init.d/httpd restart

    Next, if you have lots of users on that box and lots of open mysql sessions running, this is possibly your problem. Open up your /etc/my.cnf file and tell me what's in there.

    If you need help PM me!
     
  7. Big Kahuna

    Big Kahuna Member

    Joined:
    Oct 20, 2002
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    Ozzie, thanks for the help.

    Here's my situation: I'm a web master with about 15 (and counting) sites I designed, which I also host. I made a deal with the people that used to host me to maintain my leased server because I was too frustrated with overworked discount servers down as much as up (that is an exaggeration). I really only know how to set up accounts in WHM (but I want to learn and this is my first step in trying to be more pro-active in learning) -- but know nothing about configuration. I have left that to the guy who I pay a monthly fee to maintain the server. He maintains about five of his own servers (visits this board) and knows what he is doing -- but explains every "Do not Ignore" email I get as "Don't worry about it." Like I say, I have decided to be more proactive with learning what is happening -- but I'd just as soon have this guy watch my server.

    I will suggest to him to raise the number of MAX CLIENTS to 256 -- but I do not know how to open up my /etc/my.cnf file and tell you what's in there.

    What I can tell you is that there is a total of 7 MySQL databases for the entire server -- period. One is a fairly active vbulletin message board www.moparstyle.net, 2 are pretty much inactive guestbooks (the ones found in cPanel), 3 inactive Red Lantern (provided by cPanel) message boards, and a relatively inactive Chat Room (may see 15 people at one time about once a week).

    Does that help?
     
  8. bmcpanel

    bmcpanel Well-Known Member

    Joined:
    Jun 1, 2002
    Messages:
    546
    Likes Received:
    0
    Trophy Points:
    16
    Could be a DOS... Read This

    Check your access logs also. I have found that I am being bombarded (Probably a DOS) from certain IPs that cause my processes to increase to nearly 200 while viewing them in TOP. This causes my server to reach MaxClients very quickly, in a matter of about 1-2 minutes. Thus, the server stops serving new http requests until the attack is stopped.

    CHECK FOR EVIDENCE OF A DOS

    vi /usr/local/apache/logs/access_log

    Go to the end of the logs and look for any entries that look like this....

    140.131.6.54 - - [20/Oct/2002:20:24:47 -0400] "-" 408 -
    140.131.6.54 - - [20/Oct/2002:20:24:47 -0400] "-" 408 -
    140.131.6.54 - - [20/Oct/2002:20:24:50 -0400] "-" 408 -
    140.131.6.54 - - [20/Oct/2002:20:24:51 -0400] "-" 408 -

    As you can see from the log entries above, in the space of 4 seconds, the IP connected to our server and received a 408 error. This opens 1 http process and apparently stays open for about a minute or so. Thus, it is quite easy to reach your max clients if you are being DOS'd like this.

    If you want to know a fix for this, you can nullroute the IPs that are attacking your server. All you have to do is type this at the shell prompt, replacing 211.211.55.55 with the IP address that is hitting your server.
    ---------- START

    /sbin/route add -host 211.211.55.55 reject

    ----------- END

    NOTE: REPLACE 211.211.55.55 WITH THE OFFENDING IP.

    This will kill all incoming and outgoing connections from that IP until you reboot the server. However, if you reboot the server, the null route is gone.

    If you would like to save the null route after rebooting to protect you in the future, just add the command to /etc/rc.d/rc.local and it will re-execute them when the server comes back online.

    If you are being dos'd like this, you should check your logs continually as the offending party will change the IP from time to time.
     
  9. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    Thanks for the info, we just did a check and found tons of addresses doing just that.
     
  10. Big Kahuna

    Big Kahuna Member

    Joined:
    Oct 20, 2002
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    It all makes sense now. It looks like I do have hackers taking a shot to get in, are unsuccessful -- but are using a lot of Max Clients trying. I'll watch the IP addresses and if they are regular -- I'll have the server ignore them.

    Thank you
     
  11. Tom Pyles

    Tom Pyles Well-Known Member

    Joined:
    Apr 26, 2002
    Messages:
    254
    Likes Received:
    0
    Trophy Points:
    16
    Glad I came across this post... I'm finding a lot of these also, and increasing. When tracing the IPs they seem to trace to some universities (getting a ton of them that trace back to Minnesota State University).
     
  12. Big Kahuna

    Big Kahuna Member

    Joined:
    Oct 20, 2002
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    I think what might have happened is:

    I had 5 of my customers' XMB boards hacked into and trashed. It looks like King of the Hackers published a way to destroy these boards -- and it may be why so many were choosing my server (from the search engine hits on XMB boards). They appear to have gone away in the last couple of days. I was told tens of thousands of these boards were trashed in the last week.

    BTW -- the XMB (free version of vBulletin) boards that my customers use are from cPanel. XMB claims that version is the older version of 1.6 (suggesting cPanel update to a newer one) that includes the Indexlog.log and three lines in Index.php that allow this hacking. Is it possible for cPanel to update to the newer version of 1.6 (1.8 isn't released yet and they pulled 1.7) to save the Host the headaches of customer support from restoring from daily and weekly backups, making the fixes and having customers have all of their members change all of their passwords? Even the support telling them what to do is a headache. Since XMB is an option of cPanel, many customers use it. I would like to see it stay (because of the auto-installation of MySQL) but the updated version would help.
     
  13. jamesbond

    jamesbond Well-Known Member

    Joined:
    Oct 9, 2002
    Messages:
    738
    Likes Received:
    1
    Trophy Points:
    18
    How to protect against this type of attack?

    Would it be possible to reject the attacker's IP address if it connects to your server more than x times in y sec?

    Have a daemon run in the background maybe?

    Anyone any idea how to do this?
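
Added example (not part of any post in this thread): one way to do the "more than x times in y seconds" check asked about here, applied to the 408 entries bmcpanel describes, and to print the null-route command from that post for an admin to review. The function names, the thresholds (`max_hits`, `window_seconds`) and every sample line except the four from the post are assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Timed-out connections as shown in the post: empty request ("-"), status 408.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "-" 408 ')

# The four 140.131.6.54 lines are from the post; the rest are constructed.
SAMPLE_LOG = '''\
140.131.6.54 - - [20/Oct/2002:20:24:47 -0400] "-" 408 -
140.131.6.54 - - [20/Oct/2002:20:24:47 -0400] "-" 408 -
192.0.2.10 - - [20/Oct/2002:20:24:48 -0400] "GET /index.php HTTP/1.0" 200 5120
140.131.6.54 - - [20/Oct/2002:20:24:50 -0400] "-" 408 -
140.131.6.54 - - [20/Oct/2002:20:24:51 -0400] "-" 408 -
198.51.100.7 - - [20/Oct/2002:20:25:30 -0400] "-" 408 -
truncated line without a timestamp
'''.splitlines()

def find_408_bursts(lines, max_hits=3, window_seconds=10):
    """Map each IP to its peak count of 408s inside any one window,
    keeping only IPs that exceeded max_hits. Assumes time-ordered lines."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # normal requests and malformed lines
        host, stamp = m.groups()
        try:
            ip = str(ipaddress.IPv4Address(host))  # never trust a log field
            when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:
            q.popleft()           # drop hits that fell out of the window
        if len(q) > max_hits:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

def reject_commands(peaks):
    """Null-route commands in the form given in the post, for an admin to review."""
    return [f"/sbin/route add -host {ip} reject" for ip in sorted(peaks)]

if __name__ == "__main__":
    for cmd in reject_commands(find_408_bursts(SAMPLE_LOG)):
        print(cmd)
```

The commands are only printed, not executed: an address shared by many users (a proxy or a campus NAT) can cross the threshold, so each one should be checked before it is null-routed.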
     
  14. mikerayner

    mikerayner Well-Known Member

    Joined:
    Apr 10, 2002
    Messages:
    192
    Likes Received:
    0
    Trophy Points:
    16
    We have solved our problem by using another thread; click on the link:
    http://forums.cpanel.net/read.php?TID=5583&page=1

    also

    http://forums.cpanel.net/read.php?TID=5583&page=2#24310
     