Mailing List Archive

Apache in under attack.
Hello,
On a CentOS web server with Apache, someone is making a lot of requests and it is slowing the server. When I disable the "httpd" service, the problem is solved. How can I find who made a lot of requests?
https://imgur.com/O33g3ql
Any idea to solve it?


Thank you.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: Apache in under attack. [ In reply to ]
On Mon, Jan 11, 2021 at 11:06:33PM +0000, Jason Long wrote:
> Hello,
> On a CentOS web server with Apache, someone is making a lot of requests and it is slowing the server. When I disable the "httpd" service, the problem is solved. How can I find who made a lot of requests?
> https://imgur.com/O33g3ql
> Any idea to solve it?

Look at the log file, probably /var/log/httpd/access_log

--
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256 https://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: https://www.phcomp.co.uk/Contact.html
#include <std_disclaimer.h>

Re: Apache in under attack. [ In reply to ]
You need to investigate your logs and find common patterns there. Also,
there are different tools to handle small and big workloads; for example,
you could use iptables/nftables to block based on patterns and number of
requests.

--
[ ]'s

Filipe Cifali Stangler
Re: Apache in under attack. [ In reply to ]
Thank you.
I see a lot of requests in "/var/log/httpd/access_log".
Re: Apache in under attack. [ In reply to ]
I used a rule like:

# firewall-cmd --permanent --zone="public" --add-rich-rule='rule port port="80" protocol="tcp" accept limit value="100/s" log prefix="HttpsLimit" level="warning" limit value="100/s"'

But it did not matter.
Re: Apache in under attack. [ In reply to ]
Yeah, it's probably not going to matter if you don't know what's attacking
you before setting up the rules. You need to find the patterns, either the
attack target or the attackers' origins.

--
[ ]'s

Filipe Cifali Stangler
Re: Apache in under attack. [ In reply to ]
How do I find the pattern?
The log shows me: https://paste.ubuntu.com/p/MjjVMvRrQc/
Re: Apache in under attack. [ In reply to ]
How to find pattern:
Look at log.
Find bad things that are similar.

Then:
Block bad things from reaching web server.

Re: Apache in under attack. [ In reply to ]
It is a lot of IP addresses!!!
Re: Apache in under attack. [ In reply to ]
Concentrate on just one...

Re: Apache in under attack. [ In reply to ]
Can you help me?
Re: Apache in under attack. [ In reply to ]
I just did. Look at the logs. What doesn't seem right?

Re: Apache in under attack. [ In reply to ]
Run this against your log file in a bash shell:

cat access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head

This will show you the most frequent IPs, sorted in descending order. Block as needed.

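Added example (not part of any message in this thread): the one-liner above counts requests per client address only. The script below applies the same counting to the other "patterns" the replies mention, the requested path, the /24 network, the minute and the user agent, and lists addresses that account for a given share of all requests. It assumes Apache's combined (or common) log format; the function names and the sample log lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: group Apache access-log requests by origin and by target.
# Assumes the "combined" (or "common") log format; all names are illustrative.

# Constructed sample log. Addresses come from documentation ranges
# (RFC 5737 / RFC 3849), not from the thread.
sample_log() {
cat <<'EOF'
203.0.113.7 - - [12/Jan/2021:02:40:01 +0330] "GET /login.php HTTP/1.1" 200 1520 "-" "python-requests/2.25.1"
203.0.113.7 - - [12/Jan/2021:02:40:01 +0330] "POST /login.php HTTP/1.1" 200 1520 "-" "python-requests/2.25.1"
203.0.113.7 - - [12/Jan/2021:02:40:02 +0330] "POST /login.php HTTP/1.1" 200 1520 "-" "python-requests/2.25.1"
203.0.113.7 - - [12/Jan/2021:02:40:02 +0330] "POST /login.php?x=1 HTTP/1.1" 200 1520 "-" "python-requests/2.25.1"
203.0.113.7 - - [12/Jan/2021:02:40:03 +0330] "POST /login.php HTTP/1.1" 200 1520 "-" "python-requests/2.25.1"
203.0.113.7 - - [12/Jan/2021:02:41:00 +0330] "POST /login.php HTTP/1.1" 200 1520 "-" "python-requests/2.25.1"
198.51.100.10 - - [12/Jan/2021:02:40:05 +0330] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.11 - - [12/Jan/2021:02:40:06 +0330] "GET /login.php HTTP/1.1" 200 1520 "-" "Mozilla/5.0"
198.51.100.12 - - [12/Jan/2021:02:41:07 +0330] "GET /login.php HTTP/1.1" 200 1520 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Jan/2021:02:41:10 +0330] "GET / HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
2001:db8::1 - - [12/Jan/2021:02:41:15 +0330] "-" 408 - "-" "-"
this line is not an access log entry
EOF
}

# top_by KEY [N]: read a log on stdin, print "count value" for the N most
# frequent values of KEY, where KEY is ip | net24 | path | minute | agent.
top_by() {
    key=$1
    limit=${2:-10}
    awk -v key="$key" '
    {
        # Split on double quotes: q[1] is everything before the request,
        # q[2] the request line, q[6] the user agent (combined format).
        n = split($0, q, "\"")
        if (n < 3) next                     # not an access-log line
        split(q[1], pre, " ")               # pre[1] client, pre[4] "[time"
        ip = pre[1]
        if (key == "ip") {
            k = ip
        } else if (key == "net24") {
            if (split(ip, o, /[.]/) != 4) next   # IPv6 or malformed: skip
            k = o[1] "." o[2] "." o[3] ".0/24"
        } else if (key == "path") {
            m = split(q[2], req, " ")       # method, URL, protocol
            k = (m >= 2) ? req[2] : "-"     # "-" is logged for empty requests
            sub(/\?.*/, "", k)              # ignore the query string
        } else if (key == "minute") {
            k = substr(pre[4], 2, 17)       # dd/Mon/yyyy:hh:mm
        } else if (key == "agent") {
            k = (n >= 6) ? q[6] : "-"
        } else {
            next
        }
        count[k]++
    }
    END { for (k in count) print count[k], k }' |
        sort -k1,1nr -k2,2 | head -n "$limit"
}

# heavy_hitters PCT: client addresses that sent at least PCT percent of all
# parsed requests. One dominant address can be blocked by address; an empty
# result points to many sources, where path, agent or network is the
# better thing to match on.
heavy_hitters() {
    awk -v pct="$1" '
    {
        n = split($0, q, "\"")
        if (n < 3) next
        split(q[1], pre, " ")
        c[pre[1]]++
        total++
    }
    END {
        for (ip in c)
            if (c[ip] * 100 >= pct * total) print c[ip], ip
    }' | sort -k1,1nr -k2,2
}

# Demo on the constructed sample. On a real server, feed the functions
# from the log instead, e.g.: top_by path 10 < /var/log/httpd/access_log
for k in ip net24 path minute agent; do
    echo "== top by $k"
    sample_log | top_by "$k" 3
done
echo "== addresses with >= 50% of requests"
sample_log | heavy_hitters 50
```
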
Re: Apache in under attack. [ In reply to ]
On 1/11/21 6:06 PM, Jason Long wrote:
> Hello,
> On a CentOS web server with Apache, someone is making a lot of requests and it is slowing the server. When I disable the "httpd" service, the problem is solved. How can I find who made a lot of requests?
> https://imgur.com/O33g3ql
> Any idea to solve it?
>
netstat (or ss) output?

Apache logs?



--
So many immigrant groups have swept through our town
that Brooklyn, like Atlantis, reaches mythological
proportions in the mind of the world - RI Safir 1998
http://www.mrbrklyn.com

DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
http://www.nylxs.com - Leadership Development in Free Software
http://www2.mrbrklyn.com/resources - Unpublished Archive
http://www.coinhangout.com - coins!
http://www.brooklyn-living.com

Being so tracked is for FARM ANIMALS and extermination camps,
but incompatible with living as a free human being. -RI Safir 2013

Re: Apache in under attack. [ In reply to ]
It shows me:

  13180 X.X.X.X
   1127 X.X.X.X
    346 X.X.X.X
    294 X.X.X.X
    241 X.X.X.X
    169 X.X.X.X
    168 X.X.X.X
    157 X.X.X.X
    155 X.X.X.X
    153 X.X.X.X
On Tuesday, January 12, 2021, 07:12:22 AM GMT+3:30, Bender, Charles <charles@beachcamera.com.invalid> wrote:





Run this against your log file in bash shell

cat access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head

This will show you most frequent IPs, sorted in descending order. Block as needed

?On 1/11/21, 7:11 PM, "Jason Long" <hack3rcon@yahoo.com.INVALID> wrote:

    Can you help me?
   
   
   
   
   
   
    On Tuesday, January 12, 2021, 03:36:30 AM GMT+3:30, Nick Folino <nick@folino.us> wrote:
   
   
   
   
   
    Concentrate on just one...
   
    On Mon, Jan 11, 2021 at 7:02 PM Jason Long <hack3rcon@yahoo.com.invalid> wrote:
    > It is a lot of IP addresses !!!
    >
    >
    >
    >
    >
    >
    > On Tuesday, January 12, 2021, 03:30:02 AM GMT+3:30, Nick Folino <nick@folino.us> wrote:
    >
    >
    >
    >
    >
    > How to find pattern:
    > Look at log.
    > Find bad things that are similar.
    >
    > Then:
    > Block bad things from reaching web server.
    >
    > On Mon, Jan 11, 2021 at 6:49 PM Jason Long <hack3rcon@yahoo.com.invalid> wrote:
    >> How to find pattern?
    >> Log show me: https://paste.ubuntu.com/p/MjjVMvRrQc/
    >>
    >>
    >>
    >>
    >>
    >>
    >> On Tuesday, January 12, 2021, 03:06:12 AM GMT+3:30, Filipe Cifali <cifali.filipe@gmail.com> wrote:
    >>
    >>
    >>
    >>
    >>
    >> Yeah it's probably not going to matter if you don't know what's attacking you before setting up the rules, you need to find the patterns, either the attack target or the attackers origins.
    >>
    >> On Mon, Jan 11, 2021 at 8:26 PM Jason Long <hack3rcon@yahoo.com.invalid> wrote:
    >>> I used a rule like:
    >>>
    >>> # firewall-cmd --permanent --zone="public" --add-rich-rule='rule port port="80" protocol="tcp" accept limit value="100/s" log prefix="HttpsLimit" level="warning" limit value="100/s"'
    >>>
    >>> But not matter.
    >>>
    >>>
    >>>
    >>>
    >>>
    >>>
    >>> On Tuesday, January 12, 2021, 02:47:01 AM GMT+3:30, Filipe Cifali <cifali.filipe@gmail.com> wrote:
    >>>
    >>>
    >>>
    >>>
    >>>
    >>> You need to investigate your logs and find common patterns there, also there are different tools to handle small and big workloads like you could use iptables/nftables to block based on patterns and number of requests.
    >>>
    >>> On Mon, Jan 11, 2021 at 8:06 PM Jason Long <hack3rcon@yahoo.com.invalid> wrote:
    >>>> Hello,
    >>>> On a CentOS web server with Apache, someone make a lot of request and it make slowing server. when I disable "httpd" service then problem solve. How can I find who made a lot of request?
    >>>> [url]https://imgur.com/O33g3ql[/url]
    >>>> Any idea to solve it?
    >>>>
    >>>>
    >>>> Thank you.
    >>>>
RE: Apache in under attack. [EXT] [ In reply to ]
Put a firewall rule in to block whatever that first IP address is then.

Something like:

firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='X.X.X.X' reject"

If you are seeing a current attack then you can tweak Charles' command line to:

tail -10000 access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head

or I often use cut instead of awk..

tail -10000 access.log | cut -d ' ' -f 1 | sort | uniq -c | sort -nr | head

-----Original Message-----
From: Jason Long <hack3rcon@yahoo.com.INVALID>
Sent: 12 January 2021 08:53
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache in under attack. [EXT]

It show me:

13180 X.X.X.X
   1127 X.X.X.X 
    346 X.X.X.X 
    294 X.X.X.X 
    241 X.X.X.X 
    169 X.X.X.X 
    168 X.X.X.X
    157 X.X.X.X
    155 X.X.X.X
    153 X.X.X.X








On Tuesday, January 12, 2021, 07:12:22 AM GMT+3:30, Bender, Charles <charles@beachcamera.com.invalid> wrote:





Run this against your log file in bash shell

cat access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head

This will show you most frequent IPs, sorted in descending order. Block as needed

On 1/11/21, 7:11 PM, "Jason Long" <hack3rcon@yahoo.com.INVALID> wrote:

    Can you help me?
   
   
   
   
   
   
    On Tuesday, January 12, 2021, 03:36:30 AM GMT+3:30, Nick Folino <nick@folino.us> wrote:
   
   
   
   
   
    Concentrate on just one...
   
    On Mon, Jan 11, 2021 at 7:02 PM Jason Long <hack3rcon@yahoo.com.invalid> wrote:
    > It is a lot of IP addresses !!!
    >
    >
    >
    >
    >
    >
    > On Tuesday, January 12, 2021, 03:30:02 AM GMT+3:30, Nick Folino <nick@folino.us> wrote:
    >
    >
    >
    >
    >
    > How to find pattern:
    > Look at log.
    > Find bad things that are similar.
    >
    > Then:
    > Block bad things from reaching web server.
    >
    > On Mon, Jan 11, 2021 at 6:49 PM Jason Long <hack3rcon@yahoo.com.invalid> wrote:
    >> How to find pattern?
    >> Log show me: https://urldefense.proofpoint.com/v2/url?u=https-3A__paste.ubuntu.com_p_MjjVMvRrQc_&d=DwIFaQ&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=oH2yp0ge1ecj4oDX0XM7vQ&m=3PjPryDoNL3lr2gh0F6gLkL-pFWSat8aihqbLnBMag8&s=iTeaVG53Ne-jiAhMis6h9nlKBdUrWXhIuky31GQhURE&e=
    >>
    >>
    >>
    >>
    >>
    >>
    >> On Tuesday, January 12, 2021, 03:06:12 AM GMT+3:30, Filipe Cifali <cifali.filipe@gmail.com> wrote:
    >>
    >>
    >>
    >>
    >>
    >> Yeah it's probably not going to matter if you don't know what's attacking you before setting up the rules, you need to find the patterns, either the attack target or the attackers origins.
    >>
    >> On Mon, Jan 11, 2021 at 8:26 PM Jason Long <hack3rcon@yahoo.com.invalid> wrote:
    >>> I used a rule like:
    >>>
    >>> # firewall-cmd --permanent --zone="public" --add-rich-rule='rule port port="80" protocol="tcp" accept limit value="100/s" log prefix="HttpsLimit" level="warning" limit value="100/s"'
    >>>
    >>> But not matter.
    >>>
    >>>
    >>>
    >>>
    >>>
    >>>
    >>> On Tuesday, January 12, 2021, 02:47:01 AM GMT+3:30, Filipe Cifali <cifali.filipe@gmail.com> wrote:
    >>>
    >>>
    >>>
    >>>
    >>>
    >>> You need to investigate your logs and find common patterns there, also there are different tools to handle small and big workloads like you could use iptables/nftables to block based on patterns and number of requests.
    >>>
    >>> On Mon, Jan 11, 2021 at 8:06 PM Jason Long <hack3rcon@yahoo.com.invalid> wrote:
    >>>> Hello,
    >>>> On a CentOS web server with Apache, someone make a lot of request and it make slowing server. when I disable "httpd" service then problem solve. How can I find who made a lot of request?
    >>>> [url]https://urldefense.proofpoint.com/v2/url?u=https-3A__imgur.com_O33g3ql-5B_url-5D&d=DwIFaQ&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=oH2yp0ge1ecj4oDX0XM7vQ&m=3PjPryDoNL3lr2gh0F6gLkL-pFWSat8aihqbLnBMag8&s=5Qu-cdmn037VIUfExtigktWPBBJ7lby836voIoSO_y0&e=
    >>>> Any idea to solve it?
    >>>>
    >>>>
    >>>> Thank you.
    >>>>




--
The Wellcome Sanger Institute is operated by Genome Research
Limited, a charity registered in England with number 1021457 and a
company registered in England with number 2742969, whose registered
office is 215 Euston Road, London, NW1 2BE.
RE: Apache in under attack. [EXT] [ In reply to ]
Jason,

I would also query why your processes are ~ 1G resident; that seems quite large for apache.

What modules do you have enabled - even with mod_perl embedded I would not want them to go about 500-800M depending on the size of your box.

I know Apache is very good at grabbing memory for each process - but it doesn't tend to hand it back - and just keeps it (just in case)

It looks like you either have a memory leak - or the code is collecting too much data before squirting it out

There are other setups that you may want to look at if you have large dynamic requests and a lot of small static request (images/css/js) where you run two web servers - one serving static content and proxying back to dynamic content.

James

-----Original Message-----
From: James Smith <js5@sanger.ac.uk>
Sent: 12 January 2021 09:09
To: users@httpd.apache.org
Subject: RE: [users@httpd] Apache in under attack. [EXT]

Put a firewall rule in to block whatever that first IP address is then.

Something like:

firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='X.X.X.X' reject"

If you are seeing a current attack then you can tweak Charles' command line to:

tail -10000 access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head

or I often use cut instead of awk..

tail -10000 access.log | cut -d ' ' -f 1 | sort | uniq -c | sort -nr | head

-----Original Message-----
From: Jason Long <hack3rcon@yahoo.com.INVALID>
Sent: 12 January 2021 08:53
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache in under attack. [EXT]

It show me:

13180 X.X.X.X
   1127 X.X.X.X
    346 X.X.X.X
    294 X.X.X.X
    241 X.X.X.X
    169 X.X.X.X
    168 X.X.X.X
    157 X.X.X.X
    155 X.X.X.X
    153 X.X.X.X








On Tuesday, January 12, 2021, 07:12:22 AM GMT+3:30, Bender, Charles <charles@beachcamera.com.invalid> wrote:





Run this against your log file in bash shell

cat access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head

This will show you most frequent IPs, sorted in descending order. Block as needed

On 1/11/21, 7:11 PM, "Jason Long" <hack3rcon@yahoo.com.INVALID> wrote:

    Can you help me?
   
   
   
   
   
   
    On Tuesday, January 12, 2021, 03:36:30 AM GMT+3:30, Nick Folino <nick@folino.us> wrote:
   
   
   
   
   
    Concentrate on just one...
   
    On Mon, Jan 11, 2021 at 7:02 PM Jason Long <hack3rcon@yahoo.com.invalid> wrote:
    > It is a lot of IP addresses !!!
    >
    >
    >
    >
    >
    >
    > On Tuesday, January 12, 2021, 03:30:02 AM GMT+3:30, Nick Folino <nick@folino.us> wrote:
    >
    >
    >
    >
    >
    > How to find pattern:
    > Look at log.
    > Find bad things that are similar.
    >
    > Then:
    > Block bad things from reaching web server.
    >
    > On Mon, Jan 11, 2021 at 6:49 PM Jason Long <hack3rcon@yahoo.com.invalid> wrote:
    >> How to find pattern?
    >> Log show me: https://urldefense.proofpoint.com/v2/url?u=https-3A__paste.ubuntu.com_p_MjjVMvRrQc_&d=DwIFaQ&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=oH2yp0ge1ecj4oDX0XM7vQ&m=3PjPryDoNL3lr2gh0F6gLkL-pFWSat8aihqbLnBMag8&s=iTeaVG53Ne-jiAhMis6h9nlKBdUrWXhIuky31GQhURE&e=
    >>
    >>
    >>
    >>
    >>
    >>
    >> On Tuesday, January 12, 2021, 03:06:12 AM GMT+3:30, Filipe Cifali <cifali.filipe@gmail.com> wrote:
    >>
    >>
    >>
    >>
    >>
    >> Yeah it's probably not going to matter if you don't know what's attacking you before setting up the rules, you need to find the patterns, either the attack target or the attackers origins.
    >>
    >> On Mon, Jan 11, 2021 at 8:26 PM Jason Long <hack3rcon@yahoo.com.invalid> wrote:
    >>> I used a rule like:
    >>>
    >>> # firewall-cmd --permanent --zone="public" --add-rich-rule='rule port port="80" protocol="tcp" accept limit value="100/s" log prefix="HttpsLimit" level="warning" limit value="100/s"'
    >>>
    >>> But not matter.
    >>>
    >>>
    >>>
    >>>
    >>>
    >>>
    >>> On Tuesday, January 12, 2021, 02:47:01 AM GMT+3:30, Filipe Cifali <cifali.filipe@gmail.com> wrote:
    >>>
    >>>
    >>>
    >>>
    >>>
    >>> You need to investigate your logs and find common patterns there, also there are different tools to handle small and big workloads like you could use iptables/nftables to block based on patterns and number of requests.
    >>>
    >>> On Mon, Jan 11, 2021 at 8:06 PM Jason Long <hack3rcon@yahoo.com.invalid> wrote:
    >>>> Hello,
    >>>> On a CentOS web server with Apache, someone make a lot of request and it make slowing server. when I disable "httpd" service then problem solve. How can I find who made a lot of request?
    >>>> [url]https://urldefense.proofpoint.com/v2/url?u=https-3A__imgur.com_O33g3ql-5B_url-5D&d=DwIFaQ&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=oH2yp0ge1ecj4oDX0XM7vQ&m=3PjPryDoNL3lr2gh0F6gLkL-pFWSat8aihqbLnBMag8&s=5Qu-cdmn037VIUfExtigktWPBBJ7lby836voIoSO_y0&e=
    >>>> Any idea to solve it?
    >>>>
    >>>>
    >>>> Thank you.
    >>>>
Re: Apache in under attack. [EXT] [ In reply to ]
Thank you, but can't "Firewalld" or "iptables" do it automatically? When an IP sends many requests, it is then automatically blocked.






On Tuesday, January 12, 2021, 12:49:50 PM GMT+3:30, James Smith <js5@sanger.ac.uk> wrote:





Jason,

I would also query why your processes are ~ 1G resident; that seems quite large for apache.

What modules do you have enabled - even with mod_perl embedded I would not want them to go about 500-800M depending on the size of your box.

I know Apache is very good at grabbing memory for each process - but it doesn't tend to hand it back - and just keeps it (just in case)

It looks like you either have a memory leak - or the code is collecting too much data before squirting it out

There are other setups that you may want to look at if you have large dynamic requests and a lot of small static request (images/css/js) where you run two web servers - one serving static content and proxying back to dynamic content.

James

-----Original Message-----
From: James Smith <js5@sanger.ac.uk>
Sent: 12 January 2021 09:09
To: users@httpd.apache.org
Subject: RE: [users@httpd] Apache in under attack. [EXT]

Put a firewall rule in to block whatever that first IP address is then.

Something like:

firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='X.X.X.X' reject"

If you are seeing a current attack then you can tweak Charles' command line to:

tail -10000 access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head

or I often use cut instead of awk..

tail -10000 access.log | cut -d ' ' -f 1 | sort | uniq -c | sort -nr | head

-----Original Message-----
From: Jason Long <hack3rcon@yahoo.com.INVALID>
Sent: 12 January 2021 08:53
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache in under attack. [EXT]

It show me:

13180 X.X.X.X
   1127 X.X.X.X
    346 X.X.X.X
    294 X.X.X.X
    241 X.X.X.X
    169 X.X.X.X
    168 X.X.X.X
    157 X.X.X.X
    155 X.X.X.X
    153 X.X.X.X








On Tuesday, January 12, 2021, 07:12:22 AM GMT+3:30, Bender, Charles <charles@beachcamera.com.invalid> wrote:





Run this against your log file in bash shell

cat access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head

This will show you most frequent IPs, sorted in descending order. Block as needed

On 1/11/21, 7:11 PM, "Jason Long" <hack3rcon@yahoo.com.INVALID> wrote:

    Can you help me?
   
   
   
   
   
   
    On Tuesday, January 12, 2021, 03:36:30 AM GMT+3:30, Nick Folino <nick@folino.us> wrote:
   
   
   
   
   
    Concentrate on just one...
   
    On Mon, Jan 11, 2021 at 7:02 PM Jason Long <hack3rcon@yahoo.com.invalid> wrote:
    > It is a lot of IP addresses !!!
    >
    >
    >
    >
    >
    >
    > On Tuesday, January 12, 2021, 03:30:02 AM GMT+3:30, Nick Folino <nick@folino.us> wrote:
    >
    >
    >
    >
    >
    > How to find pattern:
    > Look at log.
    > Find bad things that are similar.
    >
    > Then:
    > Block bad things from reaching web server.
    >
    > On Mon, Jan 11, 2021 at 6:49 PM Jason Long <hack3rcon@yahoo.com.invalid> wrote:
    >> How to find pattern?
    >> Log show me: https://urldefense.proofpoint.com/v2/url?u=https-3A__paste.ubuntu.com_p_MjjVMvRrQc_&d=DwIFaQ&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=oH2yp0ge1ecj4oDX0XM7vQ&m=3PjPryDoNL3lr2gh0F6gLkL-pFWSat8aihqbLnBMag8&s=iTeaVG53Ne-jiAhMis6h9nlKBdUrWXhIuky31GQhURE&e=
    >>
    >>
    >>
    >>
    >>
    >>
    >> On Tuesday, January 12, 2021, 03:06:12 AM GMT+3:30, Filipe Cifali <cifali.filipe@gmail.com> wrote:
    >>
    >>
    >>
    >>
    >>
    >> Yeah it's probably not going to matter if you don't know what's attacking you before setting up the rules, you need to find the patterns, either the attack target or the attackers origins.
    >>
    >> On Mon, Jan 11, 2021 at 8:26 PM Jason Long <hack3rcon@yahoo.com.invalid> wrote:
    >>> I used a rule like:
    >>>
    >>> # firewall-cmd --permanent --zone="public" --add-rich-rule='rule port port="80" protocol="tcp" accept limit value="100/s" log prefix="HttpsLimit" level="warning" limit value="100/s"'
    >>>
    >>> But not matter.
    >>>
    >>>
    >>>
    >>>
    >>>
    >>>
    >>> On Tuesday, January 12, 2021, 02:47:01 AM GMT+3:30, Filipe Cifali <cifali.filipe@gmail.com> wrote:
    >>>
    >>>
    >>>
    >>>
    >>>
    >>> You need to investigate your logs and find common patterns there, also there are different tools to handle small and big workloads like you could use iptables/nftables to block based on patterns and number of requests.
    >>>
    >>> On Mon, Jan 11, 2021 at 8:06 PM Jason Long <hack3rcon@yahoo.com.invalid> wrote:
    >>>> Hello,
    >>>> On a CentOS web server with Apache, someone make a lot of request and it make slowing server. when I disable "httpd" service then problem solve. How can I find who made a lot of request?
    >>>> [url]https://urldefense.proofpoint.com/v2/url?u=https-3A__imgur.com_O33g3ql-5B_url-5D&d=DwIFaQ&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=oH2yp0ge1ecj4oDX0XM7vQ&m=3PjPryDoNL3lr2gh0F6gLkL-pFWSat8aihqbLnBMag8&s=5Qu-cdmn037VIUfExtigktWPBBJ7lby836voIoSO_y0&e=
    >>>> Any idea to solve it?
    >>>>
    >>>>
    >>>> Thank you.
    >>>>




--
The Wellcome Sanger Institute is operated by Genome Research
Limited, a charity registered in England with number 1021457 and a
company registered in England with number 2742969, whose registered
office is 215 Euston Road, London, NW1 2BE.
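
An added example (not written by any poster in this thread) that automates the count-then-block step discussed above: it counts clients in the last N access-log lines, as the `tail | awk | sort | uniq -c` pipeline does, and prints a temporary firewalld reject rule for each IPv4 client at or over a threshold. The function names, threshold, allowlist and sample log are constructed assumptions; `--timeout` replaces `--permanent` so that a mistaken block expires on its own.

```shell
#!/bin/sh
# Added example: threshold-based blocking built on the thread's
# "tail | awk | sort | uniq -c" count. Dry run: it prints firewall-cmd
# lines for review and never changes the firewall itself.

# emit CLIENT COUNT: print COUNT constructed access-log lines for CLIENT.
emit() {
    awk -v c="$1" -v n="$2" 'BEGIN {
        for (i = 0; i < n; i++)
            printf "%s - - [12/Jan/2021:09:00:%02d +0000] \"GET / HTTP/1.1\" 200 512\n", c, i % 60
    }'
}

# Constructed sample log (documentation addresses, not real traffic).
make_sample_log() {
    emit 192.0.2.10 40           # heavy client
    emit 203.0.113.5 30          # assumed to be our own monitoring host
    emit 198.51.100.7 25         # second heavy client
    emit 198.51.100.99 3         # ordinary visitor
    emit crawler.example.net 50  # hostname in field 1 (HostnameLookups On)
    emit 999.1.1.1 20            # malformed field, must never reach a rule
}

# offenders LOGFILE MIN_REQUESTS [LAST_N_LINES] [ALLOWLIST_CSV]
# Prints "COUNT IP", busiest first, for clients with at least MIN_REQUESTS
# hits in the last N lines. Allowlisted clients are skipped, and only valid
# dotted-quad IPv4 literals are reported: hostnames, IPv6 and malformed
# fields are left for manual review instead of being fed to the firewall.
offenders() {
    tail -n "${3:-10000}" "$1" |
    awk -v min="$2" -v allow="${4:-}" '
        BEGIN { n = split(allow, a, ","); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        { hits[$1]++ }
        END {
            for (ip in hits) {
                if (hits[ip] < min || (ip in skip)) continue
                if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) continue
                split(ip, o, "."); ok = 1
                for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) ok = 0
                if (ok) print hits[ip], ip
            }
        }' |
    LC_ALL=C sort -k1,1nr -k2,2
}

# block_commands [TIMEOUT_SECONDS]: read "COUNT IP" lines and print one
# runtime (non-permanent) reject rule per IP that expires after the timeout.
block_commands() {
    while read -r _count ip; do
        printf "firewall-cmd --add-rich-rule=\"rule family='ipv4' source address='%s' reject\" --timeout=%s\n" \
            "$ip" "${1:-600}"
    done
}

# Demo on the constructed log: threshold 20, allowlist the monitoring host.
sample=$(mktemp)
make_sample_log > "$sample"
offenders "$sample" 20 10000 203.0.113.5 | block_commands 600
rm -f "$sample"
```

Review the printed lines before running them as root. The rules are runtime-only, so they disappear when the timeout expires or on `firewall-cmd --reload`.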
Re: Apache in under attack. [ In reply to ]
Apache configuration is:
https://paste.ubuntu.com/p/RTC2WWMdYH/

And "www.conf" is:
https://paste.ubuntu.com/p/S9q5Kwpfcc/

And other settings:
https://paste.ubuntu.com/p/NydSyZghJ8/

Which one is not OK?







On Tuesday, January 12, 2021, 12:23:52 PM GMT+3:30, Jason Long <hack3rcon@yahoo.com.invalid> wrote:





It show me:

13180 X.X.X.X
   1127 X.X.X.X 
    346 X.X.X.X 
    294 X.X.X.X 
    241 X.X.X.X 
    169 X.X.X.X 
    168 X.X.X.X
    157 X.X.X.X
    155 X.X.X.X
    153 X.X.X.X








On Tuesday, January 12, 2021, 07:12:22 AM GMT+3:30, Bender, Charles <charles@beachcamera.com.invalid> wrote:





Run this against your log file in bash shell

cat access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head

This will show you most frequent IPs, sorted in descending order. Block as needed

On 1/11/21, 7:11 PM, "Jason Long" <hack3rcon@yahoo.com.INVALID> wrote:

    Can you help me?
   
   
   
   
   
   
    On Tuesday, January 12, 2021, 03:36:30 AM GMT+3:30, Nick Folino <nick@folino.us> wrote:
   
   
   
   
   
    Concentrate on just one...
   
    On Mon, Jan 11, 2021 at 7:02 PM Jason Long <hack3rcon@yahoo.com.invalid> wrote:
    > It is a lot of IP addresses !!!
    >
    >
    >
    >
    >
    >
    > On Tuesday, January 12, 2021, 03:30:02 AM GMT+3:30, Nick Folino <nick@folino.us> wrote:
    >
    >
    >
    >
    >
    > How to find pattern:
    > Look at log.
    > Find bad things that are similar.
    >
    > Then:
    > Block bad things from reaching web server.
    >
    > On Mon, Jan 11, 2021 at 6:49 PM Jason Long <hack3rcon@yahoo.com.invalid> wrote:
    >> How to find pattern?
    >> Log show me: https://paste.ubuntu.com/p/MjjVMvRrQc/
    >>
    >>
    >>
    >>
    >>
    >>
    >> On Tuesday, January 12, 2021, 03:06:12 AM GMT+3:30, Filipe Cifali <cifali.filipe@gmail.com> wrote:
    >>
    >>
    >>
    >>
    >>
    >> Yeah it's probably not going to matter if you don't know what's attacking you before setting up the rules, you need to find the patterns, either the attack target or the attackers origins.
    >>
    >> On Mon, Jan 11, 2021 at 8:26 PM Jason Long <hack3rcon@yahoo.com.invalid> wrote:
    >>> I used a rule like:
    >>>
    >>> # firewall-cmd --permanent --zone="public" --add-rich-rule='rule port port="80" protocol="tcp" accept limit value="100/s" log prefix="HttpsLimit" level="warning" limit value="100/s"'
    >>>
    >>> But not matter.
    >>>
    >>>
    >>>
    >>>
    >>>
    >>>
    >>> On Tuesday, January 12, 2021, 02:47:01 AM GMT+3:30, Filipe Cifali <cifali.filipe@gmail.com> wrote:
    >>>
    >>>
    >>>
    >>>
    >>>
    >>> You need to investigate your logs and find common patterns there, also there are different tools to handle small and big workloads like you could use iptables/nftables to block based on patterns and number of requests.
    >>>
    >>> On Mon, Jan 11, 2021 at 8:06 PM Jason Long <hack3rcon@yahoo.com.invalid> wrote:
    >>>> Hello,
    >>>> On a CentOS web server with Apache, someone make a lot of request and it make slowing server. when I disable "httpd" service then problem solve. How can I find who made a lot of request?
    >>>> [url]https://imgur.com/O33g3ql[/url]
    >>>> Any idea to solve it?
    >>>>
    >>>>
    >>>> Thank you.
    >>>>
RE: Apache in under attack. [EXT] [ In reply to ]
Can't see anything that should blow up like that to be honest - I usually use ubuntu - which configures apache in a much, much nicer way {generally for web development stuff it is a better flavour of linux}

What is the output of:

apache2 -t -D DUMP_MODULES

to see what modules you have installed

-----Original Message-----
From: Jason Long <hack3rcon@yahoo.com.INVALID>
Sent: 12 January 2021 09:43
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache in under attack. [EXT]

Apache configuration is:
https://urldefense.proofpoint.com/v2/url?u=https-3A__paste.ubuntu.com_p_RTC2WWMdYH_&d=DwIFaQ&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=oH2yp0ge1ecj4oDX0XM7vQ&m=lEeMNZprno3dAD_-vQP5HrFJEcj8DIYk1YvwqbfSOoI&s=vfUjay2MefOK73RFk6G5pssz7eGw-Ob55yOQx481hqg&e=

And "www.conf" is:
https://urldefense.proofpoint.com/v2/url?u=https-3A__paste.ubuntu.com_p_S9q5Kwpfcc_&d=DwIFaQ&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=oH2yp0ge1ecj4oDX0XM7vQ&m=lEeMNZprno3dAD_-vQP5HrFJEcj8DIYk1YvwqbfSOoI&s=uApEZIkpUO0y48_zhQm_bX5ZxjS3vNu6KeVj7i2HsxY&e=

And other settings:
https://urldefense.proofpoint.com/v2/url?u=https-3A__paste.ubuntu.com_p_NydSyZghJ8_&d=DwIFaQ&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=oH2yp0ge1ecj4oDX0XM7vQ&m=lEeMNZprno3dAD_-vQP5HrFJEcj8DIYk1YvwqbfSOoI&s=hCmp9X0YJvHspWfZjumxg71LTaVemwxCOZWIO7TZBbU&e=

Which one is not OK?







On Tuesday, January 12, 2021, 12:23:52 PM GMT+3:30, Jason Long <hack3rcon@yahoo.com.invalid> wrote:





It show me:

13180 X.X.X.X
   1127 X.X.X.X 
    346 X.X.X.X 
    294 X.X.X.X 
    241 X.X.X.X 
    169 X.X.X.X 
    168 X.X.X.X
    157 X.X.X.X
    155 X.X.X.X
    153 X.X.X.X








On Tuesday, January 12, 2021, 07:12:22 AM GMT+3:30, Bender, Charles <charles@beachcamera.com.invalid> wrote:





Run this against your log file in bash shell

cat access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head

This will show you most frequent IPs, sorted in descending order. Block as needed

On 1/11/21, 7:11 PM, "Jason Long" <hack3rcon@yahoo.com.INVALID> wrote:

    Can you help me?
   
   
   
   
   
   
    On Tuesday, January 12, 2021, 03:36:30 AM GMT+3:30, Nick Folino <nick@folino.us> wrote:
   
   
   
   
   
    Concentrate on just one...
   
    On Mon, Jan 11, 2021 at 7:02 PM Jason Long <hack3rcon@yahoo.com.invalid> wrote:
    > It is a lot of IP addresses !!!
    >
    >
    >
    >
    >
    >
    > On Tuesday, January 12, 2021, 03:30:02 AM GMT+3:30, Nick Folino <nick@folino.us> wrote:
    >
    >
    >
    >
    >
    > How to find pattern:
    > Look at log.
    > Find bad things that are similar.
    >
    > Then:
    > Block bad things from reaching web server.
    >
    > On Mon, Jan 11, 2021 at 6:49 PM Jason Long <hack3rcon@yahoo.com.invalid> wrote:
    >> How to find pattern?
    >> Log show me: https://urldefense.proofpoint.com/v2/url?u=https-3A__paste.ubuntu.com_p_MjjVMvRrQc_&d=DwIFaQ&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=oH2yp0ge1ecj4oDX0XM7vQ&m=lEeMNZprno3dAD_-vQP5HrFJEcj8DIYk1YvwqbfSOoI&s=pLIjlRP7JUm_jEPmNULbyhTpZMfuLrh5r0lK7t7Wn7g&e=
    >>
    >>
    >>
    >>
    >>
    >>
    >> On Tuesday, January 12, 2021, 03:06:12 AM GMT+3:30, Filipe Cifali <cifali.filipe@gmail.com> wrote:
    >>
    >>
    >>
    >>
    >>
    >> Yeah it's probably not going to matter if you don't know what's attacking you before setting up the rules, you need to find the patterns, either the attack target or the attackers origins.
    >>
    >> On Mon, Jan 11, 2021 at 8:26 PM Jason Long <hack3rcon@yahoo.com.invalid> wrote:
    >>> I used a rule like:
    >>>
    >>> # firewall-cmd --permanent --zone="public" --add-rich-rule='rule port port="80" protocol="tcp" accept limit value="100/s" log prefix="HttpsLimit" level="warning" limit value="100/s"'
    >>>
    >>> But not matter.
    >>>
    >>>
    >>>
    >>>
    >>>
    >>>
    >>> On Tuesday, January 12, 2021, 02:47:01 AM GMT+3:30, Filipe Cifali <cifali.filipe@gmail.com> wrote:
    >>>
    >>>
    >>>
    >>>
    >>>
    >>> You need to investigate your logs and find common patterns there, also there are different tools to handle small and big workloads like you could use iptables/nftables to block based on patterns and number of requests.
    >>>
    >>> On Mon, Jan 11, 2021 at 8:06 PM Jason Long <hack3rcon@yahoo.com.invalid> wrote:
    >>>> Hello,
    >>>> On a CentOS web server with Apache, someone make a lot of request and it make slowing server. when I disable "httpd" service then problem solve. How can I find who made a lot of request?
    >>>> [url]https://urldefense.proofpoint.com/v2/url?u=https-3A__imgur.com_O33g3ql-5B_url-5D&d=DwIFaQ&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=oH2yp0ge1ecj4oDX0XM7vQ&m=lEeMNZprno3dAD_-vQP5HrFJEcj8DIYk1YvwqbfSOoI&s=xhD5gmWVf2E5_eScXEzWEDDLoztUMgj7kLGoHVJREIE&e=
    >>>> Any idea to solve it?
    >>>>
    >>>>
    >>>> Thank you.
    >>> --
    >>> [ ]'s
    >>>
    >>> Filipe Cifali Stangler

    >> --
    >> [ ]'s
    >>
    >> Filipe Cifali Stangler





--
The Wellcome Sanger Institute is operated by Genome Research
Limited, a charity registered in England with number 1021457 and a
company registered in England with number 2742969, whose registered
office is 215 Euston Road, London, NW1 2BE.
RE: Apache in under attack. [EXT] [ In reply to ]
Rate limiting may work - but the rate may be just slightly too slow for your setting - manually doing it is a good thing ...

-----Original Message-----
From: Jason Long <hack3rcon@yahoo.com.INVALID>
Sent: 12 January 2021 09:21
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache in under attack. [EXT]

Thank you, but can't "Firewalld" or "iptables" do it automatically? When an IP sends many requests, then it is automatically blocked.






On Tuesday, January 12, 2021, 12:49:50 PM GMT+3:30, James Smith <js5@sanger.ac.uk> wrote:





Jason,

I would also query why your processes are ~1G resident - that seems quite large for Apache.

What modules do you have enabled - even with mod_perl embedded I would not want them to go above 500-800M depending on the size of your box.

I know Apache is very good at grabbing memory for each process - but it doesn't tend to hand it back - and just keeps it (just in case).

It looks like you either have a memory leak - or the code is collecting too much data before squirting it out.

There are other setups that you may want to look at if you have large dynamic requests and a lot of small static requests (images/css/js) where you run two web servers - one serving static content and proxying back to dynamic content.

James

-----Original Message-----
From: James Smith <js5@sanger.ac.uk>
Sent: 12 January 2021 09:09
To: users@httpd.apache.org
Subject: RE: [users@httpd] Apache in under attack. [EXT]

Put a firewall rule in to block whatever that first IP address is then.

Something like:

firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='X.X.X.X' reject"

If you are seeing a current attack then you can tweak Charles' command line to:

tail -10000 access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head

or I often use cut instead of awk..

tail -10000 access.log | cut -d ' ' -f 1 | sort | uniq -c | sort -nr | head

-----Original Message-----
From: Jason Long <hack3rcon@yahoo.com.INVALID>
Sent: 12 January 2021 08:53
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache in under attack. [EXT]

It shows me:

13180 X.X.X.X
   1127 X.X.X.X
    346 X.X.X.X
    294 X.X.X.X
    241 X.X.X.X
    169 X.X.X.X
    168 X.X.X.X
    157 X.X.X.X
    155 X.X.X.X
    153 X.X.X.X








On Tuesday, January 12, 2021, 07:12:22 AM GMT+3:30, Bender, Charles <charles@beachcamera.com.invalid> wrote:





Run this against your log file in bash shell

cat access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head

This will show you most frequent IPs, sorted in descending order. Block as needed

On 1/11/21, 7:11 PM, "Jason Long" <hack3rcon@yahoo.com.INVALID> wrote:

    Can you help me?
   
   
   
   
   
   
    On Tuesday, January 12, 2021, 03:36:30 AM GMT+3:30, Nick Folino <nick@folino.us> wrote:
   
   
   
   
   
    Concentrate on just one...
   
    On Mon, Jan 11, 2021 at 7:02 PM Jason Long <hack3rcon@yahoo.com.invalid> wrote:
    > It is a lot of IP addresses !!!
    >
    >
    >
    >
    >
    >
    > On Tuesday, January 12, 2021, 03:30:02 AM GMT+3:30, Nick Folino <nick@folino.us> wrote:
    >
    >
    >
    >
    >
    > How to find pattern:
    > Look at log.
    > Find bad things that are similar.
    >
    > Then:
    > Block bad things from reaching web server.
    >
    > On Mon, Jan 11, 2021 at 6:49 PM Jason Long <hack3rcon@yahoo.com.invalid> wrote:
    >> How to find pattern?
    >> Log show me: https://urldefense.proofpoint.com/v2/url?u=https-3A__paste.ubuntu.com_p_MjjVMvRrQc_&d=DwIFaQ&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=oH2yp0ge1ecj4oDX0XM7vQ&m=3PjPryDoNL3lr2gh0F6gLkL-pFWSat8aihqbLnBMag8&s=iTeaVG53Ne-jiAhMis6h9nlKBdUrWXhIuky31GQhURE&e=
    >>
    >>
    >>
    >>
    >>
    >>
    >> On Tuesday, January 12, 2021, 03:06:12 AM GMT+3:30, Filipe Cifali <cifali.filipe@gmail.com> wrote:
    >>
    >>
    >>
    >>
    >>
    >> Yeah it's probably not going to matter if you don't know what's attacking you before setting up the rules, you need to find the patterns, either the attack target or the attackers origins.
    >>
    >> On Mon, Jan 11, 2021 at 8:26 PM Jason Long <hack3rcon@yahoo.com.invalid> wrote:
    >>> I used a rule like:
    >>>
    >>> # firewall-cmd --permanent --zone="public" --add-rich-rule='rule port port="80" protocol="tcp" accept limit value="100/s" log prefix="HttpsLimit" level="warning" limit value="100/s"'
    >>>
    >>> But not matter.
    >>>
    >>>
    >>>
    >>>
    >>>
    >>>
    >>> On Tuesday, January 12, 2021, 02:47:01 AM GMT+3:30, Filipe Cifali <cifali.filipe@gmail.com> wrote:
    >>>
    >>>
    >>>
    >>>
    >>>
    >>> You need to investigate your logs and find common patterns there, also there are different tools to handle small and big workloads like you could use iptables/nftables to block based on patterns and number of requests.
    >>>
    >>> On Mon, Jan 11, 2021 at 8:06 PM Jason Long <hack3rcon@yahoo.com.invalid> wrote:
    >>>> Hello,
    >>>> On a CentOS web server with Apache, someone make a lot of request and it make slowing server. when I disable "httpd" service then problem solve. How can I find who made a lot of request?
    >>>> [url]https://urldefense.proofpoint.com/v2/url?u=https-3A__imgur.com_O33g3ql-5B_url-5D&d=DwIFaQ&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=oH2yp0ge1ecj4oDX0XM7vQ&m=3PjPryDoNL3lr2gh0F6gLkL-pFWSat8aihqbLnBMag8&s=5Qu-cdmn037VIUfExtigktWPBBJ7lby836voIoSO_y0&e=
    >>>> Any idea to solve it?
    >>>>
    >>>>
    >>>> Thank you.
    >>> --
    >>> [ ]'s
    >>>
    >>> Filipe Cifali Stangler
    >> --
    >> [ ]'s
    >>
    >> Filipe Cifali Stangler

--
The Wellcome Sanger Institute is operated by Genome Research
Limited, a charity registered in England with number 1021457 and a
company registered in England with number 2742969, whose registered
office is 215 Euston Road, London, NW1 2BE.
Re: Apache in under attack. [EXT] [ In reply to ]
Modules are:
https://paste.ubuntu.com/p/DJSWpSP7xZ/






On Tuesday, January 12, 2021, 01:26:48 PM GMT+3:30, James Smith <js5@sanger.ac.uk> wrote:





Can't see anything that should blow up like that to be honest - I usually use ubuntu - which configures apache in a much, much nicer way {generally for web development stuff it is a better flavour of linux}

What is the output of:

apache2 -t -D DUMP_MODULES

to see what modules you have installed

-----Original Message-----
From: Jason Long <hack3rcon@yahoo.com.INVALID>
Sent: 12 January 2021 09:43
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache in under attack. [EXT]

Apache configuration is:
https://urldefense.proofpoint.com/v2/url?u=https-3A__paste.ubuntu.com_p_RTC2WWMdYH_&d=DwIFaQ&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=oH2yp0ge1ecj4oDX0XM7vQ&m=lEeMNZprno3dAD_-vQP5HrFJEcj8DIYk1YvwqbfSOoI&s=vfUjay2MefOK73RFk6G5pssz7eGw-Ob55yOQx481hqg&e=

And "www.conf" is:
https://urldefense.proofpoint.com/v2/url?u=https-3A__paste.ubuntu.com_p_S9q5Kwpfcc_&d=DwIFaQ&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=oH2yp0ge1ecj4oDX0XM7vQ&m=lEeMNZprno3dAD_-vQP5HrFJEcj8DIYk1YvwqbfSOoI&s=uApEZIkpUO0y48_zhQm_bX5ZxjS3vNu6KeVj7i2HsxY&e=

And other settings:
https://urldefense.proofpoint.com/v2/url?u=https-3A__paste.ubuntu.com_p_NydSyZghJ8_&d=DwIFaQ&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=oH2yp0ge1ecj4oDX0XM7vQ&m=lEeMNZprno3dAD_-vQP5HrFJEcj8DIYk1YvwqbfSOoI&s=hCmp9X0YJvHspWfZjumxg71LTaVemwxCOZWIO7TZBbU&e=

Which one is not OK?







On Tuesday, January 12, 2021, 12:23:52 PM GMT+3:30, Jason Long <hack3rcon@yahoo.com.invalid> wrote:





It shows me:

13180 X.X.X.X
   1127 X.X.X.X 
    346 X.X.X.X 
    294 X.X.X.X 
    241 X.X.X.X 
    169 X.X.X.X 
    168 X.X.X.X
    157 X.X.X.X
    155 X.X.X.X
    153 X.X.X.X








On Tuesday, January 12, 2021, 07:12:22 AM GMT+3:30, Bender, Charles <charles@beachcamera.com.invalid> wrote:





Run this against your log file in bash shell

cat access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head

This will show you most frequent IPs, sorted in descending order. Block as needed

On 1/11/21, 7:11 PM, "Jason Long" <hack3rcon@yahoo.com.INVALID> wrote:

    Can you help me?
   
   
   
   
   
   
    On Tuesday, January 12, 2021, 03:36:30 AM GMT+3:30, Nick Folino <nick@folino.us> wrote:
   
   
   
   
   
    Concentrate on just one...
   
    On Mon, Jan 11, 2021 at 7:02 PM Jason Long <hack3rcon@yahoo.com.invalid> wrote:
    > It is a lot of IP addresses !!!
    >
    >
    >
    >
    >
    >
    > On Tuesday, January 12, 2021, 03:30:02 AM GMT+3:30, Nick Folino <nick@folino.us> wrote:
    >
    >
    >
    >
    >
    > How to find pattern:
    > Look at log.
    > Find bad things that are similar.
    >
    > Then:
    > Block bad things from reaching web server.
    >
    > On Mon, Jan 11, 2021 at 6:49 PM Jason Long <hack3rcon@yahoo.com.invalid> wrote:
    >> How to find pattern?
    >> Log show me: https://urldefense.proofpoint.com/v2/url?u=https-3A__paste.ubuntu.com_p_MjjVMvRrQc_&d=DwIFaQ&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=oH2yp0ge1ecj4oDX0XM7vQ&m=lEeMNZprno3dAD_-vQP5HrFJEcj8DIYk1YvwqbfSOoI&s=pLIjlRP7JUm_jEPmNULbyhTpZMfuLrh5r0lK7t7Wn7g&e=
    >>
    >>
    >>
    >>
    >>
    >>
    >> On Tuesday, January 12, 2021, 03:06:12 AM GMT+3:30, Filipe Cifali <cifali.filipe@gmail.com> wrote:
    >>
    >>
    >>
    >>
    >>
    >> Yeah it's probably not going to matter if you don't know what's attacking you before setting up the rules, you need to find the patterns, either the attack target or the attackers origins.
    >>
    >> On Mon, Jan 11, 2021 at 8:26 PM Jason Long <hack3rcon@yahoo.com.invalid> wrote:
    >>> I used a rule like:
    >>>
    >>> # firewall-cmd --permanent --zone="public" --add-rich-rule='rule port port="80" protocol="tcp" accept limit value="100/s" log prefix="HttpsLimit" level="warning" limit value="100/s"'
    >>>
    >>> But not matter.
    >>>
    >>>
    >>>
    >>>
    >>>
    >>>
    >>> On Tuesday, January 12, 2021, 02:47:01 AM GMT+3:30, Filipe Cifali <cifali.filipe@gmail.com> wrote:
    >>>
    >>>
    >>>
    >>>
    >>>
    >>> You need to investigate your logs and find common patterns there, also there are different tools to handle small and big workloads like you could use iptables/nftables to block based on patterns and number of requests.
    >>>
    >>> On Mon, Jan 11, 2021 at 8:06 PM Jason Long <hack3rcon@yahoo.com.invalid> wrote:
    >>>> Hello,
    >>>> On a CentOS web server with Apache, someone make a lot of request and it make slowing server. when I disable "httpd" service then problem solve. How can I find who made a lot of request?
    >>>> [url]https://urldefense.proofpoint.com/v2/url?u=https-3A__imgur.com_O33g3ql-5B_url-5D&d=DwIFaQ&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=oH2yp0ge1ecj4oDX0XM7vQ&m=lEeMNZprno3dAD_-vQP5HrFJEcj8DIYk1YvwqbfSOoI&s=xhD5gmWVf2E5_eScXEzWEDDLoztUMgj7kLGoHVJREIE&e=
    >>>> Any idea to solve it?
    >>>>
    >>>>
    >>>> Thank you.
    >>> --
    >>> [ ]'s
    >>>
    >>> Filipe Cifali Stangler

    >> --
    >> [ ]'s
    >>
    >> Filipe Cifali Stangler

Re: Apache in under attack. [EXT] [ In reply to ]
System administrators doing it manually???






On Tuesday, January 12, 2021, 01:28:50 PM GMT+3:30, James Smith <js5@sanger.ac.uk> wrote:





Rate limiting may work - but the rate may be just slightly too slow for your setting - manually doing it is a good thing ...

-----Original Message-----
From: Jason Long <hack3rcon@yahoo.com.INVALID>
Sent: 12 January 2021 09:21
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache in under attack. [EXT]

Thank you, but can't "Firewalld" or "iptables" do it automatically? When an IP sends many requests, then it is automatically blocked.






On Tuesday, January 12, 2021, 12:49:50 PM GMT+3:30, James Smith <js5@sanger.ac.uk> wrote:





Jason,

I would also query why your processes are ~1G resident - that seems quite large for Apache.

What modules do you have enabled - even with mod_perl embedded I would not want them to go above 500-800M depending on the size of your box.

I know Apache is very good at grabbing memory for each process - but it doesn't tend to hand it back - and just keeps it (just in case).

It looks like you either have a memory leak - or the code is collecting too much data before squirting it out.

There are other setups that you may want to look at if you have large dynamic requests and a lot of small static requests (images/css/js) where you run two web servers - one serving static content and proxying back to dynamic content.

James

-----Original Message-----
From: James Smith <js5@sanger.ac.uk>
Sent: 12 January 2021 09:09
To: users@httpd.apache.org
Subject: RE: [users@httpd] Apache in under attack. [EXT]

Put a firewall rule in to block whatever that first IP address is then.

Something like:

firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='X.X.X.X' reject"

If you are seeing a current attack then you can tweak Charles' command line to:

tail -10000 access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head

or I often use cut instead of awk..

tail -10000 access.log | cut -d ' ' -f 1 | sort | uniq -c | sort -nr | head

-----Original Message-----
From: Jason Long <hack3rcon@yahoo.com.INVALID>
Sent: 12 January 2021 08:53
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache in under attack. [EXT]

It shows me:

13180 X.X.X.X
   1127 X.X.X.X
    346 X.X.X.X
    294 X.X.X.X
    241 X.X.X.X
    169 X.X.X.X
    168 X.X.X.X
    157 X.X.X.X
    155 X.X.X.X
    153 X.X.X.X








On Tuesday, January 12, 2021, 07:12:22 AM GMT+3:30, Bender, Charles <charles@beachcamera.com.invalid> wrote:





Run this against your log file in bash shell

cat access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head

This will show you most frequent IPs, sorted in descending order. Block as needed

On 1/11/21, 7:11 PM, "Jason Long" <hack3rcon@yahoo.com.INVALID> wrote:

    Can you help me?
   
   
   
   
   
   
    On Tuesday, January 12, 2021, 03:36:30 AM GMT+3:30, Nick Folino <nick@folino.us> wrote:
   
   
   
   
   
    Concentrate on just one...
   
    On Mon, Jan 11, 2021 at 7:02 PM Jason Long <hack3rcon@yahoo.com.invalid> wrote:
    > It is a lot of IP addresses !!!
    >
    >
    >
    >
    >
    >
    > On Tuesday, January 12, 2021, 03:30:02 AM GMT+3:30, Nick Folino <nick@folino.us> wrote:
    >
    >
    >
    >
    >
    > How to find pattern:
    > Look at log.
    > Find bad things that are similar.
    >
    > Then:
    > Block bad things from reaching web server.
    >
    > On Mon, Jan 11, 2021 at 6:49 PM Jason Long <hack3rcon@yahoo.com.invalid> wrote:
    >> How to find pattern?
    >> Log show me: https://urldefense.proofpoint.com/v2/url?u=https-3A__paste.ubuntu.com_p_MjjVMvRrQc_&d=DwIFaQ&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=oH2yp0ge1ecj4oDX0XM7vQ&m=3PjPryDoNL3lr2gh0F6gLkL-pFWSat8aihqbLnBMag8&s=iTeaVG53Ne-jiAhMis6h9nlKBdUrWXhIuky31GQhURE&e=
    >>
    >>
    >>
    >>
    >>
    >>
    >> On Tuesday, January 12, 2021, 03:06:12 AM GMT+3:30, Filipe Cifali <cifali.filipe@gmail.com> wrote:
    >>
    >>
    >>
    >>
    >>
    >> Yeah it's probably not going to matter if you don't know what's attacking you before setting up the rules, you need to find the patterns, either the attack target or the attackers origins.
    >>
    >> On Mon, Jan 11, 2021 at 8:26 PM Jason Long <hack3rcon@yahoo.com.invalid> wrote:
    >>> I used a rule like:
    >>>
    >>> # firewall-cmd --permanent --zone="public" --add-rich-rule='rule port port="80" protocol="tcp" accept limit value="100/s" log prefix="HttpsLimit" level="warning" limit value="100/s"'
    >>>
    >>> But not matter.
    >>>
    >>>
    >>>
    >>>
    >>>
    >>>
    >>> On Tuesday, January 12, 2021, 02:47:01 AM GMT+3:30, Filipe Cifali <cifali.filipe@gmail.com> wrote:
    >>>
    >>>
    >>>
    >>>
    >>>
    >>> You need to investigate your logs and find common patterns there, also there are different tools to handle small and big workloads like you could use iptables/nftables to block based on patterns and number of requests.
    >>>
    >>> On Mon, Jan 11, 2021 at 8:06 PM Jason Long <hack3rcon@yahoo.com.invalid> wrote:
    >>>> Hello,
    >>>> On a CentOS web server with Apache, someone make a lot of request and it make slowing server. when I disable "httpd" service then problem solve. How can I find who made a lot of request?
    >>>> [url]https://urldefense.proofpoint.com/v2/url?u=https-3A__imgur.com_O33g3ql-5B_url-5D&d=DwIFaQ&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=oH2yp0ge1ecj4oDX0XM7vQ&m=3PjPryDoNL3lr2gh0F6gLkL-pFWSat8aihqbLnBMag8&s=5Qu-cdmn037VIUfExtigktWPBBJ7lby836voIoSO_y0&e=
    >>>> Any idea to solve it?
    >>>>
    >>>>
    >>>> Thank you.
    >>> --
    >>> [ ]'s
    >>>
    >>> Filipe Cifali Stangler
    >> --
    >> [ ]'s
    >>
    >> Filipe Cifali Stangler

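The per-IP count and the reject rule quoted in this thread, combined into one script with a request threshold and an allowlist. This is an added example, not code posted by anyone on the list; the function names, the threshold of 4, the `ALLOWLIST` variable and the sample log (built from documentation addresses) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Counts requests per client address in
# the newest lines of an Apache access log and prints firewalld reject rules
# for the heavy hitters. It prints the commands for review and runs none.

ALLOWLIST="127.0.0.1 ::1"   # assumed: addresses that must never be blocked

# write_sample_log PATH: constructed log in common log format, using
# documentation addresses only (address=number of requests).
write_sample_log() {
    for spec in 203.0.113.7=6 127.0.0.1=5 2001:db8::5=4 198.51.100.23=3 192.0.2.10=1; do
        ip=${spec%%=*}
        n=${spec##*=}
        i=1
        while [ "$i" -le "$n" ]; do
            printf '%s - - [12/Jan/2021:08:50:%02d +0000] "GET /index.php HTTP/1.1" 200 512\n' "$ip" "$i"
            i=$((i + 1))
        done
    done > "$1"
}

# count_by_client LOGFILE [LINES]: "COUNT ADDRESS" per client over the last
# LINES lines (default 10000), busiest first. Behind a reverse proxy the first
# field is the proxy, so this only helps when it holds the real client address.
count_by_client() {
    tail -n "${2:-10000}" "$1" | awk '{print $1}' | sort | uniq -c | sort -nr |
        awk '{print $1, $2}'
}

# block_candidates LOGFILE THRESHOLD [LINES]: addresses with at least THRESHOLD
# requests in the window. Allowlisted entries and anything that is not a
# literal IP (hostnames when HostnameLookups is on, "-") are skipped.
block_candidates() {
    count_by_client "$1" "${3:-10000}" |
        awk -v min="$2" -v allow="$ALLOWLIST" '
            BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
            $1 + 0 < min + 0 { next }
            ($2 in skip)     { next }
            $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $2; next }
            $2 ~ /:/ && $2 ~ /^[0-9A-Fa-f:.]+$/     { print $2 }
        '
}

# reject_rules LOGFILE THRESHOLD [LINES]: one firewall-cmd line per candidate,
# in the rich-rule form quoted in the thread, with the family set per address.
reject_rules() {
    block_candidates "$@" | while read -r ip; do
        case "$ip" in
            *:*) family=ipv6 ;;
            *)   family=ipv4 ;;
        esac
        printf "firewall-cmd --permanent --add-rich-rule=\"rule family='%s' source address='%s' reject\"\n" "$family" "$ip"
    done
}

# Demo on the constructed log; pass the real access log path instead.
demo_log=$(mktemp)
write_sample_log "$demo_log"
reject_rules "$demo_log" 4
rm -f "$demo_log"
```

Rules added with `--permanent` only take effect after `firewall-cmd --reload`, so the printed lines can be reviewed and trimmed before anything is applied.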
RE: Apache in under attack. [EXT] [ In reply to ]
That's one shed load of modules - when I run it on my dev server I have - you should really go through the modules and work out which ones you are actually using:

Loaded Modules:
core_module (static)
so_module (static)
watchdog_module (static)
http_module (static)
log_config_module (static)
logio_module (static)
version_module (static)
unixd_module (static)
alias_module (shared)
apreq_module (shared)
auth_basic_module (shared)
authn_core_module (shared)
authn_file_module (shared)
authz_core_module (shared)
authz_groupfile_module (shared)
authz_host_module (shared)
authz_user_module (shared)
cgi_module (shared)
dir_module (shared)
env_module (shared)
expires_module (shared)
filter_module (shared)
headers_module (shared)
include_module (shared)
mime_module (shared)
mpm_prefork_module (shared)
perl_module (shared)
php7_module (shared)
proxy_module (shared)
proxy_ftp_module (shared)
proxy_http_module (shared)
rewrite_module (shared)
setenvif_module (shared)
status_module (shared)

-----Original Message-----
From: Jason Long <hack3rcon@yahoo.com.INVALID>
Sent: 12 January 2021 10:06
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache in under attack. [EXT]

Modules are:
https://urldefense.proofpoint.com/v2/url?u=https-3A__paste.ubuntu.com_p_DJSWpSP7xZ_&d=DwIFaQ&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=oH2yp0ge1ecj4oDX0XM7vQ&m=puY-fTQsV1ysiCnOpy4EHYLVx0o9AIycA5oenO7FFMM&s=gP5iBUkwbSUx03jK4ekkBLEDcX-4sn9jg_x70ubMVto&e=






On Tuesday, January 12, 2021, 01:26:48 PM GMT+3:30, James Smith <js5@sanger.ac.uk> wrote:





Can't see anything that should blow up like that to be honest - I usually use ubuntu - which configures apache in a much, much nicer way {generally for web development stuff it is a better flavour of linux}

What is the output of:

apache2 -t -D DUMP_MODULES

to see what modules you have installed

-----Original Message-----
From: Jason Long <hack3rcon@yahoo.com.INVALID>
Sent: 12 January 2021 09:43
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache in under attack. [EXT]

Apache configuration is:
https://urldefense.proofpoint.com/v2/url?u=https-3A__paste.ubuntu.com_p_RTC2WWMdYH_&d=DwIFaQ&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=oH2yp0ge1ecj4oDX0XM7vQ&m=lEeMNZprno3dAD_-vQP5HrFJEcj8DIYk1YvwqbfSOoI&s=vfUjay2MefOK73RFk6G5pssz7eGw-Ob55yOQx481hqg&e=

And "www.conf" is:
https://urldefense.proofpoint.com/v2/url?u=https-3A__paste.ubuntu.com_p_S9q5Kwpfcc_&d=DwIFaQ&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=oH2yp0ge1ecj4oDX0XM7vQ&m=lEeMNZprno3dAD_-vQP5HrFJEcj8DIYk1YvwqbfSOoI&s=uApEZIkpUO0y48_zhQm_bX5ZxjS3vNu6KeVj7i2HsxY&e=

And other settings:
https://urldefense.proofpoint.com/v2/url?u=https-3A__paste.ubuntu.com_p_NydSyZghJ8_&d=DwIFaQ&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=oH2yp0ge1ecj4oDX0XM7vQ&m=lEeMNZprno3dAD_-vQP5HrFJEcj8DIYk1YvwqbfSOoI&s=hCmp9X0YJvHspWfZjumxg71LTaVemwxCOZWIO7TZBbU&e=

Which one is not OK?







On Tuesday, January 12, 2021, 12:23:52 PM GMT+3:30, Jason Long <hack3rcon@yahoo.com.invalid> wrote:





It shows me:

13180 X.X.X.X
   1127 X.X.X.X 
    346 X.X.X.X 
    294 X.X.X.X 
    241 X.X.X.X 
    169 X.X.X.X 
    168 X.X.X.X
    157 X.X.X.X
    155 X.X.X.X
    153 X.X.X.X








On Tuesday, January 12, 2021, 07:12:22 AM GMT+3:30, Bender, Charles <charles@beachcamera.com.invalid> wrote:





Run this against your log file in bash shell

cat access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head

This will show you most frequent IPs, sorted in descending order. Block as needed

On 1/11/21, 7:11 PM, "Jason Long" <hack3rcon@yahoo.com.INVALID> wrote:

    Can you help me?
   
   
   
   
   
   
    On Tuesday, January 12, 2021, 03:36:30 AM GMT+3:30, Nick Folino <nick@folino.us> wrote:
   
   
   
   
   
    Concentrate on just one...
   
    On Mon, Jan 11, 2021 at 7:02 PM Jason Long <hack3rcon@yahoo.com.invalid> wrote:
    > It is a lot of IP addresses !!!
    >
    >
    >
    >
    >
    >
    > On Tuesday, January 12, 2021, 03:30:02 AM GMT+3:30, Nick Folino <nick@folino.us> wrote:
    >
    >
    >
    >
    >
    > How to find pattern:
    > Look at log.
    > Find bad things that are similar.
    >
    > Then:
    > Block bad things from reaching web server.
    >
    > On Mon, Jan 11, 2021 at 6:49 PM Jason Long <hack3rcon@yahoo.com.invalid> wrote:
    >> How to find pattern?
    >> Log show me: https://urldefense.proofpoint.com/v2/url?u=https-3A__paste.ubuntu.com_p_MjjVMvRrQc_&d=DwIFaQ&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=oH2yp0ge1ecj4oDX0XM7vQ&m=lEeMNZprno3dAD_-vQP5HrFJEcj8DIYk1YvwqbfSOoI&s=pLIjlRP7JUm_jEPmNULbyhTpZMfuLrh5r0lK7t7Wn7g&e=
    >>
    >>
    >>
    >>
    >>
    >>
    >> On Tuesday, January 12, 2021, 03:06:12 AM GMT+3:30, Filipe Cifali <cifali.filipe@gmail.com> wrote:
    >>
    >>
    >>
    >>
    >>
    >> Yeah it's probably not going to matter if you don't know what's attacking you before setting up the rules, you need to find the patterns, either the attack target or the attackers origins.
    >>
    >> On Mon, Jan 11, 2021 at 8:26 PM Jason Long <hack3rcon@yahoo.com.invalid> wrote:
    >>> I used a rule like:
    >>>
    >>> # firewall-cmd --permanent --zone="public" --add-rich-rule='rule port port="80" protocol="tcp" accept limit value="100/s" log prefix="HttpsLimit" level="warning" limit value="100/s"'
    >>>
    >>> But not matter.
    >>>
    >>>
    >>>
    >>>
    >>>
    >>>
    >>> On Tuesday, January 12, 2021, 02:47:01 AM GMT+3:30, Filipe Cifali <cifali.filipe@gmail.com> wrote:
    >>>
    >>>
    >>>
    >>>
    >>>
    >>> You need to investigate your logs and find common patterns there, also there are different tools to handle small and big workloads like you could use iptables/nftables to block based on patterns and number of requests.
    >>>
    >>> On Mon, Jan 11, 2021 at 8:06 PM Jason Long <hack3rcon@yahoo.com.invalid> wrote:
    >>>> Hello,
    >>>> On a CentOS web server with Apache, someone make a lot of request and it make slowing server. when I disable "httpd" service then problem solve. How can I find who made a lot of request?
    >>>> [url]https://urldefense.proofpoint.com/v2/url?u=https-3A__imgur.com_O33g3ql-5B_url-5D&d=DwIFaQ&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=oH2yp0ge1ecj4oDX0XM7vQ&m=lEeMNZprno3dAD_-vQP5HrFJEcj8DIYk1YvwqbfSOoI&s=xhD5gmWVf2E5_eScXEzWEDDLoztUMgj7kLGoHVJREIE&e=
    >>>> Any idea to solve it?
    >>>>
    >>>>
    >>>> Thank you.
    >>>
    >>>
    >>> --
    >>> [ ]'s
    >>>
    >>> Filipe Cifali Stangler

    >>
    >>
    >> --
    >> [ ]'s
    >>
    >> Filipe Cifali Stangler

--
The Wellcome Sanger Institute is operated by Genome Research
Limited, a charity registered in England with number 1021457 and a
company registered in England with number 2742969, whose registered
office is 215 Euston Road, London, NW1 2BE.

RE: Apache in under attack. [EXT] [ In reply to ]
Yes - it is something we need to do when we come under attack at work - as often the attacks are not enough to trigger standard intrusion detection (esp as our requests can be quite heavy)

-----Original Message-----
From: Jason Long <hack3rcon@yahoo.com.INVALID>
Sent: 12 January 2021 10:07
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache in under attack. [EXT]

System administrators doing it manually???






On Tuesday, January 12, 2021, 01:28:50 PM GMT+3:30, James Smith <js5@sanger.ac.uk> wrote:





Rate limiting may work - but the rate may be just slightly too slow for your setting - manually doing it is a good thing ...

-----Original Message-----
From: Jason Long <hack3rcon@yahoo.com.INVALID>
Sent: 12 January 2021 09:21
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache in under attack. [EXT]

Thank you, but "Firewalld" or "iptables" can't do it automatically? When an IP sends many requests, then it is automatically blocked.






On Tuesday, January 12, 2021, 12:49:50 PM GMT+3:30, James Smith <js5@sanger.ac.uk> wrote:





Jason,

I would also query why your processes are ~ 1G resident; that seems quite large for Apache.

What modules do you have enabled - even with mod_perl embedded I would not want them to go about 500-800M depending on the size of your box.

I know Apache is very good at grabbing memory for each process - but it doesn't tend to hand it back - and just keeps it (just in case)

It looks like you either have a memory leak - or the code is collecting too much data before squirting it out

There are other setups that you may want to look at if you have large dynamic requests and a lot of small static requests (images/css/js) where you run two web servers - one serving static content and proxying back to dynamic content.

James

-----Original Message-----
From: James Smith <js5@sanger.ac.uk>
Sent: 12 January 2021 09:09
To: users@httpd.apache.org
Subject: RE: [users@httpd] Apache in under attack. [EXT]

Put a firewall rule in to block whatever that first IP address is, then.

Something like:

firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='X.X.X.X' reject"

If you are seeing a current attack then you can tweak Charles' command line to:

tail -10000 access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head

or I often use cut instead of awk..

tail -10000 access.log | cut -d ' ' -f 1 | sort | uniq -c | sort -nr | head

-----Original Message-----
From: Jason Long <hack3rcon@yahoo.com.INVALID>
Sent: 12 January 2021 08:53
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache in under attack. [EXT]

It shows me:

13180 X.X.X.X
   1127 X.X.X.X
    346 X.X.X.X
    294 X.X.X.X
    241 X.X.X.X
    169 X.X.X.X
    168 X.X.X.X
    157 X.X.X.X
    155 X.X.X.X
    153 X.X.X.X








On Tuesday, January 12, 2021, 07:12:22 AM GMT+3:30, Bender, Charles <charles@beachcamera.com.invalid> wrote:





Run this against your log file in bash shell

cat access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head

This will show you most frequent IPs, sorted in descending order. Block as needed


--
The Wellcome Sanger Institute is operated by Genome Research
Limited, a charity registered in England with number 1021457 and a
company registered in England with number 2742969, whose registered
office is 215 Euston Road, London, NW1 2BE.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
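
The log triage and blocking steps discussed in this thread (Charles' per-IP count, James' `tail` window and `firewall-cmd` reject rule), combined in one script as an added example that is not part of any poster's message. It goes beyond the thread by applying a hit threshold, an allowlist and a per-client request profile; the sample log, the addresses (documentation ranges), the function names and the thresholds are all constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): triage an Apache access log during a
# request flood, then print firewalld reject rules for review (nothing is run).

# Constructed sample in combined log format, documentation-range addresses.
make_sample_log() {
  for last in 1 2 3; do
    printf '198.51.100.%s - - [12/Jan/2021:09:00:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"\n' "$last"
  done
  n=0; while [ "$n" -lt 30 ]; do   # assumed in-house monitoring probe
    printf '192.0.2.10 - - [12/Jan/2021:09:00:30 +0000] "GET /health HTTP/1.1" 200 2 "-" "monitor"\n'
    n=$((n + 1)); done
  n=0; while [ "$n" -lt 40 ]; do   # the flood
    printf '203.0.113.7 - - [12/Jan/2021:09:01:00 +0000] "GET /search HTTP/1.1" 200 512 "-" "constructed-client"\n'
    n=$((n + 1)); done
}

# heavy_hitters LOG WINDOW MIN_HITS "ALLOWED IPS" -> "hits ip", busiest first
heavy_hitters() {
  tail -n "$2" "$1" | awk -v min="$3" -v allow=" $4 " '
    { hits[$1]++ }
    END {
      for (ip in hits) {
        if (hits[ip] <= min) continue
        # The value ends up in a firewall rule: accept dotted quads only.
        if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) continue
        if (index(allow, " " ip " ")) continue   # never block our own probes
        print hits[ip], ip
      }
    }' | sort -nr
}

# request_profile LOG WINDOW IP -> "count METHOD PATH STATUS" for one client
request_profile() {
  tail -n "$2" "$1" |
    awk -v ip="$3" '$1 == ip { gsub(/"/, "", $6); print $6, $7, $9 }' |
    sort | uniq -c | sort -nr | awk '{ $1 = $1; print }' | head -n 5
}

# block_rules takes the same arguments as heavy_hitters.
block_rules() {
  heavy_hitters "$@" | while read -r _hits ip; do
    printf "firewall-cmd --permanent --add-rich-rule=\"rule family='ipv4' source address='%s' reject\"\n" "$ip"
  done
}

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
make_sample_log > "$SAMPLE_LOG"
heavy_hitters "$SAMPLE_LOG" 10000 20 ""          # who is busy in the window
request_profile "$SAMPLE_LOG" 10000 203.0.113.7  # what the top client asks for
block_rules "$SAMPLE_LOG" 10000 20 "192.0.2.10"  # rules to review, probe excluded
```

Rules added with `--permanent` only take effect after `firewall-cmd --reload`. Review the printed list before applying it, since a threshold that suits one window size can also catch a proxy or crawler you want to keep.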
