I suspect something is going wrong on my webserver (maybe a possible DoS attack). In fact, I see a lot of entries like these:

```
[Sun Jul 19 10:36:21 2015] [error] [client 141.212.122.18] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /x
[Mon Jul 20 12:19:41 2015] [notice] caught SIGTERM, shutting down
```

Is it possible to stop them? (fail2ban?)

gdm
  • The two log entries are more than 24 hours apart, why do you think they are related? – Oliver Jul 21 '15 at 09:04
  • Yes you are right. But anyway I see a lot of SIGTERM for apache. How could I check what is going on? – gdm Jul 21 '15 at 09:15
  • SIGTERM means that some process is sending the TERM signal to apache. The same is also done by `/etc/init.d/apache stop`, so it doesn't necessarily mean something bad. You could start checking the logs in order to see who was online at that moment or what else could have been going on. – Oliver Jul 21 '15 at 09:36
  • Check to see if they all happen at the same time of day, in which case log rotation might be an issue. – MadHatter Sep 06 '15 at 05:47

1 Answer

I don't suspect anything is going wrong here. If it were an attempt at DoS that has any chance of success, you'd see a lot more traffic.

On the off chance the connection was someone trying to run an exploit, it looks like it failed, since your server was still up until something restarted it about a day later. There is absolutely no chance those log items are related unless the clock changed.

Take a breath, and calm down... and revise your log review process to look for patterns. May I suggest a SIEM or at least a log aggregator with analytics?

Falcon Momot
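
The pattern checks suggested in the comments and the answer (do the SIGTERM entries cluster at one time of day, and how many "request without hostname" errors does each client produce) can be scripted. This is an added example, not part of the original thread: it assumes the Apache 2.2-style error log format shown in the question, the function names are hypothetical, and every sample line after the first two is constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Apache 2.2-style error log line: [timestamp] [level] optional [client ip] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$"
)

# First two lines are from the question; the rest are constructed sample data.
SAMPLE_LOG = """\
[Sun Jul 19 10:36:21 2015] [error] [client 141.212.122.18] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /x
[Mon Jul 20 12:19:41 2015] [notice] caught SIGTERM, shutting down
[Tue Jul 21 06:25:03 2015] [notice] caught SIGTERM, shutting down
[Tue Jul 21 09:12:44 2015] [error] [client 192.0.2.7] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Wed Jul 22 06:25:02 2015] [notice] caught SIGTERM, shutting down
[Thu Jul 23 06:25:04 2015] [notice] caught SIGTERM, shutting down
not a log line
"""

def parse(text):
    """Yield (datetime, level, client_or_None, message) for each parsable line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip continuation lines and anything not in the expected format
        try:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        except ValueError:
            continue  # bracketed prefix that is not a timestamp
        yield ts, m["level"], m["client"], m["msg"]

def no_host_by_client(text):
    """Count 'request without hostname' errors per client address."""
    return Counter(c for _, _, c, msg in parse(text)
                   if c and "request without hostname" in msg)

def sigterm_by_hour(text):
    """Count SIGTERM shutdowns per hour of day; one dominant hour
    points to a scheduled job such as log rotation."""
    return Counter(ts.hour for ts, _, _, msg in parse(text)
                   if "caught SIGTERM" in msg)

if __name__ == "__main__":
    print("no-hostname requests per client:", no_host_by_client(SAMPLE_LOG).most_common())
    print("SIGTERM shutdowns per hour:", sorted(sigterm_by_hour(SAMPLE_LOG).items()))
```

In the constructed sample, three of the four shutdowns fall in the same hour, which is the kind of clustering a daily scheduled restart would produce, while each client appears only once.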