
I seem to have accidentally configured a more or less open HTTP proxy with apache2 when I last messed around. Because I use apache2 for various (private) stuff I noticed it relatively fast... after a week, when apache2 started to perform horribly slowly. So I removed all the proxy stuff again. Problem is: even after a restart there is nothing you would call performance. Apache takes 15 seconds to deliver a 268-byte static HTML page without linked stuff like images, and I don't see the problem. I have a few questions I hope you can help me with:

1) Does this lsof -i output for apache2 describe normal behavior? To me it looks like apache2 keeps connections to many RDNS systems. Is that true? (Sorry, no way to paste that here in a readable manner.)

http://pastebin.com/iNz5zjnW

2) Does this access.log actually tell me those IPs are trying to make proxy requests through my server? Funny thing is, they seem to always land in one of my protected vhosts and get 401 Unauthorized, so not that much of a problem here.

http://pastebin.com/nMciUwZ2

3) Might this cause performance issues? Currently max connections is at 40, which was sufficient for many years. I understand that it could be problematic while I get those requests. The last message was 5 hours ago. At the moment the performance is still extremely low.

[Thu Aug 09 01:45:13 2012] [error] server reached MaxClients setting, consider raising the MaxClients setting
...
[Thu Aug 09 05:04:35 2012] [error] server reached MaxClients setting, consider raising the MaxClients setting

I have not yet tried raising MaxClients. And I would rather avoid that. Thanks in advance for your time!

annih
  • I solved that by writing a script that automatically adds proxy-requesting IPs to iptables. It's only a quite limited amount, it seems. About 350. That's handleable. The script is run by cron every minute and checks Apache's access log. Not complicated, but I could post it if somebody's interested. – annih Aug 11 '12 at 12:15
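The comment above describes a cron job that scans Apache's access log for proxy-style requests and feeds the offending IPs to iptables, but the script itself was never posted. The following is an added example of that detection logic, not the commenter's script and not from the pastebins linked in the question. It assumes the Apache "combined" log format and treats a request as a proxy attempt when the request-target is an absolute URI (`GET http://host/...`) or the method is `CONNECT`, which is what a client sends to a forward proxy; an ordinary vhost request carries only a path. The log lines, IP addresses and the threshold of two hits are constructed for the example.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample in Apache "combined" format (not the thread's real log).
# Proxy-style requests carry an absolute URI or use CONNECT; the normal
# requests from 192.0.2.10 carry only a path and must not be flagged.
SAMPLE_ACCESS_LOG = """\
198.51.100.7 - - [09/Aug/2012:01:40:01 +0200] "GET http://www.example.com/ HTTP/1.1" 401 492 "-" "Mozilla/4.0"
198.51.100.7 - - [09/Aug/2012:01:40:02 +0200] "GET http://www.example.com/ HTTP/1.0" 401 492 "-" "Mozilla/4.0"
198.51.100.7 - - [09/Aug/2012:01:40:03 +0200] "CONNECT mail.example.org:443 HTTP/1.1" 401 492 "-" "-"
203.0.113.9 - - [09/Aug/2012:01:41:10 +0200] "GET http://ads.example.net/x.gif HTTP/1.1" 401 492 "-" "curl/7.26"
192.0.2.10 - - [09/Aug/2012:01:42:00 +0200] "GET /index.html HTTP/1.1" 200 268 "-" "Mozilla/5.0"
192.0.2.10 - - [09/Aug/2012:01:42:01 +0200] "GET /private/ HTTP/1.1" 401 492 "-" "Mozilla/5.0"
"""

# client ip, ident, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) '
)

# scheme "://" at the start of the request-target => absolute URI
ABSOLUTE_URI_RE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.I)


def is_proxy_request(method, target):
    """True when the request looks like it was aimed at a forward proxy."""
    if method == "CONNECT":
        return True
    return ABSOLUTE_URI_RE.match(target) is not None


def proxy_hits(log_text):
    """Count proxy-style requests per client IP (lines that do not parse are skipped)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_proxy_request(m["method"], m["target"]):
            hits[m["ip"]] += 1
    return hits


def offenders(log_text, threshold=2):
    """IPs with at least `threshold` proxy-style requests, sorted for stable output."""
    return sorted(ip for ip, n in proxy_hits(log_text).items() if n >= threshold)


def iptables_rules(ips, chain="INPUT", port=80):
    """Build idempotent iptables commands: check with -C first so a cron run
    every minute does not insert the same DROP rule again and again."""
    rules = []
    for ip in ips:
        ipaddress.ip_address(ip)  # refuse anything that is not a literal address
        rule = f"{chain} -s {ip} -p tcp --dport {port} -j DROP"
        rules.append(f"iptables -C {rule} 2>/dev/null || iptables -I {rule}")
    return rules


if __name__ == "__main__":
    # In the real cron job you would read /var/log/apache2/access.log instead
    # and pipe the output to sh; here we only print the commands.
    for cmd in iptables_rules(offenders(SAMPLE_ACCESS_LOG)):
        print(cmd)
```

Two caveats for a real deployment: IPv6 clients need `ip6tables` (and `ipaddress.ip_address(...).version` tells you which), and a script that re-reads the whole access log every minute will keep re-matching old entries, so either track a file offset or let the `-C` check absorb the duplicates as above.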

1 Answer


Just in case anyone stumbles upon this once in a while, let me suggest the (in my opinion) optimal solution to those things: set up fail2ban!

fail2ban is a tool specifically built for monitoring log files and automatically blocking sources with multiple bad requests within a certain amount of time. It's the perfect solution for those random brute-force attacks against your http/sql/ftp (and so on) servers. In my opinion this is a security tool every Unix server should have. Many distributions come with a pre-configured package. My Debian package worked like a charm out of the box. And expanding the list of checked logs is as simple as defining the log file and a pattern to look for.

annih
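The answer says a new check is just "the log file and a pattern to look for"; as an added example (not from the answerer's setup or any stock fail2ban package), here is what that looks like for the open-proxy case from the question: a filter that matches absolute-URI and CONNECT requests in Apache's access log, and a jail that bans the source after three such requests within ten minutes. The filter name `apache-openproxy`, the log path and the thresholds are assumptions; the log path in particular is the Debian default and differs on other distributions.

```ini
# /etc/fail2ban/filter.d/apache-openproxy.conf   (hypothetical filter name)
[Definition]
# Apache combined format: "<ip> - - [date] "METHOD target HTTP/x.y" status ...".
# A request aimed at a forward proxy has an absolute URI (http://host/...)
# or uses CONNECT; a normal vhost request has only a path after the method.
failregex = ^<HOST> \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD|PUT|OPTIONS) https?://[^ "]+ HTTP/
            ^<HOST> \S+ \S+ \[[^\]]+\] "CONNECT [^ "]+ HTTP/
ignoreregex =

# /etc/fail2ban/jail.local   (append this section)
[apache-openproxy]
enabled  = true
filter   = apache-openproxy
port     = http,https
logpath  = /var/log/apache2/access.log
maxretry = 3
findtime = 600
bantime  = 86400
```

Before enabling the jail, run the filter against the real log to confirm it matches the proxy lines and nothing else: `fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-openproxy.conf`, then `fail2ban-client status apache-openproxy` after a reload to watch the ban list fill. Banning only limits the noise; the actual fix is still `ProxyRequests Off` (or removing mod_proxy entirely), which the asker already did.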