References
http://www.httpblog.com/category/web-servers/apache/
Apache hit monitoring
netstat -nut | awk '{print $5}' | cut -d : -f1| sort | uniq -c | sort -n
grep "69.72.245.2" /var/log/messages | awk '{print $12}' | cut -d= -f2 | sort | uniq -c | sort -n
Memory Consumption
ps aux | awk '{print $4"\t"$11}' | sort | uniq -c | awk '{print $2" "$1" "$3}' | sort -nr
Semaphores
ipcs
Script to delete semaphores left behind by Apache processes
ipcs -s | grep apache | perl -e 'while (<STDIN>) {@a=split(/\s+/); print `ipcrm sem $a[1]`}'
or
ipcs -s|grep apache|awk '{print $2}'|while read i; do ipcrm -s $i;done
Script to see which PHP scripts are running at this moment
lsof +r 1 -p `ps axww | grep httpd | grep -v grep | awk ' {if(!str) { str=$1 } else { str=str","$1}}END{print str}'` | grep vhosts | grep php
Default configuration
<IfModule prefork.c>
StartServers 8
MinSpareServers 5
MaxSpareServers 20
MaxClients 150
MaxRequestsPerChild 1000
</IfModule>
<IfModule worker.c>
StartServers 2
MaxClients 150
MinSpareThreads 25
MaxSpareThreads 75
ThreadsPerChild 25
MaxRequestsPerChild 0
</IfModule>
<IfModule mpm_winnt.c>
ThreadsPerChild 250
MaxRequestsPerChild 0
</IfModule>
MaxClients
MaxClients sets a limit on the number of simultaneous connections/requests that will be served.
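As an added example that is not part of the original page, the following ties the "Memory Consumption" check above to MaxClients: it reads `ps aux`-style output (a constructed sample here, with RSS in column 6), averages the RSS of the httpd children, and derives a MaxClients ceiling that keeps the server out of swap. The 8 GB / 2 GB figures in the final call are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original page): derive a MaxClients ceiling
# from the memory Apache children actually use, so a connection flood does
# not push the box into swap. Constructed `ps aux` sample; RSS is column 6 (KB).
SAMPLE_PS='USER  PID %CPU %MEM    VSZ   RSS TTY STAT START TIME COMMAND
root   1000  0.0  0.3 245000 24000 ?   Ss   10:00 0:01 /usr/sbin/httpd
apache 1001  0.5  0.6 260000 51200 ?   S    10:00 0:03 /usr/sbin/httpd
apache 1002  0.4  0.6 262000 49152 ?   S    10:00 0:02 /usr/sbin/httpd
apache 1003  0.6  0.7 270000 53248 ?   S    10:00 0:04 /usr/sbin/httpd
mysql  1200  2.0  5.0 900000 420000 ?  Sl   09:58 1:10 /usr/sbin/mysqld'

# Average RSS (KB) of the non-root httpd/apache2 children. The root parent is
# excluded because it only forks and never serves requests itself.
avg_child_rss_kb() {
    awk '$1 != "root" && $11 ~ /httpd|apache2/ { sum += $6; n++ }
         END { if (n) printf "%d\n", sum / n; else print 0 }'
}

# MaxClients = (RAM - memory reserved for everything else) / average child RSS.
# $1 = total RAM in MB, $2 = MB to keep free for MySQL, the page cache, etc.
# Returns 1 (and prints nothing) when no children are found on stdin.
suggest_maxclients() {
    total_mb="$1"; reserve_mb="$2"
    avg_kb=$(avg_child_rss_kb)
    [ "$avg_kb" -gt 0 ] || { echo "no httpd children found" >&2; return 1; }
    echo $(( (total_mb - reserve_mb) * 1024 / avg_kb ))
}

# Stand-alone run over the constructed sample (8 GB box, 2 GB reserved).
printf '%s\n' "$SAMPLE_PS" | suggest_maxclients 8192 2048
```

On a live server, replace the sample with `ps aux | suggest_maxclients <ram_mb> <reserve_mb>` and compare the result with the MaxClients currently set.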
Apache recompilation
http://kb.parallels.com/260
Apache recompilation on a cPanel server using EasyApache
You can easily recompile Apache on your server with the easyapache script and add or remove Apache or PHP modules. This should also update your Apache and PHP to the latest versions.
Instructions:
1) Log in as root in SSH.
2) Run this:
/scripts/easyapache
3) Choose Option 6
4) Choose the Apache modules you want on this screen, e.g. SUEXEC.
5) Then, scroll down to PHP modules which is halfway down the screen as seen below:
CODE
****************************************************************************
[ ] Mysql Auth Module (not frontpage or php compatible
[ ] ~user bandwidth leech protection
[ ] Dav Module
[ ] Expires Module
[ ] Raise FD_SETSIZE to 16384 (System Wide)
[*] Frontpage Module
[*] Raise HARD_SERVER_LIMIT
[ ] Perl Module (not required to run .cgi scripts/not
    Php Module --->
[*] PHP suEXEC Support (not yet compatible with 4.3.2)
[*] Rewrite Module
[ ] Roaming Module (for netscape 4.5+)
[*] SSL Module
[*] suEXEC Module
****************************************************************************
6) Click on it. Now on the next page, choose your PHP modules - GD, IMAP, etc.
7) Return to the main screen, and you're finished!
Apache will take a few minutes to recompile. After recompiling, restart Apache and you should be fine.
Hopefully this will help others like me who had trouble finding these options when I used easyapache for the first time.
20 04 2009
1. Find which IP address on the server is targeted by the DDoS attack
netstat -plan | grep :80 | awk '{print $4}' | cut -d: -f1 | sort | uniq -c
2. Find which IPs the attack is coming from
netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c
3. Then find the TTL values of the attacking IP addresses
tcpdump -nn -vvv host xxxx | grep yyyy (xxxx = attacking IP and yyyy = IP being attacked)
Usually only tcpdump -nn -vvv host xxxx is needed, as the attack comes from numerous IPs.
4. Now block all packets matching the TTL value obtained above
iptables -A INPUT -p tcp -s 0.0.0.0/0 -d yyyy -m ttl --ttl-eq=zzz -j DROP (zzz is the TTL value)
——————————————————————————————————————-
Install mod security and dos evasive
——————————————————————————————————————-
Harden the sysctl parameters (kernel params) to mitigate the current attack.
Increasing the backlog queue size and decreasing the backlog queuing time might help a bit.
——————————————————————————————————————-
Also install an open source script to prevent DDoS attacks to a certain extent.
http://deflate.medialayer.com/
MediaLayer was in need of a script to automatically mitigate (D)DoS attacks. The necessity started when MediaLayer was the target of a rather large, consistent attack originating from multiple IP addresses. Each IP would have a large amount of connections to the server, as shown as by:
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
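The "Apache hit monitoring" pipeline, step 2 of the DDoS procedure and the MediaLayer one-liner above are all the same netstat | awk | cut | sort | uniq -c chain. The following is an added example, not code from the page or from the deflate project: it wraps that chain in functions that skip the netstat header lines (which otherwise get counted as "Address"), apply a per-IP threshold, and print the corresponding DROP rules for review instead of applying them. The netstat output is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the original page): count connections per remote IP
# from `netstat -ntu`-style output and flag the heavy hitters.
# Constructed sample; Local/Foreign Address are columns $4/$5, as in the page's pipelines.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:80         198.51.100.7:51234      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51235      SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.7:51236      ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.44:40001        ESTABLISHED
tcp        0      0 203.0.113.10:443        192.0.2.44:40002        ESTABLISHED
udp        0      0 203.0.113.10:53         192.0.2.99:5353         ESTABLISHED'

# Print "count ip" for every remote IP, busiest last. The two netstat header
# lines are skipped so that "Address" never shows up as a remote host.
count_by_remote_ip() {
    awk 'NR > 2 { sub(/:[0-9]+$/, "", $5); print $5 }' |
        sort | uniq -c | sort -n | awk '{print $1, $2}'
}

# Print only the IPs whose connection count is at or above the threshold in $1.
flag_heavy_hitters() {
    count_by_remote_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# Emit (but do not apply) one DROP rule per flagged IP so an operator can
# review the list before running it; a too-low threshold would block legit NAT users.
suggest_iptables_rules() {
    flag_heavy_hitters "$1" | while read -r ip; do
        echo "iptables -I INPUT -s $ip -p tcp --dport 80 -j DROP"
    done
}

# Stand-alone run over the constructed sample with a threshold of 3 connections.
printf '%s\n' "$SAMPLE_NETSTAT" | suggest_iptables_rules 3
```

On a live server the input is `netstat -ntu | suggest_iptables_rules <threshold>`; pick the threshold from a baseline taken during normal traffic.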
Apache status monitoring
lynx localhost/whm-server-status
Disable mod_security for a domain in cpanel
Locate the .htaccess file in the Apache web root directory (public_html, /var/www/ or another); if it does not exist, create a new file named .htaccess, and add:
# Turn off mod_security filtering.
SecFilterEngine Off
# The line below probably isn't needed, but better safe than sorry.
SecFilterScanPOST Off
For mod_security2:
<IfModule mod_security2.c>
SecRuleEngine Off
</IfModule>
Uninstallation of ModSecurity (mod_security) from Apache module
Ref : http://www.mydigitallife.info/2006/10/21/remove-and-uninstall-or-disable-modsecurity-mod_security/
Solved the problem, which was a big DDoS attack
[root@server4 ~]# wc -l /proc/net/ip_conntrack
2261 /proc/net/ip_conntrack
[root@server4 ~]#
That ip_conntrack was hitting the max limit, it was about 48000, so I activated BFD and the numbers dropped and the server has been responding fine for the last 2 days...
Server has 8gb ram and cpu dual Intel Xeon CPU quad core E5430 @ 2.66GHz
And apache configuration is
KeepAlive On
MaxKeepAliveRequests 150
#before 150 last time 250
KeepAliveTimeout 10
MinSpareServers 10
MaxSpareServers 15
StartServers 10
MaxClients 256
# before 230 lasttime 260
MaxRequestsPerChild 1000
AccessFileName .htaccess
UseCanonicalName On
DefaultType text/plain
HostnameLookups Off
And mysql
max_connections = 400
back_log = 50
skip-innodb
key_buffer = 768M # was 512M
key_buffer_size = 50M
myisam_sort_buffer_size = 50M
join_buffer_size = 1M
read_buffer_size = 2M
sort_buffer_size = 2M
table_cache = 2500
thread_cache_size = 126
wait_timeout = 7 # originally 15
connect_timeout = 10
tmp_table_size = 64M
max_heap_table_size = 128M
max_allowed_packet = 64M #64M
net_buffer_length = 16384
max_connect_errors = 10
thread_concurrency = 4
concurrent_insert = 2
#table_lock_wait_timeout = 30
read_rnd_buffer_size = 786432
bulk_insert_buffer_size = 8M
query_cache_limit = 5M
query_cache_size = 64M
query_cache_type = 1
query_prealloc_size = 262144
Quick steps to improving Apache performance
1.) When you are compiling turn off all the features and modules you do not need. The less the better.
2.) Turn off DNS logging with "HostnameLookups off" in httpd.conf file
3.) If you have .htaccess definitions, move them into the httpd.conf file if possible and turn off .htaccess lookups.
4.) If you prefer to use .htaccess, make sure Apache only looks for it from the exact directory. For example, if you have /my/web/sites, configure httpd.conf so that the .htaccess search starts at /my/web/sites/ and not at /my/.
5.) Tune MinSpareServers, MaxSpareServers, and StartServers
6.) If you are using mod_security, always remember that the more rules you have, the lower the performance.
My suggestion in Apache tweaking
------------------------
# 2 minutes
Timeout 120
KeepAlive On
# This value does not apply if KeepAlive is turned off.
MaxKeepAliveRequests 150
# KeepAliveTimeout is the number of seconds to wait for the next request over the same connection from the same client. If you serve a lot of small files, increasing this value helps; if you have thousands of concurrent connections, decreasing it boosts performance.
KeepAliveTimeout 15
------------------------
# MaxKeepAliveRequests: set as per system performance (0 is unlimited); it specifies the number of requests allowed per connection when KeepAlive is On.
ExtendedStatus Off
Network traffic visualizer
----------------------------
iptraf and pktstat help to visualize your network traffic.
Apache Wait Timeout
------------------------------------------
As far as I know there is no way to forcibly close the socket outside of writing a better signal handler into your program, but there is a /proc file which controls how long the timeout takes. The file is
/proc/sys/net/ipv4/tcp_tw_recycle
and you can set the timeout to 1 second by doing this:
echo 1 > /proc/sys/net/ipv4/tcp_tw_recycle
If httpd does not start because its port is still held by another process
======================
fuser -k -n tcp <port>    (e.g. 80; kills whatever is holding the TCP port)