The Community Forums

Interact with an entire community of cPanel & WHM users!

http failed in 10 seconds

Discussion in 'General Discussion' started by garse, Jun 3, 2006.

  1. garse

    garse Registered

    Hi guys.

    Problem with httpd.
    It doesn't start, or fails after 10 seconds from starting.
    In my opinion there is a DoS attack on port 80.

    I have tried mod_security and mod_evasive but it doesn't help.

    This appears at the end of the Apache error log file:
    04:04:08 2006] [notice] caught SIGTERM, shutting down

    Please help me to solve the problem.

    George
     
  2. OCX

    OCX Well-Known Member

    Do you have a firewall on your box?

    If not, it would be a good idea.


    OCX
     
  3. tweakservers

    tweakservers Well-Known Member

    Tried running netstat on your server to check if there are a bunch of connections on port 80? Install a firewall such as APF to block the IP, or you may manually drop it using iptables rules.
     
  4. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    What makes you say that your server is under DoS attack? What command did you use to reach that opinion?
    If you are under heavy DoS/DDoS attack, none of the system-based firewalls, including APF and BFD, will stop it. You'll have to have a hardware-based firewall, and I suggest you contact your DC and ask them.

    It depends on the rules and directives you use for these applications.

    How about the errors before this one? What are they?
     
    #4 AndyReed, Jun 4, 2006
    Last edited: Jun 4, 2006
  5. garse

    garse Registered

    Hello.
    Here is the list of IP addresses generated by netstat:

    root@cPanel [~]# netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr
    71 85.114.225.137
    32 85.114.253.147
    30 213.200.24.18
    21 85.114.246.205
    20 212.72.155.150
    20 212.72.154.211
    14 212.72.153.123
    13 85.114.229.119
    12 85.114.252.233
    12 85.114.247.31
    12 213.157.216.238
    11 85.114.224.159
    11 213.157.207.131
    9 85.117.53.200
    9 85.117.52.157
    9 85.114.225.233
    8 85.117.42.219
    8 85.114.248.9
    8 85.114.224.207
    7 85.117.52.33
    7 62.168.163.95
    7 213.184.224.3
    6 85.117.43.199
    6 85.114.251.159
    6 213.157.216.218
    5 88.210.198.179
    5 85.21.19.110

    I have tried to deny some IPs via APF but new hosts are coming.
    APF antidos doesn't help.

    This is the end of the error log:

    [Sun Jun 4 15:25:07 2006] [error] server reached MaxClients setting, consider raising the MaxClients setting
    [Sun Jun 4 15:28:49 2006] [notice] caught SIGTERM, shutting down
    [Sun Jun 4 15:29:07 2006] [notice] mod_security/1.9.1 configured
    [Sun Jun 4 15:29:07 2006] [notice] Apache/1.3.36 (Unix) PHP/5.1.4 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 configured -- resuming normal operations
    [Sun Jun 4 15:29:07 2006] [notice] suEXEC mechanism enabled (wrapper: /usr/local/apache/bin/suexec)
    [Sun Jun 4 15:29:07 2006] [notice] Accept mutex: sysvsem (Default: sysvsem)
    [Sun Jun 4 15:29:22 2006] [error] server reached MaxClients setting, consider raising the MaxClients setting
    [Sun Jun 4 15:34:17 2006] [error] [client 213.157.207.113] client denied by server configuration: /home/topsite/public_html/banners/topsite.swf
    [Sun Jun 4 15:34:17 2006] [error] [client 85.117.52.193] client denied by server configuration: /home/topsite/public_html/banners/topsite.swf
    [Sun Jun 4 15:34:17 2006] [error] [client 213.157.207.113] client denied by server configuration: /home/topsite/public_html/banners/topsite.swf
    [Sun Jun 4 15:34:18 2006] [error] [client 213.157.207.113] client denied by server configuration: /home/topsite/public_html/banners/topsite.swf
    [Sun Jun 4 15:34:18 2006] [error] [client 213.157.207.113] client denied by server configuration: /home/topsite/public_html/banners/topsite.swf
    [Sun Jun 4 15:34:18 2006] [error] [client 213.157.207.113] client denied by server configuration: /home/topsite/public_html/banners/topsite.swf
    [Sun Jun 4 15:34:18 2006] [error] [client 213.157.207.113] client denied by server configuration: /home/topsite/public_html/banners/topsite.swf
    [Sun Jun 4 15:34:18 2006] [error] [client 213.157.207.113] client denied by server configuration: /home/topsite/public_html/banners/topsite.swf
    [Sun Jun 4 15:34:18 2006] [error] [client 213.157.207.113] client denied by server configuration: /home/topsite/public_html/banners/topsite.swf
    [Sun Jun 4 15:34:18 2006] [error] [client 213.157.207.113] client denied by server configuration: /home/topsite/public_html/banners/topsite.swf
    [Sun Jun 4 15:34:18 2006] [error] [client 213.157.207.113] client denied by server configuration: /home/topsite/public_html/banners/topsite.swf
    [Sun Jun 4 15:34:18 2006] [error] [client 65.160.238.180] File does not exist: /home/inter/public_html/404.shtml
    [Sun Jun 4 15:34:19 2006] [error] [client 88.210.204.127] client denied by server configuration: /home/topsite/public_html/banners/topsite.swf
    [Sun Jun 4 15:34:19 2006] [error] [client 88.210.204.127] client denied by server configuration: /home/topsite/public_html/banners/topsite.swf
    [Sun Jun 4 15:34:24 2006] [error] [client 213.157.207.113] client denied by server configuration: /home/topsite/public_html/banners/topsite.swf
    [Sun Jun 4 15:34:41 2006] [error] [client 85.117.39.82] client denied by server configuration: /home/topsite/public_html/banners/topsite.swf
    [Sun Jun 4 15:38:01 2006] [notice] caught SIGTERM, shutting down


    And this is an access log:

    85.117.42.219 - - [04/Jun/2006:15:34:22 +0400] "-" 408 -
    85.117.52.76 - - [04/Jun/2006:15:34:22 +0400] "-" 408 -
    85.117.36.172 - - [04/Jun/2006:15:34:22 +0400] "-" 408 -
    85.117.42.219 - - [04/Jun/2006:15:34:22 +0400] "-" 408 -
    85.117.36.172 - - [04/Jun/2006:15:34:22 +0400] "-" 408 -
    212.58.120.18 - - [04/Jun/2006:15:34:22 +0400] "-" 408 -
    85.117.52.76 - - [04/Jun/2006:15:34:22 +0400] "-" 408 -
    85.117.36.172 - - [04/Jun/2006:15:34:22 +0400] "-" 408 -
    212.58.120.18 - - [04/Jun/2006:15:34:22 +0400] "-" 408 -
    85.117.42.219 - - [04/Jun/2006:15:34:22 +0400] "-" 408 -
    85.117.36.172 - - [04/Jun/2006:15:34:22 +0400] "-" 408 -
    212.58.120.18 - - [04/Jun/2006:15:34:22 +0400] "-" 408 -
    85.117.52.76 - - [04/Jun/2006:15:34:22 +0400] "-" 408 -
    85.117.42.219 - - [04/Jun/2006:15:34:22 +0400] "-" 408 -
    85.21.19.110 - - [04/Jun/2006:15:34:22 +0400] "-" 408 -
    85.117.52.76 - - [04/Jun/2006:15:34:22 +0400] "-" 408 -
    85.117.36.172 - - [04/Jun/2006:15:34:22 +0400] "-" 408 -
     
    #5 garse, Jun 4, 2006
    Last edited: Jun 4, 2006
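
The access log excerpt in post #5 consists of entries with an empty request (`"-"`) and status 408, which Apache records when a client opens a connection and the server times out waiting for a request; each such connection holds a worker slot, which fits the MaxClients errors in the same post. As an added example (not part of the thread), the function below counts those entries per client; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# idle_408_by_ip: reads common-log-format lines on stdin and prints
# "<count> <ip>" for every client that has entries with request "-" and
# status 408 (connection opened, no request sent before the timeout),
# highest count first.
idle_408_by_ip() {
    awk '
        # Split on double quotes:
        #   $1 = client, ident, user and [time]; $2 = request line; $3 = status and size
        BEGIN { FS = "\"" }
        {
            split($1, head, " ")    # head[1] is the client address
            split($3, tail, " ")    # tail[1] is the status code
            if ($2 == "-" && tail[1] == "408") hits[head[1]]++
        }
        END { for (ip in hits) print hits[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample (documentation address ranges, not the thread's data).
sample_access_log() {
    cat <<'EOF'
192.0.2.10 - - [04/Jun/2006:15:34:22 +0400] "-" 408 -
198.51.100.7 - - [04/Jun/2006:15:34:22 +0400] "-" 408 -
192.0.2.10 - - [04/Jun/2006:15:34:22 +0400] "-" 408 -
203.0.113.5 - - [04/Jun/2006:15:34:23 +0400] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [04/Jun/2006:15:34:23 +0400] "-" 408 -
192.0.2.10 - - [04/Jun/2006:15:34:24 +0400] "-" 408 -
203.0.113.5 - - [04/Jun/2006:15:34:24 +0400] "-" 408 -
EOF
}

sample_access_log | idle_408_by_ip
```

On a live server the same function can be fed the real access log on stdin; a normal request from a client (the `GET` line in the sample) is not counted against it.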
  6. thehostinghut

    thehostinghut Well-Known Member

    There is a software solution that will block IPs when they have a certain amount of connections.

    http://projects.medialayer.com/ddos.html

    This may not be a 100% fix, but if you are wanting to ban those IPs automatically this will do it for you. I have installed it and it does work. It will even send you an email when it does block an IP address.

    I think you need APF installed for it to work though.

    I hope this helps you.

    Tracy
     
  7. thehostinghut

    thehostinghut Well-Known Member

    After looking at the config file, it will ban them in iptables also, so APF is not a needed thing.

    Thanks,

    Tracy
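
The idea described in posts #6 and #7 (block an address once it holds more than a set number of connections) can be sketched by hand as follows. This is an added example, not the linked project's code and not from the thread: `over_limit`, `drop_rules`, the threshold and the sample `netstat` output are all constructed, and the script only prints candidate iptables rules for review rather than applying them.

```shell
#!/bin/sh
# over_limit LIMIT: reads `netstat -ntu` output on stdin and prints
# "<count> <ip>" for every remote address holding more than LIMIT
# connections to local port 80, highest count first.
over_limit() {
    awk -v limit="$1" '
        # Data rows start with tcp or udp; this skips the two netstat header lines.
        $1 !~ /^(tcp|udp)/ { next }
        # $4 = local address:port, $5 = foreign address:port
        $4 !~ /:80$/ { next }
        {
            ip = $5
            sub(/:[0-9]+$/, "", ip)        # strip the remote port
            if (ip == "127.0.0.1") next    # never list loopback
            count[ip]++
        }
        END { for (ip in count) if (count[ip] > limit) print count[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# drop_rules: turns "<count> <ip>" lines into iptables commands.
# The commands are printed only, so they can be reviewed before use.
drop_rules() {
    while read -r _count ip; do
        printf 'iptables -I INPUT -s %s -p tcp --dport 80 -j DROP\n' "$ip"
    done
}

# Constructed sample of `netstat -ntu` output (documentation address ranges).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.20:80         192.0.2.10:40001        ESTABLISHED
tcp        0      0 203.0.113.20:80         192.0.2.10:40002        SYN_RECV
tcp        0      0 203.0.113.20:80         192.0.2.10:40003        ESTABLISHED
tcp        0      0 203.0.113.20:80         198.51.100.7:51000      ESTABLISHED
tcp        0      0 203.0.113.20:80         198.51.100.7:51001      TIME_WAIT
tcp        0      0 203.0.113.20:22         192.0.2.99:50000        ESTABLISHED
tcp        0      0 127.0.0.1:80            127.0.0.1:33000         ESTABLISHED
EOF
}

sample_netstat | over_limit 2 | drop_rules
```

Unlike the pipeline in post #5, this skips the `netstat` header lines and counts only connections to port 80, so SSH sessions and loopback traffic never end up in the candidate list.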
     
  8. garse

    garse Registered

    thanks

    Thanks, it helps well.
     