[BlueOnyx:13060] Re: Possible attack - Limited resources

Eric Peabody admin at bnserve.com
Sat May 18 08:05:02 -05 2013


Marcello,

You can limit the number of httpd processes by editing 
/etc/httpd/conf/httpd.conf.  Find the section for the prefork MPM 
configuration and change the line:

   ServerLimit      256

This line sets the max number of copies of apache that will be started.  
Set that to a lower number and restart httpd.  The number to choose 
depends on your RAM.

You can run, "tail -f /var/log/httpd/access_log 
/var/log/httpd/error_log" to watch what is happening.  If it looks 
malicious and if the malicious behavior is coming from a few IP 
addresses, you can block them using iptables.  This has instructions on 
how to do that: http://www.cyberciti.biz/faq/linux-iptables-drop/.  Be 
sure you do not block yourself!

If the problem is not caused by malicious behavior but by something like 
an overactive web crawler, you should consider turning on keep-alives.  
This will let a client reuse a connection for several requests rather 
than making a new connection for each request.  If you run, "netstat 
-na|grep TIME_WAIT|wc -l" and get a large number, turning on keep-alives 
will usually help.  (The TIME_WAIT state is used while a connection is 
closing.)

To turn on keep-alives, edit /etc/httpd/conf/httpd.conf and change 
"KeepAlive Off" to "KeepAlive On". I suggest also setting the timeout to 
a lower number, perhaps, "KeepAliveTimeout 5".  Once you have made your 
changes, restart httpd.

Good luck!

Eric Peabody


On 5/18/13 7:20 AM, Marcello Torchio wrote:
> Hi,
>
> I'm having trouble with my BO server.
>
> A few minutes ago one of my customers contacted me saying that his 
> website was down.
>
> I connected to the server through SSH and I was unable to restart httpd.
>
> There were 3 httpd processes "frozen".
>
> So I did kill -9 PID and restarted httpd.
>
> All works fine.
>
>
> The problem is that if I restart httpd all the memory (RAM) will be 
> completely used.
>
> Running top from the terminal shows that there are a lot of httpd 
> processes, responsible for that big RAM usage.
>
> Is there any kind of DoS attack?
>
> What can I do?
>
> Thanks
>
> Marcello
>
>
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx
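
As an added example (not part of the original messages), the check Eric describes, whether the load comes from a few IP addresses, can be scripted instead of read off tail -f. The function name heavy_clients, the 20% default threshold and the sample log lines are assumptions made for this illustration; the distinct-path count is only a hint, since a crawler usually walks many paths.

```shell
#!/bin/sh
# Added example: tally requests per client address in an Apache access log
# (common/combined format) and list addresses that make up at least MIN_PCT
# percent of all requests, with the number of distinct paths each requested.

# heavy_clients [LOGFILE|-] [MIN_PCT]   (hypothetical helper, default 20%)
# Output: "COUNT PERCENT DISTINCT_PATHS ADDRESS", busiest first.
heavy_clients() {
    awk -v min="${2:-20}" '
        NF >= 7 {                       # $1 = client address, $7 = path
            hits[$1]++; total++
            if (!(($1, $7) in seen)) { seen[$1, $7] = 1; paths[$1]++ }
        }
        END {
            for (ip in hits) {
                pct = hits[ip] * 100 / total
                if (pct >= min)
                    printf "%d %.0f %d %s\n", hits[ip], pct, paths[ip], ip
            }
        }' "${1:--}" | sort -k1,1nr -k4,4
}

# Constructed sample log lines (documentation address ranges, not real traffic).
sample_log() {
    cat <<'EOF'
203.0.113.10 - - [18/May/2013:07:10:01 -0500] "GET /index.php HTTP/1.1" 200 512
203.0.113.10 - - [18/May/2013:07:10:01 -0500] "GET /index.php HTTP/1.1" 200 512
198.51.100.7 - - [18/May/2013:07:10:02 -0500] "GET /about.html HTTP/1.1" 200 900
203.0.113.10 - - [18/May/2013:07:10:02 -0500] "GET /index.php HTTP/1.1" 200 512
203.0.113.10 - - [18/May/2013:07:10:03 -0500] "GET /index.php HTTP/1.1" 200 512
192.0.2.44 - - [18/May/2013:07:10:03 -0500] "GET /robots.txt HTTP/1.1" 404 210
203.0.113.10 - - [18/May/2013:07:10:04 -0500] "GET /index.php HTTP/1.1" 200 512
198.51.100.7 - - [18/May/2013:07:10:04 -0500] "GET /contact.html HTTP/1.1" 200 700
203.0.113.10 - - [18/May/2013:07:10:05 -0500] "GET /index.php HTTP/1.1" 200 512
203.0.113.10 - - [18/May/2013:07:10:05 -0500] "GET /index.php HTTP/1.1" 200 512
EOF
}

# Demo on the constructed sample; on the server, pass the access log path.
sample_log | heavy_clients - 20
```

On the server this would be run as heavy_clients /var/log/httpd/access_log. An empty result means no single address reaches the threshold, so blocking a handful of addresses with iptables is unlikely to help.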
