We have recently installed the latest version of Mod QOS on Apache 2.2 and found a lot of the log entries below (I have removed the IPs), which we believed to be false positives. Our site is behaving normally and there was no feedback on any abnormalities whatsoever.
Is this even normal? Should we ignore these errors?
[Sun Feb 19 10:15:31 2017] [error] mod_qos(034): access denied, QS_SrvMinDataRate rule (in): min=178, this connection=0, c=
[Sun Feb 19 10:15:31 2017] [error] mod_qos(034): access denied, QS_SrvMinDataRate rule (in): min=178, this connection=0, c=
[Sun Feb 19 10:15:31 2017] [error] mod_qos(034): access denied, QS_SrvMinDataRate rule (in): min=178, this connection=0, c=
[Sun Feb 19 10:15:31 2017] [error] mod_qos(034): access denied, QS_SrvMinDataRate rule (in): min=178, this connection=0, c=
[Sun Feb 19 10:15:31 2017] [error] mod_qos(034): access denied, QS_SrvMinDataRate rule (in): min=178, this connection=0, c=
[Sun Feb 19 10:15:36 2017] [error] mod_qos(031): access denied, QS_SrvMaxConnPerIP rule: max=50, concurrent connections=51, c=
[Sun Feb 19 10:15:36 2017] [error] mod_qos(031): access denied, QS_SrvMaxConnPerIP rule: max=50, concurrent connections=52, c=
[Sun Feb 19 10:15:36 2017] [error] mod_qos(031): access denied, QS_SrvMaxConnPerIP rule: max=50, concurrent connections=53, c=
[Sun Feb 19 10:15:36 2017] [error] mod_qos(031): access denied, QS_SrvMaxConnPerIP rule: max=50, concurrent connections=54, c=
The "mod_qos(034)" messages may be caused by unused speculative TCP pre-connections. This is not exceptional. Users won't notice that the server closes those idle connections.
To avoid the messages, you should configure "QS_SrvMinDataRate" to be active on high server load only (use the third "connections" attribute), or configure the "Timeout" directive to be lower than the measurement interval of the "QS_SrvMinDataRate" directive (which is 5 seconds by default if not set otherwise while compiling mod_qos or by setting the "QS_SrvSampleRate" directive).
The "mod_qos(031)" messages are less usual. This normally happens only if many users connect to your server using the same proxy server (are hidden behind the same network via NAT, e.g. B2B). Maybe your application causes the browser to open many connections in parallel? I recommend checking which browser these users use (User-Agent header) and analyzing for yourself how the browser behaves when accessing your site.
Again, I recommend enabling "QS_SrvMaxConnPerIP" only if your server becomes very busy (second parameter "connections").
Regards, Pascal
Last edit: Pascal Buchbinder 2017-02-24
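An added example (not from the thread or the mod_qos project) that sorts the two message types discussed in the reply above: 034 denials are split into connections that sent nothing and connections that sent too slowly, and 031 denials are reduced to how far each client went over the limit. The sample log and its client addresses are constructed, and reading "this connection=0" as an idle connection is an assumption.

```python
import re
from collections import Counter

# Constructed sample in the thread's Apache 2.2 log format. Client addresses are
# documentation-range placeholders (the original post had them removed).
SAMPLE_LOG = """\
[Sun Feb 19 10:15:31 2017] [error] mod_qos(034): access denied, QS_SrvMinDataRate rule (in): min=178, this connection=0, c=192.0.2.10
[Sun Feb 19 10:15:31 2017] [error] mod_qos(034): access denied, QS_SrvMinDataRate rule (in): min=178, this connection=0, c=192.0.2.10
[Sun Feb 19 10:15:31 2017] [error] mod_qos(034): access denied, QS_SrvMinDataRate rule (in): min=178, this connection=0, c=192.0.2.11
[Sun Feb 19 10:15:33 2017] [error] mod_qos(034): access denied, QS_SrvMinDataRate rule (in): min=178, this connection=12, c=198.51.100.7
[Sun Feb 19 10:15:36 2017] [error] mod_qos(031): access denied, QS_SrvMaxConnPerIP rule: max=50, concurrent connections=51, c=203.0.113.5
[Sun Feb 19 10:15:36 2017] [error] mod_qos(031): access denied, QS_SrvMaxConnPerIP rule: max=50, concurrent connections=54, c=203.0.113.5
[Sun Feb 19 10:15:36 2017] [error] mod_qos(031): access denied, QS_SrvMaxConnPerIP rule: max=50, concurrent connections=52, c=
"""

# Matches only the two message ids from the thread; the client may be empty.
EVENT_RE = re.compile(
    r"mod_qos\((?P<id>03[14])\): access denied, QS_\w+ rule[^:]*: "
    r"(?P<detail>.*?), c=(?P<client>[^,\s]*)"
)
FIELD_RE = re.compile(r"([a-z ]+)=(\d+)")


def triage(log_text):
    """Split mod_qos 034/031 denials into idle, slow-sender and per-IP overshoot."""
    idle, slow, over_limit = Counter(), Counter(), {}
    for m in EVENT_RE.finditer(log_text):
        fields = {k.strip(): int(v) for k, v in FIELD_RE.findall(m["detail"])}
        client = m["client"] or "(redacted)"
        if m["id"] == "034":
            # Assumed reading: rate 0 means nothing was sent at all (an idle
            # pre-connection); 0 < rate < min means a client trickling data.
            bucket = idle if fields["this connection"] == 0 else slow
            bucket[client] += 1
        else:
            # 031: remember how far over "max" each client went at its peak.
            over = fields["concurrent connections"] - fields["max"]
            over_limit[client] = max(over_limit.get(client, 0), over)
    return {"idle": idle, "slow": slow, "over_limit": over_limit}


if __name__ == "__main__":
    for name, data in triage(SAMPLE_LOG).items():
        print(name, dict(data))
```

A log dominated by "idle" entries matches the pre-connection explanation, while "slow" entries and large "over_limit" values are the ones worth checking against the User-Agent in the access log.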
Hi Pascal, thanks for the prompt response. Our main objective is to implement something to prevent Slowloris attacks, as recommended by a pentesting vendor, and they recommended the configurations below.
So you mean we should add a QS_SrvMinDataRate 150 1200 <connections>? What would be a sensible figure? Don't quite understand the "Timeout" directive that you mentioned.
You might want to read http://mod-qos.sourceforge.net/dos.html for further explanations about those directives.
I have installed mod_qos and it is working well. Now the mod_qos error logs are saved in each site's error log. I want to save all mod_qos error logs in /var/log/apache2/error.log. How can I do this? Please help.