garse

Registered
Dec 23, 2005
4
0
151
Hi guys.

Problem with httpd.
It doesn't starts or fails after 10 secconds from starting.
In my opinion there is dos attack on port 80

I have try mod_sequrity and mod_evasive but it doesn't helps.

this appairs at the and of the apache eror log file
04:04:08 2006] [notice] caught SIGTERM, shutting down

please help me to solve the problem.

George
 

OCX

Well-Known Member
Sep 20, 2003
232
0
166
do you have a firewall on your box?

if not..would be a good idea..


OCX
 

tweakservers

Well-Known Member
Mar 30, 2006
379
0
166
tried running nestats on your server to check if there are bunch of connections on the port 80. Install firewall such as APF to block the IP or you may manually drop it using iptables rules.
 

AndyReed

Well-Known Member
PartnerNOC
May 29, 2004
2,221
4
193
Minneapolis, MN
garse said:
In my opinion there is dos attack on port 80
What makes you say that your server is under DoS attack? What command did you use to reach that opinion?
If you are under heavy DoS/DDoS attack, none of the system based firewalls including APF and BFD will stop it. You'll have to have a hardware based firewall and I suggest you contact your DC and ask them.

I have try mod_sequrity and mod_evasive but it doesn't helps.
It depends on the rules and directives you use for these applications.

this appairs at the and of the apache eror log file
04:04:08 2006] [notice] caught SIGTERM, shutting down
How about the errors before this one? What are they?
 
Last edited:

garse

Registered
Dec 23, 2005
4
0
151
Hello.
Here is the list of ip addresses generated by netstat;

[email protected] [~]# netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr
71 85.114.225.137
32 85.114.253.147
30 213.200.24.18
21 85.114.246.205
20 212.72.155.150
20 212.72.154.211
14 212.72.153.123
13 85.114.229.119
12 85.114.252.233
12 85.114.247.31
12 213.157.216.238
11 85.114.224.159
11 213.157.207.131
9 85.117.53.200
9 85.117.52.157
9 85.114.225.233
8 85.117.42.219
8 85.114.248.9
8 85.114.224.207
7 85.117.52.33
7 62.168.163.95
7 213.184.224.3
6 85.117.43.199
6 85.114.251.159
6 213.157.216.218
5 88.210.198.179
5 85.21.19.110

I have tryed to deny some ip-s via APF but new hosts are comming.
APF antidos doesnt helps.

This is the end of the error log

[Sun Jun 4 15:25:07 2006] [error] server reached MaxClients setting, consider raising the MaxClients setting
[Sun Jun 4 15:28:49 2006] [notice] caught SIGTERM, shutting down
[Sun Jun 4 15:29:07 2006] [notice] mod_security/1.9.1 configured
[Sun Jun 4 15:29:07 2006] [notice] Apache/1.3.36 (Unix) PHP/5.1.4 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 configured -- resuming normal operations
[Sun Jun 4 15:29:07 2006] [notice] suEXEC mechanism enabled (wrapper: /usr/local/apache/bin/suexec)
[Sun Jun 4 15:29:07 2006] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Sun Jun 4 15:29:22 2006] [error] server reached MaxClients setting, consider raising the MaxClients setting
[Sun Jun 4 15:34:17 2006] [error] [client 213.157.207.113] client denied by server configuration: /home/topsite/public_html/banners/topsite.swf
[Sun Jun 4 15:34:17 2006] [error] [client 85.117.52.193] client denied by server configuration: /home/topsite/public_html/banners/topsite.swf
[Sun Jun 4 15:34:17 2006] [error] [client 213.157.207.113] client denied by server configuration: /home/topsite/public_html/banners/topsite.swf
[Sun Jun 4 15:34:18 2006] [error] [client 213.157.207.113] client denied by server configuration: /home/topsite/public_html/banners/topsite.swf
[Sun Jun 4 15:34:18 2006] [error] [client 213.157.207.113] client denied by server configuration: /home/topsite/public_html/banners/topsite.swf
[Sun Jun 4 15:34:18 2006] [error] [client 213.157.207.113] client denied by server configuration: /home/topsite/public_html/banners/topsite.swf
[Sun Jun 4 15:34:18 2006] [error] [client 213.157.207.113] client denied by server configuration: /home/topsite/public_html/banners/topsite.swf
[Sun Jun 4 15:34:18 2006] [error] [client 213.157.207.113] client denied by server configuration: /home/topsite/public_html/banners/topsite.swf
[Sun Jun 4 15:34:18 2006] [error] [client 213.157.207.113] client denied by server configuration: /home/topsite/public_html/banners/topsite.swf
[Sun Jun 4 15:34:18 2006] [error] [client 213.157.207.113] client denied by server configuration: /home/topsite/public_html/banners/topsite.swf
[Sun Jun 4 15:34:18 2006] [error] [client 213.157.207.113] client denied by server configuration: /home/topsite/public_html/banners/topsite.swf
[Sun Jun 4 15:34:18 2006] [error] [client 65.160.238.180] File does not exist: /home/inter/public_html/404.shtml
[Sun Jun 4 15:34:19 2006] [error] [client 88.210.204.127] client denied by server configuration: /home/topsite/public_html/banners/topsite.swf
[Sun Jun 4 15:34:19 2006] [error] [client 88.210.204.127] client denied by server configuration: /home/topsite/public_html/banners/topsite.swf
[Sun Jun 4 15:34:24 2006] [error] [client 213.157.207.113] client denied by server configuration: /home/topsite/public_html/banners/topsite.swf
[Sun Jun 4 15:34:41 2006] [error] [client 85.117.39.82] client denied by server configuration: /home/topsite/public_html/banners/topsite.swf
[Sun Jun 4 15:38:01 2006] [notice] caught SIGTERM, shutting down


and this is an access log

85.117.42.219 - - [04/Jun/2006:15:34:22 +0400] "-" 408 -
85.117.52.76 - - [04/Jun/2006:15:34:22 +0400] "-" 408 -
85.117.36.172 - - [04/Jun/2006:15:34:22 +0400] "-" 408 -
85.117.42.219 - - [04/Jun/2006:15:34:22 +0400] "-" 408 -
85.117.36.172 - - [04/Jun/2006:15:34:22 +0400] "-" 408 -
212.58.120.18 - - [04/Jun/2006:15:34:22 +0400] "-" 408 -
85.117.52.76 - - [04/Jun/2006:15:34:22 +0400] "-" 408 -
85.117.36.172 - - [04/Jun/2006:15:34:22 +0400] "-" 408 -
212.58.120.18 - - [04/Jun/2006:15:34:22 +0400] "-" 408 -
85.117.42.219 - - [04/Jun/2006:15:34:22 +0400] "-" 408 -
85.117.36.172 - - [04/Jun/2006:15:34:22 +0400] "-" 408 -
212.58.120.18 - - [04/Jun/2006:15:34:22 +0400] "-" 408 -
85.117.52.76 - - [04/Jun/2006:15:34:22 +0400] "-" 408 -
85.117.42.219 - - [04/Jun/2006:15:34:22 +0400] "-" 408 -
85.21.19.110 - - [04/Jun/2006:15:34:22 +0400] "-" 408 -
85.117.52.76 - - [04/Jun/2006:15:34:22 +0400] "-" 408 -
85.117.36.172 - - [04/Jun/2006:15:34:22 +0400] "-" 408 -
 
Last edited:

thehostinghut

Well-Known Member
Jan 5, 2005
232
0
166
There is a software solution that will block ip's when they have a certain amount of connections.

http://projects.medialayer.com/ddos.html

This may not be a 100% fix but if you are wanting to ban those ip automaticly this will do it for you. I have installed it and it does work. It will even send you an email when it does block and ip address.

I think you need APF installed for it to work though.

I hope this helps you.

Tracy
 

garse

Registered
Dec 23, 2005
4
0
151
thanks

thehostinghut said:
There is a software solution that will block ip's when they have a certain amount of connections.

http://projects.medialayer.com/ddos.html

This may not be a 100% fix but if you are wanting to ban those ip automaticly this will do it for you. I have installed it and it does work. It will even send you an email when it does block and ip address.

I think you need APF installed for it to work though.

I hope this helps you.

Tracy
Thanks, It helps well.