garse

Hi guys.

Problem with httpd.
It doesn't start, or it fails 10 seconds after starting.
In my opinion there is a DoS attack on port 80.

I have tried mod_security and mod_evasive but it doesn't help.

This appears at the end of the Apache error log file:
04:04:08 2006] [notice] caught SIGTERM, shutting down

Please help me to solve the problem.

George
 

OCX

Do you have a firewall on your box?

If not, it would be a good idea.


OCX
 

tweakservers

Have you tried running netstat on your server to check if there are a bunch of connections on port 80? Install a firewall such as APF to block the IPs, or you may manually drop them using iptables rules.
 

AndyReed

garse said:
In my opinion there is a DoS attack on port 80.

What makes you say that your server is under DoS attack? What command did you use to reach that opinion?
If you are under heavy DoS/DDoS attack, none of the system-based firewalls, including APF and BFD, will stop it. You'll have to have a hardware-based firewall, and I suggest you contact your DC and ask them.

garse said:
I have tried mod_security and mod_evasive but it doesn't help.

It depends on the rules and directives you use for these applications.

garse said:
This appears at the end of the Apache error log file:
04:04:08 2006] [notice] caught SIGTERM, shutting down

How about the errors before this one? What are they?
 

garse

Hello.
Here is the list of IP addresses generated by netstat:

[email protected] [~]# netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr
71 85.114.225.137
32 85.114.253.147
30 213.200.24.18
21 85.114.246.205
20 212.72.155.150
20 212.72.154.211
14 212.72.153.123
13 85.114.229.119
12 85.114.252.233
12 85.114.247.31
12 213.157.216.238
11 85.114.224.159
11 213.157.207.131
9 85.117.53.200
9 85.117.52.157
9 85.114.225.233
8 85.117.42.219
8 85.114.248.9
8 85.114.224.207
7 85.117.52.33
7 62.168.163.95
7 213.184.224.3
6 85.117.43.199
6 85.114.251.159
6 213.157.216.218
5 88.210.198.179
5 85.21.19.110

I have tried to deny some IPs via APF but new hosts are coming.
APF antidos doesn't help.

This is the end of the error log:

[Sun Jun 4 15:25:07 2006] [error] server reached MaxClients setting, consider raising the MaxClients setting
[Sun Jun 4 15:28:49 2006] [notice] caught SIGTERM, shutting down
[Sun Jun 4 15:29:07 2006] [notice] mod_security/1.9.1 configured
[Sun Jun 4 15:29:07 2006] [notice] Apache/1.3.36 (Unix) PHP/5.1.4 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 configured -- resuming normal operations
[Sun Jun 4 15:29:07 2006] [notice] suEXEC mechanism enabled (wrapper: /usr/local/apache/bin/suexec)
[Sun Jun 4 15:29:07 2006] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Sun Jun 4 15:29:22 2006] [error] server reached MaxClients setting, consider raising the MaxClients setting
[Sun Jun 4 15:34:17 2006] [error] [client 213.157.207.113] client denied by server configuration: /home/topsite/public_html/banners/topsite.swf
[Sun Jun 4 15:34:17 2006] [error] [client 85.117.52.193] client denied by server configuration: /home/topsite/public_html/banners/topsite.swf
[Sun Jun 4 15:34:17 2006] [error] [client 213.157.207.113] client denied by server configuration: /home/topsite/public_html/banners/topsite.swf
[Sun Jun 4 15:34:18 2006] [error] [client 213.157.207.113] client denied by server configuration: /home/topsite/public_html/banners/topsite.swf
[Sun Jun 4 15:34:18 2006] [error] [client 213.157.207.113] client denied by server configuration: /home/topsite/public_html/banners/topsite.swf
[Sun Jun 4 15:34:18 2006] [error] [client 213.157.207.113] client denied by server configuration: /home/topsite/public_html/banners/topsite.swf
[Sun Jun 4 15:34:18 2006] [error] [client 213.157.207.113] client denied by server configuration: /home/topsite/public_html/banners/topsite.swf
[Sun Jun 4 15:34:18 2006] [error] [client 213.157.207.113] client denied by server configuration: /home/topsite/public_html/banners/topsite.swf
[Sun Jun 4 15:34:18 2006] [error] [client 213.157.207.113] client denied by server configuration: /home/topsite/public_html/banners/topsite.swf
[Sun Jun 4 15:34:18 2006] [error] [client 213.157.207.113] client denied by server configuration: /home/topsite/public_html/banners/topsite.swf
[Sun Jun 4 15:34:18 2006] [error] [client 213.157.207.113] client denied by server configuration: /home/topsite/public_html/banners/topsite.swf
[Sun Jun 4 15:34:18 2006] [error] [client 65.160.238.180] File does not exist: /home/inter/public_html/404.shtml
[Sun Jun 4 15:34:19 2006] [error] [client 88.210.204.127] client denied by server configuration: /home/topsite/public_html/banners/topsite.swf
[Sun Jun 4 15:34:19 2006] [error] [client 88.210.204.127] client denied by server configuration: /home/topsite/public_html/banners/topsite.swf
[Sun Jun 4 15:34:24 2006] [error] [client 213.157.207.113] client denied by server configuration: /home/topsite/public_html/banners/topsite.swf
[Sun Jun 4 15:34:41 2006] [error] [client 85.117.39.82] client denied by server configuration: /home/topsite/public_html/banners/topsite.swf
[Sun Jun 4 15:38:01 2006] [notice] caught SIGTERM, shutting down


And this is the access log:

85.117.42.219 - - [04/Jun/2006:15:34:22 +0400] "-" 408 -
85.117.52.76 - - [04/Jun/2006:15:34:22 +0400] "-" 408 -
85.117.36.172 - - [04/Jun/2006:15:34:22 +0400] "-" 408 -
85.117.42.219 - - [04/Jun/2006:15:34:22 +0400] "-" 408 -
85.117.36.172 - - [04/Jun/2006:15:34:22 +0400] "-" 408 -
212.58.120.18 - - [04/Jun/2006:15:34:22 +0400] "-" 408 -
85.117.52.76 - - [04/Jun/2006:15:34:22 +0400] "-" 408 -
85.117.36.172 - - [04/Jun/2006:15:34:22 +0400] "-" 408 -
212.58.120.18 - - [04/Jun/2006:15:34:22 +0400] "-" 408 -
85.117.42.219 - - [04/Jun/2006:15:34:22 +0400] "-" 408 -
85.117.36.172 - - [04/Jun/2006:15:34:22 +0400] "-" 408 -
212.58.120.18 - - [04/Jun/2006:15:34:22 +0400] "-" 408 -
85.117.52.76 - - [04/Jun/2006:15:34:22 +0400] "-" 408 -
85.117.42.219 - - [04/Jun/2006:15:34:22 +0400] "-" 408 -
85.21.19.110 - - [04/Jun/2006:15:34:22 +0400] "-" 408 -
85.117.52.76 - - [04/Jun/2006:15:34:22 +0400] "-" 408 -
85.117.36.172 - - [04/Jun/2006:15:34:22 +0400] "-" 408 -
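Added example, not part of garse's post: a `"-" 408 -` entry is a connection that was opened and then timed out without ever sending a request, and each one holds an Apache child until the timeout fires, which fits the MaxClients errors in the error log above. The script below tallies those entries per client; the sample log is constructed (documentation addresses) and the function names are hypothetical.

```shell
#!/bin/sh
# Count connections that timed out without sending a request ("-" with 408).

# Constructed sample in the same format as the access log quoted above.
sample_log() {
cat <<'EOF'
192.0.2.10 - - [04/Jun/2006:15:34:22 +0400] "-" 408 -
192.0.2.11 - - [04/Jun/2006:15:34:22 +0400] "-" 408 -
192.0.2.10 - - [04/Jun/2006:15:34:22 +0400] "-" 408 -
198.51.100.7 - - [04/Jun/2006:15:34:23 +0400] "GET /index.html HTTP/1.1" 200 5120
192.0.2.10 - - [04/Jun/2006:15:34:23 +0400] "-" 408 -
192.0.2.11 - - [04/Jun/2006:15:34:24 +0400] "GET /a.gif HTTP/1.0" 404 -
EOF
}

# idle_timeouts: log on stdin -> "count ip" for each client with 408/"-"
# entries, busiest first. Splitting on the double quote keeps the request
# line in $2 even when it contains spaces.
idle_timeouts() {
    awk -F'"' '
        {
            split($1, pre, " ");  ip = pre[1]
            split($3, post, " "); status = post[1]
            if ($2 == "-" && status == "408") hits[ip]++
        }
        END { for (ip in hits) print hits[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# timeout_share: whole-number percentage of logged requests that were 408/"-".
timeout_share() {
    awk -F'"' '
        { split($3, post, " "); total++
          if ($2 == "-" && post[1] == "408") idle++ }
        END { if (total) printf "%d\n", idle * 100 / total; else print 0 }
    '
}

sample_log | idle_timeouts
echo "idle share: $(sample_log | timeout_share)%"
```

On a live server, feed the real access log to the functions instead of `sample_log`.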
 

thehostinghut

There is a software solution that will block IPs when they have a certain amount of connections.

http://projects.medialayer.com/ddos.html

This may not be a 100% fix, but if you are wanting to ban those IPs automatically this will do it for you. I have installed it and it does work. It will even send you an email when it does block an IP address.

I think you need APF installed for it to work though.

I hope this helps you.

Tracy
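Added example, not the linked script's code and not part of the post above: the per-IP connection threshold idea, applied to `netstat -ntu` output. Unlike the pipeline posted earlier in the thread, it skips header lines, counts only connections to the local port 80, ignores TIME_WAIT sockets and reports half-open (SYN_RECV) connections separately; it only reports and blocks nothing. The sample data is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Report clients holding at least LIMIT connections to the local port 80.

# Constructed sample shaped like `netstat -ntu` output (documentation addresses).
sample_netstat() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.5:80          192.0.2.10:51001        ESTABLISHED
tcp        0      0 203.0.113.5:80          192.0.2.10:51002        ESTABLISHED
tcp        0      0 203.0.113.5:80          192.0.2.10:51003        SYN_RECV
tcp        0      0 203.0.113.5:80          192.0.2.10:51004        TIME_WAIT
tcp        0      0 203.0.113.5:80          192.0.2.11:40000        ESTABLISHED
tcp        0      0 ::ffff:203.0.113.5:80   ::ffff:192.0.2.11:40001 ESTABLISHED
tcp        0      0 203.0.113.5:22          198.51.100.7:40022      ESTABLISHED
tcp        0      0 203.0.113.5:22          198.51.100.7:40023      ESTABLISHED
tcp        0      0 203.0.113.5:22          198.51.100.7:40024      ESTABLISHED
tcp        0      0 203.0.113.5:45000       192.0.2.50:80           ESTABLISHED
udp        0      0 203.0.113.5:53          192.0.2.99:5353
EOF
}

# port80_offenders LIMIT: netstat output on stdin ->
# "connections syn_recv ip" for each client at or above LIMIT (default 20).
port80_offenders() {
    awk -v limit="${1:-20}" '
        # TCP only, local side is port 80; TIME_WAIT sockets are already closed.
        $1 ~ /^tcp/ && $4 ~ /:80$/ && $6 != "TIME_WAIT" {
            ip = $5
            sub(/:[0-9]+$/, "", ip)     # drop the remote port
            sub(/^::ffff:/, "", ip)     # fold IPv4-mapped IPv6 into IPv4
            total[ip]++
            if ($6 == "SYN_RECV") half[ip]++
        }
        END {
            for (ip in total)
                if (total[ip] >= limit + 0)
                    print total[ip], half[ip] + 0, ip
        }
    ' | sort -k1,1nr -k3,3
}

# Live use: netstat -ntu | port80_offenders 20
sample_netstat | port80_offenders 3
```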
 

garse

thanks

thehostinghut said:
There is a software solution that will block IPs when they have a certain amount of connections.

http://projects.medialayer.com/ddos.html

This may not be a 100% fix, but if you are wanting to ban those IPs automatically this will do it for you. I have installed it and it does work. It will even send you an email when it does block an IP address.

I think you need APF installed for it to work though.

I hope this helps you.

Tracy

Thanks, it helps well.