Thread: Re: [mod-security-users] Apache hang on https protocol violation
From: Brian R. <Bri...@br...> - 2008-06-25 23:38:54
Nick, I was not able to duplicate this. Below I have 2.2.9 apache running as a reverse proxy with modsecurity 2.5.5 and core rules 1.6.1 and mlogc running to a console. Each request produced an alert about the IP in the host header. Additionally, I upped the ab test considerably. I also tried mis-configuring mlogc in various ways, but these yielded similar results.

There are some differences in our setups. I have most modules as modules vs compiled in as you have them. I am also running 64-bit. But I do not think these should make that much difference. If you would send me the exact configure options you used with your 2.2.9 apache I will compile one here and test if you want.

$ httpd -V
Server version: Apache/2.2.9 (Unix)
Server built:   Jun 25 2008 16:25:03
Server's Module Magic Number: 20051115:15
Server loaded:  APR 1.3.0, APR-Util 1.3.0
Compiled using: APR 1.3.0, APR-Util 1.3.0
Architecture:   64-bit
Server MPM:     Worker
  threaded:     yes (fixed thread count)
  forked:       yes (variable process count)
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/worker"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=128
 -D HTTPD_ROOT="/apps/httpd-2.2.9"
 -D SUEXEC_BIN="/apps/httpd-2.2.9/bin/suexec"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"

$ httpd -l
Compiled in modules:
  core.c
  worker.c
  http_core.c
  mod_so.c

$ ab -k -c 1000 -n 10000 http://127.0.1.1:8100/cgi-bin/dump
This is ApacheBench, Version 2.3 <$Revision: 655654 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking 127.0.1.1 (be patient)
Completed 1000 requests
Completed 2000 requests
Completed 3000 requests
Completed 4000 requests
Completed 5000 requests
Completed 6000 requests
Completed 7000 requests
Completed 8000 requests
Completed 9000 requests
Completed 10000 requests
Finished 10000 requests

Server Software:        FooBar/1.2.3
Server Hostname:        127.0.1.1
Server Port:            8100

Document Path:          /cgi-bin/dump
Document Length:        226 bytes

Concurrency Level:      1000
Time taken for tests:   44.678 seconds
Complete requests:      10000
Failed requests:        0
Write errors:           0
Non-2xx responses:      10000
Keep-Alive requests:    0
Total transferred:      3980000 bytes
HTML transferred:       2260000 bytes
Requests per second:    223.82 [#/sec] (mean)
Time per request:       4467.792 [ms] (mean)
Time per request:       4.468 [ms] (mean, across all concurrent requests)
Transfer rate:          86.99 [Kbytes/sec] received

Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:        0   469 1819.0      0   20999
Processing:     3  3814 4000.3   2614   27551
Waiting:        3  3258 3543.1   2191   26116
Total:          3  4283 4748.7   3025   36558

Percentage of the requests served within a certain time (ms)
  50%   3025
  66%   4818
  75%   6226
  80%   7324
  90%  10264
  95%  13155
  98%  18743
  99%  23293
 100%  36558 (longest request)

Nicola Bianchi wrote:
> Hi Brian,
> here is the information that you required!
> If you need additional info just tell me...
>
> Thank you a lot for the help ;)
> Regards.
> Nick
>
> ##### grep -v "^#" modsecurity_crs_10_config.conf | grep ..
> SecRuleEngine On
> SecRequestBodyAccess On
> SecResponseBodyAccess On
> SecResponseBodyMimeType (null) text/html text/plain text/xml
> SecResponseBodyLimit 524288
> SecServerSignature "Apache/2.2.0 (Fedora)"
> SecComponentSignature "core ruleset/1.6.1"
> SecUploadDir /tmp
> SecUploadKeepFiles Off
> SecAuditEngine RelevantOnly
> SecAuditLogRelevantStatus "^(?:5|4(?!04))"
> SecAuditLogType Serial
> SecAuditLog logs/modsec_audit.log
> SecAuditLogParts "ABIFHKZ"
> SecArgumentSeparator "&"
> SecCookieFormat 0
> SecRequestBodyInMemoryLimit 131072
> SecDebugLog logs/modsec_debug.log
> SecDebugLogLevel 1
> SecDataDir /tmp
> SecTmpDir /tmp
>
>
> ##### grep -v "^#" modsecurity_crs_15_cb_config.conf | grep ..
> SecRuleEngine On
> SecRequestBodyAccess On
> SecResponseBodyAccess On
> SecResponseBodyMimeType (null) text/html text/plain text/xml
> SecDefaultAction "phase:2,log,auditlog,deny,status:403,t:lowercase,t:replaceNulls,t:compressWhitespace"
> SecServerSignature "Server X"
> SecUploadDir /opt/jail/tmp
> SecAuditLogType Concurrent
> SecAuditLog "|bin/mlogc /opt/waf/mod_security/prod/bin/mlogc.conf"
> SecAuditLogStorageDir logs/modsec_audit/
> SecDebugLogLevel 0
> SecDataDir /opt/jail/tmp
> SecTmpDir /opt/jail/tmp
>
>
> ##### /opt/waf/bin/apache_prod/bin/httpd -V
> Server version: Apache/2.2.9 (Unix)
> Server built:   Jun 18 2008 11:18:47
> Server's Module Magic Number: 20051115:15
> Server loaded:  APR 1.3.0, APR-Util 1.3.0
> Compiled using: APR 1.3.0, APR-Util 1.3.0
> Architecture:   32-bit
> Server MPM:     Worker
>   threaded:     yes (fixed thread count)
>   forked:       yes (variable process count)
> Server compiled with....
>  -D APACHE_MPM_DIR="server/mpm/worker"
>  -D APR_HAS_SENDFILE
>  -D APR_HAS_MMAP
>  -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
>  -D APR_USE_SYSVSEM_SERIALIZE
>  -D APR_USE_PTHREAD_SERIALIZE
>  -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
>  -D APR_HAS_OTHER_CHILD
>  -D AP_HAVE_RELIABLE_PIPED_LOGS
>  -D DYNAMIC_MODULE_LIMIT=128
>  -D HTTPD_ROOT="/opt/waf/bin/httpd-2.2.9"
>  -D SUEXEC_BIN="/opt/waf/bin/httpd-2.2.9/bin/suexec"
>  -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
>  -D DEFAULT_ERRORLOG="logs/error_log"
>  -D AP_TYPES_CONFIG_FILE="conf/mime.types"
>  -D SERVER_CONFIG_FILE="conf/httpd.conf"
>
>
>
> ##### /opt/waf/bin/apache_prod/bin/httpd -l
> Compiled in modules:
>   core.c
>   mod_authn_file.c
>   mod_authn_default.c
>   mod_authz_host.c
>   mod_authz_groupfile.c
>   mod_authz_user.c
>   mod_authz_default.c
>   mod_auth_basic.c
>   mod_cache.c
>   mod_disk_cache.c
>   mod_mem_cache.c
>   mod_include.c
>   mod_filter.c
>   mod_deflate.c
>   mod_log_config.c
>   mod_logio.c
>   mod_env.c
>   mod_expires.c
>   mod_headers.c
>   mod_unique_id.c
>   mod_setenvif.c
>   mod_proxy.c
>   mod_proxy_connect.c
>   mod_proxy_ftp.c
>   mod_proxy_http.c
>   mod_proxy_ajp.c
>   mod_proxy_balancer.c
>   mod_ssl.c
>   worker.c
>   http_core.c
>   mod_mime.c
>   mod_status.c
>   mod_dir.c
>   mod_actions.c
>   mod_alias.c
>   mod_rewrite.c
>   mod_so.c
>
>
> ##### grep -v "^#" httpd-mpm.conf | grep ..
> <IfModule !mpm_netware_module>
>     PidFile "logs/httpd.pid"
> </IfModule>
> <IfModule !mpm_winnt_module>
> <IfModule !mpm_netware_module>
>     LockFile "logs/accept.lock"
> </IfModule>
> </IfModule>
> <IfModule mpm_worker_module>
>     StartServers          5
>     MaxClients          400
>     MinSpareThreads      25
>     MaxSpareThreads      75
>     ThreadsPerChild      25
>     MaxRequestsPerChild 1000
> </IfModule>
>
>
> #### grep KeepAlive httpd-default.conf | grep -v "^#"
> KeepAlive On
> MaxKeepAliveRequests 100
> KeepAliveTimeout 5
>
>
> #### cat vhosts.d/www.mysite.com.conf
>
> <VirtualHost 192.168.168.100:80>
>     ServerName www.mysite.com
>     ServerAlias mysite.com
>
>     # Log files
>     # ErrorLog logs/www.mysite.com-error_log
>     # CustomLog logs/www.mysite.com-access_log combined
>
>     # Add ClientIP to the Request Headers
>     RewriteEngine On
>     RewriteCond %{REMOTE_ADDR} (.*)
>     RewriteRule .* - [E=R_A:%1]
>     RequestHeader add ClientIP %{R_A}e
>
>     # Send all pages except the manut one to the internal web server
>     ProxyPreserveHost On
>     ProxyPass /manut.html !
>     ProxyPass / http://www.mysite.com/
>     ProxyPassReverse / http://www.mysite.com/
>
>     # ModSecurity specific rules (no additional rules enabled for the moment)
>     Include conf/rules.d/www.mysite.com.rules
> </VirtualHost>
>
> <VirtualHost 192.168.168.100:443>
>     ServerName www.mysite.com
>     ServerAlias mysite.com
>
>     # Log files
>     # ErrorLog logs/www.mysite.com-error_log
>     # CustomLog logs/www.mysite.com-access_log combined
>
>     # SSL config
>     SSLEngine on
>     SSLProtocol All -SSLv2
>     SSLCipherSuite ALL:!EXP:!NULL:!ADH:!LOW
>     SSLCertificateFile conf/cert/www.mysite.com.crt
>     SSLCertificateKeyFile conf/cert/www.mysite.com.key
>     SSLCertificateChainFile conf/cert/Verisign04.crt
>
>     # Add ClientIP to the Request Headers
>     RewriteEngine On
>     RewriteCond %{REMOTE_ADDR} (.*)
>     RewriteRule .* - [E=R_A:%1]
>     RequestHeader add ClientIP %{R_A}e
>
>     # Send all pages except the manut one to the internal web server
>     ProxyPreserveHost On
>     ProxyPass /manut.html !
>     ProxyPass / http://www.mysite.com/
>     ProxyPassReverse / http://www.mysite.com/
>
>     # ModSecurity specific rules (no additional rules enabled for the moment)
>     Include conf/rules.d/www.mysite.com.rules
>
> </VirtualHost>
>
>
> Attached is the error_log of a test with:
> #### ./ab -k -c 200 -n 2000 https://192.168.168.100/
> Hang after 272 requests... (restart of apache needed!)
>
>
> #### top -d 1 (snapshot in the half of test)
> Tasks: 240 total,   1 running, 237 sleeping,   0 stopped,   2 zombie
> Cpu(s):  9.5%us,  0.5%sy,  0.0%ni, 75.4%id, 14.4%wa,  0.0%hi,  0.2%si,  0.0%st
> Mem:   5185028k total,  1462924k used,  3722104k free,     2832k buffers
> Swap:  4194296k total,        0k used,  4194296k free,  1130024k cached
>
>   PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
>  9302 wwwrun    18   0  233m  11m 2332 S    6  0.2   0:00.44 httpd
>  9388 wwwrun    16   0  233m  10m 2232 S    5  0.2   0:00.27 httpd
>  9332 wwwrun    16   0  234m  10m 2312 S    4  0.2   0:00.32 httpd
>  9532 wwwrun    16   0  231m 9144 2240 S    4  0.2   0:00.11 httpd
>  9392 wwwrun    16   0  234m  10m 2232 S    3  0.2   0:00.29 httpd
>  9498 wwwrun    17   0  231m 9856 2296 S    3  0.2   0:00.13 httpd
>  9499 wwwrun    17   0  230m 9100 2264 S    3  0.2   0:00.08 httpd
>  9600 wwwrun    21   0  230m 9140 2272 S    3  0.2   0:00.08 httpd
>  9386 wwwrun    15   0  232m  10m 2284 S    2  0.2   0:00.20 httpd
>  9390 wwwrun    16   0  234m  10m 2220 S    2  0.2   0:00.23 httpd
>  9530 wwwrun    16   0  230m 9056 2264 S    2  0.2   0:00.09 httpd
>  1024 root      10  -5     0    0    0 S    1  0.0   0:02.81 xfsdatad/0
>  9330 wwwrun    16   0  234m  10m 2288 S    1  0.2   0:00.30 httpd
>  9505 wwwrun    16   0  230m 9124 2224 S    1  0.2   0:00.09 httpd
>     1 root      16   0   732  284  244 S    0  0.0   0:02.00 init
>     2 root      RT   0     0    0    0 S    0  0.0   0:00.74 migration/0
>     3 root      34  19     0    0    0 S    0  0.0   0:00.05 ksoftirqd/0
>
>
>
> On Tue, Jun 24, 2008 at 7:18 PM, Brian Rectanus <Bri...@br...> wrote:
>
> Nicola,
>
> I need to be able to duplicate this problem. Would you please send your
> settings for Apache and modsecurity?
>
> For ModSecurity, I need your config settings (usually in
> modsecurity_crs_10_config.conf) and which other files you are including.
>
> For Apache I at least need these:
>
> 1. Output from "httpd -V" and "httpd -l"
>
> 2. Values for the following directives:
>
>    ServerLimit
>    StartServers
>    MaxClients
>    MinSpareThreads
>    MaxSpareThreads
>    ThreadsPerChild
>    MaxRequestsPerChild
>    MaxRequestsPerThread
>    KeepAlive
>    KeepAliveTimeout
>
> 3. As well as your config for proxying (Balancer, ProxyPass, etc)?
>
> 4. Additionally, your entire error_log at least at level "info" (cleared
> before the test), the server-status output during (or near) the hang and
> CPU/Mem usage stats during the test would be nice as well.
>
> thanks,
> -B
>
>
> Ivan Ristic wrote:
> > Hi Nicola,
> >
> > We'll have to try to reproduce your problem somehow, as it doesn't
> > happen in my tests. I've been using ab constantly over the years for
> > testing, and I don't recall any problems either.
> >
> > Are you using mlogc or any other mechanism to transmit alerts elsewhere?
> >
> >
> > On Mon, Jun 23, 2008 at 2:51 PM, Nicola Bianchi <bia...@gm...> wrote:
> >> Hi people,
> >> I'm a new modsecurity user and I have a problem which maybe some of you can
> >> resolve ;).
> >>
> >> My configuration is: reverse proxy (http/https) with apache 2.2.9 and
> >> modsecurity 2.5.5 (core rules 2.5-1.6.1) on Linux SUSE SLES10.
> >> Hardware: 2CPU dual core Intel(R) Xeon(R) @ 2.33GHz, 4GB of RAM
> >>
> >> If I try this benchmark all works fine, without problems:
> >> ab -k -c 200 -n 8000 http://www.mysite.com/
> >> ab -k -c 200 -n 8000 https://www.mysite.com/
> >>
> >> ... no lost requests, no particular delay.
> >>
> >> The problem comes out if I try to do a "DOS attack" pointing directly to the
> >> ip address of mysite in https.
> >> After a few requests (~200) apache hangs and stops responding ...
> >>
> >> ab -k -c 200 -n 8000 https://192.168.168.100/).
> >>
> >> #############################################################################
> >> # This is ApacheBench, Version 2.3 <$Revision: 655654 $>
> >> # Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
> >> # Licensed to The Apache Software Foundation, http://www.apache.org/
> >> #
> >> # Benchmarking 192.168.168.100 (be patient)
> >> # Completed 200 requests
> >> # apr_poll: The timeout specified has expired (70007)
> >> # Total of 272 requests completed
> >> #############################################################################
> >>
> >> Here is an extract from the logs:
> >> #############################################################################
> >> Jun 23 14:31:47 ulxbwaf httpd[8103]: [error] [client 192.168.168.168]
> >> ModSecurity: Access denied with code 400 (phase 2). Pattern match
> >> "^[\\d\\.]+$" at REQUEST_HEADERS:Host. [file
> >> "/opt/jail/opt/waf/mod_security/prod/conf/core_rules/modsecurity_crs_21_protocol_anomalies.conf"]
> >> [line "60"] [id "960017"] [msg "Host header is a numeric IP address"]
> >> [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [hostname
> >> "192.168.168.100"] [uri "/"] [unique_id "SF@XssIL0NIAAB@ncMAAAACI"]
> >> #############################################################################
> >>
> >> If I turn off modsecurity (SecRuleEngine Off) and I repeat the test I don't
> >> have the problem!
> >> If I disable the specific rule (SecRuleRemoveById "960017") all works fine!
> >>
> >> So, have you some idea about this issue?
> >> How can I prevent this kind of "DOS attack"?
> >>
> >> Thanks a lot! Regards
> >> Nick
> >>
> >> PS: sorry for my ridiculous english ;)
> >>
> >> _______________________________________________
> >> mod-security-users mailing list
> >> mod...@li...
> >> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> >>
> >
> > --
> > Ivan Ristic
>
> --
> Brian Rectanus
> Breach Security

--
Brian Rectanus
Breach Security
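As an added example (not code from the thread, from ModSecurity or from Apache), a small Python parser for the ModSecurity 2.x alert format that Nick quoted from his error_log: it pulls the rule id, client, hostname and bracketed fields out of each alert and counts denials per rule and client, which is the quick way to confirm that 960017 is the rule firing on every request of the ab run before touching the rule set. The first sample line is copied from the thread; the other lines, the client 192.168.168.169 and the rule id 999999 are constructed placeholders.

```python
import re
from collections import Counter

# Sample error_log: the first line is the alert quoted in the thread; the
# remaining lines are constructed for this example (a second hit from the
# same client, a hit from another client, a non-disruptive Warning with the
# placeholder rule id 999999, and an unrelated Apache notice to be skipped).
SAMPLE_LOG = r"""
Jun 23 14:31:47 ulxbwaf httpd[8103]: [error] [client 192.168.168.168] ModSecurity: Access denied with code 400 (phase 2). Pattern match "^[\\d\\.]+$" at REQUEST_HEADERS:Host. [file "/opt/jail/opt/waf/mod_security/prod/conf/core_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "60"] [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [hostname "192.168.168.100"] [uri "/"] [unique_id "SF@XssIL0NIAAB@ncMAAAACI"]
Jun 23 14:31:47 ulxbwaf httpd[8103]: [error] [client 192.168.168.168] ModSecurity: Access denied with code 400 (phase 2). Pattern match "^[\\d\\.]+$" at REQUEST_HEADERS:Host. [file "/opt/jail/opt/waf/mod_security/prod/conf/core_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "60"] [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [hostname "192.168.168.100"] [uri "/"] [unique_id "CONSTRUCTED-0002"]
Jun 23 14:31:48 ulxbwaf httpd[8104]: [error] [client 192.168.168.169] ModSecurity: Access denied with code 400 (phase 2). Pattern match "^[\\d\\.]+$" at REQUEST_HEADERS:Host. [file "/opt/jail/opt/waf/mod_security/prod/conf/core_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "60"] [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [hostname "192.168.168.100"] [uri "/"] [unique_id "CONSTRUCTED-0003"]
Jun 23 14:31:48 ulxbwaf httpd[8104]: [error] [client 192.168.168.169] ModSecurity: Warning. Pattern match "constructed" at ARGS:q. [file "/opt/jail/constructed.conf"] [line "1"] [id "999999"] [msg "constructed sample rule"] [severity "WARNING"] [hostname "www.mysite.com"] [uri "/manut.html"] [unique_id "CONSTRUCTED-0004"]
Jun 23 14:31:49 ulxbwaf httpd[8103]: [notice] caught SIGTERM, shutting down
"""

# Head of a ModSecurity 2.x alert: client, disruptive "Access denied with
# code N (phase P)." or non-disruptive "Warning.", then the operator detail
# up to the first bracketed [name "value"] field.
ALERT_RE = re.compile(
    r"\[client (?P<client>[^\]]+)\] ModSecurity: "
    r"(?:Access denied with code (?P<status>\d+) \(phase (?P<phase>\d)\)|Warning)\. "
    r'(?P<detail>.*?)(?= \[\w+ "|$)'
)
# Bracketed fields; values may contain \" and \\ escapes.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

# The operator pattern quoted in the 960017 alert above.
HOST_IS_IP = re.compile(r"^[\d\.]+$")


def parse_alert(line):
    """Return a dict for a ModSecurity alert line, or None for any other line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    alert = {
        "client": m.group("client"),
        "disruptive": m.group("status") is not None,
        "status": int(m.group("status")) if m.group("status") else None,
        "phase": int(m.group("phase")) if m.group("phase") else None,
        "detail": m.group("detail"),
        "tags": [],  # [tag "..."] may repeat, so collect it as a list
    }
    for name, value in FIELD_RE.findall(line[m.end():]):
        value = re.sub(r"\\(.)", r"\1", value)  # undo the log's \" and \\ escaping
        if name == "tag":
            alert["tags"].append(value)
        else:
            alert[name] = value
    return alert


def summarize(log_text):
    """Parse every line and count disruptive alerts per (rule id, client)."""
    alerts = [a for a in (parse_alert(l) for l in log_text.splitlines()) if a]
    denials = Counter(
        (a.get("id", "?"), a["client"]) for a in alerts if a["disruptive"]
    )
    return alerts, denials


def host_header_trips_960017(host):
    """True when a Host header value matches the pattern rule 960017 logged."""
    return HOST_IS_IP.match(host) is not None


if __name__ == "__main__":
    alerts, denials = summarize(SAMPLE_LOG)
    for (rule_id, client), n in denials.most_common():
        print(f"rule {rule_id} client {client}: {n} denied request(s)")
    for a in alerts:
        print(a.get("id"), a["client"], a["status"], a.get("hostname"), a.get("msg"))
    print(host_header_trips_960017("192.168.168.100"), host_header_trips_960017("www.mysite.com"))
```

Running it against a real error_log (syslog-prefixed as in the thread, or Apache's native format) only needs the lines fed to summarize(); the per-rule counts show at once whether the denials all carry one id before a rule is removed.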
From: Brian R. <Bri...@br...> - 2008-06-26 17:31:52
One other thing to try to see if it makes a difference is to not recycle your processes:

MaxRequestsPerChild 0

-B
From: Nicola B. <bia...@gm...> - 2008-06-27 08:41:47
Same problem with:

MaxRequestsPerChild 0

:(

nick
Values for the following directives: > > > > ServerLimit > > StartServers > > MaxClients > > MinSpareThreads > > MaxSpareThreads > > ThreadsPerChild > > MaxRequestsPerChild > > MaxRequestsPerThread > > KeepAlive > > KeepAliveTimeout > > > > 3. As well as your config for proxying (Balancer, ProxyPass, etc)? > > > > 4. Additionally, your entire error_log at at least level "info" > (cleared > > before the test), the server-status output during (or near) the hang > and > > CPU/Mem usage stats during the test would be nice as well. > > > > thanks, > > -B > > > > > > Ivan Ristic wrote: > > > Hi Nicola, > > > > > > We'll have to try to reproduce your problem somehow, as it doesn't > > > happen in my tests. I've been using ab constantly over the years > for > > > testing, and I don't recall any problems either. > > > > > > Are you using mlogc or any other mechanism to transmit alerts > > elsewhere? > > > > > > > > > On Mon, Jun 23, 2008 at 2:51 PM, Nicola Bianchi > > > <bia...@gm... <mailto:bia...@gm...>> > wrote: > > >> Hi people, > > >> I'm a new modsecurity user and I've a problem which maybe some of > > you can > > >> resolve ;). > > >> > > >> My configuration is: reverse proxy (http/https) with apache 2.2.9 > and > > >> modsecurity 2.5.5 (core rules 2.5-1.6.1) on Linux SUSE SLES10. > > >> Hardware: 2CPU dual core Intel(R) Xeon(R) @ 2.33GHz, 4GB of RAM > > >> > > >> If I try this benchmark all work fine, without problem: > > >> ab -k -c 200 -n 8000 http://www.mysite.com/ > > >> ab -k -c 200 -n 8000 https://www.mysite.com/ > > >> > > >> ... no lost requests, no particular delay. > > >> > > >> The problem come out if I try to do a "DOS attack" pointing > directly > > > to the > > >> ip address of mysite in https > > >> After few request (~200) apache hang and stop responding ... > > >> > > >> ab -k -c 200 -n 8000 https://192.168.168.100/). 
> > >> > > > > > > ############################################################################# > > >> # This is ApacheBench, Version 2.3 <$Revision: 655654 $> > > >> # Copyright 1996 Adam Twiss, Zeus Technology Ltd, > > http://www.zeustech.net/ > > >> # Licensed to The Apache Software Foundation, > http://www.apache.org/ > > >> # > > >> # Benchmarking 192.168.168.100 <http://192.168.168.100> (be > patient) > > >> # Completed 200 requests > > >> # apr_poll: The timeout specified has expired (70007) > > >> # Total of 272 requests completed > > >> > > > > > > ############################################################################# > > >> > > >> Here an extract from the logs: > > >> > > > > > > ############################################################################# > > >> Jun 23 14:31:47 ulxbwaf httpd[8103]: [error] [client > > 192.168.168.168 <http://192.168.168.168>] > > >> ModSecurity: Access denied with code 400 (phase 2). Pattern match > > >> "^[\\d\\.]+$" at REQUEST_HEADERS:Host. [file > > >> > > > > > > "/opt/jail/opt/waf/mod_security/prod/conf/core_rules/modsecurity_crs_21_protocol_anomalies.conf"] > > >> [line "60"] [id "960017"] [msg "Host header is a numeric IP > address"] > > >> [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [hostname > > >> "192.168.168.100 <http://192.168.168.100>"] [uri "/"] [unique_id > > "SF@XssIL0NIAAB@ncMAAAACI"] > > >> > > > > > > ############################################################################# > > >> > > >> If I turn off modsecurity (SecRuleEngine Off) and I repeat the > test I > > > don't > > >> have problem! > > >> If I disable the specific rule (SecRuleRemoveById "960017") all > > work fine! > > >> > > >> So, have you some idea about this issue? > > >> How can I prevent this kind of "DOS attack"? > > >> > > >> Thanks a lot! 
Regards > > >> Nick > > >> > > >> PS: sorry for my ridicolous english ;) > > >> > > >> > > > ------------------------------------------------------------------------- > > >> Check out the new SourceForge.net Marketplace. > > >> It's the best place to buy or sell services for > > >> just about anything Open Source. > > >> http://sourceforge.net/services/buy/index.php > > >> _______________________________________________ > > >> mod-security-users mailing list > > >> mod...@li... > > <mailto:mod...@li...> > > >> https://lists.sourceforge.net/lists/listinfo/mod-security-users > > >> > > >> > > > > > > > > > > > > -- > > > Ivan Ristic > > > > > > > > > ------------------------------------------------------------------------- > > > Check out the new SourceForge.net Marketplace. > > > It's the best place to buy or sell services for > > > just about anything Open Source. > > > http://sourceforge.net/services/buy/index.php > > > _______________________________________________ > > > mod-security-users mailing list > > > mod...@li... > > <mailto:mod...@li...> > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > > > > > > > > -- > > Brian Rectanus > > Breach Security > > > > > > > -- > Brian Rectanus > Breach Security > |
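Brian asked for the full error_log, and the only alert in it so far is the rule 960017 denial quoted above. The parser below is an added example (not code from anyone in this thread) for the ModSecurity 2.x alert format of that line: it extracts the `[key "value"]` fields and tallies denials per rule id and client, which is what a defender would want before deciding whether a rule is misfiring under load. The sample log lines are constructed from the quoted alert; the second client address and the second unique_id are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed error_log lines in the ModSecurity 2.x alert format quoted in the
# thread: line 1 is the quoted alert itself, line 2 is the same alert from a
# second client (address and unique_id made up), line 3 is ordinary Apache
# noise that the parser must skip.
SAMPLE_ERROR_LOG = r'''
Jun 23 14:31:47 ulxbwaf httpd[8103]: [error] [client 192.168.168.168] ModSecurity: Access denied with code 400 (phase 2). Pattern match "^[\\d\\.]+$" at REQUEST_HEADERS:Host. [file "/opt/jail/opt/waf/mod_security/prod/conf/core_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "60"] [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [hostname "192.168.168.100"] [uri "/"] [unique_id "SF@XssIL0NIAAB@ncMAAAACI"]
Jun 23 14:31:48 ulxbwaf httpd[8103]: [error] [client 192.168.168.170] ModSecurity: Access denied with code 400 (phase 2). Pattern match "^[\\d\\.]+$" at REQUEST_HEADERS:Host. [file "/opt/jail/opt/waf/mod_security/prod/conf/core_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "60"] [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [hostname "192.168.168.100"] [uri "/"] [unique_id "CONSTRUCTED-0002"]
Jun 23 14:31:49 ulxbwaf httpd[8103]: [notice] caught SIGTERM, shutting down
'''

# Syslog-style prefix, the Apache [error]/[client] tags and the free-text
# ModSecurity action, which runs up to the first [key "value"] field.
HEADER_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ httpd\[\d+\]: '
    r'\[error\] \[client (?P<client>[^\]]+)\] ModSecurity: (?P<action>.*?)\s*'
    r'(?=\[\w+ ")'
)
# One [key "value"] field; values may contain backslash-escaped quotes.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
STATUS_RE = re.compile(r'Access denied with code (\d+)')


def sample_lines():
    """The constructed sample above, one log line per list element."""
    return SAMPLE_ERROR_LOG.strip().splitlines()


def parse_alert(line):
    """Return a dict for a ModSecurity alert line, or None for any other line."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    action = m.group("action")
    status = STATUS_RE.search(action)
    alert = {
        "timestamp": m.group("ts"),
        "client": m.group("client"),
        "action": action,
        # None when the engine only warned (DetectionOnly) instead of denying.
        "status": int(status.group(1)) if status else None,
        "tags": [],
    }
    for key, value in FIELD_RE.findall(line[m.end():]):
        if key == "tag":          # a rule may carry several tag fields
            alert["tags"].append(value)
        else:
            alert[key] = value
    return alert


def denials_by_rule(lines):
    """Count blocked requests per rule id and list the distinct clients per rule."""
    counts = Counter()
    clients = defaultdict(set)
    for line in lines:
        alert = parse_alert(line)
        if alert is None or alert["status"] is None:
            continue
        counts[alert["id"]] += 1
        clients[alert["id"]].add(alert["client"])
    return dict(counts), {rid: sorted(c) for rid, c in clients.items()}


if __name__ == "__main__":
    counts, clients = denials_by_rule(sample_lines())
    for rid, n in counts.items():
        print(f"rule {rid}: {n} denials from {', '.join(clients[rid])}")
```

Run it over a real error_log with `denials_by_rule(open(path))`; a single rule id dominating the counts during a load test is the first thing to check before tuning the rule or the MPM.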
From: Nicola B. <bia...@gm...> - 2008-06-26 05:19:03
Brian,
have you tried with httpS request? Without S I don't have hang problems...

My compiling configurations:

################################################################
tar xvfz httpd-${APACHE_VERSIONE}.tar.gz
cd httpd-${APACHE_VERSIONE}/
./configure \
    --prefix=/opt/waf/bin/httpd-${APACHE_VERSIONE} \
    --with-mpm=worker --enable-so \
    --enable-unique-id \
    --enable-proxy --enable-proxy-http --enable-proxy-balancer \
    --enable-rewrite --enable-headers \
    --enable-logio \
    --enable-expires \
    --enable-ssl \
    --enable-deflate --enable-cache --enable-disk-cache --enable-mem-cache \
    --disable-autoindex --disable-asis --disable-cgi --disable-cgid \
    --disable-negotiation --disable-userdir \
    --with-pcre=/opt/waf/bin/pcre-${PCRE_VERSIONE}
################################################################

################################################################
cd modsecurity-apache_${MODSEC_VERSIONE}/apache2/
./configure \
    --prefix=/opt/waf/bin/modsecurity-apache_${MODSEC_VERSIONE} \
    --with-apxs=/opt/waf/bin/httpd-${APACHE_VERSIONE}/bin/apxs \
    --with-apr=/opt/waf/bin/httpd-${APACHE_VERSIONE}/bin \
    --with-apu=/opt/waf/bin/httpd-${APACHE_VERSIONE}/bin \
    --with-pcre=/opt/waf/bin/pcre-${PCRE_VERSIONE} \
    --with-libxml=/opt/waf/bin/libxml2-${XML_VERSIONE} \
    --with-lua=/opt/waf/bin/lua-${LUA_VERSIONE} \
    --enable-strict-compile
################################################################

On Thu, Jun 26, 2008 at 1:38 AM, Brian Rectanus <Bri...@br...> wrote:
> Nick,
>
> I was not able to duplicate this. Below I have 2.2.9 apache running as
> a reverse proxy with modsecurity 2.5.5 and core rules 1.6.1 and mlogc
> running to a console. Each request produced an alert about the IP in
> the host header. Additionally, I upped the ab test considerably. I
> also tried mis-configuring mlogc in various ways, but these yielded
> similar results.
>
> There are some differences in our setups. I have most modules as
> modules vs compiled in as you have them. I am also running 64bit.
> But I do not think these should make that much difference.
>
> If you would send me the exact configure options you used with your
> 2.2.9 apache I will compile one here and test if you want.
From: Brian R. <Bri...@br...> - 2008-06-26 17:05:27
I still cannot duplicate - sorry. Try recompiling with APR/APU 1.3.2 and
see if that makes a difference for you. Results below...

Nicola Bianchi wrote:
> Brian,
> have you tried with httpS request? Without S I don't have hang problems...

$ ab -k -c 1000 -n 10000 https://127.0.1.1:8100/cgi-bin/dump
This is ApacheBench, Version 2.3 <$Revision: 655654 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking 127.0.1.1 (be patient)
Completed 1000 requests
Completed 2000 requests
Completed 3000 requests
Completed 4000 requests
Completed 5000 requests
Completed 6000 requests
Completed 7000 requests
Completed 8000 requests
Completed 9000 requests
Completed 10000 requests
Finished 10000 requests


Server Software:        FooBar/1.2.3
Server Hostname:        127.0.1.1
Server Port:            8100
SSL/TLS Protocol:       TLSv1/SSLv3,DHE-RSA-AES256-SHA,1024,256

Document Path:          /cgi-bin/dump
Document Length:        226 bytes

Concurrency Level:      1000
Time taken for tests:   121.536 seconds
Complete requests:      10000
Failed requests:        0
Write errors:           0
Non-2xx responses:      10303
Keep-Alive requests:    0
Total transferred:      4072344 bytes
HTML transferred:       2300228 bytes
Requests per second:    82.28 [#/sec] (mean)
Time per request:       12153.563 [ms] (mean)
Time per request:       12.154 [ms] (mean, across all concurrent requests)
Transfer rate:          32.72 [Kbytes/sec] received

Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:      115  7139 10962.6   4574   98384
Processing:     4  4075  1088.8   4217    6623
Waiting:        3  1254   652.5   1270    3484
Total:        174 11214 11049.4   9159  102880

Percentage of the requests served within a certain time (ms)
  50%   9159
  66%   9953
  75%  10954
  80%  11610
  90%  17395
  95%  19417
  98%  30490
  99%  99874
 100%  102880 (longest request)

>
> My compiling configurations:
>
> ################################################################
> tar xvfz httpd-${APACHE_VERSIONE}.tar.gz
> cd httpd-${APACHE_VERSIONE}/
> ./configure \
>     --prefix=/opt/waf/bin/httpd-${APACHE_VERSIONE} \
>     --with-mpm=worker --enable-so \
>     --enable-unique-id \
>     --enable-proxy --enable-proxy-http --enable-proxy-balancer \
>     --enable-rewrite --enable-headers \
>     --enable-logio \
>     --enable-expires \
>     --enable-ssl \
>     --enable-deflate --enable-cache --enable-disk-cache --enable-mem-cache \
>     --disable-autoindex --disable-asis --disable-cgi --disable-cgid \
>     --disable-negotiation --disable-userdir \
>     --with-pcre=/opt/waf/bin/pcre-${PCRE_VERSIONE}
> ################################################################
>
> ################################################################
> cd modsecurity-apache_${MODSEC_VERSIONE}/apache2/
> ./configure \
>     --prefix=/opt/waf/bin/modsecurity-apache_${MODSEC_VERSIONE} \
>     --with-apxs=/opt/waf/bin/httpd-${APACHE_VERSIONE}/bin/apxs \
>     --with-apr=/opt/waf/bin/httpd-${APACHE_VERSIONE}/bin \
>     --with-apu=/opt/waf/bin/httpd-${APACHE_VERSIONE}/bin \
>     --with-pcre=/opt/waf/bin/pcre-${PCRE_VERSIONE} \
>     --with-libxml=/opt/waf/bin/libxml2-${XML_VERSIONE} \
>     --with-lua=/opt/waf/bin/lua-${LUA_VERSIONE} \
>     --enable-strict-compile
> ################################################################

And compiled your way (mostly - I am still 64 bit):

Mine is faster, BTW - kidding ;)

$ httpd -V
Server version: Apache/2.2.9 (Unix)
Server built:   Jun 26 2008 09:56:07
Server's Module Magic Number: 20051115:15
Server loaded:  APR 1.3.0, APR-Util 1.3.0
Compiled using: APR 1.3.0, APR-Util 1.3.0
Architecture:   64-bit
Server MPM:     Worker
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/worker"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=128
 -D HTTPD_ROOT="/apps/httpd-2.2.9-nicola"
 -D SUEXEC_BIN="/apps/httpd-2.2.9-nicola/bin/suexec"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"

$ httpd -l
Compiled in modules:
  core.c
  mod_authn_file.c
  mod_authn_default.c
  mod_authz_host.c
  mod_authz_groupfile.c
  mod_authz_user.c
  mod_authz_default.c
  mod_auth_basic.c
  mod_cache.c
  mod_disk_cache.c
  mod_mem_cache.c
  mod_include.c
  mod_filter.c
  mod_deflate.c
  mod_log_config.c
  mod_logio.c
  mod_env.c
  mod_expires.c
  mod_headers.c
  mod_unique_id.c
  mod_setenvif.c
  mod_proxy.c
  mod_proxy_connect.c
  mod_proxy_ftp.c
  mod_proxy_http.c
  mod_proxy_ajp.c
  mod_proxy_balancer.c
  mod_ssl.c
  worker.c
  http_core.c
  mod_mime.c
  mod_status.c
  mod_dir.c
  mod_actions.c
  mod_alias.c
  mod_rewrite.c
  mod_so.c

$ ab -k -c 1000 -n 10000 https://127.0.1.1:8100/cgi-bin/dump
This is ApacheBench, Version 2.3 <$Revision: 655654 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking 127.0.1.1 (be patient)
Completed 1000 requests
Completed 2000 requests
Completed 3000 requests
Completed 4000 requests
Completed 5000 requests
Completed 6000 requests
Completed 7000 requests
Completed 8000 requests
Completed 9000 requests
Completed 10000 requests
Finished 10000 requests


Server Software:
Server Hostname:        127.0.1.1
Server Port:            8100
SSL/TLS Protocol:       TLSv1/SSLv3,DHE-RSA-AES256-SHA,1024,256

Document Path:          /cgi-bin/dump
Document Length:        226 bytes

Concurrency Level:      1000
Time taken for tests:   123.303 seconds
Complete requests:      10000
Failed requests:        0
Write errors:           0
Non-2xx responses:      10313
Keep-Alive requests:    0
Total transferred:      3854410 bytes
HTML transferred:       2307460 bytes
Requests per second:    81.10 [#/sec] (mean)
Time per request:       12330.260 [ms] (mean)
Time per request:       12.330 [ms] (mean, across all concurrent requests)
Transfer rate:          30.53 [Kbytes/sec] received

Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:      203  7297  8204.7   5242   99241
Processing:    26  4395  1357.0   4492    7688
Waiting:        7  1384   728.3   1404    4157
Total:        846 11692  8415.4  10091  103464

Percentage of the requests served within a certain time (ms)
  50%  10091
  66%  11590
  75%  12576
  80%  13366
  90%  17806
  95%  19963
  98%  30589
  99%  56842
 100%  103464 (longest request)

>
>
> On Thu, Jun 26, 2008 at 1:38 AM, Brian Rectanus <Bri...@br...> wrote:
>
> Nick,
>
> I was not able to duplicate this. Below I have 2.2.9 apache running as
> a reverse proxy with modsecurity 2.5.5 and core rules 1.6.1 and mlogc
> running to a console. Each request produced an alert about the IP in
> the host header. Additionally, I upped the ab test considerably. I
> also tried mis-configuring mlogc in various ways, but these yielded
> similar results.
>
> There are some differences in our setups. I have most modules as
> modules vs compiled in as you have them. I am also running 64bit. But
> I do not think these should make that much difference.
>
> If you would send me the exact configure options you used with your
> 2.2.9 apache I will compile one here and test if you want.
> -D APACHE_MPM_DIR="server/mpm/worker" > -D APR_HAS_SENDFILE > -D APR_HAS_MMAP > -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled) > -D APR_USE_SYSVSEM_SERIALIZE > -D APR_USE_PTHREAD_SERIALIZE > -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT > -D APR_HAS_OTHER_CHILD > -D AP_HAVE_RELIABLE_PIPED_LOGS > -D DYNAMIC_MODULE_LIMIT=128 > -D HTTPD_ROOT="/apps/httpd-2.2.9" > -D SUEXEC_BIN="/apps/httpd-2.2.9/bin/suexec" > -D DEFAULT_SCOREBOARD="logs/apache_runtime_status" > -D DEFAULT_ERRORLOG="logs/error_log" > -D AP_TYPES_CONFIG_FILE="conf/mime.types" > -D SERVER_CONFIG_FILE="conf/httpd.conf" > > $ httpd -lCompiled in modules: > core.c > worker.c > http_core.c > mod_so.c > > $ ab -k -c 1000 -n 10000 http://127.0.1.1:8100/cgi-bin/dump > This is ApacheBench, Version 2.3 <$Revision: 655654 $> > Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/ > Licensed to The Apache Software Foundation, http://www.apache.org/ > > Benchmarking 127.0.1.1 <http://127.0.1.1> (be patient) > Completed 1000 requests > Completed 2000 requests > Completed 3000 requests > Completed 4000 requests > Completed 5000 requests > Completed 6000 requests > Completed 7000 requests > Completed 8000 requests > Completed 9000 requests > Completed 10000 requests > Finished 10000 requests > > > Server Software: FooBar/1.2.3 > Server Hostname: 127.0.1.1 <http://127.0.1.1> > Server Port: 8100 > > Document Path: /cgi-bin/dump > Document Length: 226 bytes > > Concurrency Level: 1000 > Time taken for tests: 44.678 seconds > Complete requests: 10000 > Failed requests: 0 > Write errors: 0 > Non-2xx responses: 10000 > Keep-Alive requests: 0 > Total transferred: 3980000 bytes > HTML transferred: 2260000 bytes > Requests per second: 223.82 [#/sec] (mean) > Time per request: 4467.792 [ms] (mean) > Time per request: 4.468 [ms] (mean, across all concurrent > requests) > Transfer rate: 86.99 [Kbytes/sec] received > > Connection Times (ms) > min mean[+/-sd] median max > Connect: 0 469 1819.0 0 20999 > Processing: 3 
3814 4000.3 2614 27551 > Waiting: 3 3258 3543.1 2191 26116 > Total: 3 4283 4748.7 3025 36558 > > Percentage of the requests served within a certain time (ms) > 50% 3025 > 66% 4818 > 75% 6226 > 80% 7324 > 90% 10264 > 95% 13155 > 98% 18743 > 99% 23293 > 100% 36558 (longest request) > > > > Nicola Bianchi wrote: > > Hi Brian, > > here the information that you require! > > If you need additional info just tell me... > > > > Thank you a lot for the help ;) > > Regards. > > Nick > > > > ##### grep -v "^#" modsecurity_crs_10_config.conf | grep .. > > SecRuleEngine On > > SecRequestBodyAccess On > > SecResponseBodyAccess On > > SecResponseBodyMimeType (null) text/html text/plain text/xml > > SecResponseBodyLimit 524288 > > SecServerSignature "Apache/2.2.0 (Fedora)" > > SecComponentSignature "core ruleset/1.6.1" > > SecUploadDir /tmp > > SecUploadKeepFiles Off > > SecAuditEngine RelevantOnly > > SecAuditLogRelevantStatus "^(?:5|4(?!04))" > > SecAuditLogType Serial > > SecAuditLog logs/modsec_audit.log > > SecAuditLogParts "ABIFHKZ" > > SecArgumentSeparator "&" > > SecCookieFormat 0 > > SecRequestBodyInMemoryLimit 131072 > > SecDebugLog logs/modsec_debug.log > > SecDebugLogLevel 1 > > SecDataDir /tmp > > SecTmpDir /tmp > > > > > > ##### grep -v "^#" modsecurity_crs_15_cb_config.conf | grep .. 
> > SecRuleEngine On
> > SecRequestBodyAccess On
> > SecResponseBodyAccess On
> > SecResponseBodyMimeType (null) text/html text/plain text/xml
> > SecDefaultAction "phase:2,log,auditlog,deny,status:403,t:lowercase,t:replaceNulls,t:compressWhitespace"
> > SecServerSignature "Server X"
> > SecUploadDir /opt/jail/tmp
> > SecAuditLogType Concurrent
> > SecAuditLog "|bin/mlogc /opt/waf/mod_security/prod/bin/mlogc.conf"
> > SecAuditLogStorageDir logs/modsec_audit/
> > SecDebugLogLevel 0
> > SecDataDir /opt/jail/tmp
> > SecTmpDir /opt/jail/tmp
> >
> >
> > ##### /opt/waf/bin/apache_prod/bin/httpd -V
> > Server version: Apache/2.2.9 (Unix)
> > Server built:   Jun 18 2008 11:18:47
> > Server's Module Magic Number: 20051115:15
> > Server loaded:  APR 1.3.0, APR-Util 1.3.0
> > Compiled using: APR 1.3.0, APR-Util 1.3.0
> > Architecture:   32-bit
> > Server MPM:     Worker
> >   threaded:     yes (fixed thread count)
> >     forked:     yes (variable process count)
> > Server compiled with....
> >  -D APACHE_MPM_DIR="server/mpm/worker"
> >  -D APR_HAS_SENDFILE
> >  -D APR_HAS_MMAP
> >  -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
> >  -D APR_USE_SYSVSEM_SERIALIZE
> >  -D APR_USE_PTHREAD_SERIALIZE
> >  -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
> >  -D APR_HAS_OTHER_CHILD
> >  -D AP_HAVE_RELIABLE_PIPED_LOGS
> >  -D DYNAMIC_MODULE_LIMIT=128
> >  -D HTTPD_ROOT="/opt/waf/bin/httpd-2.2.9"
> >  -D SUEXEC_BIN="/opt/waf/bin/httpd-2.2.9/bin/suexec"
> >  -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
> >  -D DEFAULT_ERRORLOG="logs/error_log"
> >  -D AP_TYPES_CONFIG_FILE="conf/mime.types"
> >  -D SERVER_CONFIG_FILE="conf/httpd.conf"
> >
> >
> >
> > ##### /opt/waf/bin/apache_prod/bin/httpd -l
> > Compiled in modules:
> >   core.c
> >   mod_authn_file.c
> >   mod_authn_default.c
> >   mod_authz_host.c
> >   mod_authz_groupfile.c
> >   mod_authz_user.c
> >   mod_authz_default.c
> >   mod_auth_basic.c
> >   mod_cache.c
> >   mod_disk_cache.c
> >   mod_mem_cache.c
> >   mod_include.c
> >   mod_filter.c
> >   mod_deflate.c
> >   mod_log_config.c
> >   mod_logio.c
> >   mod_env.c
> >   mod_expires.c
> >   mod_headers.c
> >   mod_unique_id.c
> >   mod_setenvif.c
> >   mod_proxy.c
> >   mod_proxy_connect.c
> >   mod_proxy_ftp.c
> >   mod_proxy_http.c
> >   mod_proxy_ajp.c
> >   mod_proxy_balancer.c
> >   mod_ssl.c
> >   worker.c
> >   http_core.c
> >   mod_mime.c
> >   mod_status.c
> >   mod_dir.c
> >   mod_actions.c
> >   mod_alias.c
> >   mod_rewrite.c
> >   mod_so.c
> >
> >
> > ##### grep -v "^#" httpd-mpm.conf | grep ..
> > <IfModule !mpm_netware_module>
> >     PidFile "logs/httpd.pid"
> > </IfModule>
> > <IfModule !mpm_winnt_module>
> > <IfModule !mpm_netware_module>
> >     LockFile "logs/accept.lock"
> > </IfModule>
> > </IfModule>
> > <IfModule mpm_worker_module>
> >     StartServers          5
> >     MaxClients          400
> >     MinSpareThreads      25
> >     MaxSpareThreads      75
> >     ThreadsPerChild      25
> >     MaxRequestsPerChild 1000
> > </IfModule>
> >
> >
> > #### grep KeepAlive httpd-default.conf | grep -v "^#"
> > KeepAlive On
> > MaxKeepAliveRequests 100
> > KeepAliveTimeout 5
> >
> >
> > #### cat vhosts.d/www.mysite.com.conf
> >
> > <VirtualHost 192.168.168.100:80>
> >     ServerName www.mysite.com
> >     ServerAlias mysite.com
> >
> >     # Log files
> >     # ErrorLog logs/www.mysite.com-error_log
> >     # CustomLog logs/www.mysite.com-access_log combined
> >
> >     # Add ClientIP to the Request Headers
> >     RewriteEngine On
> >     RewriteCond %{REMOTE_ADDR} (.*)
> >     RewriteRule .* - [E=R_A:%1]
> >     RequestHeader add ClientIP %{R_A}e
> >
> >     # Send all pages except the manut one to the internal web server
> >     ProxyPreserveHost On
> >     ProxyPass /manut.html !
> >     ProxyPass / http://www.mysite.com/
> >     ProxyPassReverse / http://www.mysite.com/
> >
> >     # ModSecurity specific rules (no additional rules enabled for the moment)
> >     Include conf/rules.d/www.mysite.com.rules
> > </VirtualHost>
> >
> > <VirtualHost 192.168.168.100:443>
> >     ServerName www.mysite.com
> >     ServerAlias mysite.com
> >
> >     # Log files
> >     # ErrorLog logs/www.mysite.com-error_log
> >     # CustomLog logs/www.mysite.com-access_log combined
> >
> >     # SSL config
> >     SSLEngine on
> >     SSLProtocol All -SSLv2
> >     SSLCipherSuite ALL:!EXP:!NULL:!ADH:!LOW
> >     SSLCertificateFile conf/cert/www.mysite.com.crt
> >     SSLCertificateKeyFile conf/cert/www.mysite.com.key
> >     SSLCertificateChainFile conf/cert/Verisign04.crt
> >
> >     # Add ClientIP to the Request Headers
> >     RewriteEngine On
> >     RewriteCond %{REMOTE_ADDR} (.*)
> >     RewriteRule .* - [E=R_A:%1]
> >     RequestHeader add ClientIP %{R_A}e
> >
> >     # Send all pages except the manut one to the internal web server
> >     ProxyPreserveHost On
> >     ProxyPass /manut.html !
> >     ProxyPass / http://www.mysite.com/
> >     ProxyPassReverse / http://www.mysite.com/
> >
> >     # ModSecurity specific rules (no additional rules enabled for the moment)
> >     Include conf/rules.d/www.mysite.com.rules
> >
> > </VirtualHost>
> >
> >
> > Attached is the error_log of a test with:
> > #### ./ab -k -c 200 -n 2000 https://192.168.168.100/
> > Hang after 272 requests... (restart of Apache needed!)
> >
> >
> > #### top -d 1 (snapshot halfway through the test)
> > Tasks: 240 total,   1 running, 237 sleeping,   0 stopped,   2 zombie
> > Cpu(s):  9.5%us,  0.5%sy,  0.0%ni, 75.4%id, 14.4%wa,  0.0%hi,  0.2%si,  0.0%st
> > Mem:   5185028k total,  1462924k used,  3722104k free,     2832k buffers
> > Swap:  4194296k total,        0k used,  4194296k free,  1130024k cached
> >
> >   PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
> >  9302 wwwrun    18   0  233m  11m 2332 S    6  0.2   0:00.44 httpd
> >  9388 wwwrun    16   0  233m  10m 2232 S    5  0.2   0:00.27 httpd
> >  9332 wwwrun    16   0  234m  10m 2312 S    4  0.2   0:00.32 httpd
> >  9532 wwwrun    16   0  231m 9144 2240 S    4  0.2   0:00.11 httpd
> >  9392 wwwrun    16   0  234m  10m 2232 S    3  0.2   0:00.29 httpd
> >  9498 wwwrun    17   0  231m 9856 2296 S    3  0.2   0:00.13 httpd
> >  9499 wwwrun    17   0  230m 9100 2264 S    3  0.2   0:00.08 httpd
> >  9600 wwwrun    21   0  230m 9140 2272 S    3  0.2   0:00.08 httpd
> >  9386 wwwrun    15   0  232m  10m 2284 S    2  0.2   0:00.20 httpd
> >  9390 wwwrun    16   0  234m  10m 2220 S    2  0.2   0:00.23 httpd
> >  9530 wwwrun    16   0  230m 9056 2264 S    2  0.2   0:00.09 httpd
> >  1024 root      10  -5     0    0    0 S    1  0.0   0:02.81 xfsdatad/0
> >  9330 wwwrun    16   0  234m  10m 2288 S    1  0.2   0:00.30 httpd
> >  9505 wwwrun    16   0  230m 9124 2224 S    1  0.2   0:00.09 httpd
> >     1 root      16   0   732  284  244 S    0  0.0   0:02.00 init
> >     2 root      RT   0     0    0    0 S    0  0.0   0:00.74 migration/0
> >     3 root      34  19     0    0    0 S    0  0.0   0:00.05 ksoftirqd/0
> >
> >
> >
> > On Tue, Jun 24, 2008 at 7:18 PM, Brian Rectanus <Bri...@br...> wrote:
> >
> > Nicola,
> >
> > I need to be able to duplicate this problem.  Would you please send your
> > settings for Apache and modsecurity?
> >
> > For ModSecurity, I need your config settings (usually in
> > modsecurity_crs_10_config.conf) and which other files you are including.
> >
> > For Apache I at least need these:
> >
> > 1. Output from "httpd -V" and "httpd -l"
> >
> > 2. Values for the following directives:
> >
> > ServerLimit
> > StartServers
> > MaxClients
> > MinSpareThreads
> > MaxSpareThreads
> > ThreadsPerChild
> > MaxRequestsPerChild
> > MaxRequestsPerThread
> > KeepAlive
> > KeepAliveTimeout
> >
> > 3. As well as your config for proxying (Balancer, ProxyPass, etc)?
> >
> > 4. Additionally, your entire error_log at at least level "info" (cleared
> > before the test), the server-status output during (or near) the hang and
> > CPU/Mem usage stats during the test would be nice as well.
> >
> > thanks,
> > -B
> >
> >
> > Ivan Ristic wrote:
> > > Hi Nicola,
> > >
> > > We'll have to try to reproduce your problem somehow, as it doesn't
> > > happen in my tests. I've been using ab constantly over the years for
> > > testing, and I don't recall any problems either.
> > >
> > > Are you using mlogc or any other mechanism to transmit alerts elsewhere?
> > >
> > >
> > > On Mon, Jun 23, 2008 at 2:51 PM, Nicola Bianchi <bia...@gm...> wrote:
> > >> Hi people,
> > >> I'm a new modsecurity user and I have a problem which maybe some of you can
> > >> resolve ;).
> > >>
> > >> My configuration is: reverse proxy (http/https) with apache 2.2.9 and
> > >> modsecurity 2.5.5 (core rules 2.5-1.6.1) on Linux SUSE SLES10.
> > >> Hardware: 2 CPU dual core Intel(R) Xeon(R) @ 2.33GHz, 4GB of RAM
> > >>
> > >> If I try this benchmark all works fine, without problems:
> > >> ab -k -c 200 -n 8000 http://www.mysite.com/
> > >> ab -k -c 200 -n 8000 https://www.mysite.com/
> > >>
> > >> ... no lost requests, no particular delay.
> > >>
> > >> The problem comes out if I try to do a "DOS attack" pointing directly to the
> > >> IP address of mysite in https.
> > >> After a few requests (~200) apache hangs and stops responding ...
> > >>
> > >> ab -k -c 200 -n 8000 https://192.168.168.100/
> > >>
> > >> #############################################################################
> > >> # This is ApacheBench, Version 2.3 <$Revision: 655654 $>
> > >> # Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
> > >> # Licensed to The Apache Software Foundation, http://www.apache.org/
> > >> #
> > >> # Benchmarking 192.168.168.100 (be patient)
> > >> # Completed 200 requests
> > >> # apr_poll: The timeout specified has expired (70007)
> > >> # Total of 272 requests completed
> > >> #############################################################################
> > >>
> > >> Here is an extract from the logs:
> > >>
> > >> #############################################################################
> > >> Jun 23 14:31:47 ulxbwaf httpd[8103]: [error] [client 192.168.168.168]
> > >> ModSecurity: Access denied with code 400 (phase 2). Pattern match
> > >> "^[\\d\\.]+$" at REQUEST_HEADERS:Host. [file
> > >> "/opt/jail/opt/waf/mod_security/prod/conf/core_rules/modsecurity_crs_21_protocol_anomalies.conf"]
> > >> [line "60"] [id "960017"] [msg "Host header is a numeric IP address"]
> > >> [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [hostname
> > >> "192.168.168.100"] [uri "/"] [unique_id "SF@XssIL0NIAAB@ncMAAAACI"]
> > >> #############################################################################
> > >>
> > >> If I turn off modsecurity (SecRuleEngine Off) and repeat the test I don't
> > >> have the problem!
> > >> If I disable the specific rule (SecRuleRemoveById "960017") all works fine!
> > >>
> > >> So, do you have any idea about this issue?
> > >> How can I prevent this kind of "DOS attack"?
> > >>
> > >> Thanks a lot!
> > >> Regards
> > >> Nick
> > >>
> > >> PS: sorry for my ridiculous English ;)
> > >
> > >
> > > --
> > > Ivan Ristic
> >
> > --
> > Brian Rectanus
> > Breach Security

--
Brian Rectanus
Breach Security
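Brian's reproduction relies on seeing "an alert about the IP in the host header" for every request, and Nicola's own evidence is the single error_log line quoted above. The following is an added example, not code from this thread or from the ModSecurity project: a small parser for ModSecurity 2.x alert lines in the syslog-style error_log format shown in the thread, which splits the "Access denied with code NNN (phase N)" / "Warning" prefix from the trailing `[key "value"]` metadata and then counts alerts per rule id and denied requests per client, which is what you would run over the log during the ab test to confirm that rule 960017 is firing on each request. The sample lines are constructed from the one line Nicola posted; the 10.0.0.7 client, the /index.html URI and the last two unique_id values are made up.

```python
import re
from collections import Counter

# Constructed sample error_log lines, modelled on the single line Nicola quoted
# in the thread (rule 960017, "Host header is a numeric IP address"). The second
# and third lines, the 10.0.0.7 client, the /index.html URI and the unique_id
# values ending in J and K are made up for this example.
SAMPLE_LOG = r'''
Jun 23 14:31:47 ulxbwaf httpd[8103]: [error] [client 192.168.168.168] ModSecurity: Access denied with code 400 (phase 2). Pattern match "^[\\d\\.]+$" at REQUEST_HEADERS:Host. [file "/opt/jail/opt/waf/mod_security/prod/conf/core_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "60"] [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [hostname "192.168.168.100"] [uri "/"] [unique_id "SF@XssIL0NIAAB@ncMAAAACI"]
Jun 23 14:31:47 ulxbwaf httpd[8103]: [error] [client 192.168.168.168] ModSecurity: Access denied with code 400 (phase 2). Pattern match "^[\\d\\.]+$" at REQUEST_HEADERS:Host. [file "/opt/jail/opt/waf/mod_security/prod/conf/core_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "60"] [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [hostname "192.168.168.100"] [uri "/index.html"] [unique_id "SF@XssIL0NIAAB@ncMAAAACJ"]
Jun 23 14:31:48 ulxbwaf httpd[8104]: [error] [client 10.0.0.7] ModSecurity: Warning. Pattern match "^[\\d\\.]+$" at REQUEST_HEADERS:Host. [file "/opt/jail/opt/waf/mod_security/prod/conf/core_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "60"] [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [hostname "192.168.168.100"] [uri "/"] [unique_id "SF@XssIL0NIAAB@ncMAAAACK"]
Jun 23 14:31:49 ulxbwaf httpd[8103]: [notice] Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8a configured -- resuming normal operations
'''

# Syslog-style prefix that Apache writes when ErrorLog goes through syslog,
# as in the thread, followed by the "ModSecurity:" marker.
PREFIX_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) httpd\[(?P<pid>\d+)\]: '
    r'\[(?P<level>\w+)\] \[client (?P<client>[^\]]+)\] ModSecurity: (?P<rest>.*)$'
)
# "Access denied with code NNN (phase N)." for disruptive actions, "Warning." otherwise;
# the free-text detail runs up to the first [key "value"] field.
ACTION_RE = re.compile(
    r'^(?:Access denied with code (?P<status>\d+) \(phase (?P<phase>\d)\)|Warning)\. '
    r'(?P<detail>.*?)(?= \[\w+ ")'
)
# Trailing [key "value"] metadata; values may contain backslash-escaped quotes.
FIELD_RE = re.compile(r'\[(?P<key>\w+) "(?P<val>(?:[^"\\]|\\.)*)"\]')


def parse_modsec_line(line):
    """Return a dict for one ModSecurity alert line, or None for any other line."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None                      # SSL info, notices, non-ModSecurity errors
    rec = m.groupdict()
    rest = rec.pop('rest')
    a = ACTION_RE.match(rest)
    if not a:
        return None
    rec['disruptive'] = a.group('status') is not None
    rec['status'] = int(a.group('status')) if rec['disruptive'] else None
    rec['phase'] = int(a.group('phase')) if rec['disruptive'] else None
    rec['detail'] = a.group('detail')    # e.g. 'Pattern match "..." at REQUEST_HEADERS:Host.'
    rec['fields'] = {f.group('key'): f.group('val') for f in FIELD_RE.finditer(rest)}
    return rec


def summarize(log_text):
    """Parse every line; count alerts per (id, msg) and denied requests per client."""
    records = [r for r in map(parse_modsec_line, log_text.splitlines()) if r]
    by_rule = Counter((r['fields'].get('id'), r['fields'].get('msg')) for r in records)
    denied_by_client = Counter(r['client'] for r in records if r['disruptive'])
    return records, by_rule, denied_by_client


if __name__ == '__main__':
    records, by_rule, denied = summarize(SAMPLE_LOG)
    for (rule_id, msg), n in by_rule.most_common():
        print(f'rule {rule_id}: {n} alert(s) - {msg}')
    for client, n in denied.most_common():
        print(f'{client}: {n} request(s) denied')
```

Point the script at the real error_log (`summarize(open(path).read())`) while ab runs; if the alert count stops growing while the bench is still sending requests, you have the timestamp of the hang to line up against server-status and the mlogc log.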
From: Nicola B. <bia...@gm...> - 2008-06-27 09:32:05
Hi Brian,
I greatly appreciate your interest in my problem, thank you.

Today I've recompiled apache and modsecurity against the external apr/apr-util versions.
I've followed these steps:

export AMBIENTE=prod
export XML_VERSIONE=2.6.32
export PCRE_VERSIONE=7.7
export LUA_VERSIONE=5.1.3
export APACHE_VERSIONE=2.2.9
export MODSEC_VERSIONE=2.5.5
export CORERULES_VERSIONE=2.5-1.6.1
export APR_VERSIONE=1.3.2
export APR_UTIL_VERSIONE=1.3.2

# APR
cd /tmp
tar xzfv apr-${APR_VERSIONE}.tar.gz
cd apr-${APR_VERSIONE}
./configure --prefix=/opt/waf/bin/apr-${APR_VERSIONE}
make && make test
make install
cd /opt/waf/bin/
rm apr_${AMBIENTE}
ln -s apr-${APR_VERSIONE} apr_${AMBIENTE}

# APR-Util, built against the APR just installed
cd /tmp
tar xzvf apr-util-${APR_UTIL_VERSIONE}.tar.gz
cd apr-util-${APR_UTIL_VERSIONE}
./configure --prefix=/opt/waf/bin/apr-util-${APR_UTIL_VERSIONE} --with-apr=/opt/waf/bin/apr-${APR_VERSIONE}
make && make test
make install
cd /opt/waf/bin
rm apr-util_${AMBIENTE}
ln -s apr-util-${APR_UTIL_VERSIONE} apr-util_${AMBIENTE}

# httpd, pointed at the external APR/APR-Util instead of the bundled copies
cd /tmp
tar xvfz httpd-${APACHE_VERSIONE}.tar.gz
cd httpd-${APACHE_VERSIONE}/
./configure \
--prefix=/opt/waf/bin/httpd-${APACHE_VERSIONE} \
--with-mpm=worker --enable-so \
--enable-unique-id \
--enable-proxy --enable-proxy-http --enable-proxy-balancer \
--enable-rewrite --enable-headers \
--enable-logio \
--enable-expires \
--enable-ssl \
--enable-deflate --enable-cache --enable-disk-cache --enable-mem-cache \
--disable-autoindex --disable-asis --disable-cgi --disable-cgid \
--disable-negotiation --disable-userdir \
--with-pcre=/opt/waf/bin/pcre-${PCRE_VERSIONE} \
--with-apr=/opt/waf/bin/apr-${APR_VERSIONE} \
--with-apr-util=/opt/waf/bin/apr-util-${APR_UTIL_VERSIONE}
make
make install
rm /opt/waf/bin/apache_${AMBIENTE}
ln -s httpd-${APACHE_VERSIONE} /opt/waf/bin/apache_${AMBIENTE}

# mod_security2, against the same httpd/APR/APR-Util
cd /tmp
tar xvfz modsecurity-apache_${MODSEC_VERSIONE}.tar.gz
cd modsecurity-apache_${MODSEC_VERSIONE}/apache2/
./configure \
--prefix=/opt/waf/bin/modsecurity-apache_${MODSEC_VERSIONE} \
--with-apxs=/opt/waf/bin/httpd-${APACHE_VERSIONE}/bin/apxs \
--with-pcre=/opt/waf/bin/pcre-${PCRE_VERSIONE} \
--with-libxml=/opt/waf/bin/libxml2-${XML_VERSIONE} \
--with-lua=/opt/waf/bin/lua-${LUA_VERSIONE} \
--with-apr=/opt/waf/bin/apr-${APR_VERSIONE} \
--with-apu=/opt/waf/bin/apr-util-${APR_UTIL_VERSIONE} \
--enable-strict-compile
make && make test
# All tests passed (518).
mkdir -p /opt/waf/bin/modsecurity-apache_${MODSEC_VERSIONE}
rm /opt/waf/bin/modsecurity-apache_${AMBIENTE}
ln -s modsecurity-apache_${MODSEC_VERSIONE} /opt/waf/bin/modsecurity-apache_${AMBIENTE}
cp .libs/mod_security2.so /opt/waf/bin/modsecurity-apache_${MODSEC_VERSIONE}/

# mlogc
cd mlogc-src/
make
chown -R root:root mlogc
chmod -R go= mlogc
rm -f /opt/waf/mod_security/${AMBIENTE}/bin/mlogc
cp -p mlogc /opt/waf/mod_security/${AMBIENTE}/bin/

##### check
ldd /opt/waf/mod_security/${AMBIENTE}/bin/mlogc
        linux-gate.so.1 =>  (0xffffe000)
        libapr-1.so.0 => /opt/waf/bin/apr-1.3.2/lib/libapr-1.so.0 (0xb7ef3000)
        libcurl.so.3 => /usr/lib/libcurl.so.3 (0xb7ebf000)
        libidn.so.11 => /usr/lib/libidn.so.11 (0xb7e8f000)
        libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0xb7e52000)
        libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0xb7d29000)
        libdl.so.2 => /lib/libdl.so.2 (0xb7d25000)
        libz.so.1 => /lib/libz.so.1 (0xb7d13000)
        libpcre.so.0 => /usr/lib/libpcre.so.0 (0xb7ce7000)
        libpthread.so.0 => /lib/libpthread.so.0 (0xb7cd1000)
        libc.so.6 => /lib/libc.so.6 (0xb7ba5000)
        librt.so.1 => /lib/librt.so.1 (0xb7b9b000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0xb7b68000)
        /lib/ld-linux.so.2 (0xb7f21000)

/opt/waf/bin/apache_${AMBIENTE}/bin/httpd -V
Server version: Apache/2.2.9 (Unix)
Server built:   Jun 27 2008 10:08:36
Server's Module Magic Number: 20051115:15
Server loaded:  APR 1.3.2, APR-Util 1.3.2
Compiled using: APR 1.3.2, APR-Util 1.3.2
Architecture:   32-bit
Server MPM:     Worker
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/worker"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=128
 -D HTTPD_ROOT="/opt/waf/bin/httpd-2.2.9-apr"
 -D SUEXEC_BIN="/opt/waf/bin/httpd-2.2.9-apr/bin/suexec"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"
#### end of check

I've started apache without errors:

/etc/init.d/apachectl_${AMBIENTE} start

tail -10 /opt/waf/mod_security/${AMBIENTE}/logs/error_log
Jun 27 11:02:40 ulxbwaf2 httpd[29961]: [info] RSA server certificate enables Server Gated Cryptography (SGC)
Jun 27 11:02:40 ulxbwaf2 httpd[29961]: [info] Configuring server for SSL protocol
Jun 27 11:02:40 ulxbwaf2 httpd[29961]: [info] RSA server certificate enables Server Gated Cryptography (SGC)
Jun 27 11:02:40 ulxbwaf2 httpd[29961]: [info] Configuring server for SSL protocol
Jun 27 11:02:40 ulxbwaf2 httpd[29961]: [info] RSA server certificate enables Server Gated Cryptography (SGC)
Jun 27 11:02:40 ulxbwaf2 httpd[29961]: [info] Configuring server for SSL protocol
Jun 27 11:02:40 ulxbwaf2 httpd[29961]: [info] RSA server certificate enables Server Gated Cryptography (SGC)
Jun 27 11:02:40 ulxbwaf2 httpd[29961]: [info] mod_ssl/2.2.9 compiled against Server: Apache/2.2.9, Library: OpenSSL/0.9.8a
Jun 27 11:02:40 ulxbwaf2 httpd[29961]: [notice] Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8a Server X configured -- resuming normal operations
Jun 27 11:02:40 ulxbwaf2 httpd[29961]: [info] Server built: Jun 27 2008 10:08:36

tail -10 /opt/waf/mod_security/prod/logs/mlogc-error.log
[Fri Jun 27 10:38:42 2008] [3] [27039/0] ModSecurity Audit Log Collector 1.4.4 started.
[Fri Jun 27 10:38:43 2008] [3] [27048/0] ModSecurity Audit Log Collector 1.4.4 delaying startup for 1000ms
[Fri Jun 27 10:38:43 2008] [3] [27044/0] ModSecurity Audit Log Collector 1.4.4 started.
[Fri Jun 27 10:38:43 2008] [3] [27052/0] ModSecurity Audit Log Collector 1.4.4 delaying startup for 1000ms
[Fri Jun 27 10:38:44 2008] [3] [27048/0] ModSecurity Audit Log Collector 1.4.4 started.
[Fri Jun 27 10:38:44 2008] [3] [27052/0] ModSecurity Audit Log Collector 1.4.4 started.
[Fri Jun 27 11:02:38 2008] [3] [29959/0] ModSecurity Audit Log Collector 1.4.4 delaying startup for 1000ms
[Fri Jun 27 11:02:39 2008] [3] [29962/0] ModSecurity Audit Log Collector 1.4.4 delaying startup for 1000ms
[Fri Jun 27 11:02:39 2008] [3] [29959/0] ModSecurity Audit Log Collector 1.4.4 started.
[Fri Jun 27 11:02:40 2008] [3] [29962/0] ModSecurity Audit Log Collector 1.4.4 started.

ps -ef | grep apache_${AMBIENTE}
root     29961     1  0 11:02 ?        00:00:00 /opt/waf/bin/apache_prod/bin/httpd -f /opt/waf/mod_security/prod/conf/httpd.conf -k start
wwwrun   29964 29961  0 11:02 ?        00:00:00 /opt/waf/bin/apache_prod/bin/httpd -f /opt/waf/mod_security/prod/conf/httpd.conf -k start
wwwrun   29965 29961  0 11:02 ?        00:00:00 /opt/waf/bin/apache_prod/bin/httpd -f /opt/waf/mod_security/prod/conf/httpd.conf -k start

ps -ef | grep mlogc
root     29959     1  0 11:02 pts/2    00:00:00 /opt/jail/opt/waf/mod_security/prod/bin/mlogc /opt/jail/opt/waf/mod_security/prod/bin/mlogc.conf
root     29962 29961  0 11:02 ?        00:00:00 /opt/jail/opt/waf/mod_security/prod/bin/mlogc /opt/jail/opt/waf/mod_security/prod/bin/mlogc.conf
##### always the strange parent shell ....

... but apache still hangs!!! Same problem :( ... no log to the console and so on ...
Maybe after a weekend of relaxing I'll be luckier... ;)

byebye
Nick

PS: no jail ... only a nice to have

On Thu, Jun 26, 2008 at 7:05 PM, Brian Rectanus <Bri...@br...> wrote:
> I still cannot duplicate - sorry.  Try recompiling with APR/APU 1.3.2
> and see if that makes a difference for you.  Results below...
>
> Nicola Bianchi wrote:
> > Brian,
> > have you tried with httpS requests? Without S I don't have hang
> > problems...
>
> $ ab -k -c 1000 -n 10000 https://127.0.1.1:8100/cgi-bin/dump
> This is ApacheBench, Version 2.3 <$Revision: 655654 $>
> Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
> Licensed to The Apache Software Foundation, http://www.apache.org/
>
> Benchmarking 127.0.1.1 (be patient)
> Completed 1000 requests
> Completed 2000 requests
> Completed 3000 requests
> Completed 4000 requests
> Completed 5000 requests
> Completed 6000 requests
> Completed 7000 requests
> Completed 8000 requests
> Completed 9000 requests
> Completed 10000 requests
> Finished 10000 requests
>
>
> Server Software:        FooBar/1.2.3
> Server Hostname:        127.0.1.1
> Server Port:            8100
> SSL/TLS Protocol:       TLSv1/SSLv3,DHE-RSA-AES256-SHA,1024,256
>
> Document Path:          /cgi-bin/dump
> Document Length:        226 bytes
>
> Concurrency Level:      1000
> Time taken for tests:   121.536 seconds
> Complete requests:      10000
> Failed requests:        0
> Write errors:           0
> Non-2xx responses:      10303
> Keep-Alive requests:    0
> Total transferred:      4072344 bytes
> HTML transferred:       2300228 bytes
> Requests per second:    82.28 [#/sec] (mean)
> Time per request:       12153.563 [ms] (mean)
> Time per request:       12.154 [ms] (mean, across all concurrent requests)
> Transfer rate:          32.72 [Kbytes/sec] received
>
> Connection Times (ms)
>               min  mean[+/-sd] median   max
> Connect:      115 7139 10962.6   4574   98384
> Processing:     4 4075 1088.8   4217    6623
> Waiting:        3 1254  652.5   1270    3484
> Total:        174 11214 11049.4   9159  102880
>
> Percentage of the requests served within a certain time (ms)
>   50%   9159
>   66%   9953
>   75%  10954
>   80%  11610
>   90%  17395
>   95%  19417
>   98%  30490
>   99%  99874
>  100%  102880 (longest request)
--prefix=/opt/waf/bin/httpd-${APACHE_VERSIONE} \ > > --with-mpm=worker --enable-so \ > > --enable-unique-id \ > > --enable-proxy --enable-proxy-http --enable-proxy-balancer \ > > --enable-rewrite --enable-headers \ > > --enable-logio \ > > --enable-expires \ > > --enable-ssl \ > > --enable-deflate --enable-cache --enable-disk-cache --enable-mem-cache \ > > --disable-autoindex --disable-asis --disable-cgi --disable-cgid \ > > --disable-negotiation --disable-userdir \ > > --with-pcre=/opt/waf/bin/pcre-${PCRE_VERSIONE} > > ################################################################ > > > > ################################################################ > > cd modsecurity-apache_${MODSEC_VERSIONE}/apache2/ > > ./configure \ > > --prefix=/opt/waf/bin/modsecurity-apache_${MODSEC_VERSIONE} \ > > --with-apxs=/opt/waf/bin/httpd-${APACHE_VERSIONE}/bin/apxs \ > > --with-apr=/opt/waf/bin/httpd-${APACHE_VERSIONE}/bin \ > > --with-apu=/opt/waf/bin/httpd-${APACHE_VERSIONE}/bin \ > > --with-pcre=/opt/waf/bin/pcre-${PCRE_VERSIONE} \ > > --with-libxml=/opt/waf/bin/libxml2-${XML_VERSIONE} \ > > --with-lua=/opt/waf/bin/lua-${LUA_VERSIONE} \ > > --enable-strict-compile > > ################################################################ > > And compiled your way (mostly - I am still 64 bit): > > Mine is faster, BTW - kidding ;) > > $ httpd -V > Server version: Apache/2.2.9 (Unix) > Server built: Jun 26 2008 09:56:07 > Server's Module Magic Number: 20051115:15 > Server loaded: APR 1.3.0, APR-Util 1.3.0 > Compiled using: APR 1.3.0, APR-Util 1.3.0 > Architecture: 64-bit > Server MPM: Worker > threaded: yes (fixed thread count) > forked: yes (variable process count) > Server compiled with.... 
> -D APACHE_MPM_DIR="server/mpm/worker" > -D APR_HAS_SENDFILE > -D APR_HAS_MMAP > -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled) > -D APR_USE_SYSVSEM_SERIALIZE > -D APR_USE_PTHREAD_SERIALIZE > -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT > -D APR_HAS_OTHER_CHILD > -D AP_HAVE_RELIABLE_PIPED_LOGS > -D DYNAMIC_MODULE_LIMIT=128 > -D HTTPD_ROOT="/apps/httpd-2.2.9-nicola" > -D SUEXEC_BIN="/apps/httpd-2.2.9-nicola/bin/suexec" > -D DEFAULT_SCOREBOARD="logs/apache_runtime_status" > -D DEFAULT_ERRORLOG="logs/error_log" > -D AP_TYPES_CONFIG_FILE="conf/mime.types" > -D SERVER_CONFIG_FILE="conf/httpd.conf" > > $ httpd -l > Compiled in modules: > core.c > mod_authn_file.c > mod_authn_default.c > mod_authz_host.c > mod_authz_groupfile.c > mod_authz_user.c > mod_authz_default.c > mod_auth_basic.c > mod_cache.c > mod_disk_cache.c > mod_mem_cache.c > mod_include.c > mod_filter.c > mod_deflate.c > mod_log_config.c > mod_logio.c > mod_env.c > mod_expires.c > mod_headers.c > mod_unique_id.c > mod_setenvif.c > mod_proxy.c > mod_proxy_connect.c > mod_proxy_ftp.c > mod_proxy_http.c > mod_proxy_ajp.c > mod_proxy_balancer.c > mod_ssl.c > worker.c > http_core.c > mod_mime.c > mod_status.c > mod_dir.c > mod_actions.c > mod_alias.c > mod_rewrite.c > mod_so.c > > $ ab -k -c 1000 -n 10000 https://127.0.1.1:8100/cgi-bin/dump > This is ApacheBench, Version 2.3 <$Revision: 655654 $> > Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/ > Licensed to The Apache Software Foundation, http://www.apache.org/ > > Benchmarking 127.0.1.1 (be patient) > Completed 1000 requests > Completed 2000 requests > Completed 3000 requests > Completed 4000 requests > Completed 5000 requests > Completed 6000 requests > Completed 7000 requests > Completed 8000 requests > Completed 9000 requests > Completed 10000 requests > Finished 10000 requests > > > Server Software: > Server Hostname: 127.0.1.1 > Server Port: 8100 > SSL/TLS Protocol: TLSv1/SSLv3,DHE-RSA-AES256-SHA,1024,256 > > Document Path: 
/cgi-bin/dump > Document Length: 226 bytes > > Concurrency Level: 1000 > Time taken for tests: 123.303 seconds > Complete requests: 10000 > Failed requests: 0 > Write errors: 0 > Non-2xx responses: 10313 > Keep-Alive requests: 0 > Total transferred: 3854410 bytes > HTML transferred: 2307460 bytes > Requests per second: 81.10 [#/sec] (mean) > Time per request: 12330.260 [ms] (mean) > Time per request: 12.330 [ms] (mean, across all concurrent requests) > Transfer rate: 30.53 [Kbytes/sec] received > > Connection Times (ms) > min mean[+/-sd] median max > Connect: 203 7297 8204.7 5242 99241 > Processing: 26 4395 1357.0 4492 7688 > Waiting: 7 1384 728.3 1404 4157 > Total: 846 11692 8415.4 10091 103464 > > Percentage of the requests served within a certain time (ms) > 50% 10091 > 66% 11590 > 75% 12576 > 80% 13366 > 90% 17806 > 95% 19963 > 98% 30589 > 99% 56842 > 100% 103464 (longest request) > > > > > > > > > > On Thu, Jun 26, 2008 at 1:38 AM, Brian Rectanus > > <Bri...@br... <mailto:Bri...@br...>> wrote: > > > > Nick, > > > > I was not able to duplicate this. Below I have 2.2.9 apache running > as > > a reverse proxy with modsecurity 2.5.5 and core rules 1.6.1 and mlogc > > running to a console. Each request produced an alert about the IP in > > the host header. Additionally, I up'ed the ab test considerably. I > > also tried mis-configuring mlogc in various ways, but these yielded > > similar results. > > > > There are some differences in our setups. I have most modules as > > modules vs compiled in as you have them. I am also running 64bit. > But > > I do not think these should make that much difference. > > > > If you would send me the exact configure options you used with your > > 2.2.9 apache I will compile one here and test if you want. 
> >
> >
> > $ httpd -V
> > Server version: Apache/2.2.9 (Unix)
> > Server built: Jun 25 2008 16:25:03
> > Server's Module Magic Number: 20051115:15
> > Server loaded: APR 1.3.0, APR-Util 1.3.0
> > Compiled using: APR 1.3.0, APR-Util 1.3.0
> > Architecture: 64-bit
> > Server MPM: Worker
> > threaded: yes (fixed thread count)
> > forked: yes (variable process count)
> > Server compiled with....
> > -D APACHE_MPM_DIR="server/mpm/worker"
> > -D APR_HAS_SENDFILE
> > -D APR_HAS_MMAP
> > -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
> > -D APR_USE_SYSVSEM_SERIALIZE
> > -D APR_USE_PTHREAD_SERIALIZE
> > -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
> > -D APR_HAS_OTHER_CHILD
> > -D AP_HAVE_RELIABLE_PIPED_LOGS
> > -D DYNAMIC_MODULE_LIMIT=128
> > -D HTTPD_ROOT="/apps/httpd-2.2.9"
> > -D SUEXEC_BIN="/apps/httpd-2.2.9/bin/suexec"
> > -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
> > -D DEFAULT_ERRORLOG="logs/error_log"
> > -D AP_TYPES_CONFIG_FILE="conf/mime.types"
> > -D SERVER_CONFIG_FILE="conf/httpd.conf"
> >
> > $ httpd -l
> > Compiled in modules:
> > core.c
> > worker.c
> > http_core.c
> > mod_so.c
> >
> > $ ab -k -c 1000 -n 10000 http://127.0.1.1:8100/cgi-bin/dump
> > This is ApacheBench, Version 2.3 <$Revision: 655654 $>
> > Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
> > Licensed to The Apache Software Foundation, http://www.apache.org/
> >
> > Benchmarking 127.0.1.1 (be patient)
> > Completed 1000 requests
> > Completed 2000 requests
> > Completed 3000 requests
> > Completed 4000 requests
> > Completed 5000 requests
> > Completed 6000 requests
> > Completed 7000 requests
> > Completed 8000 requests
> > Completed 9000 requests
> > Completed 10000 requests
> > Finished 10000 requests
> >
> >
> > Server Software: FooBar/1.2.3
> > Server Hostname: 127.0.1.1
> > Server Port: 8100
> >
> > Document Path: /cgi-bin/dump
> > Document Length: 226 bytes
> >
> > Concurrency Level: 1000
> > Time taken for tests: 44.678 seconds
> > Complete requests: 10000
> > Failed requests: 0
> > Write errors: 0
> > Non-2xx responses: 10000
> > Keep-Alive requests: 0
> > Total transferred: 3980000 bytes
> > HTML transferred: 2260000 bytes
> > Requests per second: 223.82 [#/sec] (mean)
> > Time per request: 4467.792 [ms] (mean)
> > Time per request: 4.468 [ms] (mean, across all concurrent requests)
> > Transfer rate: 86.99 [Kbytes/sec] received
> >
> > Connection Times (ms)
> >               min  mean[+/-sd] median   max
> > Connect:        0   469  1819.0      0 20999
> > Processing:     3  3814  4000.3   2614 27551
> > Waiting:        3  3258  3543.1   2191 26116
> > Total:          3  4283  4748.7   3025 36558
> >
> > Percentage of the requests served within a certain time (ms)
> >   50%   3025
> >   66%   4818
> >   75%   6226
> >   80%   7324
> >   90%  10264
> >   95%  13155
> >   98%  18743
> >   99%  23293
> >  100%  36558 (longest request)
> >
> >
> > Nicola Bianchi wrote:
> > > Hi Brian,
> > > here is the information that you require!
> > > If you need additional info just tell me...
> > >
> > > Thank you a lot for the help ;)
> > > Regards.
> > > Nick
> > >
> > > ##### grep -v "^#" modsecurity_crs_10_config.conf | grep ..
> > > SecRuleEngine On
> > > SecRequestBodyAccess On
> > > SecResponseBodyAccess On
> > > SecResponseBodyMimeType (null) text/html text/plain text/xml
> > > SecResponseBodyLimit 524288
> > > SecServerSignature "Apache/2.2.0 (Fedora)"
> > > SecComponentSignature "core ruleset/1.6.1"
> > > SecUploadDir /tmp
> > > SecUploadKeepFiles Off
> > > SecAuditEngine RelevantOnly
> > > SecAuditLogRelevantStatus "^(?:5|4(?!04))"
> > > SecAuditLogType Serial
> > > SecAuditLog logs/modsec_audit.log
> > > SecAuditLogParts "ABIFHKZ"
> > > SecArgumentSeparator "&"
> > > SecCookieFormat 0
> > > SecRequestBodyInMemoryLimit 131072
> > > SecDebugLog logs/modsec_debug.log
> > > SecDebugLogLevel 1
> > > SecDataDir /tmp
> > > SecTmpDir /tmp
> > >
> > >
> > > ##### grep -v "^#" modsecurity_crs_15_cb_config.conf | grep ..
> > > SecRuleEngine On
> > > SecRequestBodyAccess On
> > > SecResponseBodyAccess On
> > > SecResponseBodyMimeType (null) text/html text/plain text/xml
> > > SecDefaultAction "phase:2,log,auditlog,deny,status:403,t:lowercase,t:replaceNulls,t:compressWhitespace"
> > > SecServerSignature "Server X"
> > > SecUploadDir /opt/jail/tmp
> > > SecAuditLogType Concurrent
> > > SecAuditLog "|bin/mlogc /opt/waf/mod_security/prod/bin/mlogc.conf"
> > > SecAuditLogStorageDir logs/modsec_audit/
> > > SecDebugLogLevel 0
> > > SecDataDir /opt/jail/tmp
> > > SecTmpDir /opt/jail/tmp
> > >
> > >
> > > ##### /opt/waf/bin/apache_prod/bin/httpd -V
> > > Server version: Apache/2.2.9 (Unix)
> > > Server built: Jun 18 2008 11:18:47
> > > Server's Module Magic Number: 20051115:15
> > > Server loaded: APR 1.3.0, APR-Util 1.3.0
> > > Compiled using: APR 1.3.0, APR-Util 1.3.0
> > > Architecture: 32-bit
> > > Server MPM: Worker
> > > threaded: yes (fixed thread count)
> > > forked: yes (variable process count)
> > > Server compiled with....
> > > -D APACHE_MPM_DIR="server/mpm/worker"
> > > -D APR_HAS_SENDFILE
> > > -D APR_HAS_MMAP
> > > -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
> > > -D APR_USE_SYSVSEM_SERIALIZE
> > > -D APR_USE_PTHREAD_SERIALIZE
> > > -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
> > > -D APR_HAS_OTHER_CHILD
> > > -D AP_HAVE_RELIABLE_PIPED_LOGS
> > > -D DYNAMIC_MODULE_LIMIT=128
> > > -D HTTPD_ROOT="/opt/waf/bin/httpd-2.2.9"
> > > -D SUEXEC_BIN="/opt/waf/bin/httpd-2.2.9/bin/suexec"
> > > -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
> > > -D DEFAULT_ERRORLOG="logs/error_log"
> > > -D AP_TYPES_CONFIG_FILE="conf/mime.types"
> > > -D SERVER_CONFIG_FILE="conf/httpd.conf"
> > >
> > >
> > > ##### /opt/waf/bin/apache_prod/bin/httpd -l
> > > Compiled in modules:
> > > core.c
> > > mod_authn_file.c
> > > mod_authn_default.c
> > > mod_authz_host.c
> > > mod_authz_groupfile.c
> > > mod_authz_user.c
> > > mod_authz_default.c
> > > mod_auth_basic.c
> > > mod_cache.c
> > > mod_disk_cache.c
> > > mod_mem_cache.c
> > > mod_include.c
> > > mod_filter.c
> > > mod_deflate.c
> > > mod_log_config.c
> > > mod_logio.c
> > > mod_env.c
> > > mod_expires.c
> > > mod_headers.c
> > > mod_unique_id.c
> > > mod_setenvif.c
> > > mod_proxy.c
> > > mod_proxy_connect.c
> > > mod_proxy_ftp.c
> > > mod_proxy_http.c
> > > mod_proxy_ajp.c
> > > mod_proxy_balancer.c
> > > mod_ssl.c
> > > worker.c
> > > http_core.c
> > > mod_mime.c
> > > mod_status.c
> > > mod_dir.c
> > > mod_actions.c
> > > mod_alias.c
> > > mod_rewrite.c
> > > mod_so.c
> > >
> > >
> > > ##### grep -v "^#" httpd-mpm.conf | grep ..
> > > <IfModule !mpm_netware_module>
> > > PidFile "logs/httpd.pid"
> > > </IfModule>
> > > <IfModule !mpm_winnt_module>
> > > <IfModule !mpm_netware_module>
> > > LockFile "logs/accept.lock"
> > > </IfModule>
> > > </IfModule>
> > > <IfModule mpm_worker_module>
> > > StartServers 5
> > > MaxClients 400
> > > MinSpareThreads 25
> > > MaxSpareThreads 75
> > > ThreadsPerChild 25
> > > MaxRequestsPerChild 1000
> > > </IfModule>
> > >
> > >
> > > #### grep KeepAlive httpd-default.conf | grep -v "^#"
> > > KeepAlive On
> > > MaxKeepAliveRequests 100
> > > KeepAliveTimeout 5
> > >
> > >
> > > #### cat vhosts.d/www.mysite.com.conf
> > >
> > > <VirtualHost 192.168.168.100:80>
> > > ServerName www.mysite.com
> > > ServerAlias mysite.com
> > >
> > > # Log files
> > > # ErrorLog logs/www.mysite.com-error_log
> > > # CustomLog logs/www.mysite.com-access_log combined
> > >
> > > # Add ClientIP to the Request Headers
> > > RewriteEngine On
> > > RewriteCond %{REMOTE_ADDR} (.*)
> > > RewriteRule .* - [E=R_A:%1]
> > > RequestHeader add ClientIP %{R_A}e
> > >
> > > # Send all pages except the manut one to the internal web server
> > > ProxyPreserveHost On
> > > ProxyPass /manut.html !
> > > ProxyPass / http://www.mysite.com/
> > > ProxyPassReverse / http://www.mysite.com/
> > >
> > > # ModSecurity specific rules (no additional rules enabled for the moment)
> > > Include conf/rules.d/www.mysite.com.rules
> > > </VirtualHost>
> > >
> > > <VirtualHost 192.168.168.100:443>
> > > ServerName www.mysite.com
> > > ServerAlias mysite.com
> > >
> > > # Log files
> > > # ErrorLog logs/www.mysite.com-error_log
> > > # CustomLog logs/www.mysite.com-access_log combined
> > >
> > > # SSL config
> > > SSLEngine on
> > > SSLProtocol All -SSLv2
> > > SSLCipherSuite ALL:!EXP:!NULL:!ADH:!LOW
> > > SSLCertificateFile conf/cert/www.mysite.com.crt
> > > SSLCertificateKeyFile conf/cert/www.mysite.com.key
> > > SSLCertificateChainFile conf/cert/Verisign04.crt
> > >
> > > # Add ClientIP to the Request Headers
> > > RewriteEngine On
> > > RewriteCond %{REMOTE_ADDR} (.*)
> > > RewriteRule .* - [E=R_A:%1]
> > > RequestHeader add ClientIP %{R_A}e
> > >
> > > # Send all pages except the manut one to the internal web server
> > > ProxyPreserveHost On
> > > ProxyPass /manut.html !
> > > ProxyPass / http://www.mysite.com/
> > > ProxyPassReverse / http://www.mysite.com/
> > >
> > > # ModSecurity specific rules (no additional rules enabled for the moment)
> > > Include conf/rules.d/www.mysite.com.rules
> > >
> > > </VirtualHost>
> > >
> > >
> > > Attached is the error_log of a test with:
> > > #### ./ab -k -c 200 -n 2000 https://192.168.168.100/
> > > Hang after 272 requests... (restart of apache needed!)
> > >
> > >
> > > #### top -d 1 (snapshot halfway through the test)
> > > Tasks: 240 total, 1 running, 237 sleeping, 0 stopped, 2 zombie
> > > Cpu(s): 9.5%us, 0.5%sy, 0.0%ni, 75.4%id, 14.4%wa, 0.0%hi, 0.2%si, 0.0%st
> > > Mem: 5185028k total, 1462924k used, 3722104k free, 2832k buffers
> > > Swap: 4194296k total, 0k used, 4194296k free, 1130024k cached
> > >
> > >  PID USER   PR NI VIRT  RES  SHR S %CPU %MEM   TIME+ COMMAND
> > > 9302 wwwrun 18  0 233m  11m 2332 S    6  0.2 0:00.44 httpd
> > > 9388 wwwrun 16  0 233m  10m 2232 S    5  0.2 0:00.27 httpd
> > > 9332 wwwrun 16  0 234m  10m 2312 S    4  0.2 0:00.32 httpd
> > > 9532 wwwrun 16  0 231m 9144 2240 S    4  0.2 0:00.11 httpd
> > > 9392 wwwrun 16  0 234m  10m 2232 S    3  0.2 0:00.29 httpd
> > > 9498 wwwrun 17  0 231m 9856 2296 S    3  0.2 0:00.13 httpd
> > > 9499 wwwrun 17  0 230m 9100 2264 S    3  0.2 0:00.08 httpd
> > > 9600 wwwrun 21  0 230m 9140 2272 S    3  0.2 0:00.08 httpd
> > > 9386 wwwrun 15  0 232m  10m 2284 S    2  0.2 0:00.20 httpd
> > > 9390 wwwrun 16  0 234m  10m 2220 S    2  0.2 0:00.23 httpd
> > > 9530 wwwrun 16  0 230m 9056 2264 S    2  0.2 0:00.09 httpd
> > > 1024 root   10 -5    0    0    0 S    1  0.0 0:02.81 xfsdatad/0
> > > 9330 wwwrun 16  0 234m  10m 2288 S    1  0.2 0:00.30 httpd
> > > 9505 wwwrun 16  0 230m 9124 2224 S    1  0.2 0:00.09 httpd
> > >    1 root   16  0  732  284  244 S    0  0.0 0:02.00 init
> > >    2 root   RT  0    0    0    0 S    0  0.0 0:00.74 migration/0
> > >    3 root   34 19    0    0    0 S    0  0.0 0:00.05 ksoftirqd/0
> > >
> > >
> > > On Tue, Jun 24, 2008 at 7:18 PM, Brian Rectanus <Bri...@br...> wrote:
> > >
> > > Nicola,
> > >
> > > I need to be able to duplicate this problem. Would you please send your settings for Apache and modsecurity?
> > >
> > > For ModSecurity, I need your config settings (usually in modsecurity_crs_10_config.conf) and which other files you are including.
> > >
> > > For Apache I at least need these:
> > >
> > > 1. Output from "httpd -V" and "httpd -l"
> > >
> > > 2. Values for the following directives:
> > >
> > > ServerLimit
> > > StartServers
> > > MaxClients
> > > MinSpareThreads
> > > MaxSpareThreads
> > > ThreadsPerChild
> > > MaxRequestsPerChild
> > > MaxRequestsPerThread
> > > KeepAlive
> > > KeepAliveTimeout
> > >
> > > 3. As well as your config for proxying (Balancer, ProxyPass, etc)?
> > >
> > > 4. Additionally, your entire error_log at at least level "info" (cleared before the test), the server-status output during (or near) the hang and CPU/Mem usage stats during the test would be nice as well.
> > >
> > > thanks,
> > > -B
> > >
> > >
> > > Ivan Ristic wrote:
> > > > Hi Nicola,
> > > >
> > > > We'll have to try to reproduce your problem somehow, as it doesn't happen in my tests. I've been using ab constantly over the years for testing, and I don't recall any problems either.
> > > >
> > > > Are you using mlogc or any other mechanism to transmit alerts elsewhere?
> > > >
> > > >
> > > > On Mon, Jun 23, 2008 at 2:51 PM, Nicola Bianchi <bia...@gm...> wrote:
> > > >> Hi people,
> > > >> I'm a new modsecurity user and I've a problem which maybe some of you can resolve ;).
> > > >>
> > > >> My configuration is: reverse proxy (http/https) with apache 2.2.9 and modsecurity 2.5.5 (core rules 2.5-1.6.1) on Linux SUSE SLES10.
> > > >> Hardware: 2CPU dual core Intel(R) Xeon(R) @ 2.33GHz, 4GB of RAM
> > > >>
> > > >> If I try this benchmark all works fine, without problems:
> > > >> ab -k -c 200 -n 8000 http://www.mysite.com/
> > > >> ab -k -c 200 -n 8000 https://www.mysite.com/
> > > >>
> > > >> ...
> > > >> no lost requests, no particular delay.
> > > >>
> > > >> The problem comes out if I try to do a "DOS attack" pointing directly to the ip address of mysite in https.
> > > >> After a few requests (~200) apache hangs and stops responding ...
> > > >>
> > > >> ab -k -c 200 -n 8000 https://192.168.168.100/
> > > >>
> > > >> #############################################################################
> > > >> # This is ApacheBench, Version 2.3 <$Revision: 655654 $>
> > > >> # Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
> > > >> # Licensed to The Apache Software Foundation, http://www.apache.org/
> > > >> #
> > > >> # Benchmarking 192.168.168.100 (be patient)
> > > >> # Completed 200 requests
> > > >> # apr_poll: The timeout specified has expired (70007)
> > > >> # Total of 272 requests completed
> > > >>
> > > >> #############################################################################
> > > >>
> > > >> Here is an extract from the logs:
> > > >>
> > > >> #############################################################################
> > > >> Jun 23 14:31:47 ulxbwaf httpd[8103]: [error] [client 192.168.168.168] ModSecurity: Access denied with code 400 (phase 2). Pattern match "^[\\d\\.]+$" at REQUEST_HEADERS:Host. [file "/opt/jail/opt/waf/mod_security/prod/conf/core_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "60"] [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [hostname "192.168.168.100"] [uri "/"] [unique_id "SF@XssIL0NIAAB@ncMAAAACI"]
> > > >> #############################################################################
> > > >>
> > > >> If I turn off modsecurity (SecRuleEngine Off) and I repeat the test I don't have the problem!
> > > >> If I disable the specific rule (SecRuleRemoveById "960017") all works fine!
> > > >>
> > > >> So, do you have some idea about this issue?
> > > >> How can I prevent this kind of "DOS attack"?
> > > >>
> > > >> Thanks a lot! Regards
> > > >> Nick
> > > >>
> > > >> PS: sorry for my ridiculous English ;)
> > > >>
> > > >> -------------------------------------------------------------------------
> > > >> Check out the new SourceForge.net Marketplace.
> > > >> It's the best place to buy or sell services for
> > > >> just about anything Open Source.
> > > >> http://sourceforge.net/services/buy/index.php
> > > >> _______________________________________________
> > > >> mod-security-users mailing list
> > > >> mod...@li...
> > > >> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > > >
> > > >
> > > > --
> > > > Ivan Ristic
> > >
> > >
> > > --
> > > Brian Rectanus
> > > Breach Security
> >
> >
> > --
> > Brian Rectanus
> > Breach Security
>
>
> --
> Brian Rectanus
> Breach Security
|
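The error_log line Nicola quoted has a regular layout (a syslog prefix, then bracketed `[key "value"]` fields), which makes a flood like his easy to measure after the fact. The following is an added example, not code from this thread, from ModSecurity or from mlogc: it parses that format and reports which client hit which rule at a rate the piped audit log had to absorb. The sample lines are constructed to resemble his (placeholder unique_ids), and the burst threshold of 200 alerts per 60 seconds is an assumed value.

```python
"""Parse ModSecurity 2.x alerts from an Apache error_log and flag per-client bursts.
Added example for this thread; not code from ModSecurity, mlogc or the core rules."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Syslog-style prefix as in the posted line:
# "Jun 23 14:31:47 ulxbwaf httpd[8103]: [error] [client 192.168.168.168] ModSecurity: ..."
HEAD_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) httpd\[(?P<pid>\d+)\]: '
    r'\[error\] \[client (?P<client>[^\]]+)\] ModSecurity: (?P<action>.*?)\. '
)
# Bracketed fields that follow the action, e.g. [id "960017"] [msg "..."].
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
STATUS_RE = re.compile(r'code (\d+)')


def parse_alert(line):
    """Return the alert's fields as a dict, or None for non-ModSecurity lines."""
    m = HEAD_RE.match(line)
    if m is None:
        return None
    alert = m.groupdict()
    s = STATUS_RE.search(alert['action'])
    alert['status'] = s.group(1) if s else None
    alert.update(FIELD_RE.findall(line))
    return alert


def summarize(lines, burst_threshold=200, window_seconds=60):
    """Count alerts per rule id and per client; a (client, rule id) pair that
    produces burst_threshold or more alerts inside any window_seconds span is
    reported as a burst (sliding window over the sorted timestamps)."""
    by_rule, by_client = Counter(), Counter()
    stamps = defaultdict(list)
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        by_rule[a.get('id')] += 1
        by_client[a['client']] += 1
        # syslog timestamps carry no year; strptime defaults to 1900, fine for deltas
        stamps[(a['client'], a.get('id'))].append(datetime.strptime(a['ts'], '%b %d %H:%M:%S'))
    bursts = []
    for key, ts in stamps.items():
        ts.sort()
        start = 0
        for end, t in enumerate(ts):
            while (t - ts[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= burst_threshold:
                bursts.append(key)
                break
    return {'by_rule': by_rule, 'by_client': by_client, 'bursts': bursts}


# Constructed sample modelled on the thread: the rule-960017 alert, repeated for the
# 272 requests ab got through before the hang (placeholder unique_ids), plus one
# alert from another client and one non-ModSecurity line.
ALERT = ('{ts} ulxbwaf httpd[8103]: [error] [client {client}] ModSecurity: Access denied '
         'with code 400 (phase 2). Pattern match "^[\\\\d\\\\.]+$" at REQUEST_HEADERS:Host. '
         '[file "/opt/jail/opt/waf/mod_security/prod/conf/core_rules/'
         'modsecurity_crs_21_protocol_anomalies.conf"] [line "60"] [id "960017"] '
         '[msg "Host header is a numeric IP address"] [severity "CRITICAL"] '
         '[tag "PROTOCOL_VIOLATION/IP_HOST"] [hostname "192.168.168.100"] [uri "/"] '
         '[unique_id "CONSTRUCTED-{n}"]')


def constructed_sample():
    lines = [ALERT.format(ts='Jun 23 14:31:%02d' % (47 + n // 70), client='192.168.168.168', n=n)
             for n in range(272)]
    lines.append(ALERT.format(ts='Jun 23 14:40:01', client='10.0.0.5', n=999))
    lines.append('Jun 23 14:40:02 ulxbwaf httpd[8103]: [error] [client 10.0.0.5] '
                 'File does not exist: /htdocs/favicon.ico')
    return lines


if __name__ == '__main__':
    report = summarize(constructed_sample())
    for rule, n in report['by_rule'].most_common():
        print('rule %s: %d alerts' % (rule, n))
    for client, rule in report['bursts']:
        print('burst: client %s hit rule %s >= 200 times within 60 s' % (client, rule))
```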
From: Nicola B. <bia...@gm...> - 2008-07-02 13:50:21
|
Hi Brian,
today, with a co-worker, I've recompiled my environment on a "Ubuntu 8.04 Server" machine and I still have the same problem: mlogc doesn't work! (...and apache hangs)
If I stop apache, mlogc stays up until a kill -9 ... and mlogc starts attached to the init parent (pid 1)...
With the perl log script all works perfectly, no hang, no particular performance problem.
At this point I don't know where my error is.
Can you tell me the parameters that you use for the compilation of apache and modsecurity/mlogc?

Thank you in advance.
Regards
Nick

On Thu, Jun 26, 2008 at 7:05 PM, Brian Rectanus <Bri...@br...> wrote:
> I still cannot duplicate - sorry. Try recompiling with APR/APU 1.3.2 and see if that makes a difference for you. Results below...
>
> Nicola Bianchi wrote:
> > Brian,
> > have you tried with httpS requests? Without S I don't have hang problems...
>
> $ ab -k -c 1000 -n 10000 https://127.0.1.1:8100/cgi-bin/dump
> This is ApacheBench, Version 2.3 <$Revision: 655654 $>
> Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
> Licensed to The Apache Software Foundation, http://www.apache.org/
>
> Benchmarking 127.0.1.1 (be patient)
> Completed 1000 requests
> Completed 2000 requests
> Completed 3000 requests
> Completed 4000 requests
> Completed 5000 requests
> Completed 6000 requests
> Completed 7000 requests
> Completed 8000 requests
> Completed 9000 requests
> Completed 10000 requests
> Finished 10000 requests
>
>
> Server Software: FooBar/1.2.3
> Server Hostname: 127.0.1.1
> Server Port: 8100
> SSL/TLS Protocol: TLSv1/SSLv3,DHE-RSA-AES256-SHA,1024,256
>
> Document Path: /cgi-bin/dump
> Document Length: 226 bytes
>
> Concurrency Level: 1000
> Time taken for tests: 121.536 seconds
> Complete requests: 10000
> Failed requests: 0
> Write errors: 0
> Non-2xx responses: 10303
> Keep-Alive requests: 0
> Total transferred: 4072344 bytes
> HTML transferred: 2300228 bytes
> Requests per second: 82.28 [#/sec] (mean)
> Time per request: 12153.563 [ms] (mean)
> Time per request: 12.154 [ms] (mean, across all concurrent requests)
> Transfer rate: 32.72 [Kbytes/sec] received
>
> Connection Times (ms)
>               min  mean[+/-sd] median    max
> Connect:      115  7139 10962.6   4574  98384
> Processing:     4  4075  1088.8   4217   6623
> Waiting:        3  1254   652.5   1270   3484
> Total:        174 11214 11049.4   9159 102880
>
> Percentage of the requests served within a certain time (ms)
>   50%   9159
>   66%   9953
>   75%  10954
>   80%  11610
>   90%  17395
>   95%  19417
>   98%  30490
>   99%  99874
>  100% 102880 (longest request)
>
>
> > My compiling configurations:
> >
> > ################################################################
> > tar xvfz httpd-${APACHE_VERSIONE}.tar.gz
> > cd httpd-${APACHE_VERSIONE}/
> > ./configure \
> > --prefix=/opt/waf/bin/httpd-${APACHE_VERSIONE} \
> > --with-mpm=worker --enable-so \
> > --enable-unique-id \
> > --enable-proxy --enable-proxy-http --enable-proxy-balancer \
> > --enable-rewrite --enable-headers \
> > --enable-logio \
> > --enable-expires \
> > --enable-ssl \
> > --enable-deflate --enable-cache --enable-disk-cache --enable-mem-cache \
> > --disable-autoindex --disable-asis --disable-cgi --disable-cgid \
> > --disable-negotiation --disable-userdir \
> > --with-pcre=/opt/waf/bin/pcre-${PCRE_VERSIONE}
> > ################################################################
> >
> > ################################################################
> > cd modsecurity-apache_${MODSEC_VERSIONE}/apache2/
> > ./configure \
> > --prefix=/opt/waf/bin/modsecurity-apache_${MODSEC_VERSIONE} \
> > --with-apxs=/opt/waf/bin/httpd-${APACHE_VERSIONE}/bin/apxs \
> > --with-apr=/opt/waf/bin/httpd-${APACHE_VERSIONE}/bin \
> > --with-apu=/opt/waf/bin/httpd-${APACHE_VERSIONE}/bin \
> > --with-pcre=/opt/waf/bin/pcre-${PCRE_VERSIONE} \
> > --with-libxml=/opt/waf/bin/libxml2-${XML_VERSIONE} \
> > --with-lua=/opt/waf/bin/lua-${LUA_VERSIONE} \
> > --enable-strict-compile
> > ################################################################
>
> And compiled
> your way (mostly - I am still 64 bit):
>
> Mine is faster, BTW - kidding ;)
>
> $ httpd -V
> Server version: Apache/2.2.9 (Unix)
> Server built: Jun 26 2008 09:56:07
> Server's Module Magic Number: 20051115:15
> Server loaded: APR 1.3.0, APR-Util 1.3.0
> Compiled using: APR 1.3.0, APR-Util 1.3.0
> Architecture: 64-bit
> Server MPM: Worker
> threaded: yes (fixed thread count)
> forked: yes (variable process count)
> Server compiled with....
> -D APACHE_MPM_DIR="server/mpm/worker"
> -D APR_HAS_SENDFILE
> -D APR_HAS_MMAP
> -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
> -D APR_USE_SYSVSEM_SERIALIZE
> -D APR_USE_PTHREAD_SERIALIZE
> -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
> -D APR_HAS_OTHER_CHILD
> -D AP_HAVE_RELIABLE_PIPED_LOGS
> -D DYNAMIC_MODULE_LIMIT=128
> -D HTTPD_ROOT="/apps/httpd-2.2.9-nicola"
> -D SUEXEC_BIN="/apps/httpd-2.2.9-nicola/bin/suexec"
> -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
> -D DEFAULT_ERRORLOG="logs/error_log"
> -D AP_TYPES_CONFIG_FILE="conf/mime.types"
> -D SERVER_CONFIG_FILE="conf/httpd.conf"
>
> $ httpd -l
> Compiled in modules:
> core.c
> mod_authn_file.c
> mod_authn_default.c
> mod_authz_host.c
> mod_authz_groupfile.c
> mod_authz_user.c
> mod_authz_default.c
> mod_auth_basic.c
> mod_cache.c
> mod_disk_cache.c
> mod_mem_cache.c
> mod_include.c
> mod_filter.c
> mod_deflate.c
> mod_log_config.c
> mod_logio.c
> mod_env.c
> mod_expires.c
> mod_headers.c
> mod_unique_id.c
> mod_setenvif.c
> mod_proxy.c
> mod_proxy_connect.c
> mod_proxy_ftp.c
> mod_proxy_http.c
> mod_proxy_ajp.c
> mod_proxy_balancer.c
> mod_ssl.c
> worker.c
> http_core.c
> mod_mime.c
> mod_status.c
> mod_dir.c
> mod_actions.c
> mod_alias.c
> mod_rewrite.c
> mod_so.c
>
> $ ab -k -c 1000 -n 10000 https://127.0.1.1:8100/cgi-bin/dump
> This is ApacheBench, Version 2.3 <$Revision: 655654 $>
> Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
> Licensed to The Apache Software Foundation, http://www.apache.org/
>
> Benchmarking 127.0.1.1 (be patient)
> Completed 1000 requests
> Completed 2000 requests
> Completed 3000 requests
> Completed 4000 requests
> Completed 5000 requests
> Completed 6000 requests
> Completed 7000 requests
> Completed 8000 requests
> Completed 9000 requests
> Completed 10000 requests
> Finished 10000 requests
>
>
> Server Software:
> Server Hostname: 127.0.1.1
> Server Port: 8100
> SSL/TLS Protocol: TLSv1/SSLv3,DHE-RSA-AES256-SHA,1024,256
>
> Document Path: /cgi-bin/dump
> Document Length: 226 bytes
>
> Concurrency Level: 1000
> Time taken for tests: 123.303 seconds
> Complete requests: 10000
> Failed requests: 0
> Write errors: 0
> Non-2xx responses: 10313
> Keep-Alive requests: 0
> Total transferred: 3854410 bytes
> HTML transferred: 2307460 bytes
> Requests per second: 81.10 [#/sec] (mean)
> Time per request: 12330.260 [ms] (mean)
> Time per request: 12.330 [ms] (mean, across all concurrent requests)
> Transfer rate: 30.53 [Kbytes/sec] received
>
> Connection Times (ms)
>               min  mean[+/-sd] median    max
> Connect:      203  7297  8204.7   5242  99241
> Processing:    26  4395  1357.0   4492   7688
> Waiting:        7  1384   728.3   1404   4157
> Total:        846 11692  8415.4  10091 103464
>
> Percentage of the requests served within a certain time (ms)
>   50%  10091
>   66%  11590
>   75%  12576
>   80%  13366
>   90%  17806
>   95%  19963
>   98%  30589
>   99%  56842
>  100% 103464 (longest request)
>
>
> > On Thu, Jun 26, 2008 at 1:38 AM, Brian Rectanus <Bri...@br...> wrote:
> >
> > Nick,
> >
> > I was not able to duplicate this. Below I have 2.2.9 apache running as a reverse proxy with modsecurity 2.5.5 and core rules 1.6.1 and mlogc running to a console. Each request produced an alert about the IP in the host header. Additionally, I up'ed the ab test considerably. I also tried mis-configuring mlogc in various ways, but these yielded similar results.
> >
> > There are some differences in our setups. I have most modules as modules vs compiled in as you have them. I am also running 64bit.
> But > > I do not think these should make that much difference. > > > > If you would send me the exact configure options you used with your > > 2.2.9 apache I will compile one here and test if you want. > > > > > > $ httpd -V > > Server version: Apache/2.2.9 (Unix) > > Server built: Jun 25 2008 16:25:03 > > Server's Module Magic Number: 20051115:15 > > Server loaded: APR 1.3.0, APR-Util 1.3.0 > > Compiled using: APR 1.3.0, APR-Util 1.3.0 > > Architecture: 64-bit > > Server MPM: Worker > > threaded: yes (fixed thread count) > > forked: yes (variable process count) > > Server compiled with.... > > -D APACHE_MPM_DIR="server/mpm/worker" > > -D APR_HAS_SENDFILE > > -D APR_HAS_MMAP > > -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled) > > -D APR_USE_SYSVSEM_SERIALIZE > > -D APR_USE_PTHREAD_SERIALIZE > > -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT > > -D APR_HAS_OTHER_CHILD > > -D AP_HAVE_RELIABLE_PIPED_LOGS > > -D DYNAMIC_MODULE_LIMIT=128 > > -D HTTPD_ROOT="/apps/httpd-2.2.9" > > -D SUEXEC_BIN="/apps/httpd-2.2.9/bin/suexec" > > -D DEFAULT_SCOREBOARD="logs/apache_runtime_status" > > -D DEFAULT_ERRORLOG="logs/error_log" > > -D AP_TYPES_CONFIG_FILE="conf/mime.types" > > -D SERVER_CONFIG_FILE="conf/httpd.conf" > > > > $ httpd -lCompiled in modules: > > core.c > > worker.c > > http_core.c > > mod_so.c > > > > $ ab -k -c 1000 -n 10000 http://127.0.1.1:8100/cgi-bin/dump > > This is ApacheBench, Version 2.3 <$Revision: 655654 $> > > Copyright 1996 Adam Twiss, Zeus Technology Ltd, > http://www.zeustech.net/ > > Licensed to The Apache Software Foundation, http://www.apache.org/ > > > > Benchmarking 127.0.1.1 <http://127.0.1.1> (be patient) > > Completed 1000 requests > > Completed 2000 requests > > Completed 3000 requests > > Completed 4000 requests > > Completed 5000 requests > > Completed 6000 requests > > Completed 7000 requests > > Completed 8000 requests > > Completed 9000 requests > > Completed 10000 requests > > Finished 10000 requests > > > > > > Server Software: FooBar/1.2.3 > > 
Server Hostname: 127.0.1.1 <http://127.0.1.1> > > Server Port: 8100 > > > > Document Path: /cgi-bin/dump > > Document Length: 226 bytes > > > > Concurrency Level: 1000 > > Time taken for tests: 44.678 seconds > > Complete requests: 10000 > > Failed requests: 0 > > Write errors: 0 > > Non-2xx responses: 10000 > > Keep-Alive requests: 0 > > Total transferred: 3980000 bytes > > HTML transferred: 2260000 bytes > > Requests per second: 223.82 [#/sec] (mean) > > Time per request: 4467.792 [ms] (mean) > > Time per request: 4.468 [ms] (mean, across all concurrent > > requests) > > Transfer rate: 86.99 [Kbytes/sec] received > > > > Connection Times (ms) > > min mean[+/-sd] median max > > Connect: 0 469 1819.0 0 20999 > > Processing: 3 3814 4000.3 2614 27551 > > Waiting: 3 3258 3543.1 2191 26116 > > Total: 3 4283 4748.7 3025 36558 > > > > Percentage of the requests served within a certain time (ms) > > 50% 3025 > > 66% 4818 > > 75% 6226 > > 80% 7324 > > 90% 10264 > > 95% 13155 > > 98% 18743 > > 99% 23293 > > 100% 36558 (longest request) > > > > > > > > Nicola Bianchi wrote: > > > Hi Brian, > > > here the information that you require! > > > If you need additional info just tell me... > > > > > > Thank you a lot for the help ;) > > > Regards. > > > Nick > > > > > > ##### grep -v "^#" modsecurity_crs_10_config.conf | grep .. 
> > > SecRuleEngine On > > > SecRequestBodyAccess On > > > SecResponseBodyAccess On > > > SecResponseBodyMimeType (null) text/html text/plain text/xml > > > SecResponseBodyLimit 524288 > > > SecServerSignature "Apache/2.2.0 (Fedora)" > > > SecComponentSignature "core ruleset/1.6.1" > > > SecUploadDir /tmp > > > SecUploadKeepFiles Off > > > SecAuditEngine RelevantOnly > > > SecAuditLogRelevantStatus "^(?:5|4(?!04))" > > > SecAuditLogType Serial > > > SecAuditLog logs/modsec_audit.log > > > SecAuditLogParts "ABIFHKZ" > > > SecArgumentSeparator "&" > > > SecCookieFormat 0 > > > SecRequestBodyInMemoryLimit 131072 > > > SecDebugLog logs/modsec_debug.log > > > SecDebugLogLevel 1 > > > SecDataDir /tmp > > > SecTmpDir /tmp > > > > > > > > > ##### grep -v "^#" modsecurity_crs_15_cb_config.conf | grep .. > > > SecRuleEngine On > > > SecRequestBodyAccess On > > > SecResponseBodyAccess On > > > SecResponseBodyMimeType (null) text/html text/plain text/xml > > > SecDefaultAction > > > > > > "phase:2,log,auditlog,deny,status:403,t:lowercase,t:replaceNulls,t:compressWhitespace" > > > SecServerSignature "Server X" > > > SecUploadDir /opt/jail/tmp > > > SecAuditLogType Concurrent > > > SecAuditLog "|bin/mlogc /opt/waf/mod_security/prod/bin/mlogc.conf" > > > SecAuditLogStorageDir logs/modsec_audit/ > > > SecDebugLogLevel 0 > > > SecDataDir /opt/jail/tmp > > > SecTmpDir /opt/jail/tmp > > > > > > > > > ##### /opt/waf/bin/apache_prod/bin/httpd -V > > > Server version: Apache/2.2.9 (Unix) > > > Server built: Jun 18 2008 11:18:47 > > > Server's Module Magic Number: 20051115:15 > > > Server loaded: APR 1.3.0, APR-Util 1.3.0 > > > Compiled using: APR 1.3.0, APR-Util 1.3.0 > > > Architecture: 32-bit > > > Server MPM: Worker > > > threaded: yes (fixed thread count) > > > forked: yes (variable process count) > > > Server compiled with.... 
> > > -D APACHE_MPM_DIR="server/mpm/worker" > > > -D APR_HAS_SENDFILE > > > -D APR_HAS_MMAP > > > -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled) > > > -D APR_USE_SYSVSEM_SERIALIZE > > > -D APR_USE_PTHREAD_SERIALIZE > > > -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT > > > -D APR_HAS_OTHER_CHILD > > > -D AP_HAVE_RELIABLE_PIPED_LOGS > > > -D DYNAMIC_MODULE_LIMIT=128 > > > -D HTTPD_ROOT="/opt/waf/bin/httpd-2.2.9" > > > -D SUEXEC_BIN="/opt/waf/bin/httpd-2.2.9/bin/suexec" > > > -D DEFAULT_SCOREBOARD="logs/apache_runtime_status" > > > -D DEFAULT_ERRORLOG="logs/error_log" > > > -D AP_TYPES_CONFIG_FILE="conf/mime.types" > > > -D SERVER_CONFIG_FILE="conf/httpd.conf" > > > > > > > > > > > > ##### /opt/waf/bin/apache_prod/bin/httpd -l > > > Compiled in modules: > > > core.c > > > mod_authn_file.c > > > mod_authn_default.c > > > mod_authz_host.c > > > mod_authz_groupfile.c > > > mod_authz_user.c > > > mod_authz_default.c > > > mod_auth_basic.c > > > mod_cache.c > > > mod_disk_cache.c > > > mod_mem_cache.c > > > mod_include.c > > > mod_filter.c > > > mod_deflate.c > > > mod_log_config.c > > > mod_logio.c > > > mod_env.c > > > mod_expires.c > > > mod_headers.c > > > mod_unique_id.c > > > mod_setenvif.c > > > mod_proxy.c > > > mod_proxy_connect.c > > > mod_proxy_ftp.c > > > mod_proxy_http.c > > > mod_proxy_ajp.c > > > mod_proxy_balancer.c > > > mod_ssl.c > > > worker.c > > > http_core.c > > > mod_mime.c > > > mod_status.c > > > mod_dir.c > > > mod_actions.c > > > mod_alias.c > > > mod_rewrite.c > > > mod_so.c > > > > > > > > > ##### grep -v "^#" httpd-mpm.conf | grep .. 
> > > <IfModule !mpm_netware_module>
> > > PidFile "logs/httpd.pid"
> > > </IfModule>
> > > <IfModule !mpm_winnt_module>
> > > <IfModule !mpm_netware_module>
> > > LockFile "logs/accept.lock"
> > > </IfModule>
> > > </IfModule>
> > > <IfModule mpm_worker_module>
> > > StartServers 5
> > > MaxClients 400
> > > MinSpareThreads 25
> > > MaxSpareThreads 75
> > > ThreadsPerChild 25
> > > MaxRequestsPerChild 1000
> > > </IfModule>
> > >
> > >
> > > #### grep KeepAlive httpd-default.conf | grep -v "^#"
> > > KeepAlive On
> > > MaxKeepAliveRequests 100
> > > KeepAliveTimeout 5
> > >
> > >
> > > #### cat vhosts.d/www.mysite.com.conf
> > >
> > > <VirtualHost 192.168.168.100:80>
> > > ServerName www.mysite.com
> > > ServerAlias mysite.com
> > >
> > > # Log files
> > > # ErrorLog logs/www.mysite.com-error_log
> > > # CustomLog logs/www.mysite.com-access_log combined
> > >
> > > # Add ClientIP to the Request Headers
> > > RewriteEngine On
> > > RewriteCond %{REMOTE_ADDR} (.*)
> > > RewriteRule .* - [E=R_A:%1]
> > > RequestHeader add ClientIP %{R_A}e
> > >
> > > # Send all pages except the manut one to the internal web server
> > > ProxyPreserveHost On
> > > ProxyPass /manut.html !
> > > ProxyPass / http://www.mysite.com/
> > > ProxyPassReverse / http://www.mysite.com/
> > >
> > > # ModSecurity specific rules (no additional rules enabled for the moment)
> > > Include conf/rules.d/www.mysite.com.rules
> > > </VirtualHost>
> > >
> > > <VirtualHost 192.168.168.100:443>
> > > ServerName www.mysite.com
> > > ServerAlias mysite.com
> > >
> > > # Log files
> > > # ErrorLog logs/www.mysite.com-error_log
> > > # CustomLog logs/www.mysite.com-access_log combined
> > >
> > > # SSL config
> > > SSLEngine on
> > > SSLProtocol All -SSLv2
> > > SSLCipherSuite ALL:!EXP:!NULL:!ADH:!LOW
> > > SSLCertificateFile conf/cert/www.mysite.com.crt
> > > SSLCertificateKeyFile conf/cert/www.mysite.com.key
> > > SSLCertificateChainFile conf/cert/Verisign04.crt
> > >
> > > # Add ClientIP to the Request Headers
> > > RewriteEngine On
> > > RewriteCond %{REMOTE_ADDR} (.*)
> > > RewriteRule .* - [E=R_A:%1]
> > > RequestHeader add ClientIP %{R_A}e
> > >
> > > # Send all pages except the manut one to the internal web server
> > > ProxyPreserveHost On
> > > ProxyPass /manut.html !
> > > ProxyPass / http://www.mysite.com/
> > > ProxyPassReverse / http://www.mysite.com/
> > >
> > > # ModSecurity specific rules (no additional rules enabled for the moment)
> > > Include conf/rules.d/www.mysite.com.rules
> > >
> > > </VirtualHost>
> > >
> > >
> > > Attached is the error_log of a test with:
> > > #### ./ab -k -c 200 -n 2000 https://192.168.168.100/
> > > Hangs after 272 requests... (restart of apache needed!)
> > >
> > >
> > > #### top -d 1 (snapshot in the half of test)
> > > Tasks: 240 total, 1 running, 237 sleeping, 0 stopped, 2 zombie
> > > Cpu(s): 9.5%us, 0.5%sy, 0.0%ni, 75.4%id, 14.4%wa, 0.0%hi, 0.2%si, 0.0%st
> > > Mem: 5185028k total, 1462924k used, 3722104k free, 2832k buffers
> > > Swap: 4194296k total, 0k used, 4194296k free, 1130024k cached
> > >
> > >   PID USER     PR  NI  VIRT  RES  SHR S %CPU %MEM   TIME+  COMMAND
> > >  9302 wwwrun   18   0  233m  11m 2332 S    6  0.2  0:00.44 httpd
> > >  9388 wwwrun   16   0  233m  10m 2232 S    5  0.2  0:00.27 httpd
> > >  9332 wwwrun   16   0  234m  10m 2312 S    4  0.2  0:00.32 httpd
> > >  9532 wwwrun   16   0  231m 9144 2240 S    4  0.2  0:00.11 httpd
> > >  9392 wwwrun   16   0  234m  10m 2232 S    3  0.2  0:00.29 httpd
> > >  9498 wwwrun   17   0  231m 9856 2296 S    3  0.2  0:00.13 httpd
> > >  9499 wwwrun   17   0  230m 9100 2264 S    3  0.2  0:00.08 httpd
> > >  9600 wwwrun   21   0  230m 9140 2272 S    3  0.2  0:00.08 httpd
> > >  9386 wwwrun   15   0  232m  10m 2284 S    2  0.2  0:00.20 httpd
> > >  9390 wwwrun   16   0  234m  10m 2220 S    2  0.2  0:00.23 httpd
> > >  9530 wwwrun   16   0  230m 9056 2264 S    2  0.2  0:00.09 httpd
> > >  1024 root     10  -5     0    0    0 S    1  0.0  0:02.81 xfsdatad/0
> > >  9330 wwwrun   16   0  234m  10m 2288 S    1  0.2  0:00.30 httpd
> > >  9505 wwwrun   16   0  230m 9124 2224 S    1  0.2  0:00.09 httpd
> > >     1 root     16   0   732  284  244 S    0  0.0  0:02.00 init
> > >     2 root     RT   0     0    0    0 S    0  0.0  0:00.74 migration/0
> > >     3 root     34  19     0    0    0 S    0  0.0  0:00.05 ksoftirqd/0
> > >
> > >
> > >
> > > On Tue, Jun 24, 2008 at 7:18 PM, Brian Rectanus <Bri...@br...> wrote:
> > >
> > > Nicola,
> > >
> > > I need to be able to duplicate this problem. Would you please send your
> > > settings for Apache and modsecurity?
> > >
> > > For ModSecurity, I need your config settings (usually in
> > > modsecurity_crs_10_config.conf) and which other files you are including.
> > >
> > > For Apache I at least need these:
> > >
> > > 1. Output from "httpd -V" and "httpd -l"
> > >
> > > 2. Values for the following directives:
> > >
> > > ServerLimit
> > > StartServers
> > > MaxClients
> > > MinSpareThreads
> > > MaxSpareThreads
> > > ThreadsPerChild
> > > MaxRequestsPerChild
> > > MaxRequestsPerThread
> > > KeepAlive
> > > KeepAliveTimeout
> > >
> > > 3. As well as your config for proxying (Balancer, ProxyPass, etc)?
> > >
> > > 4. Additionally, your entire error_log at at least level "info" (cleared
> > > before the test), the server-status output during (or near) the hang and
> > > CPU/Mem usage stats during the test would be nice as well.
> > >
> > > thanks,
> > > -B
> > >
> > >
> > > Ivan Ristic wrote:
> > > > Hi Nicola,
> > > >
> > > > We'll have to try to reproduce your problem somehow, as it doesn't
> > > > happen in my tests. I've been using ab constantly over the years for
> > > > testing, and I don't recall any problems either.
> > > >
> > > > Are you using mlogc or any other mechanism to transmit alerts elsewhere?
> > > >
> > > >
> > > > On Mon, Jun 23, 2008 at 2:51 PM, Nicola Bianchi <bia...@gm...> wrote:
> > > >> Hi people,
> > > >> I'm a new modsecurity user and I've a problem which maybe some of you
> > > >> can resolve ;).
> > > >>
> > > >> My configuration is: reverse proxy (http/https) with apache 2.2.9 and
> > > >> modsecurity 2.5.5 (core rules 2.5-1.6.1) on Linux SUSE SLES10.
> > > >> Hardware: 2CPU dual core Intel(R) Xeon(R) @ 2.33GHz, 4GB of RAM
> > > >>
> > > >> If I try this benchmark all works fine, without problems:
> > > >> ab -k -c 200 -n 8000 http://www.mysite.com/
> > > >> ab -k -c 200 -n 8000 https://www.mysite.com/
> > > >>
> > > >> ... no lost requests, no particular delay.
> > > >>
> > > >> The problem comes out if I try to do a "DOS attack" pointing directly
> > > >> to the ip address of mysite in https.
> > > >> After a few requests (~200) apache hangs and stops responding ...
> > > >>
> > > >> ab -k -c 200 -n 8000 https://192.168.168.100/
> > > >>
> > > >> #############################################################################
> > > >> # This is ApacheBench, Version 2.3 <$Revision: 655654 $>
> > > >> # Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
> > > >> # Licensed to The Apache Software Foundation, http://www.apache.org/
> > > >> #
> > > >> # Benchmarking 192.168.168.100 (be patient)
> > > >> # Completed 200 requests
> > > >> # apr_poll: The timeout specified has expired (70007)
> > > >> # Total of 272 requests completed
> > > >> #############################################################################
> > > >>
> > > >> Here is an extract from the logs:
> > > >>
> > > >> #############################################################################
> > > >> Jun 23 14:31:47 ulxbwaf httpd[8103]: [error] [client 192.168.168.168]
> > > >> ModSecurity: Access denied with code 400 (phase 2). Pattern match
> > > >> "^[\\d\\.]+$" at REQUEST_HEADERS:Host. [file
> > > >> "/opt/jail/opt/waf/mod_security/prod/conf/core_rules/modsecurity_crs_21_protocol_anomalies.conf"]
> > > >> [line "60"] [id "960017"] [msg "Host header is a numeric IP address"]
> > > >> [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [hostname
> > > >> "192.168.168.100"] [uri "/"] [unique_id "SF@XssIL0NIAAB@ncMAAAACI"]
> > > >> #############################################################################
> > > >>
> > > >> If I turn off modsecurity (SecRuleEngine Off) and repeat the test I
> > > >> don't have the problem!
> > > >> If I disable the specific rule (SecRuleRemoveById "960017") all works fine!
> > > >>
> > > >> So, have you some idea about this issue?
> > > >> How can I prevent this kind of "DOS attack"?
> > > >>
> > > >> Thanks a lot! Regards
> > > >> Nick
> > > >>
> > > >> PS: sorry for my ridiculous english ;)
> > > >>
> > > >>
> > > >> -------------------------------------------------------------------------
> > > >> Check out the new SourceForge.net Marketplace.
> > > >> It's the best place to buy or sell services for
> > > >> just about anything Open Source.
> > > >> http://sourceforge.net/services/buy/index.php
> > > >> _______________________________________________
> > > >> mod-security-users mailing list
> > > >> mod...@li...
> > > >> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > > >>
> > > >>
> > > >
> > > >
> > > >
> > > > --
> > > > Ivan Ristic
> > >
> > >
> > > --
> > > Brian Rectanus
> > > Breach Security
> >
> >
> > --
> > Brian Rectanus
> > Breach Security
>
>
> --
> Brian Rectanus
> Breach Security
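As an added example (not code from this thread, from ModSecurity or from the core rules), here is a small Python parser for the error_log alert format Nicola quoted: it pulls the client, status and bracketed fields out of each ModSecurity alert line, counts alerts per rule id, client and status, and mirrors the rule 960017 pattern so a Host value can be checked against it. The log lines are constructed for the example; only the rule id, message, tag and rule file path come from the thread.

```python
import re
from collections import Counter

# Constructed error_log excerpt in the ModSecurity 2.x alert format quoted in
# the thread. The rule id, message, tag and rule file path are the ones from
# the thread; timestamps, client addresses and unique_id values are made up.
SAMPLE_ERROR_LOG = r"""
Jun 23 14:31:40 ulxbwaf httpd[8103]: [notice] Apache/2.2.9 (Unix) configured -- resuming normal operations
Jun 23 14:31:47 ulxbwaf httpd[8103]: [error] [client 192.168.168.168] ModSecurity: Access denied with code 400 (phase 2). Pattern match "^[\\d\\.]+$" at REQUEST_HEADERS:Host. [file "/opt/jail/opt/waf/mod_security/prod/conf/core_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "60"] [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [hostname "192.168.168.100"] [uri "/"] [unique_id "EXAMPLE-ID-0001"]
Jun 23 14:31:47 ulxbwaf httpd[8103]: [error] [client 192.168.168.168] ModSecurity: Access denied with code 400 (phase 2). Pattern match "^[\\d\\.]+$" at REQUEST_HEADERS:Host. [file "/opt/jail/opt/waf/mod_security/prod/conf/core_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "60"] [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [hostname "192.168.168.100"] [uri "/"] [unique_id "EXAMPLE-ID-0002"]
Jun 23 14:31:48 ulxbwaf httpd[8104]: [error] [client 192.168.168.170] ModSecurity: Access denied with code 400 (phase 2). Pattern match "^[\\d\\.]+$" at REQUEST_HEADERS:Host. [file "/opt/jail/opt/waf/mod_security/prod/conf/core_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "60"] [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [hostname "192.168.168.100"] [uri "/index.html"] [unique_id "EXAMPLE-ID-0003"]
"""

# Shape of an alert line: [client x.x.x.x] ModSecurity: <free text> [key "value"] [key "value"] ...
ALERT_RE = re.compile(
    r'\[client (?P<client>[^\]]+)\] ModSecurity: (?P<text>.*?)\s*'
    r'(?P<fields>(?:\[\w+ "[^"]*"\]\s*)+)$'
)
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
STATUS_RE = re.compile(r"Access denied with code (\d+)")

# The pattern rule 960017 applies to REQUEST_HEADERS:Host, as quoted in the
# log line above: digits and dots only.
RULE_960017_PATTERN = re.compile(r"[\d.]+")


def parse_alert(line):
    """Return a dict for one ModSecurity alert line, or None for any other line."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    alert = {"client": m.group("client"), "text": m.group("text").strip(), "tags": []}
    status = STATUS_RE.search(alert["text"])
    alert["status"] = int(status.group(1)) if status else None
    for key, value in FIELD_RE.findall(m.group("fields")):
        if key == "tag":          # a rule may carry several tag fields
            alert["tags"].append(value)
        else:
            alert[key] = value    # file, line, id, msg, severity, hostname, uri, unique_id
    return alert


def parse_log(text):
    """Keep only the ModSecurity alerts from an error_log excerpt."""
    return [a for a in (parse_alert(line) for line in text.splitlines()) if a]


def summarize(alerts):
    """Count alerts per rule id, client and status. A burst of one rule id from
    one client, like the ab run in the thread, stands out immediately."""
    return {
        "by_rule": Counter(a.get("id", "?") for a in alerts),
        "by_client": Counter(a["client"] for a in alerts),
        "by_status": Counter(a["status"] for a in alerts),
    }


def host_is_numeric_ip(host):
    """True when a Host header value would match rule 960017's pattern.
    A host:port value contains a colon and therefore does not match it."""
    return RULE_960017_PATTERN.fullmatch(host) is not None


if __name__ == "__main__":
    found = parse_log(SAMPLE_ERROR_LOG)
    for name, counts in summarize(found).items():
        print(name, dict(counts))
    for host in ("www.mysite.com", "192.168.168.100", "192.168.168.100:443"):
        print(host, "-> numeric IP host:", host_is_numeric_ip(host))
```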
From: Brian R. <Bri...@br...> - 2008-07-02 15:43:43
I used both of these, on Ubuntu 8.04 x86_64 without any issues:

# Like Yours:
./configure \
  --prefix=$APACHE_PREFIX \
  --with-mpm=worker --enable-so \
  --enable-unique-id \
  --enable-proxy --enable-proxy-http --enable-proxy-balancer \
  --enable-rewrite --enable-headers \
  --enable-logio \
  --enable-expires \
  --enable-ssl \
  --enable-deflate --enable-cache --enable-disk-cache --enable-mem-cache \
  --disable-autoindex --disable-asis --disable-cgi --disable-cgid \
  --disable-negotiation --disable-userdir \
  --with-apr=/apps/apr-1.3.0 \
  --with-apr-util=/apps/apr-util-1.3.0 \
  --with-pcre=/usr

# What I typically do:
./configure \
  --prefix=$APACHE_PREFIX \
  --enable-modules=all \
  --enable-mods-shared=all \
  --enable-headers \
  --enable-unique_id \
  --enable-proxy \
  --enable-proxy_http \
  --enable-ssl \
  --enable-rewrite \
  --enable-so \
  --with-apr=/apps/apr-1.3.0 \
  --with-apr-util=/apps/apr-util-1.3.0 \
  --with-pcre=/usr \
  --with-mpm=worker

For ModSecurity/mlogc:
./configure \
  --with-apxs=$APACHE_PREFIX/bin/apxs \
  --with-apr=/apps/apr-1.3.0 \
  --with-apu=/apps/apr-util-1.3.0 \
  --enable-strict-compile
make && make test && make mlogc && sudo make install

mlogc is placed in ../tools

-B

Nicola Bianchi wrote:
> Hi Brian,
> today, with a co-worker, I've recompiled my environment on a "Ubuntu
> 8.04 Server" machine and I still have the same problem:
> mlogc doesn't work! (...and apache hangs)
>
> If I stop apache, mlogc stays up until a kill -9 ... and mlogc starts
> attached to the init parent (pid 1)...
>
> With the perl log script all works perfectly, no hang, no particular
> performance problem.
>
> At this point I don't know where my error is.
> Can you tell me the parameters that you use for the compilation of
> apache and modsecurity/mlogc?
>
> Thank you in advance.
> Regards
> Nick
>
>
>
> On Thu, Jun 26, 2008 at 7:05 PM, Brian Rectanus <Bri...@br...> wrote:
>
> I still cannot duplicate - sorry.
> Try recompiling with APR/APU 1.3.2 and see if that makes a difference
> for you. Results below...
>
> Nicola Bianchi wrote:
> > Brian,
> > have you tried with httpS requests? Without S I don't have hang
> > problems...
>
> $ ab -k -c 1000 -n 10000 https://127.0.1.1:8100/cgi-bin/dump
> This is ApacheBench, Version 2.3 <$Revision: 655654 $>
> Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
> Licensed to The Apache Software Foundation, http://www.apache.org/
>
> Benchmarking 127.0.1.1 (be patient)
> Completed 1000 requests
> Completed 2000 requests
> Completed 3000 requests
> Completed 4000 requests
> Completed 5000 requests
> Completed 6000 requests
> Completed 7000 requests
> Completed 8000 requests
> Completed 9000 requests
> Completed 10000 requests
> Finished 10000 requests
>
>
> Server Software:        FooBar/1.2.3
> Server Hostname:        127.0.1.1
> Server Port:            8100
> SSL/TLS Protocol:       TLSv1/SSLv3,DHE-RSA-AES256-SHA,1024,256
>
> Document Path:          /cgi-bin/dump
> Document Length:        226 bytes
>
> Concurrency Level:      1000
> Time taken for tests:   121.536 seconds
> Complete requests:      10000
> Failed requests:        0
> Write errors:           0
> Non-2xx responses:      10303
> Keep-Alive requests:    0
> Total transferred:      4072344 bytes
> HTML transferred:       2300228 bytes
> Requests per second:    82.28 [#/sec] (mean)
> Time per request:       12153.563 [ms] (mean)
> Time per request:       12.154 [ms] (mean, across all concurrent requests)
> Transfer rate:          32.72 [Kbytes/sec] received
>
> Connection Times (ms)
>               min  mean[+/-sd] median   max
> Connect:      115 7139 10962.6   4574  98384
> Processing:     4 4075  1088.8   4217   6623
> Waiting:        3 1254   652.5   1270   3484
> Total:        174 11214 11049.4   9159 102880
>
> Percentage of the requests served within a certain time (ms)
>   50%   9159
>   66%   9953
>   75%  10954
>   80%  11610
>   90%  17395
>   95%  19417
>   98%  30490
>   99%  99874
>  100% 102880 (longest request)
>
>
>
>
> > My compiling configurations:
> >
> > ################################################################
> > tar xvfz httpd-${APACHE_VERSIONE}.tar.gz
> > cd httpd-${APACHE_VERSIONE}/
> > ./configure \
> >   --prefix=/opt/waf/bin/httpd-${APACHE_VERSIONE} \
> >   --with-mpm=worker --enable-so \
> >   --enable-unique-id \
> >   --enable-proxy --enable-proxy-http --enable-proxy-balancer \
> >   --enable-rewrite --enable-headers \
> >   --enable-logio \
> >   --enable-expires \
> >   --enable-ssl \
> >   --enable-deflate --enable-cache --enable-disk-cache --enable-mem-cache \
> >   --disable-autoindex --disable-asis --disable-cgi --disable-cgid \
> >   --disable-negotiation --disable-userdir \
> >   --with-pcre=/opt/waf/bin/pcre-${PCRE_VERSIONE}
> > ################################################################
> >
> > ################################################################
> > cd modsecurity-apache_${MODSEC_VERSIONE}/apache2/
> > ./configure \
> >   --prefix=/opt/waf/bin/modsecurity-apache_${MODSEC_VERSIONE} \
> >   --with-apxs=/opt/waf/bin/httpd-${APACHE_VERSIONE}/bin/apxs \
> >   --with-apr=/opt/waf/bin/httpd-${APACHE_VERSIONE}/bin \
> >   --with-apu=/opt/waf/bin/httpd-${APACHE_VERSIONE}/bin \
> >   --with-pcre=/opt/waf/bin/pcre-${PCRE_VERSIONE} \
> >   --with-libxml=/opt/waf/bin/libxml2-${XML_VERSIONE} \
> >   --with-lua=/opt/waf/bin/lua-${LUA_VERSIONE} \
> >   --enable-strict-compile
> > ################################################################
>
> And compiled your way (mostly - I am still 64 bit):
>
> Mine is faster, BTW - kidding ;)
>
> $ httpd -V
> Server version: Apache/2.2.9 (Unix)
> Server built: Jun 26 2008 09:56:07
> Server's Module Magic Number: 20051115:15
> Server loaded: APR 1.3.0, APR-Util 1.3.0
> Compiled using: APR 1.3.0, APR-Util 1.3.0
> Architecture: 64-bit
> Server MPM: Worker
> threaded: yes (fixed thread count)
> forked: yes (variable process count)
> Server compiled with....
> -D APACHE_MPM_DIR="server/mpm/worker"
> -D APR_HAS_SENDFILE
> -D APR_HAS_MMAP
> -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
> -D APR_USE_SYSVSEM_SERIALIZE
> -D APR_USE_PTHREAD_SERIALIZE
> -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
> -D APR_HAS_OTHER_CHILD
> -D AP_HAVE_RELIABLE_PIPED_LOGS
> -D DYNAMIC_MODULE_LIMIT=128
> -D HTTPD_ROOT="/apps/httpd-2.2.9-nicola"
> -D SUEXEC_BIN="/apps/httpd-2.2.9-nicola/bin/suexec"
> -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
> -D DEFAULT_ERRORLOG="logs/error_log"
> -D AP_TYPES_CONFIG_FILE="conf/mime.types"
> -D SERVER_CONFIG_FILE="conf/httpd.conf"
>
> $ httpd -l
> Compiled in modules:
>   core.c
>   mod_authn_file.c
>   mod_authn_default.c
>   mod_authz_host.c
>   mod_authz_groupfile.c
>   mod_authz_user.c
>   mod_authz_default.c
>   mod_auth_basic.c
>   mod_cache.c
>   mod_disk_cache.c
>   mod_mem_cache.c
>   mod_include.c
>   mod_filter.c
>   mod_deflate.c
>   mod_log_config.c
>   mod_logio.c
>   mod_env.c
>   mod_expires.c
>   mod_headers.c
>   mod_unique_id.c
>   mod_setenvif.c
>   mod_proxy.c
>   mod_proxy_connect.c
>   mod_proxy_ftp.c
>   mod_proxy_http.c
>   mod_proxy_ajp.c
>   mod_proxy_balancer.c
>   mod_ssl.c
>   worker.c
>   http_core.c
>   mod_mime.c
>   mod_status.c
>   mod_dir.c
>   mod_actions.c
>   mod_alias.c
>   mod_rewrite.c
>   mod_so.c
>
> $ ab -k -c 1000 -n 10000 https://127.0.1.1:8100/cgi-bin/dump
> This is ApacheBench, Version 2.3 <$Revision: 655654 $>
> Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
> Licensed to The Apache Software Foundation, http://www.apache.org/
>
> Benchmarking 127.0.1.1 (be patient)
> Completed 1000 requests
> Completed 2000 requests
> Completed 3000 requests
> Completed 4000 requests
> Completed 5000 requests
> Completed 6000 requests
> Completed 7000 requests
> Completed 8000 requests
> Completed 9000 requests
> Completed 10000 requests
> Finished 10000 requests
>
>
> Server Software:
> Server Hostname:        127.0.1.1
> Server Port:            8100
> SSL/TLS Protocol:       TLSv1/SSLv3,DHE-RSA-AES256-SHA,1024,256
>
> Document Path:          /cgi-bin/dump
> Document Length:        226 bytes
>
> Concurrency Level:      1000
> Time taken for tests:   123.303 seconds
> Complete requests:      10000
> Failed requests:        0
> Write errors:           0
> Non-2xx responses:      10313
> Keep-Alive requests:    0
> Total transferred:      3854410 bytes
> HTML transferred:       2307460 bytes
> Requests per second:    81.10 [#/sec] (mean)
> Time per request:       12330.260 [ms] (mean)
> Time per request:       12.330 [ms] (mean, across all concurrent requests)
> Transfer rate:          30.53 [Kbytes/sec] received
>
> Connection Times (ms)
>               min  mean[+/-sd] median   max
> Connect:      203 7297  8204.7   5242  99241
> Processing:    26 4395  1357.0   4492   7688
> Waiting:        7 1384   728.3   1404   4157
> Total:        846 11692  8415.4  10091 103464
>
> Percentage of the requests served within a certain time (ms)
>   50%  10091
>   66%  11590
>   75%  12576
>   80%  13366
>   90%  17806
>   95%  19963
>   98%  30589
>   99%  56842
>  100% 103464 (longest request)
>
>
>
>
> > On Thu, Jun 26, 2008 at 1:38 AM, Brian Rectanus <Bri...@br...> wrote:
> >
> > Nick,
> >
> > I was not able to duplicate this. Below I have 2.2.9 apache running as
> > a reverse proxy with modsecurity 2.5.5 and core rules 1.6.1 and mlogc
> > running to a console. Each request produced an alert about the IP in
> > the host header. Additionally, I up'ed the ab test considerably. I
> > also tried mis-configuring mlogc in various ways, but these yielded
> > similar results.
> >
> > There are some differences in our setups. I have most modules as
> > modules vs compiled in as you have them. I am also running 64bit. But
> > I do not think these should make that much difference.
> >
> > If you would send me the exact configure options you used with your
> > 2.2.9 apache I will compile one here and test if you want.
[file > > > >> > > > > > > > > > > "/opt/jail/opt/waf/mod_security/prod/conf/core_rules/modsecurity_crs_21_protocol_anomalies.conf"] > > > >> [line "60"] [id "960017"] [msg "Host header is a > numeric IP > > address"] > > > >> [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] > > [hostname > > > >> "192.168.168.100 <http://192.168.168.100> > <http://192.168.168.100> > > <http://192.168.168.100>"] [uri "/"] [unique_id > > > "SF@XssIL0NIAAB@ncMAAAACI"] > > > >> > > > > > > > > > > ############################################################################# > > > >> > > > >> If I turn off modsecurity (SecRuleEngine Off) and I > repeat > > the test I > > > > don't > > > >> have problem! > > > >> If I disable the specific rule (SecRuleRemoveById > "960017") all > > > work fine! > > > >> > > > >> So, have you some idea about this issue? > > > >> How can I prevent this kind of "DOS attack"? > > > >> > > > >> Thanks a lot! Regards > > > >> Nick > > > >> > > > >> PS: sorry for my ridicolous english ;) > > > >> > > > >> > > > > > > ------------------------------------------------------------------------- > > > >> Check out the new SourceForge.net Marketplace. > > > >> It's the best place to buy or sell services for > > > >> just about anything Open Source. > > > >> http://sourceforge.net/services/buy/index.php > > > >> _______________________________________________ > > > >> mod-security-users mailing list > > > >> mod...@li... > <mailto:mod...@li...> > > <mailto:mod...@li... > <mailto:mod...@li...>> > > > <mailto:mod...@li... > <mailto:mod...@li...> > > <mailto:mod...@li... > <mailto:mod...@li...>>> > > > >> > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > > >> > > > >> > > > > > > > > > > > > > > > > -- > > > > Ivan Ristic > > > > > > > > > > > > > > ------------------------------------------------------------------------- > > > > Check out the new SourceForge.net Marketplace. 
> > > > It's the best place to buy or sell services for > > > > just about anything Open Source. > > > > http://sourceforge.net/services/buy/index.php > > > > _______________________________________________ > > > > mod-security-users mailing list > > > > mod...@li... > <mailto:mod...@li...> > > <mailto:mod...@li... > <mailto:mod...@li...>> > > > <mailto:mod...@li... > <mailto:mod...@li...> > > <mailto:mod...@li... > <mailto:mod...@li...>>> > > > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > > > > > > > > > > > > -- > > > Brian Rectanus > > > Breach Security > > > > > > > > > > > > -- > > Brian Rectanus > > Breach Security > > > > > > > -- > Brian Rectanus > Breach Security > > -- Brian Rectanus Breach Security |
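The alert Nicola quotes in his report (rule 960017 denying every request whose Host header is a bare IP) has the regular `[key "value"]` shape that ModSecurity 2.x writes into the Apache error_log. As an added example that is not code from this thread, from ModSecurity or from Apache, the following Python parses such lines and counts denials per rule and per client, which is the quickest way to see that one source is tripping a single rule hundreds of times, as the ab run against the raw address did; the sample lines are constructed from the quoted alert, and the 999001 rule id is a made-up placeholder.

```python
"""Parse ModSecurity 2.x alert lines from an Apache error_log and count denials.

Added example; assumes the Apache 2.2 error_log line shape quoted in the thread:
  ... [error] [client <ip>] ModSecurity: Access denied with code 400 (phase 2).
      <operator message>. [file "..."] [line "60"] [id "960017"] [msg "..."] ...
"""
import re
from collections import Counter

# "[client <ip>]" followed by the ModSecurity message; the syslog prefix is ignored.
CLIENT_RE = re.compile(r"\[client\s+(?P<client>[^\]\s]+)\]\s*(?P<rest>ModSecurity: .*)$")
# Either a deny ("Access denied with code NNN (phase N).") or a plain "Warning."
ACTION_RE = re.compile(
    r"ModSecurity: (?:Access denied with code (?P<status>\d+) \(phase (?P<phase>\d)\)|Warning)\. "
)
# Trailing metadata fields of the form [key "value"]; a value may contain \" escapes.
FIELD_RE = re.compile(r'\[(?P<key>[a-z_]+) "(?P<value>(?:[^"\\]|\\.)*)"\]')


def parse_alert(line):
    """Return a dict describing a ModSecurity alert line, or None for any other line."""
    m = CLIENT_RE.search(line)
    if not m:
        return None
    rest = m.group("rest")
    a = ACTION_RE.match(rest)
    if not a:
        return None
    alert = {
        "client": m.group("client"),
        "denied": a.group("status") is not None,
        "status": int(a.group("status")) if a.group("status") else None,
        "phase": int(a.group("phase")) if a.group("phase") else None,
        "tags": [],
    }
    for f in FIELD_RE.finditer(rest, a.end()):
        key, value = f.group("key"), f.group("value").replace('\\"', '"')
        if key == "tag":  # a rule may carry several tag actions
            alert["tags"].append(value)
        else:
            alert[key] = value
    return alert


def summarize(lines, threshold):
    """Count denials per rule id; flag (client, rule) pairs seen at least `threshold` times.

    One client hitting one rule over and over is exactly the pattern in the thread:
    ab against the bare IP, every request denied by 960017.
    """
    per_rule = Counter()
    per_client_rule = Counter()
    for line in lines:
        alert = parse_alert(line)
        if alert is None or not alert["denied"]:
            continue
        rule = alert.get("id", "?")
        per_rule[rule] += 1
        per_client_rule[(alert["client"], rule)] += 1
    floods = sorted(k for k, n in per_client_rule.items() if n >= threshold)
    return per_rule, floods


def _alert(client, uid, action="Access denied with code 400 (phase 2)",
           rule="960017", msg="Host header is a numeric IP address"):
    """Build a constructed sample line modelled on the alert quoted in the thread."""
    return (
        "Jun 23 14:31:47 ulxbwaf httpd[8103]: [error] [client %s] ModSecurity: %s. "
        'Pattern match "^[\\\\d\\\\.]+$" at REQUEST_HEADERS:Host. '
        '[file "/opt/jail/opt/waf/mod_security/prod/conf/core_rules/'
        'modsecurity_crs_21_protocol_anomalies.conf"] [line "60"] [id "%s"] '
        '[msg "%s"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] '
        '[hostname "192.168.168.100"] [uri "/"] [unique_id "%s"]'
        % (client, action, rule, msg, uid)
    )


# Constructed sample input: three denials from one client, one warning (not a deny),
# one denial from another client on a placeholder rule id, and one unrelated line.
SAMPLE_LINES = [
    _alert("192.168.168.168", "SF@XssIL0NIAAB@ncMAAAACI"),
    _alert("192.168.168.168", "SAMPLE-UID-0002"),
    _alert("192.168.168.168", "SAMPLE-UID-0003"),
    _alert("192.168.168.168", "SAMPLE-UID-0004", action="Warning"),
    _alert("10.0.0.5", "SAMPLE-UID-0005", rule="999001", msg="constructed sample rule"),
    "Jun 23 14:31:47 ulxbwaf httpd[8103]: [notice] Apache/2.2.9 (Unix) configured",
]

if __name__ == "__main__":
    counts, floods = summarize(SAMPLE_LINES, threshold=3)
    for rule, n in counts.most_common():
        print("rule %s: %d denials" % (rule, n))
    for client, rule in floods:
        print("flood: client %s, rule %s" % (client, rule))
```

Run it against a real error_log with `summarize(open(path), threshold=100)`; only deny events count, so SecRuleEngine DetectionOnly warnings are reported as zero.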
From: Nicola B. <bia...@gm...> - 2008-07-14 01:21:58
|
Hi Brian,
after many compiling tests I came to this conclusion: on my "ubuntu 8.04 server", "ubuntu 8.04 desktop" and "SuSE SLES 10 SP2" the only way to get mlogc working is to compile with the "make mlogc-static" option:

cd /tmp/waf/modsecurity-apache_2.5.5/apache2
./mlogc-src/srclib/archives.sh
./mlogc-src/srclib/build.sh
make mlogc-static

In other ways, with libs from the OS or with the libs compiled from source (last version of apr, curl, openssl and pcre), the compilation ends without error but when I start mlogc it's attached to the wrong parent shell (1)... and apache hangs.
I don't understand :( .
For the moment in production I'll use the "old" perl script.

Regards.
Nick

On Wed, Jul 2, 2008 at 5:43 PM, Brian Rectanus <Bri...@br...> wrote:
> I used both of these, on Ubuntu 8.04 x86_64 without any issues:
>
> # Like Yours:
> ./configure \
>   --prefix=$APACHE_PREFIX \
>   --with-mpm=worker --enable-so \
>   --enable-unique-id \
>   --enable-proxy --enable-proxy-http --enable-proxy-balancer \
>   --enable-rewrite --enable-headers \
>   --enable-logio \
>   --enable-expires \
>   --enable-ssl \
>   --enable-deflate --enable-cache --enable-disk-cache --enable-mem-cache \
>   --disable-autoindex --disable-asis --disable-cgi --disable-cgid \
>   --disable-negotiation --disable-userdir \
>   --with-apr=/apps/apr-1.3.0 \
>   --with-apr-util=/apps/apr-util-1.3.0 \
>   --with-pcre=/usr
>
> # What I typically do:
> ./configure \
>   --prefix=$APACHE_PREFIX \
>   --enable-modules=all \
>   --enable-mods-shared=all \
>   --enable-headers \
>   --enable-unique_id \
>   --enable-proxy \
>   --enable-proxy_http \
>   --enable-ssl \
>   --enable-rewrite \
>   --enable-so \
>   --with-apr=/apps/apr-1.3.0 \
>   --with-apr-util=/apps/apr-util-1.3.0 \
>   --with-pcre=/usr \
>   --with-mpm=worker
>
> For ModSecurity/mlogc:
>
> ./configure \
>   --with-apxs=$APACHE_PREFIX/bin/apxs \
>   --with-apr=/apps/apr-1.3.0 \
>   --with-apu=/apps/apr-util-1.3.0 \
>   --enable-strict-compile
>
> make && make test && make mlogc && sudo make install
>
> mlogc is placed in ../tools
>
> -B
>
>
> Nicola Bianchi wrote:
> > Hi Brian,
> > today, with a co-worker, I've recompiled my environment on a "Ubuntu
> > 8.04 Server" machine and I still have the same problem:
> > mlogc doesn't work! (...and apache hangs)
> >
> > If I stop apache, mlogc stays up until a kill -9 ... and mlogc starts
> > attached to the init parent (pid 1)...
> >
> > With the perl log script all works perfectly, no hang, no particular
> > performance problem.
> >
> > At this point I don't know where my error is.
> > Can you tell me the parameters that you use for the compilation of
> > apache and modsecurity/mlogc?
> >
> > Thank you in advance.
> > Regards
> > Nick
> >
> >
> > On Thu, Jun 26, 2008 at 7:05 PM, Brian Rectanus <Bri...@br...> wrote:
> >
> > I still cannot duplicate - sorry. Try recompiling with APR/APU 1.3.2
> > and see if that makes a difference for you. Results below...
> >
> > Nicola Bianchi wrote:
> > > Brian,
> > > have you tried with httpS requests? Without S I don't have hang problems...
> >
> > $ ab -k -c 1000 -n 10000 https://127.0.1.1:8100/cgi-bin/dump
> > This is ApacheBench, Version 2.3 <$Revision: 655654 $>
> > Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
> > Licensed to The Apache Software Foundation, http://www.apache.org/
> >
> > Benchmarking 127.0.1.1 (be patient)
> > Completed 1000 requests
> > Completed 2000 requests
> > Completed 3000 requests
> > Completed 4000 requests
> > Completed 5000 requests
> > Completed 6000 requests
> > Completed 7000 requests
> > Completed 8000 requests
> > Completed 9000 requests
> > Completed 10000 requests
> > Finished 10000 requests
> >
> >
> > Server Software:        FooBar/1.2.3
> > Server Hostname:        127.0.1.1
> > Server Port:            8100
> > SSL/TLS Protocol:       TLSv1/SSLv3,DHE-RSA-AES256-SHA,1024,256
> >
> > Document Path:          /cgi-bin/dump
> > Document Length:        226 bytes
> >
> > Concurrency Level:      1000
> > Time taken for tests:   121.536 seconds
> > Complete requests:      10000
> > Failed requests:        0
> > Write errors:           0
> > Non-2xx responses:      10303
> > Keep-Alive requests:    0
> > Total transferred:      4072344 bytes
> > HTML transferred:       2300228 bytes
> > Requests per second:    82.28 [#/sec] (mean)
> > Time per request:       12153.563 [ms] (mean)
> > Time per request:       12.154 [ms] (mean, across all concurrent requests)
> > Transfer rate:          32.72 [Kbytes/sec] received
> >
> > Connection Times (ms)
> >               min  mean[+/-sd] median   max
> > Connect:      115  7139 10962.6   4574   98384
> > Processing:     4  4075  1088.8   4217    6623
> > Waiting:        3  1254   652.5   1270    3484
> > Total:        174 11214 11049.4   9159  102880
> >
> > Percentage of the requests served within a certain time (ms)
> >   50%   9159
> >   66%   9953
> >   75%  10954
> >   80%  11610
> >   90%  17395
> >   95%  19417
> >   98%  30490
> >   99%  99874
> >  100%  102880 (longest request)
> >
> >
> > > My compiling configurations:
> > >
> > > ################################################################
> > > tar xvfz httpd-${APACHE_VERSIONE}.tar.gz
> > > cd httpd-${APACHE_VERSIONE}/
> > > ./configure \
> > >   --prefix=/opt/waf/bin/httpd-${APACHE_VERSIONE} \
> > >   --with-mpm=worker --enable-so \
> > >   --enable-unique-id \
> > >   --enable-proxy --enable-proxy-http --enable-proxy-balancer \
> > >   --enable-rewrite --enable-headers \
> > >   --enable-logio \
> > >   --enable-expires \
> > >   --enable-ssl \
> > >   --enable-deflate --enable-cache --enable-disk-cache --enable-mem-cache \
> > >   --disable-autoindex --disable-asis --disable-cgi --disable-cgid \
> > >   --disable-negotiation --disable-userdir \
> > >   --with-pcre=/opt/waf/bin/pcre-${PCRE_VERSIONE}
> > > ################################################################
> > >
> > > ################################################################
> > > cd modsecurity-apache_${MODSEC_VERSIONE}/apache2/
> > > ./configure \
> > >   --prefix=/opt/waf/bin/modsecurity-apache_${MODSEC_VERSIONE} \
> > >   --with-apxs=/opt/waf/bin/httpd-${APACHE_VERSIONE}/bin/apxs \
> > >   --with-apr=/opt/waf/bin/httpd-${APACHE_VERSIONE}/bin \
> > >   --with-apu=/opt/waf/bin/httpd-${APACHE_VERSIONE}/bin \
> > >   --with-pcre=/opt/waf/bin/pcre-${PCRE_VERSIONE} \
> > >   --with-libxml=/opt/waf/bin/libxml2-${XML_VERSIONE} \
> > >   --with-lua=/opt/waf/bin/lua-${LUA_VERSIONE} \
> > >   --enable-strict-compile
> > > ################################################################
> >
> > And compiled your way (mostly - I am still 64 bit):
> >
> > Mine is faster, BTW - kidding ;)
> >
> > $ httpd -V
> > Server version: Apache/2.2.9 (Unix)
> > Server built:   Jun 26 2008 09:56:07
> > Server's Module Magic Number: 20051115:15
> > Server loaded:  APR 1.3.0, APR-Util 1.3.0
> > Compiled using: APR 1.3.0, APR-Util 1.3.0
> > Architecture:   64-bit
> > Server MPM:     Worker
> >   threaded:     yes (fixed thread count)
> >     forked:     yes (variable process count)
> > Server compiled with....
> >  -D APACHE_MPM_DIR="server/mpm/worker"
> >  -D APR_HAS_SENDFILE
> >  -D APR_HAS_MMAP
> >  -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
> >  -D APR_USE_SYSVSEM_SERIALIZE
> >  -D APR_USE_PTHREAD_SERIALIZE
> >  -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
> >  -D APR_HAS_OTHER_CHILD
> >  -D AP_HAVE_RELIABLE_PIPED_LOGS
> >  -D DYNAMIC_MODULE_LIMIT=128
> >  -D HTTPD_ROOT="/apps/httpd-2.2.9-nicola"
> >  -D SUEXEC_BIN="/apps/httpd-2.2.9-nicola/bin/suexec"
> >  -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
> >  -D DEFAULT_ERRORLOG="logs/error_log"
> >  -D AP_TYPES_CONFIG_FILE="conf/mime.types"
> >  -D SERVER_CONFIG_FILE="conf/httpd.conf"
> >
> > $ httpd -l
> > Compiled in modules:
> >   core.c
> >   mod_authn_file.c
> >   mod_authn_default.c
> >   mod_authz_host.c
> >   mod_authz_groupfile.c
> >   mod_authz_user.c
> >   mod_authz_default.c
> >   mod_auth_basic.c
> >   mod_cache.c
> >   mod_disk_cache.c
> >   mod_mem_cache.c
> >   mod_include.c
> >   mod_filter.c
> >   mod_deflate.c
> >   mod_log_config.c
> >   mod_logio.c
> >   mod_env.c
> >   mod_expires.c
> >   mod_headers.c
> >   mod_unique_id.c
> >   mod_setenvif.c
> >   mod_proxy.c
> >   mod_proxy_connect.c
> >   mod_proxy_ftp.c
> >   mod_proxy_http.c
> >   mod_proxy_ajp.c
> >   mod_proxy_balancer.c
> >   mod_ssl.c
> >   worker.c
> >   http_core.c
> >   mod_mime.c
> >   mod_status.c
> >   mod_dir.c
> >   mod_actions.c
> >   mod_alias.c
> >   mod_rewrite.c
> >   mod_so.c
> >
> > $ ab -k -c 1000 -n 10000 https://127.0.1.1:8100/cgi-bin/dump
> > This is ApacheBench, Version 2.3 <$Revision: 655654 $>
> > Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
> > Licensed to The Apache Software Foundation, http://www.apache.org/
> >
> > Benchmarking 127.0.1.1 (be patient)
> > Completed 1000 requests
> > Completed 2000 requests
> > Completed 3000 requests
> > Completed 4000 requests
> > Completed 5000 requests
> > Completed 6000 requests
> > Completed 7000 requests
> > Completed 8000 requests
> > Completed 9000 requests
> > Completed 10000 requests
> > Finished 10000 requests
> >
> >
> > Server Software:
> > Server Hostname:        127.0.1.1
> > Server Port:            8100
> > SSL/TLS Protocol:       TLSv1/SSLv3,DHE-RSA-AES256-SHA,1024,256
> >
> > Document Path:          /cgi-bin/dump
> > Document Length:        226 bytes
> >
> > Concurrency Level:      1000
> > Time taken for tests:   123.303 seconds
> > Complete requests:      10000
> > Failed requests:        0
> > Write errors:           0
> > Non-2xx responses:      10313
> > Keep-Alive requests:    0
> > Total transferred:      3854410 bytes
> > HTML transferred:       2307460 bytes
> > Requests per second:    81.10 [#/sec] (mean)
> > Time per request:       12330.260 [ms] (mean)
> > Time per request:       12.330 [ms] (mean, across all concurrent requests)
> > Transfer rate:          30.53 [Kbytes/sec] received
> >
> > Connection Times (ms)
> >               min  mean[+/-sd] median   max
> > Connect:      203  7297  8204.7   5242   99241
> > Processing:    26  4395  1357.0   4492    7688
> > Waiting:        7  1384   728.3   1404    4157
> > Total:        846 11692  8415.4  10091  103464
> >
> > Percentage of the requests served within a certain time (ms)
> >   50%  10091
> >   66%  11590
> >   75%  12576
> >   80%  13366
> >   90%  17806
> >   95%  19963
> >   98%  30589
> >   99%  56842
> >  100%  103464 (longest request)
> >
> >
> > > On Thu, Jun 26, 2008 at 1:38 AM, Brian Rectanus <Bri...@br...> wrote:
> > >
> > > Nick,
> > >
> > > I was not able to duplicate this. Below I have 2.2.9 apache running as
> > > a reverse proxy with modsecurity 2.5.5 and core rules 1.6.1 and mlogc
> > > running to a console. Each request produced an alert about the IP in
> > > the host header. Additionally, I up'ed the ab test considerably. I
> > > also tried mis-configuring mlogc in various ways, but these yielded
> > > similar results.
> > >
> > > There are some differences in our setups. I have most modules as
> > > modules vs compiled in as you have them. I am also running 64bit.
> > <mailto:mod...@li...>>> > > > > >> > > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > > > >> > > > > >> > > > > > > > > > > > > > > > > > > > > -- > > > > > Ivan Ristic > > > > > > > > > > > > > > > > > > > > ------------------------------------------------------------------------- > > > > > Check out the new SourceForge.net Marketplace. > > > > > It's the best place to buy or sell services for > > > > > just about anything Open Source. > > > > > http://sourceforge.net/services/buy/index.php > > > > > _______________________________________________ > > > > > mod-security-users mailing list > > > > > mod...@li... > > <mailto:mod...@li...> > > > <mailto:mod...@li... > > <mailto:mod...@li...>> > > > > <mailto:mod...@li... > > <mailto:mod...@li...> > > > <mailto:mod...@li... > > <mailto:mod...@li...>>> > > > > > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > > > > > > > > > > > > > > > > -- > > > > Brian Rectanus > > > > Breach Security > > > > > > > > > > > > > > > > > -- > > > Brian Rectanus > > > Breach Security > > > > > > > > > > > > -- > > Brian Rectanus > > Breach Security > > > > > > > -- > Brian Rectanus > Breach Security > |
From: Brian R. <Bri...@br...> - 2008-07-19 08:03:28
|
I may have an answer to this. Ubuntu 8.04 switched from /bin/sh being
/bin/bash to being /bin/dash. Try exporting SHELL=/bin/bash in the Apache
startup script (or just link /bin/sh to bash instead of dash).

-B

Nicola Bianchi wrote:
> Hi Brian,
> after many compiling tests I came to this conclusion:
> on my "ubuntu 8.04 server", "ubuntu 8.04 desktop" and "SuSE SLES 10 SP2"
> the only way to get mlogc working is to compile with the "make
> mlogc-static" option:
>
> cd /tmp/waf/modsecurity-apache_2.5.5/apache2
> ./mlogc-src/srclib/archives.sh
> ./mlogc-src/srclib/build.sh
> make mlogc-static
>
> in other ways, with libs from the OS or with the libs compiled from
> source (last version of apr, curl, openssl and pcre), the compilation
> ends without error but when I start the mlogc it's attached to the wrong
> parent shell (1)... and apache hangs.
>
> I don't understand :( .
>
> For the moment in production I'll use the "old" perl script.
>
> Regards.
> Nick
>
> On Wed, Jul 2, 2008 at 5:43 PM, Brian Rectanus <Bri...@br...> wrote:
> > I used both of these, on Ubuntu 8.04 x86_64 without any issues:
> >
> > # Like Yours:
> > ./configure \
> > --prefix=$APACHE_PREFIX \
> > --with-mpm=worker --enable-so \
> > --enable-unique-id \
> > --enable-proxy --enable-proxy-http --enable-proxy-balancer \
> > --enable-rewrite --enable-headers \
> > --enable-logio \
> > --enable-expires \
> > --enable-ssl \
> > --enable-deflate --enable-cache --enable-disk-cache --enable-mem-cache \
> > --disable-autoindex --disable-asis --disable-cgi --disable-cgid \
> > --disable-negotiation --disable-userdir \
> > --with-apr=/apps/apr-1.3.0 \
> > --with-apr-util=/apps/apr-util-1.3.0 \
> > --with-pcre=/usr
> >
> > # What I typically do:
> > ./configure \
> > --prefix=$APACHE_PREFIX \
> > --enable-modules=all \
> > --enable-mods-shared=all \
> > --enable-headers \
> > --enable-unique_id \
> > --enable-proxy \
> > --enable-proxy_http \
> > --enable-ssl \
> > --enable-rewrite \
> > --enable-so \
> > --with-apr=/apps/apr-1.3.0 \
> > --with-apr-util=/apps/apr-util-1.3.0 \
> > --with-pcre=/usr \
> > --with-mpm=worker
> >
> > For ModSecurity/mlogc:
> >
> > ./configure \
> > --with-apxs=$APACHE_PREFIX/bin/apxs \
> > --with-apr=/apps/apr-1.3.0 \
> > --with-apu=/apps/apr-util-1.3.0 \
> > --enable-strict-compile
> >
> > make && make test && make mlogc && sudo make install
> >
> > mlogc is placed in ../tools
> >
> > -B
> >
> > Nicola Bianchi wrote:
> > > Hi Brian,
> > > today, with a co-worker, I've recompiled my environment on a "Ubuntu
> > > 8.04 Server" machine and I still have the same problem:
> > > mlogc doesn't work! (...and apache hangs)
> > >
> > > If I stop apache, mlogc stays up until a kill -9 ... and mlogc starts
> > > attached to the init parent (pid 1)...
> > >
> > > With the perl log script all works perfectly, no hang, no particular
> > > performance problem.
> > >
> > > At this point I don't know where my error is.
> > > Can you tell me the parameters that you use for the compilation of
> > > apache and modsecurity/mlogc?
> > >
> > > Thank you in advance.
> > > Regards
> > > Nick
> > >
> > > On Thu, Jun 26, 2008 at 7:05 PM, Brian Rectanus <Bri...@br...> wrote:
> > > > I still cannot duplicate - sorry. Try recompiling with APR/APU 1.3.2
> > > > and see if that makes a difference for you. Results below...
> > > >
> > > > Nicola Bianchi wrote:
> > > > > Brian,
> > > > > have you tried with httpS requests? Without S I don't have hang
> > > > > problems...
> > > >
> > > > $ ab -k -c 1000 -n 10000 https://127.0.1.1:8100/cgi-bin/dump
> > > > This is ApacheBench, Version 2.3 <$Revision: 655654 $>
> > > > Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
> > > > Licensed to The Apache Software Foundation, http://www.apache.org/
> > > >
> > > > Benchmarking 127.0.1.1 (be patient)
> > > > Completed 1000 requests
> > > > Completed 2000 requests
> > > > Completed 3000 requests
> > > > Completed 4000 requests
> > > > Completed 5000 requests
> > > > Completed 6000 requests
> > > > Completed 7000 requests
> > > > Completed 8000 requests
> > > > Completed 9000 requests
> > > > Completed 10000 requests
> > > > Finished 10000 requests
> > > >
> > > >
> > > > Server Software:        FooBar/1.2.3
> > > > Server Hostname:        127.0.1.1
> > > > Server Port:            8100
> > > > SSL/TLS Protocol:       TLSv1/SSLv3,DHE-RSA-AES256-SHA,1024,256
> > > >
> > > > Document Path:          /cgi-bin/dump
> > > > Document Length:        226 bytes
> > > >
> > > > Concurrency Level:      1000
> > > > Time taken for tests:   121.536 seconds
> > > > Complete requests:      10000
> > > > Failed requests:        0
> > > > Write errors:           0
> > > > Non-2xx responses:      10303
> > > > Keep-Alive requests:    0
> > > > Total transferred:      4072344 bytes
> > > > HTML transferred:       2300228 bytes
> > > > Requests per second:    82.28 [#/sec] (mean)
> > > > Time per request:       12153.563 [ms] (mean)
> > > > Time per request:       12.154 [ms] (mean, across all concurrent requests)
> > > > Transfer rate:          32.72 [Kbytes/sec] received
> > > >
> > > > Connection Times (ms)
> > > >               min   mean[+/-sd] median    max
> > > > Connect:      115   7139 10962.6   4574  98384
> > > > Processing:     4   4075  1088.8   4217   6623
> > > > Waiting:        3   1254   652.5   1270   3484
> > > > Total:        174  11214 11049.4   9159 102880
> > > >
> > > > Percentage of the requests served within a certain time (ms)
> > > >   50%   9159
> > > >   66%   9953
> > > >   75%  10954
> > > >   80%  11610
> > > >   90%  17395
> > > >   95%  19417
> > > >   98%  30490
> > > >   99%  99874
> > > >  100% 102880 (longest request)
> > > >
> > > > > My compiling configurations:
> > > > >
> > > > > ################################################################
> > > > > tar xvfz httpd-${APACHE_VERSIONE}.tar.gz
> > > > > cd httpd-${APACHE_VERSIONE}/
> > > > > ./configure \
> > > > > --prefix=/opt/waf/bin/httpd-${APACHE_VERSIONE} \
> > > > > --with-mpm=worker --enable-so \
> > > > > --enable-unique-id \
> > > > > --enable-proxy --enable-proxy-http --enable-proxy-balancer \
> > > > > --enable-rewrite --enable-headers \
> > > > > --enable-logio \
> > > > > --enable-expires \
> > > > > --enable-ssl \
> > > > > --enable-deflate --enable-cache --enable-disk-cache --enable-mem-cache \
> > > > > --disable-autoindex --disable-asis --disable-cgi --disable-cgid \
> > > > > --disable-negotiation --disable-userdir \
> > > > > --with-pcre=/opt/waf/bin/pcre-${PCRE_VERSIONE}
> > > > > ################################################################
> > > > >
> > > > > ################################################################
> > > > > cd modsecurity-apache_${MODSEC_VERSIONE}/apache2/
> > > > > ./configure \
> > > > > --prefix=/opt/waf/bin/modsecurity-apache_${MODSEC_VERSIONE} \
> > > > > --with-apxs=/opt/waf/bin/httpd-${APACHE_VERSIONE}/bin/apxs \
> > > > > --with-apr=/opt/waf/bin/httpd-${APACHE_VERSIONE}/bin \
> > > > > --with-apu=/opt/waf/bin/httpd-${APACHE_VERSIONE}/bin \
> > > > > --with-pcre=/opt/waf/bin/pcre-${PCRE_VERSIONE} \
> > > > > --with-libxml=/opt/waf/bin/libxml2-${XML_VERSIONE} \
> > > > > --with-lua=/opt/waf/bin/lua-${LUA_VERSIONE} \
> > > > > --enable-strict-compile
> > > > > ################################################################
> > > >
> > > > And compiled your way (mostly - I am still 64 bit):
> > > >
> > > > Mine is faster, BTW - kidding ;)
> > > >
> > > > $ httpd -V
> > > > Server version: Apache/2.2.9 (Unix)
> > > > Server built:   Jun 26 2008 09:56:07
> > > > Server's Module Magic Number: 20051115:15
> > > > Server loaded:  APR 1.3.0, APR-Util 1.3.0
> > > > Compiled using: APR 1.3.0, APR-Util 1.3.0
> > > > Architecture:   64-bit
> > > > Server MPM:     Worker
> > > >   threaded:     yes (fixed thread count)
> > > >     forked:     yes (variable process count)
> > > > Server compiled with....
> > > >  -D APACHE_MPM_DIR="server/mpm/worker"
> > > >  -D APR_HAS_SENDFILE
> > > >  -D APR_HAS_MMAP
> > > >  -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
> > > >  -D APR_USE_SYSVSEM_SERIALIZE
> > > >  -D APR_USE_PTHREAD_SERIALIZE
> > > >  -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
> > > >  -D APR_HAS_OTHER_CHILD
> > > >  -D AP_HAVE_RELIABLE_PIPED_LOGS
> > > >  -D DYNAMIC_MODULE_LIMIT=128
> > > >  -D HTTPD_ROOT="/apps/httpd-2.2.9-nicola"
> > > >  -D SUEXEC_BIN="/apps/httpd-2.2.9-nicola/bin/suexec"
> > > >  -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
> > > >  -D DEFAULT_ERRORLOG="logs/error_log"
> > > >  -D AP_TYPES_CONFIG_FILE="conf/mime.types"
> > > >  -D SERVER_CONFIG_FILE="conf/httpd.conf"
> > > >
> > > > $ httpd -l
> > > > Compiled in modules:
> > > >   core.c
> > > >   mod_authn_file.c
> > > >   mod_authn_default.c
> > > >   mod_authz_host.c
> > > >   mod_authz_groupfile.c
> > > >   mod_authz_user.c
> > > >   mod_authz_default.c
> > > >   mod_auth_basic.c
> > > >   mod_cache.c
> > > >   mod_disk_cache.c
> > > >   mod_mem_cache.c
> > > >   mod_include.c
> > > >   mod_filter.c
> > > >   mod_deflate.c
> > > >   mod_log_config.c
> > > >   mod_logio.c
> > > >   mod_env.c
> > > >   mod_expires.c
> > > >   mod_headers.c
> > > >   mod_unique_id.c
> > > >   mod_setenvif.c
> > > >   mod_proxy.c
> > > >   mod_proxy_connect.c
> > > >   mod_proxy_ftp.c
> > > >   mod_proxy_http.c
> > > >   mod_proxy_ajp.c
> > > >   mod_proxy_balancer.c
> > > >   mod_ssl.c
> > > >   worker.c
> > > >   http_core.c
> > > >   mod_mime.c
> > > >   mod_status.c
> > > >   mod_dir.c
> > > >   mod_actions.c
> > > >   mod_alias.c
> > > >   mod_rewrite.c
> > > >   mod_so.c
> > > >
> > > > $ ab -k -c 1000 -n 10000 https://127.0.1.1:8100/cgi-bin/dump
> > > > This is ApacheBench, Version 2.3 <$Revision: 655654 $>
> > > > Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
> > > > Licensed to The Apache Software Foundation, http://www.apache.org/
> > > >
> > > > Benchmarking 127.0.1.1 (be patient)
> > > > Completed 1000 requests
> > > > Completed 2000 requests
> > > > Completed 3000 requests
> > > > Completed 4000 requests
> > > > Completed 5000 requests
> > > > Completed 6000 requests
> > > > Completed 7000 requests
> > > > Completed 8000 requests
> > > > Completed 9000 requests
> > > > Completed 10000 requests
> > > > Finished 10000 requests
> > > >
> > > >
> > > > Server Software:
> > > > Server Hostname:        127.0.1.1
> > > > Server Port:            8100
> > > > SSL/TLS Protocol:       TLSv1/SSLv3,DHE-RSA-AES256-SHA,1024,256
> > > >
> > > > Document Path:          /cgi-bin/dump
> > > > Document Length:        226 bytes
> > > >
> > > > Concurrency Level:      1000
> > > > Time taken for tests:   123.303 seconds
> > > > Complete requests:      10000
> > > > Failed requests:        0
> > > > Write errors:           0
> > > > Non-2xx responses:      10313
> > > > Keep-Alive requests:    0
> > > > Total transferred:      3854410 bytes
> > > > HTML transferred:       2307460 bytes
> > > > Requests per second:    81.10 [#/sec] (mean)
> > > > Time per request:       12330.260 [ms] (mean)
> > > > Time per request:       12.330 [ms] (mean, across all concurrent requests)
> > > > Transfer rate:          30.53 [Kbytes/sec] received
> > > >
> > > > Connection Times (ms)
> > > >               min   mean[+/-sd] median    max
> > > > Connect:      203   7297  8204.7   5242  99241
> > > > Processing:    26   4395  1357.0   4492   7688
> > > > Waiting:        7   1384   728.3   1404   4157
> > > > Total:        846  11692  8415.4  10091 103464
> > > >
> > > > Percentage of the requests served within a certain time (ms)
> > > >   50%  10091
> > > >   66%  11590
> > > >   75%  12576
> > > >   80%  13366
> > > >   90%  17806
> > > >   95%  19963
> > > >   98%  30589
> > > >   99%  56842
> > > >  100% 103464 (longest request)
> > > >
> > > > > On Thu, Jun 26, 2008 at 1:38 AM, Brian Rectanus <Bri...@br...> wrote:
> > > > > > Nick,
> > > > > >
> > > > > > I was not able to duplicate this.
> > > > > > Below I have 2.2.9 apache running as
> > > > > > a reverse proxy with modsecurity 2.5.5 and core rules 1.6.1 and mlogc
> > > > > > running to a console. Each request produced an alert about the IP in
> > > > > > the host header. Additionally, I up'ed the ab test considerably. I
> > > > > > also tried mis-configuring mlogc in various ways, but these yielded
> > > > > > similar results.
> > > > > >
> > > > > > There are some differences in our setups. I have most modules as
> > > > > > modules vs compiled in as you have them. I am also running 64bit. But
> > > > > > I do not think these should make that much difference.
> > > > > >
> > > > > > If you would send me the exact configure options you used with your
> > > > > > 2.2.9 apache I will compile one here and test if you want.
> > > > > >
> > > > > >
> > > > > > $ httpd -V
> > > > > > Server version: Apache/2.2.9 (Unix)
> > > > > > Server built:   Jun 25 2008 16:25:03
> > > > > > Server's Module Magic Number: 20051115:15
> > > > > > Server loaded:  APR 1.3.0, APR-Util 1.3.0
> > > > > > Compiled using: APR 1.3.0, APR-Util 1.3.0
> > > > > > Architecture:   64-bit
> > > > > > Server MPM:     Worker
> > > > > >   threaded:     yes (fixed thread count)
> > > > > >     forked:     yes (variable process count)
> > > > > > Server compiled with....
> > > > > >  -D APACHE_MPM_DIR="server/mpm/worker"
> > > > > >  -D APR_HAS_SENDFILE
> > > > > >  -D APR_HAS_MMAP
> > > > > >  -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
> > > > > >  -D APR_USE_SYSVSEM_SERIALIZE
> > > > > >  -D APR_USE_PTHREAD_SERIALIZE
> > > > > >  -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
> > > > > >  -D APR_HAS_OTHER_CHILD
> > > > > >  -D AP_HAVE_RELIABLE_PIPED_LOGS
> > > > > >  -D DYNAMIC_MODULE_LIMIT=128
> > > > > >  -D HTTPD_ROOT="/apps/httpd-2.2.9"
> > > > > >  -D SUEXEC_BIN="/apps/httpd-2.2.9/bin/suexec"
> > > > > >  -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
> > > > > >  -D DEFAULT_ERRORLOG="logs/error_log"
> > > > > >  -D AP_TYPES_CONFIG_FILE="conf/mime.types"
> > > > > >  -D SERVER_CONFIG_FILE="conf/httpd.conf"
> > > > > >
> > > > > > $ httpd -l
> > > > > > Compiled in modules:
> > > > > >   core.c
> > > > > >   worker.c
> > > > > >   http_core.c
> > > > > >   mod_so.c
> > > > > >
> > > > > > $ ab -k -c 1000 -n 10000 http://127.0.1.1:8100/cgi-bin/dump
> > > > > > This is ApacheBench, Version 2.3 <$Revision: 655654 $>
> > > > > > Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
> > > > > > Licensed to The Apache Software Foundation, http://www.apache.org/
> > > > > >
> > > > > > Benchmarking 127.0.1.1 (be patient)
> > > > > > Completed 1000 requests
> > > > > > Completed 2000 requests
> > > > > > Completed 3000 requests
> > > > > > Completed 4000 requests
> > > > > > Completed 5000 requests
> > > > > > Completed 6000 requests
> > > > > > Completed 7000 requests
> > > > > > Completed 8000 requests
> > > > > > Completed 9000 requests
> > > > > > Completed 10000 requests
> > > > > > Finished 10000 requests
> > > > > >
> > > > > >
> > > > > > Server Software:        FooBar/1.2.3
> > > > > > Server Hostname:        127.0.1.1
> > > > > > Server Port:            8100
> > > > > >
> > > > > > Document Path:          /cgi-bin/dump
> > > > > > Document Length:        226 bytes
> > > > > >
> > > > > > Concurrency Level:      1000
> > > > > > Time taken for tests:   44.678 seconds
> > > > > > Complete requests:      10000
> > > > > > Failed requests:        0
> > > > > > Write errors:           0
> > > > > > Non-2xx responses:      10000
> > > > > > Keep-Alive requests:    0
> > > > > > Total transferred:      3980000 bytes
> > > > > > HTML transferred:       2260000 bytes
> > > > > > Requests per second:    223.82 [#/sec] (mean)
> > > > > > Time per request:       4467.792 [ms] (mean)
> > > > > > Time per request:       4.468 [ms] (mean, across all concurrent requests)
> > > > > > Transfer rate:          86.99 [Kbytes/sec] received
> > > > > >
> > > > > > Connection Times (ms)
> > > > > >               min  mean[+/-sd] median   max
> > > > > > Connect:        0   469 1819.0      0  20999
> > > > > > Processing:     3  3814 4000.3   2614  27551
> > > > > > Waiting:        3  3258 3543.1   2191  26116
> > > > > > Total:          3  4283 4748.7   3025  36558
> > > > > >
> > > > > > Percentage of the requests served within a certain time (ms)
> > > > > >   50%   3025
> > > > > >   66%   4818
> > > > > >   75%   6226
> > > > > >   80%   7324
> > > > > >   90%  10264
> > > > > >   95%  13155
> > > > > >   98%  18743
> > > > > >   99%  23293
> > > > > >  100%  36558 (longest request)
> > > > > >
> > > > > >
> > > > > > Nicola Bianchi wrote:
> > > > > > > Hi Brian,
> > > > > > > here the information that you require!
> > > > > > > If you need additional info just tell me...
> > > > > > >
> > > > > > > Thank you a lot for the help ;)
> > > > > > > Regards.
> > > > > > > Nick
> > > > > > >
> > > > > > > ##### grep -v "^#" modsecurity_crs_10_config.conf | grep ..
> > > > > > > SecRuleEngine On
> > > > > > > SecRequestBodyAccess On
> > > > > > > SecResponseBodyAccess On
> > > > > > > SecResponseBodyMimeType (null) text/html text/plain text/xml
> > > > > > > SecResponseBodyLimit 524288
> > > > > > > SecServerSignature "Apache/2.2.0 (Fedora)"
> > > > > > > SecComponentSignature "core ruleset/1.6.1"
> > > > > > > SecUploadDir /tmp
> > > > > > > SecUploadKeepFiles Off
> > > > > > > SecAuditEngine RelevantOnly
> > > > > > > SecAuditLogRelevantStatus "^(?:5|4(?!04))"
> > > > > > > SecAuditLogType Serial
> > > > > > > SecAuditLog logs/modsec_audit.log
> > > > > > > SecAuditLogParts "ABIFHKZ"
> > > > > > > SecArgumentSeparator "&"
> > > > > > > SecCookieFormat 0
> > > > > > > SecRequestBodyInMemoryLimit 131072
> > > > > > > SecDebugLog logs/modsec_debug.log
> > > > > > > SecDebugLogLevel 1
> > > > > > > SecDataDir /tmp
> > > > > > > SecTmpDir /tmp
> > > > > > >
> > > > > > >
> > > > > > > ##### grep -v "^#" modsecurity_crs_15_cb_config.conf | grep ..
> > > > > > > SecRuleEngine On
> > > > > > > SecRequestBodyAccess On
> > > > > > > SecResponseBodyAccess On
> > > > > > > SecResponseBodyMimeType (null) text/html text/plain text/xml
> > > > > > > SecDefaultAction "phase:2,log,auditlog,deny,status:403,t:lowercase,t:replaceNulls,t:compressWhitespace"
> > > > > > > SecServerSignature "Server X"
> > > > > > > SecUploadDir /opt/jail/tmp
> > > > > > > SecAuditLogType Concurrent
> > > > > > > SecAuditLog "|bin/mlogc /opt/waf/mod_security/prod/bin/mlogc.conf"
> > > > > > > SecAuditLogStorageDir logs/modsec_audit/
> > > > > > > SecDebugLogLevel 0
> > > > > > > SecDataDir /opt/jail/tmp
> > > > > > > SecTmpDir /opt/jail/tmp
> > > > > > >
> > > > > > >
> > > > > > > ##### /opt/waf/bin/apache_prod/bin/httpd -V
> > > > > > > Server version: Apache/2.2.9 (Unix)
> > > > > > > Server built:   Jun 18 2008 11:18:47
> > > > > > > Server's Module Magic Number: 20051115:15
> > > > > > > Server loaded:  APR 1.3.0, APR-Util 1.3.0
> > > > > > > Compiled using: APR 1.3.0, APR-Util 1.3.0
> > > > > > > Architecture:   32-bit
> > > > > > > Server MPM:     Worker
> > > > > > >   threaded:     yes (fixed thread count)
> > > > > > >     forked:     yes (variable process count)
> > > > > > > Server compiled with....
> > > > > > >  -D APACHE_MPM_DIR="server/mpm/worker"
> > > > > > >  -D APR_HAS_SENDFILE
> > > > > > >  -D APR_HAS_MMAP
> > > > > > >  -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
> > > > > > >  -D APR_USE_SYSVSEM_SERIALIZE
> > > > > > >  -D APR_USE_PTHREAD_SERIALIZE
> > > > > > >  -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
> > > > > > >  -D APR_HAS_OTHER_CHILD
> > > > > > >  -D AP_HAVE_RELIABLE_PIPED_LOGS
> > > > > > >  -D DYNAMIC_MODULE_LIMIT=128
> > > > > > >  -D HTTPD_ROOT="/opt/waf/bin/httpd-2.2.9"
> > > > > > >  -D SUEXEC_BIN="/opt/waf/bin/httpd-2.2.9/bin/suexec"
> > > > > > >  -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
> > > > > > >  -D DEFAULT_ERRORLOG="logs/error_log"
> > > > > > >  -D AP_TYPES_CONFIG_FILE="conf/mime.types"
> > > > > > >  -D SERVER_CONFIG_FILE="conf/httpd.conf"
> > > > > > >
> > > > > > >
> > > > > > > ##### /opt/waf/bin/apache_prod/bin/httpd -l
> > > > > > > Compiled in modules:
> > > > > > >   core.c
> > > > > > >   mod_authn_file.c
> > > > > > >   mod_authn_default.c
> > > > > > >   mod_authz_host.c
> > > > > > >   mod_authz_groupfile.c
> > > > > > >   mod_authz_user.c
> > > > > > >   mod_authz_default.c
> > > > > > >   mod_auth_basic.c
> > > > > > >   mod_cache.c
> > > > > > >   mod_disk_cache.c
> > > > > > >   mod_mem_cache.c
> > > > > > >   mod_include.c
> > > > > > >   mod_filter.c
> > > > > > >   mod_deflate.c
> > > > > > >   mod_log_config.c
> > > > > > >   mod_logio.c
> > > > > > >   mod_env.c
> > > > > > >   mod_expires.c
> > > > > > >   mod_headers.c
> > > > > > >   mod_unique_id.c
> > > > > > >   mod_setenvif.c
> > > > > > >   mod_proxy.c
> > > > > > >   mod_proxy_connect.c
> > > > > > >   mod_proxy_ftp.c
> > > > > > >   mod_proxy_http.c
> > > > > > >   mod_proxy_ajp.c
> > > > > > >   mod_proxy_balancer.c
> > > > > > >   mod_ssl.c
> > > > > > >   worker.c
> > > > > > >   http_core.c
> > > > > > >   mod_mime.c
> > > > > > >   mod_status.c
> > > > > > >   mod_dir.c
> > > > > > >   mod_actions.c
> > > > > > >   mod_alias.c
> > > > > > >   mod_rewrite.c
> > > > > > >   mod_so.c
> > > > > > >
> > > > > > >
> > > > > > > ##### grep -v "^#" httpd-mpm.conf | grep ..
> > > > > > > <IfModule !mpm_netware_module>
> > > > > > >     PidFile "logs/httpd.pid"
> > > > > > > </IfModule>
> > > > > > > <IfModule !mpm_winnt_module>
> > > > > > > <IfModule !mpm_netware_module>
> > > > > > >     LockFile "logs/accept.lock"
> > > > > > > </IfModule>
> > > > > > > </IfModule>
> > > > > > > <IfModule mpm_worker_module>
> > > > > > >     StartServers          5
> > > > > > >     MaxClients          400
> > > > > > >     MinSpareThreads      25
> > > > > > >     MaxSpareThreads      75
> > > > > > >     ThreadsPerChild      25
> > > > > > >     MaxRequestsPerChild 1000
> > > > > > > </IfModule>
> > > > > > >
> > > > > > >
> > > > > > > #### grep KeepAlive httpd-default.conf | grep -v "^#"
> > > > > > > KeepAlive On
> > > > > > > MaxKeepAliveRequests 100
> > > > > > > KeepAliveTimeout 5
> > > > > > >
> > > > > > >
> > > > > > > #### cat vhosts.d/www.mysite.com.conf
> > > > > > >
> > > > > > > <VirtualHost 192.168.168.100:80>
> > > > > > >     ServerName www.mysite.com
> > > > > > >     ServerAlias mysite.com
> > > > > > >
> > > > > > >     # Log files
> > > > > > >     # ErrorLog logs/www.mysite.com-error_log
> > > > > > >     # CustomLog logs/www.mysite.com-access_log combined
> > > > > > >
> > > > > > >     # Add ClientIP to the Request Headers
> > > > > > >     RewriteEngine On
> > > > > > >     RewriteCond %{REMOTE_ADDR} (.*)
> > > > > > >     RewriteRule .* - [E=R_A:%1]
> > > > > > >     RequestHeader add ClientIP %{R_A}e
> > > > > > >
> > > > > > >     # Send all pages except the manut one to the internal web server
> > > > > > >     ProxyPreserveHost On
> > > > > > >     ProxyPass /manut.html !
> > > > > > >     ProxyPass / http://www.mysite.com/
> > > > > > >     ProxyPassReverse / http://www.mysite.com/
> > > > > > >
> > > > > > >     # ModSecurity specific rules (no additional rules enabled for the moment)
> > > > > > >     Include conf/rules.d/www.mysite.com.rules
> > > > > > > </VirtualHost>
> > > > > > >
> > > > > > > <VirtualHost 192.168.168.100:443>
> > > > > > >     ServerName www.mysite.com
> > > > > > >     ServerAlias mysite.com
> > > > > > >
> > > > > > >     # Log files
> > > > > > >     # ErrorLog logs/www.mysite.com-error_log
> > > > > > >     # CustomLog logs/www.mysite.com-access_log combined
> > > > > > >
> > > > > > >     # SSL config
> > > > > > >     SSLEngine on
> > > > > > >     SSLProtocol All -SSLv2
> > > > > > >     SSLCipherSuite ALL:!EXP:!NULL:!ADH:!LOW
> > > > > > >     SSLCertificateFile conf/cert/www.mysite.com.crt
> > > > > > >     SSLCertificateKeyFile conf/cert/www.mysite.com.key
> > > > > > >     SSLCertificateChainFile conf/cert/Verisign04.crt
> > > > > > >
> > > > > > >     # Add ClientIP to the Request Headers
> > > > > > >     RewriteEngine On
> > > > > > >     RewriteCond %{REMOTE_ADDR} (.*)
> > > > > > >     RewriteRule .* - [E=R_A:%1]
> > > > > > >     RequestHeader add ClientIP %{R_A}e
> > > > > > >
> > > > > > >     # Send all pages except the manut one to the internal web server
> > > > > > >     ProxyPreserveHost On
> > > > > > >     ProxyPass /manut.html !
> > > > > > >     ProxyPass / http://www.mysite.com/
> > > > > > >     ProxyPassReverse / http://www.mysite.com/
> > > > > > >
> > > > > > >     # ModSecurity specific rules (no additional rules enabled for the moment)
> > > > > > >     Include conf/rules.d/www.mysite.com.rules
> > > > > > >
> > > > > > > </VirtualHost>
> > > > > > >
> > > > > > >
> > > > > > > In attach the error_log of a test with:
> > > > > > > #### ./ab -k -c 200 -n 2000 https://192.168.168.100/
> > > > > > > Hang after 272 requests... (restart of apache needed!)
> > > > > > >
> > > > > > >
> > > > > > > #### top -d 1 (snapshot in the half of test)
> > > > > > > Tasks: 240 total,   1 running, 237 sleeping,   0 stopped,   2 zombie
> > > > > > > Cpu(s):  9.5%us,  0.5%sy,  0.0%ni, 75.4%id, 14.4%wa,  0.0%hi,  0.2%si,  0.0%st
> > > > > > > Mem:   5185028k total,  1462924k used,  3722104k free,     2832k buffers
> > > > > > > Swap:  4194296k total,        0k used,  4194296k free,  1130024k cached
> > > > > > >
> > > > > > >   PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
> > > > > > >  9302 wwwrun    18   0  233m  11m 2332 S    6  0.2   0:00.44 httpd
> > > > > > >  9388 wwwrun    16   0  233m  10m 2232 S    5  0.2   0:00.27 httpd
> > > > > > >  9332 wwwrun    16   0  234m  10m 2312 S    4  0.2   0:00.32 httpd
> > > > > > >  9532 wwwrun    16   0  231m 9144 2240 S    4  0.2   0:00.11 httpd
> > > > > > >  9392 wwwrun    16   0  234m  10m 2232 S    3  0.2   0:00.29 httpd
> > > > > > >  9498 wwwrun    17   0  231m 9856 2296 S    3  0.2   0:00.13 httpd
> > > > > > >  9499 wwwrun    17   0  230m 9100 2264 S    3  0.2   0:00.08 httpd
> > > > > > >  9600 wwwrun    21   0  230m 9140 2272 S    3  0.2   0:00.08 httpd
> > > > > > >  9386 wwwrun    15   0  232m  10m 2284 S    2  0.2   0:00.20 httpd
> > > > > > >  9390 wwwrun    16   0  234m  10m 2220 S    2  0.2   0:00.23 httpd
> > > > > > >  9530 wwwrun    16   0  230m 9056 2264 S    2  0.2   0:00.09 httpd
> > > > > > >  1024 root      10  -5     0    0    0 S    1  0.0   0:02.81 xfsdatad/0
> > > > > > >  9330 wwwrun    16   0  234m  10m 2288 S    1  0.2   0:00.30 httpd
> > > > > > >  9505 wwwrun    16   0  230m 9124 2224 S    1  0.2   0:00.09 httpd
> > > > > > >     1 root      16   0   732  284  244 S    0  0.0   0:02.00 init
> > > > > > >     2 root      RT   0     0    0    0 S    0  0.0   0:00.74 migration/0
> > > > > > >     3 root      34  19     0    0    0 S    0  0.0   0:00.05 ksoftirqd/0
> > > > > > >
> > > > > > >
> > > > > > > On Tue, Jun 24, 2008 at 7:18 PM, Brian Rectanus <Bri...@br...> wrote:
> <mailto:Bri...@br...>> > <mailto:Bri...@br... <mailto:Bri...@br...> > > <mailto:Bri...@br... > <mailto:Bri...@br...>>> > > > <mailto:Bri...@br... > <mailto:Bri...@br...> > > <mailto:Bri...@br... > <mailto:Bri...@br...>> > > > <mailto:Bri...@br... > <mailto:Bri...@br...> > > <mailto:Bri...@br... > <mailto:Bri...@br...>>>>> wrote: > > > > > > > > Nicola, > > > > > > > > I need to be able to duplicate this problem. > Would you > > please > > > send your > > > > settings for Apache and modsecurity? > > > > > > > > For ModSecurity, I need your config settings > (usually in > > > > modsecurity_crs_10_config.conf) and which other files > > you are > > > including. > > > > > > > > For Apache I at least need these: > > > > > > > > 1. Output from "httpd -V" and "httpd -l" > > > > > > > > 2. Values for the following directives: > > > > > > > > ServerLimit > > > > StartServers > > > > MaxClients > > > > MinSpareThreads > > > > MaxSpareThreads > > > > ThreadsPerChild > > > > MaxRequestsPerChild > > > > MaxRequestsPerThread > > > > KeepAlive > > > > KeepAliveTimeout > > > > > > > > 3. As well as your config for proxying (Balancer, > > ProxyPass, etc)? > > > > > > > > 4. Additionally, your entire error_log at at > least level > > > "info" (cleared > > > > before the test), the server-status output during > (or near) > > > the hang and > > > > CPU/Mem usage stats during the test would be nice > as well. > > > > > > > > thanks, > > > > -B > > > > > > > > > > > > Ivan Ristic wrote: > > > > > Hi Nicola, > > > > > > > > > > We'll have to try to reproduce your problem > somehow, as it > > > doesn't > > > > > happen in my tests. I've been using ab > constantly over the > > > years for > > > > > testing, and I don't recall any problems either. > > > > > > > > > > Are you using mlogc or any other mechanism to > transmit > > alerts > > > > elsewhere? > > > > > > > > > > > > > > > On Mon, Jun 23, 2008 at 2:51 PM, Nicola Bianchi > > > > > <bia...@gm... 
> bia...@gm... wrote:
>
>> Hi people,
>> I'm a new modsecurity user and I've a problem which maybe some of you can
>> resolve ;).
>>
>> My configuration is: reverse proxy (http/https) with apache 2.2.9 and
>> modsecurity 2.5.5 (core rules 2.5-1.6.1) on Linux SUSE SLES10.
>> Hardware: 2CPU dual core Intel(R) Xeon(R) @ 2.33GHz, 4GB of RAM
>>
>> If I try this benchmark all works fine, without problems:
>> ab -k -c 200 -n 8000 http://www.mysite.com/
>> ab -k -c 200 -n 8000 https://www.mysite.com/
>>
>> ... no lost requests, no particular delay.
>>
>> The problem comes out if I try to do a "DOS attack" pointing directly
>> to the ip address of mysite in https.
>> After a few requests (~200) apache hangs and stops responding ...
>>
>> ab -k -c 200 -n 8000 https://192.168.168.100/
>>
>> #############################################################################
>> # This is ApacheBench, Version 2.3 <$Revision: 655654 $>
>> # Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
>> # Licensed to The Apache Software Foundation, http://www.apache.org/
>> #
>> # Benchmarking 192.168.168.100 (be patient)
>> # Completed 200 requests
>> # apr_poll: The timeout specified has expired (70007)
>> # Total of 272 requests completed
>> #############################################################################
>>
>> Here is an extract from the logs:
>>
>> #############################################################################
>> Jun 23 14:31:47 ulxbwaf httpd[8103]: [error] [client 192.168.168.168]
>> ModSecurity: Access denied with code 400 (phase 2). Pattern match
>> "^[\\d\\.]+$" at REQUEST_HEADERS:Host. [file
>> "/opt/jail/opt/waf/mod_security/prod/conf/core_rules/modsecurity_crs_21_protocol_anomalies.conf"]
>> [line "60"] [id "960017"] [msg "Host header is a numeric IP address"]
>> [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [hostname
>> "192.168.168.100"] [uri "/"] [unique_id "SF@XssIL0NIAAB@ncMAAAACI"]
>> #############################################################################
>>
>> If I turn off modsecurity (SecRuleEngine Off) and I repeat the test I don't
>> have problems!
>> If I disable the specific rule (SecRuleRemoveById "960017") all works fine!
>>
>> So, have you some idea about this issue?
>> How can I prevent this kind of "DOS attack"?
>>
>> Thanks a lot! Regards
>> Nick
>>
>> PS: sorry for my ridiculous english ;)
>>
>> -------------------------------------------------------------------------
>> Check out the new SourceForge.net Marketplace.
>> It's the best place to buy or sell services for
>> just about anything Open Source.
>> http://sourceforge.net/services/buy/index.php
>> _______________________________________________
>> mod-security-users mailing list
>> mod...@li...
>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>
> --
> Ivan Ristic

--
Brian Rectanus
Breach Security
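The error_log line Nick quoted is in the `[key "value"]` format that ModSecurity 2.x writes for every alert, and the first thing a defender wants from a flood like his `ab` run is a per-client, per-rule count so that one source hammering rule 960017 stands out. The following is an added example written for this thread, not code from the list, from ModSecurity or from the Core Rules: it parses that line format into fields, applies the `^[\d\.]+$` Host-header pattern quoted in the alert, and aggregates alerts by client and rule id. The sample log lines are constructed from the entry quoted above (the second alert's `unique_id` and the `[notice]` line are made up), and the field regex assumes only the bracketed `[name "value"]` layout visible on the page.

```python
import re
from collections import Counter

# Constructed sample log text, modelled on the error_log extract quoted in the
# thread. The [notice] line is made up to show non-alert lines are skipped, and
# the second alert's unique_id is a placeholder, not a real ModSecurity id.
SAMPLE_LOG = r'''
Jun 23 14:31:47 ulxbwaf httpd[8103]: [error] [client 192.168.168.168] ModSecurity: Access denied with code 400 (phase 2). Pattern match "^[\\d\\.]+$" at REQUEST_HEADERS:Host. [file "/opt/jail/opt/waf/mod_security/prod/conf/core_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "60"] [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [hostname "192.168.168.100"] [uri "/"] [unique_id "SF@XssIL0NIAAB@ncMAAAACI"]
Jun 23 14:31:48 ulxbwaf httpd[8104]: [notice] caught SIGTERM, shutting down
Jun 23 14:31:49 ulxbwaf httpd[8105]: [error] [client 192.168.168.168] ModSecurity: Access denied with code 400 (phase 2). Pattern match "^[\\d\\.]+$" at REQUEST_HEADERS:Host. [file "/opt/jail/opt/waf/mod_security/prod/conf/core_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "60"] [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [hostname "192.168.168.100"] [uri "/"] [unique_id "CONSTRUCTED-ID-2"]
'''

# "[client 1.2.3.4] ModSecurity: " marks a ModSecurity alert in the error_log.
CLIENT_RE = re.compile(r'\[client ([^\]]+)\] ModSecurity: ')

# Each trailing detail has the shape [name "value"]; the value may contain
# backslash-escaped characters, so allow "\x" sequences inside the quotes.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

# The pattern the alert reports for REQUEST_HEADERS:Host, applied verbatim.
HOST_IS_IP_RE = re.compile(r'^[\d\.]+$')


def parse_modsec_line(line):
    """Return the bracketed fields of one ModSecurity 2.x alert line as a dict
    (plus the 'client' address), or None for lines that are not alerts."""
    m = CLIENT_RE.search(line)
    if not m:
        return None
    fields = {'client': m.group(1)}
    for key, value in FIELD_RE.findall(line):
        fields[key] = value
    return fields


def host_header_is_numeric_ip(host):
    """True when a Host header value matches the pattern quoted in the alert,
    i.e. when the request was sent to a bare IP instead of a hostname."""
    return bool(HOST_IS_IP_RE.match(host))


def summarize_alerts(log_text):
    """Count alerts per (client, rule id). A load test such as the ab run in
    the thread shows up as one client tripping one rule hundreds of times."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_modsec_line(line)
        if fields is None or 'id' not in fields:
            continue
        counts[(fields['client'], fields['id'])] += 1
    return counts


if __name__ == '__main__':
    for (client, rule_id), n in summarize_alerts(SAMPLE_LOG).most_common():
        print(f'{client:<18} rule {rule_id}: {n} alert(s)')
    for host in ('www.mysite.com', '192.168.168.100'):
        print(f'Host: {host:<18} numeric IP: {host_header_is_numeric_ip(host)}')
```

Fed the real error_log, `summarize_alerts` gives the per-source picture that decides whether a burst of 960017 hits is a misconfigured client, a scanner, or a load test against the bare address; `host_header_is_numeric_ip` reproduces the rule's match so the check can be run on request samples before deciding whether to keep the rule enabled or remove it with `SecRuleRemoveById` as Nick did.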
