Re: [mod-security-users] Apache hang on https protocol violation
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [mod-security-users] Apache hang on https protocol violation
|
From: Nicola B. <bia...@gm...> - 2008-06-27 09:32:05
|
Hi Brian,
I greatly appreciate your interest for my problem, thank you.
Tomorrow I've recompiled apache and modsecurity for the external
apr/apr-util version.
I've followed this steps:
export AMBIENTE=prod
export XML_VERSIONE=2.6.32
export PCRE_VERSIONE=7.7
export LUA_VERSIONE=5.1.3
export APACHE_VERSIONE=2.2.9
export MODSEC_VERSIONE=2.5.5
export CORERULES_VERSIONE=2.5-1.6.1
export APR_VERSIONE=1.3.2
export APR_UTIL_VERSIONE=1.3.2
cd /tmp
tar xzfv apr-${APR_VERSIONE}.tar.gz
cd apr-${APR_VERSIONE}
./configure --prefix=/opt/waf/bin/apr-${APR_VERSIONE}
make && make test
make install
cd /opt/waf/bin/
rm apr_${AMBIENTE}
ln -s apr-1.3.2 apr_${AMBIENTE}
cd /tmp
tar xzvf apr-util-${APR_UTIL_VERSIONE}.tar.gz
cd apr-util-${APR_UTIL_VERSIONE}
./configure --prefix=/opt/waf/bin/apr-util-${APR_UTIL_VERSIONE}
--with-apr=/opt/waf/bin/apr-${APR_VERSIONE}
make && make test
make install
cd /opt/waf/bin
rm apr-util_${AMBIENTE}
ln -s apr-util-${APR_UTIL_VERSIONE} apr-util_${AMBIENTE}
cd /tmp
tar xvfz httpd-${APACHE_VERSIONE}.tar.gz
cd httpd-${APACHE_VERSIONE}/
./configure \
--prefix=/opt/waf/bin/httpd-${APACHE_VERSIONE} \
--with-mpm=worker --enable-so \
--enable-unique-id \
--enable-proxy --enable-proxy-http --enable-proxy-balancer \
--enable-rewrite --enable-headers \
--enable-logio \
--enable-expires \
--enable-ssl \
--enable-deflate --enable-cache --enable-disk-cache --enable-mem-cache \
--disable-autoindex --disable-asis --disable-cgi --disable-cgid \
--disable-negotiation --disable-userdir \
--with-pcre=/opt/waf/bin/pcre-${PCRE_VERSIONE} \
--with-apr=/opt/waf/bin/apr-${APR_VERSIONE} \
--with-apr-util=/opt/waf/bin/apr-util-${APR_VERSIONE}
make
make install
rm /opt/waf/bin/apache_${AMBIENTE}
ln -s httpd-${APACHE_VERSIONE} /opt/waf/bin/apache_${AMBIENTE}
cd /tmp
tar xvfz modsecurity-apache_${MODSEC_VERSIONE}.tar.gz
cd modsecurity-apache_${MODSEC_VERSIONE}/apache2/
./configure \
--prefix=/opt/waf/bin/modsecurity-apache_${MODSEC_VERSIONE} \
--with-apxs=/opt/waf/bin/httpd-${APACHE_VERSIONE}/bin/apxs \
--with-pcre=/opt/waf/bin/pcre-${PCRE_VERSIONE} \
--with-libxml=/opt/waf/bin/libxml2-${XML_VERSIONE} \
--with-lua=/opt/waf/bin/lua-${LUA_VERSIONE} \
--with-apr=/opt/waf/bin/apr-${APR_VERSIONE} \
--with-apu=/opt/waf/bin/apr-util-${APR_VERSIONE} \
--enable-strict-compile
make && make test
# All tests passed (518).
mkdir -p /opt/waf/bin/modsecurity-apache_${MODSEC_VERSIONE}
rm /opt/waf/bin/modsecurity-apache_${AMBIENTE}
ln -s modsecurity-apache_${MODSEC_VERSIONE}
/opt/waf/bin/modsecurity-apache_${AMBIENTE}
cp .libs/mod_security2.so
/opt/waf/bin/modsecurity-apache_${MODSEC_VERSIONE}/
cd mlogc-src/
make
chown -R root:root mlogc
chmod -R go= mlogc
rm -f /opt/waf/mod_security/${AMBIENTE}/bin/mlogc
cp -p mlogc /opt/waf/mod_security/${AMBIENTE}/bin/
##### check
ldd /opt/waf/mod_security/${AMBIENTE}/bin/mlogc
linux-gate.so.1 => (0xffffe000)
libapr-1.so.0 => /opt/waf/bin/apr-1.3.2/lib/libapr-1.so.0 (0xb7ef3000)
libcurl.so.3 => /usr/lib/libcurl.so.3 (0xb7ebf000)
libidn.so.11 => /usr/lib/libidn.so.11 (0xb7e8f000)
libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0xb7e52000)
libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0xb7d29000)
libdl.so.2 => /lib/libdl.so.2 (0xb7d25000)
libz.so.1 => /lib/libz.so.1 (0xb7d13000)
libpcre.so.0 => /usr/lib/libpcre.so.0 (0xb7ce7000)
libpthread.so.0 => /lib/libpthread.so.0 (0xb7cd1000)
libc.so.6 => /lib/libc.so.6 (0xb7ba5000)
librt.so.1 => /lib/librt.so.1 (0xb7b9b000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0xb7b68000)
/lib/ld-linux.so.2 (0xb7f21000)
/opt/waf/bin/apache_${AMBIENTE}/bin/httpd -V
Server version: Apache/2.2.9 (Unix)
Server built: Jun 27 2008 10:08:36
Server's Module Magic Number: 20051115:15
Server loaded: APR 1.3.2, APR-Util 1.3.2
Compiled using: APR 1.3.2, APR-Util 1.3.2
Architecture: 32-bit
Server MPM: Worker
threaded: yes (fixed thread count)
forked: yes (variable process count)
Server compiled with....
-D APACHE_MPM_DIR="server/mpm/worker"
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=128
-D HTTPD_ROOT="/opt/waf/bin/httpd-2.2.9-apr"
-D SUEXEC_BIN="/opt/waf/bin/httpd-2.2.9-apr/bin/suexec"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="conf/mime.types"
-D SERVER_CONFIG_FILE="conf/httpd.conf"
#### end of check
I've starded apache whitout error:
/etc/init.d/apachectl_${AMBIENTE} start
tail -10 /opt/waf/mod_security/${AMBIENTE}/logs/error_log
Jun 27 11:02:40 ulxbwaf2 httpd[29961]: [info] RSA server certificate enables
Server Gated Cryptography (SGC)
Jun 27 11:02:40 ulxbwaf2 httpd[29961]: [info] Configuring server for SSL
protocol
Jun 27 11:02:40 ulxbwaf2 httpd[29961]: [info] RSA server certificate enables
Server Gated Cryptography (SGC)
Jun 27 11:02:40 ulxbwaf2 httpd[29961]: [info] Configuring server for SSL
protocol
Jun 27 11:02:40 ulxbwaf2 httpd[29961]: [info] RSA server certificate enables
Server Gated Cryptography (SGC)
Jun 27 11:02:40 ulxbwaf2 httpd[29961]: [info] Configuring server for SSL
protocol
Jun 27 11:02:40 ulxbwaf2 httpd[29961]: [info] RSA server certificate enables
Server Gated Cryptography (SGC)
Jun 27 11:02:40 ulxbwaf2 httpd[29961]: [info] mod_ssl/2.2.9 compiled against
Server: Apache/2.2.9, Library: OpenSSL/0.9.8a
Jun 27 11:02:40 ulxbwaf2 httpd[29961]: [notice] Apache/2.2.9 (Unix)
mod_ssl/2.2.9 OpenSSL/0.9.8a Server X configured -- resuming normal
operations
Jun 27 11:02:40 ulxbwaf2 httpd[29961]: [info] Server built: Jun 27 2008
10:08:36
tail -10 /opt/waf/mod_security/prod/logs/mlogc-error.log
[Fri Jun 27 10:38:42 2008] [3] [27039/0] ModSecurity Audit Log Collector
1.4.4 started.
[Fri Jun 27 10:38:43 2008] [3] [27048/0] ModSecurity Audit Log Collector
1.4.4 delaying startup for 1000ms
[Fri Jun 27 10:38:43 2008] [3] [27044/0] ModSecurity Audit Log Collector
1.4.4 started.
[Fri Jun 27 10:38:43 2008] [3] [27052/0] ModSecurity Audit Log Collector
1.4.4 delaying startup for 1000ms
[Fri Jun 27 10:38:44 2008] [3] [27048/0] ModSecurity Audit Log Collector
1.4.4 started.
[Fri Jun 27 10:38:44 2008] [3] [27052/0] ModSecurity Audit Log Collector
1.4.4 started.
[Fri Jun 27 11:02:38 2008] [3] [29959/0] ModSecurity Audit Log Collector
1.4.4 delaying startup for 1000ms
[Fri Jun 27 11:02:39 2008] [3] [29962/0] ModSecurity Audit Log Collector
1.4.4 delaying startup for 1000ms
[Fri Jun 27 11:02:39 2008] [3] [29959/0] ModSecurity Audit Log Collector
1.4.4 started.
[Fri Jun 27 11:02:40 2008] [3] [29962/0] ModSecurity Audit Log Collector
1.4.4 started.
ps -ef | grep apache_${AMBIENTE}
root 29961 1 0 11:02 ? 00:00:00
/opt/waf/bin/apache_prod/bin/httpd -f
/opt/waf/mod_security/prod/conf/httpd.conf -k start
wwwrun 29964 29961 0 11:02 ? 00:00:00
/opt/waf/bin/apache_prod/bin/httpd -f
/opt/waf/mod_security/prod/conf/httpd.conf -k start
wwwrun 29965 29961 0 11:02 ? 00:00:00
/opt/waf/bin/apache_prod/bin/httpd -f
/opt/waf/mod_security/prod/conf/httpd.conf -k start
ps -ef | grep mlogc
root 29959 1 0 11:02 pts/2 00:00:00
/opt/jail/opt/waf/mod_security/prod/bin/mlogc
/opt/jail/opt/waf/mod_security/prod/bin/mlogc.conf
root 29962 29961 0 11:02 ? 00:00:00
/opt/jail/opt/waf/mod_security/prod/bin/mlogc
/opt/jail/opt/waf/mod_security/prod/bin/mlogc.conf
##### always the strange parent shell
.... but apache still hang !!! Same problem :( ... no log to the console and
so on ..
maybe after a weekend of relax I'll be more lucky... ;)
byebye
Nick
PS: no jail ... only a nice to have
On Thu, Jun 26, 2008 at 7:05 PM, Brian Rectanus <Bri...@br...>
wrote:
> I still cannot duplicate - sorry. Try recompiling with APR/APU 1.3.2
> and see if that makes a difference for you. Results below...
>
> Nicola Bianchi wrote:
> > Brian,
> > have you tryed with httpS request? Without S I don't have hang
> problems...
>
> $ ab -k -c 1000 -n 10000 https://127.0.1.1:8100/cgi-bin/dump
> This is ApacheBench, Version 2.3 <$Revision: 655654 $>
> Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
> Licensed to The Apache Software Foundation, http://www.apache.org/
>
> Benchmarking 127.0.1.1 (be patient)
> Completed 1000 requests
> Completed 2000 requests
> Completed 3000 requests
> Completed 4000 requests
> Completed 5000 requests
> Completed 6000 requests
> Completed 7000 requests
> Completed 8000 requests
> Completed 9000 requests
> Completed 10000 requests
> Finished 10000 requests
>
>
> Server Software: FooBar/1.2.3
> Server Hostname: 127.0.1.1
> Server Port: 8100
> SSL/TLS Protocol: TLSv1/SSLv3,DHE-RSA-AES256-SHA,1024,256
>
> Document Path: /cgi-bin/dump
> Document Length: 226 bytes
>
> Concurrency Level: 1000
> Time taken for tests: 121.536 seconds
> Complete requests: 10000
> Failed requests: 0
> Write errors: 0
> Non-2xx responses: 10303
> Keep-Alive requests: 0
> Total transferred: 4072344 bytes
> HTML transferred: 2300228 bytes
> Requests per second: 82.28 [#/sec] (mean)
> Time per request: 12153.563 [ms] (mean)
> Time per request: 12.154 [ms] (mean, across all concurrent requests)
> Transfer rate: 32.72 [Kbytes/sec] received
>
> Connection Times (ms)
> min mean[+/-sd] median max
> Connect: 115 7139 10962.6 4574 98384
> Processing: 4 4075 1088.8 4217 6623
> Waiting: 3 1254 652.5 1270 3484
> Total: 174 11214 11049.4 9159 102880
>
> Percentage of the requests served within a certain time (ms)
> 50% 9159
> 66% 9953
> 75% 10954
> 80% 11610
> 90% 17395
> 95% 19417
> 98% 30490
> 99% 99874
> 100% 102880 (longest request)
>
>
>
> >
> > My compiling configurations:
> >
> > ################################################################
> > tar xvfz httpd-${APACHE_VERSIONE}.tar.gz
> > cd httpd-${APACHE_VERSIONE}/
> > ./configure \
> > --prefix=/opt/waf/bin/httpd-${APACHE_VERSIONE} \
> > --with-mpm=worker --enable-so \
> > --enable-unique-id \
> > --enable-proxy --enable-proxy-http --enable-proxy-balancer \
> > --enable-rewrite --enable-headers \
> > --enable-logio \
> > --enable-expires \
> > --enable-ssl \
> > --enable-deflate --enable-cache --enable-disk-cache --enable-mem-cache \
> > --disable-autoindex --disable-asis --disable-cgi --disable-cgid \
> > --disable-negotiation --disable-userdir \
> > --with-pcre=/opt/waf/bin/pcre-${PCRE_VERSIONE}
> > ################################################################
> >
> > ################################################################
> > cd modsecurity-apache_${MODSEC_VERSIONE}/apache2/
> > ./configure \
> > --prefix=/opt/waf/bin/modsecurity-apache_${MODSEC_VERSIONE} \
> > --with-apxs=/opt/waf/bin/httpd-${APACHE_VERSIONE}/bin/apxs \
> > --with-apr=/opt/waf/bin/httpd-${APACHE_VERSIONE}/bin \
> > --with-apu=/opt/waf/bin/httpd-${APACHE_VERSIONE}/bin \
> > --with-pcre=/opt/waf/bin/pcre-${PCRE_VERSIONE} \
> > --with-libxml=/opt/waf/bin/libxml2-${XML_VERSIONE} \
> > --with-lua=/opt/waf/bin/lua-${LUA_VERSIONE} \
> > --enable-strict-compile
> > ################################################################
>
> And compiled your way (mostly - I am still 64 bit):
>
> Mine is faster, BTW - kidding ;)
>
> $ httpd -V
> Server version: Apache/2.2.9 (Unix)
> Server built: Jun 26 2008 09:56:07
> Server's Module Magic Number: 20051115:15
> Server loaded: APR 1.3.0, APR-Util 1.3.0
> Compiled using: APR 1.3.0, APR-Util 1.3.0
> Architecture: 64-bit
> Server MPM: Worker
> threaded: yes (fixed thread count)
> forked: yes (variable process count)
> Server compiled with....
> -D APACHE_MPM_DIR="server/mpm/worker"
> -D APR_HAS_SENDFILE
> -D APR_HAS_MMAP
> -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
> -D APR_USE_SYSVSEM_SERIALIZE
> -D APR_USE_PTHREAD_SERIALIZE
> -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
> -D APR_HAS_OTHER_CHILD
> -D AP_HAVE_RELIABLE_PIPED_LOGS
> -D DYNAMIC_MODULE_LIMIT=128
> -D HTTPD_ROOT="/apps/httpd-2.2.9-nicola"
> -D SUEXEC_BIN="/apps/httpd-2.2.9-nicola/bin/suexec"
> -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
> -D DEFAULT_ERRORLOG="logs/error_log"
> -D AP_TYPES_CONFIG_FILE="conf/mime.types"
> -D SERVER_CONFIG_FILE="conf/httpd.conf"
>
> $ httpd -l
> Compiled in modules:
> core.c
> mod_authn_file.c
> mod_authn_default.c
> mod_authz_host.c
> mod_authz_groupfile.c
> mod_authz_user.c
> mod_authz_default.c
> mod_auth_basic.c
> mod_cache.c
> mod_disk_cache.c
> mod_mem_cache.c
> mod_include.c
> mod_filter.c
> mod_deflate.c
> mod_log_config.c
> mod_logio.c
> mod_env.c
> mod_expires.c
> mod_headers.c
> mod_unique_id.c
> mod_setenvif.c
> mod_proxy.c
> mod_proxy_connect.c
> mod_proxy_ftp.c
> mod_proxy_http.c
> mod_proxy_ajp.c
> mod_proxy_balancer.c
> mod_ssl.c
> worker.c
> http_core.c
> mod_mime.c
> mod_status.c
> mod_dir.c
> mod_actions.c
> mod_alias.c
> mod_rewrite.c
> mod_so.c
>
> $ ab -k -c 1000 -n 10000 https://127.0.1.1:8100/cgi-bin/dump
> This is ApacheBench, Version 2.3 <$Revision: 655654 $>
> Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
> Licensed to The Apache Software Foundation, http://www.apache.org/
>
> Benchmarking 127.0.1.1 (be patient)
> Completed 1000 requests
> Completed 2000 requests
> Completed 3000 requests
> Completed 4000 requests
> Completed 5000 requests
> Completed 6000 requests
> Completed 7000 requests
> Completed 8000 requests
> Completed 9000 requests
> Completed 10000 requests
> Finished 10000 requests
>
>
> Server Software:
> Server Hostname: 127.0.1.1
> Server Port: 8100
> SSL/TLS Protocol: TLSv1/SSLv3,DHE-RSA-AES256-SHA,1024,256
>
> Document Path: /cgi-bin/dump
> Document Length: 226 bytes
>
> Concurrency Level: 1000
> Time taken for tests: 123.303 seconds
> Complete requests: 10000
> Failed requests: 0
> Write errors: 0
> Non-2xx responses: 10313
> Keep-Alive requests: 0
> Total transferred: 3854410 bytes
> HTML transferred: 2307460 bytes
> Requests per second: 81.10 [#/sec] (mean)
> Time per request: 12330.260 [ms] (mean)
> Time per request: 12.330 [ms] (mean, across all concurrent requests)
> Transfer rate: 30.53 [Kbytes/sec] received
>
> Connection Times (ms)
> min mean[+/-sd] median max
> Connect: 203 7297 8204.7 5242 99241
> Processing: 26 4395 1357.0 4492 7688
> Waiting: 7 1384 728.3 1404 4157
> Total: 846 11692 8415.4 10091 103464
>
> Percentage of the requests served within a certain time (ms)
> 50% 10091
> 66% 11590
> 75% 12576
> 80% 13366
> 90% 17806
> 95% 19963
> 98% 30589
> 99% 56842
> 100% 103464 (longest request)
>
>
>
>
> >
> >
> > On Thu, Jun 26, 2008 at 1:38 AM, Brian Rectanus
> > <Bri...@br... <mailto:Bri...@br...>> wrote:
> >
> > Nick,
> >
> > I was not able to duplicate this. Below I have 2.2.9 apache running
> as
> > a reverse proxy with modsecurity 2.5.5 and core rules 1.6.1 and mlogc
> > running to a console. Each request produced an alert about the IP in
> > the host header. Additionally, I up'ed the ab test considerably. I
> > also tried mis-configuring mlogc in various ways, but these yielded
> > similar results.
> >
> > There are some differences in our setups. I have most modules as
> > modules vs compiled in as you have them. I am also running 64bit.
> But
> > I do not think these should make that much difference.
> >
> > If you would send me the exact configure options you used with your
> > 2.2.9 apache I will compile one here and test if you want.
> >
> >
> > $ httpd -V
> > Server version: Apache/2.2.9 (Unix)
> > Server built: Jun 25 2008 16:25:03
> > Server's Module Magic Number: 20051115:15
> > Server loaded: APR 1.3.0, APR-Util 1.3.0
> > Compiled using: APR 1.3.0, APR-Util 1.3.0
> > Architecture: 64-bit
> > Server MPM: Worker
> > threaded: yes (fixed thread count)
> > forked: yes (variable process count)
> > Server compiled with....
> > -D APACHE_MPM_DIR="server/mpm/worker"
> > -D APR_HAS_SENDFILE
> > -D APR_HAS_MMAP
> > -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
> > -D APR_USE_SYSVSEM_SERIALIZE
> > -D APR_USE_PTHREAD_SERIALIZE
> > -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
> > -D APR_HAS_OTHER_CHILD
> > -D AP_HAVE_RELIABLE_PIPED_LOGS
> > -D DYNAMIC_MODULE_LIMIT=128
> > -D HTTPD_ROOT="/apps/httpd-2.2.9"
> > -D SUEXEC_BIN="/apps/httpd-2.2.9/bin/suexec"
> > -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
> > -D DEFAULT_ERRORLOG="logs/error_log"
> > -D AP_TYPES_CONFIG_FILE="conf/mime.types"
> > -D SERVER_CONFIG_FILE="conf/httpd.conf"
> >
> > $ httpd -lCompiled in modules:
> > core.c
> > worker.c
> > http_core.c
> > mod_so.c
> >
> > $ ab -k -c 1000 -n 10000 http://127.0.1.1:8100/cgi-bin/dump
> > This is ApacheBench, Version 2.3 <$Revision: 655654 $>
> > Copyright 1996 Adam Twiss, Zeus Technology Ltd,
> http://www.zeustech.net/
> > Licensed to The Apache Software Foundation, http://www.apache.org/
> >
> > Benchmarking 127.0.1.1 <http://127.0.1.1> (be patient)
> > Completed 1000 requests
> > Completed 2000 requests
> > Completed 3000 requests
> > Completed 4000 requests
> > Completed 5000 requests
> > Completed 6000 requests
> > Completed 7000 requests
> > Completed 8000 requests
> > Completed 9000 requests
> > Completed 10000 requests
> > Finished 10000 requests
> >
> >
> > Server Software: FooBar/1.2.3
> > Server Hostname: 127.0.1.1 <http://127.0.1.1>
> > Server Port: 8100
> >
> > Document Path: /cgi-bin/dump
> > Document Length: 226 bytes
> >
> > Concurrency Level: 1000
> > Time taken for tests: 44.678 seconds
> > Complete requests: 10000
> > Failed requests: 0
> > Write errors: 0
> > Non-2xx responses: 10000
> > Keep-Alive requests: 0
> > Total transferred: 3980000 bytes
> > HTML transferred: 2260000 bytes
> > Requests per second: 223.82 [#/sec] (mean)
> > Time per request: 4467.792 [ms] (mean)
> > Time per request: 4.468 [ms] (mean, across all concurrent
> > requests)
> > Transfer rate: 86.99 [Kbytes/sec] received
> >
> > Connection Times (ms)
> > min mean[+/-sd] median max
> > Connect: 0 469 1819.0 0 20999
> > Processing: 3 3814 4000.3 2614 27551
> > Waiting: 3 3258 3543.1 2191 26116
> > Total: 3 4283 4748.7 3025 36558
> >
> > Percentage of the requests served within a certain time (ms)
> > 50% 3025
> > 66% 4818
> > 75% 6226
> > 80% 7324
> > 90% 10264
> > 95% 13155
> > 98% 18743
> > 99% 23293
> > 100% 36558 (longest request)
> >
> >
> >
> > Nicola Bianchi wrote:
> > > Hi Brian,
> > > here the information that you require!
> > > If you need additional info just tell me...
> > >
> > > Thank you a lot for the help ;)
> > > Regards.
> > > Nick
> > >
> > > ##### grep -v "^#" modsecurity_crs_10_config.conf | grep ..
> > > SecRuleEngine On
> > > SecRequestBodyAccess On
> > > SecResponseBodyAccess On
> > > SecResponseBodyMimeType (null) text/html text/plain text/xml
> > > SecResponseBodyLimit 524288
> > > SecServerSignature "Apache/2.2.0 (Fedora)"
> > > SecComponentSignature "core ruleset/1.6.1"
> > > SecUploadDir /tmp
> > > SecUploadKeepFiles Off
> > > SecAuditEngine RelevantOnly
> > > SecAuditLogRelevantStatus "^(?:5|4(?!04))"
> > > SecAuditLogType Serial
> > > SecAuditLog logs/modsec_audit.log
> > > SecAuditLogParts "ABIFHKZ"
> > > SecArgumentSeparator "&"
> > > SecCookieFormat 0
> > > SecRequestBodyInMemoryLimit 131072
> > > SecDebugLog logs/modsec_debug.log
> > > SecDebugLogLevel 1
> > > SecDataDir /tmp
> > > SecTmpDir /tmp
> > >
> > >
> > > ##### grep -v "^#" modsecurity_crs_15_cb_config.conf | grep ..
> > > SecRuleEngine On
> > > SecRequestBodyAccess On
> > > SecResponseBodyAccess On
> > > SecResponseBodyMimeType (null) text/html text/plain text/xml
> > > SecDefaultAction
> > >
> >
> "phase:2,log,auditlog,deny,status:403,t:lowercase,t:replaceNulls,t:compressWhitespace"
> > > SecServerSignature "Server X"
> > > SecUploadDir /opt/jail/tmp
> > > SecAuditLogType Concurrent
> > > SecAuditLog "|bin/mlogc /opt/waf/mod_security/prod/bin/mlogc.conf"
> > > SecAuditLogStorageDir logs/modsec_audit/
> > > SecDebugLogLevel 0
> > > SecDataDir /opt/jail/tmp
> > > SecTmpDir /opt/jail/tmp
> > >
> > >
> > > ##### /opt/waf/bin/apache_prod/bin/httpd -V
> > > Server version: Apache/2.2.9 (Unix)
> > > Server built: Jun 18 2008 11:18:47
> > > Server's Module Magic Number: 20051115:15
> > > Server loaded: APR 1.3.0, APR-Util 1.3.0
> > > Compiled using: APR 1.3.0, APR-Util 1.3.0
> > > Architecture: 32-bit
> > > Server MPM: Worker
> > > threaded: yes (fixed thread count)
> > > forked: yes (variable process count)
> > > Server compiled with....
> > > -D APACHE_MPM_DIR="server/mpm/worker"
> > > -D APR_HAS_SENDFILE
> > > -D APR_HAS_MMAP
> > > -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
> > > -D APR_USE_SYSVSEM_SERIALIZE
> > > -D APR_USE_PTHREAD_SERIALIZE
> > > -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
> > > -D APR_HAS_OTHER_CHILD
> > > -D AP_HAVE_RELIABLE_PIPED_LOGS
> > > -D DYNAMIC_MODULE_LIMIT=128
> > > -D HTTPD_ROOT="/opt/waf/bin/httpd-2.2.9"
> > > -D SUEXEC_BIN="/opt/waf/bin/httpd-2.2.9/bin/suexec"
> > > -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
> > > -D DEFAULT_ERRORLOG="logs/error_log"
> > > -D AP_TYPES_CONFIG_FILE="conf/mime.types"
> > > -D SERVER_CONFIG_FILE="conf/httpd.conf"
> > >
> > >
> > >
> > > ##### /opt/waf/bin/apache_prod/bin/httpd -l
> > > Compiled in modules:
> > > core.c
> > > mod_authn_file.c
> > > mod_authn_default.c
> > > mod_authz_host.c
> > > mod_authz_groupfile.c
> > > mod_authz_user.c
> > > mod_authz_default.c
> > > mod_auth_basic.c
> > > mod_cache.c
> > > mod_disk_cache.c
> > > mod_mem_cache.c
> > > mod_include.c
> > > mod_filter.c
> > > mod_deflate.c
> > > mod_log_config.c
> > > mod_logio.c
> > > mod_env.c
> > > mod_expires.c
> > > mod_headers.c
> > > mod_unique_id.c
> > > mod_setenvif.c
> > > mod_proxy.c
> > > mod_proxy_connect.c
> > > mod_proxy_ftp.c
> > > mod_proxy_http.c
> > > mod_proxy_ajp.c
> > > mod_proxy_balancer.c
> > > mod_ssl.c
> > > worker.c
> > > http_core.c
> > > mod_mime.c
> > > mod_status.c
> > > mod_dir.c
> > > mod_actions.c
> > > mod_alias.c
> > > mod_rewrite.c
> > > mod_so.c
> > >
> > >
> > > ##### grep -v "^#" httpd-mpm.conf | grep ..
> > > <IfModule !mpm_netware_module>
> > > PidFile "logs/httpd.pid"
> > > </IfModule>
> > > <IfModule !mpm_winnt_module>
> > > <IfModule !mpm_netware_module>
> > > LockFile "logs/accept.lock"
> > > </IfModule>
> > > </IfModule>
> > > <IfModule mpm_worker_module>
> > > StartServers 5
> > > MaxClients 400
> > > MinSpareThreads 25
> > > MaxSpareThreads 75
> > > ThreadsPerChild 25
> > > MaxRequestsPerChild 1000
> > > </IfModule>
> > >
> > >
> > > #### grep KeepAlive httpd-default.conf | grep -v "^#"
> > > KeepAlive On
> > > MaxKeepAliveRequests 100
> > > KeepAliveTimeout 5
> > >
> > >
> > > #### cat vhosts.d/www.mysite.com.conf
> > >
> > > <VirtualHost 192.168.168.100:80 <http://192.168.168.100:80>
> > <http://192.168.168.100:80>>
> > > ServerName www.mysite.com <http://www.mysite.com>
> > <http://www.mysite.com>
> > > ServerAlias mysite.com <http://mysite.com> <http://mysite.com>
> > >
> > > # Log files
> > > # ErrorLog logs/www.mysite.com-error_log
> > > # CustomLog logs/www.mysite.com-access_log combined
> > >
> > > # Add ClientIP to the Request Headers
> > > RewriteEngine On
> > > RewriteCond %{REMOTE_ADDR} (.*)
> > > RewriteRule .* - [E=R_A:%1]
> > > RequestHeader add ClientIP %{R_A}e
> > >
> > > # Send all pages except the manut one to the internal web server
> > > ProxyPreserveHost On
> > > ProxyPass /manut.html !
> > > ProxyPass / http://www.mysite.com/
> > > ProxyPassReverse / http://www.mysite.com/
> > >
> > > # ModSecurity specific rules (no additional rules enabled for
> > the moment)
> > > Include conf/rules.d/www.mysite.com.rules
> > > </VirtualHost>
> > >
> > > <VirtualHost 192.168.168.100:443 <http://192.168.168.100:443>
> > <http://192.168.168.100:443>>
> > > ServerName www.mysite.com <http://www.mysite.com>
> > <http://www.mysite.com>
> > > ServerAlias mysite.com <http://mysite.com> <http://mysite.com>
> > >
> > > # Log files
> > > # ErrorLog logs/www.mysite.com-error_log
> > > # CustomLog logs/www.mysite.com-access_log combined
> > >
> > > # SSL config
> > > SSLEngine on
> > > SSLProtocol All -SSLv2
> > > SSLCipherSuite ALL:!EXP:!NULL:!ADH:!LOW
> > > SSLCertificateFile conf/cert/www.mysite.com.crt
> > > SSLCertificateKeyFile conf/cert/www.mysite.com.key
> > > SSLCertificateChainFile conf/cert/Verisign04.crt
> > >
> > > # Add ClientIP to the Request Headers
> > > RewriteEngine On
> > > RewriteCond %{REMOTE_ADDR} (.*)
> > > RewriteRule .* - [E=R_A:%1]
> > > RequestHeader add ClientIP %{R_A}e
> > >
> > > # Send all pages except the manut one to the internal web server
> > > ProxyPreserveHost On
> > > ProxyPass /manut.html !
> > > ProxyPass / http://www.mysite.com/
> > > ProxyPassReverse / http://www.mysite.com/
> > >
> > > # ModSecurity specific rules (no additional rules enabled for
> the
> > > moment)
> > > Include conf/rules.d/www.mysite.com.rules
> > >
> > > </VirtualHost>
> > >
> > >
> > > In attach the error_log of a test with:
> > > #### ./ab -k -c 200 -n 2000 https://192.168.168.100/
> > > Hang after 272 request... (restart of apache needed!)
> > >
> > >
> > > #### top -d 1 (snapshot in the half of test)
> > > Tasks: 240 total, 1 running, 237 sleeping, 0 stopped, 2
> zombie
> > > Cpu(s): 9.5%us, 0.5%sy, 0.0%ni, 75.4%id, 14.4%wa, 0.0%hi,
> 0.2%si,
> > > 0.0%st
> > > Mem: 5185028k total, 1462924k used, 3722104k free, 2832k
> > buffers
> > > Swap: 4194296k total, 0k used, 4194296k free, 1130024k
> > cached
> > >
> > > PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+
> > > COMMAND
> > >
> > > 9302 wwwrun 18 0 233m 11m 2332 S 6 0.2 0:00.44
> > > httpd
> > >
> > > 9388 wwwrun 16 0 233m 10m 2232 S 5 0.2 0:00.27
> > > httpd
> > >
> > > 9332 wwwrun 16 0 234m 10m 2312 S 4 0.2 0:00.32
> > > httpd
> > >
> > > 9532 wwwrun 16 0 231m 9144 2240 S 4 0.2 0:00.11
> > > httpd
> > >
> > > 9392 wwwrun 16 0 234m 10m 2232 S 3 0.2 0:00.29
> > > httpd
> > >
> > > 9498 wwwrun 17 0 231m 9856 2296 S 3 0.2 0:00.13
> > > httpd
> > >
> > > 9499 wwwrun 17 0 230m 9100 2264 S 3 0.2 0:00.08
> > > httpd
> > >
> > > 9600 wwwrun 21 0 230m 9140 2272 S 3 0.2 0:00.08
> > > httpd
> > >
> > > 9386 wwwrun 15 0 232m 10m 2284 S 2 0.2 0:00.20
> > > httpd
> > >
> > > 9390 wwwrun 16 0 234m 10m 2220 S 2 0.2 0:00.23
> > > httpd
> > >
> > > 9530 wwwrun 16 0 230m 9056 2264 S 2 0.2 0:00.09
> > > httpd
> > >
> > > 1024 root 10 -5 0 0 0 S 1 0.0 0:02.81
> > > xfsdatad/0
> > >
> > > 9330 wwwrun 16 0 234m 10m 2288 S 1 0.2 0:00.30
> > > httpd
> > >
> > > 9505 wwwrun 16 0 230m 9124 2224 S 1 0.2 0:00.09
> > > httpd
> > >
> > > 1 root 16 0 732 284 244 S 0 0.0 0:02.00
> > > init
> > >
> > > 2 root RT 0 0 0 0 S 0 0.0 0:00.74
> > > migration/0
> > >
> > > 3 root 34 19 0 0 0 S 0 0.0 0:00.05
> > > ksoftirqd/0
> > >
> > >
> > >
> > >
> > > On Tue, Jun 24, 2008 at 7:18 PM, Brian Rectanus
> > > <Bri...@br... <mailto:Bri...@br...>
> > <mailto:Bri...@br...
> > <mailto:Bri...@br...>>> wrote:
> > >
> > > Nicola,
> > >
> > > I need to be able to duplicate this problem. Would you please
> > send your
> > > settings for Apache and modsecurity?
> > >
> > > For ModSecurity, I need your config settings (usually in
> > > modsecurity_crs_10_config.conf) and which other files you are
> > including.
> > >
> > > For Apache I at least need these:
> > >
> > > 1. Output from "httpd -V" and "httpd -l"
> > >
> > > 2. Values for the following directives:
> > >
> > > ServerLimit
> > > StartServers
> > > MaxClients
> > > MinSpareThreads
> > > MaxSpareThreads
> > > ThreadsPerChild
> > > MaxRequestsPerChild
> > > MaxRequestsPerThread
> > > KeepAlive
> > > KeepAliveTimeout
> > >
> > > 3. As well as your config for proxying (Balancer, ProxyPass,
> etc)?
> > >
> > > 4. Additionally, your entire error_log at at least level
> > "info" (cleared
> > > before the test), the server-status output during (or near)
> > the hang and
> > > CPU/Mem usage stats during the test would be nice as well.
> > >
> > > thanks,
> > > -B
> > >
> > >
> > > Ivan Ristic wrote:
> > > > Hi Nicola,
> > > >
> > > > We'll have to try to reproduce your problem somehow, as it
> > doesn't
> > > > happen in my tests. I've been using ab constantly over the
> > years for
> > > > testing, and I don't recall any problems either.
> > > >
> > > > Are you using mlogc or any other mechanism to transmit alerts
> > > elsewhere?
> > > >
> > > >
> > > > On Mon, Jun 23, 2008 at 2:51 PM, Nicola Bianchi
> > > > <bia...@gm... <mailto:bia...@gm...>
> > <mailto:bia...@gm... <mailto:bia...@gm...>>>
> > wrote:
> > > >> Hi people,
> > > >> I'm a new modsecurity user and I've a problem which maybe
> > some of
> > > you can
> > > >> resolve ;).
> > > >>
> > > >> My configuration is: reverse proxy (http/https) with apache
> > 2.2.9 and
> > > >> modsecurity 2.5.5 (core rules 2.5-1.6.1) on Linux SUSE
> SLES10.
> > > >> Hardware: 2CPU dual core Intel(R) Xeon(R) @ 2.33GHz, 4GB of
> RAM
> > > >>
> > > >> If I try this benchmark all work fine, without problem:
> > > >> ab -k -c 200 -n 8000 http://www.mysite.com/
> > > >> ab -k -c 200 -n 8000 https://www.mysite.com/
> > > >>
> > > >> ... no lost requests, no particular delay.
> > > >>
> > > >> The problem come out if I try to do a "DOS attack" pointing
> > directly
> > > > to the
> > > >> ip address of mysite in https
> > > >> After few request (~200) apache hang and stop responding ...
> > > >>
> > > >> ab -k -c 200 -n 8000 https://192.168.168.100/).
> > > >>
> > > >
> > >
> >
> #############################################################################
> > > >> # This is ApacheBench, Version 2.3 <$Revision: 655654 $>
> > > >> # Copyright 1996 Adam Twiss, Zeus Technology Ltd,
> > > http://www.zeustech.net/
> > > >> # Licensed to The Apache Software Foundation,
> > http://www.apache.org/
> > > >> #
> > > >> # Benchmarking 192.168.168.100 <http://192.168.168.100>
> > <http://192.168.168.100> (be patient)
> > > >> # Completed 200 requests
> > > >> # apr_poll: The timeout specified has expired (70007)
> > > >> # Total of 272 requests completed
> > > >>
> > > >
> > >
> >
> #############################################################################
> > > >>
> > > >> Here an extract from the logs:
> > > >>
> > > >
> > >
> >
> #############################################################################
> > > >> Jun 23 14:31:47 ulxbwaf httpd[8103]: [error] [client
> > > 192.168.168.168 <http://192.168.168.168> <
> http://192.168.168.168>]
> > > >> ModSecurity: Access denied with code 400 (phase 2). Pattern
> > match
> > > >> "^[\\d\\.]+$" at REQUEST_HEADERS:Host. [file
> > > >>
> > > >
> > >
> >
> "/opt/jail/opt/waf/mod_security/prod/conf/core_rules/modsecurity_crs_21_protocol_anomalies.conf"]
> > > >> [line "60"] [id "960017"] [msg "Host header is a numeric IP
> > address"]
> > > >> [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"]
> > [hostname
> > > >> "192.168.168.100 <http://192.168.168.100>
> > <http://192.168.168.100>"] [uri "/"] [unique_id
> > > "SF@XssIL0NIAAB@ncMAAAACI"]
> > > >>
> > > >
> > >
> >
> #############################################################################
> > > >>
> > > >> If I turn off modsecurity (SecRuleEngine Off) and I repeat
> > the test I
> > > > don't
> > > >> have problem!
> > > >> If I disable the specific rule (SecRuleRemoveById "960017")
> all
> > > work fine!
> > > >>
> > > >> So, have you some idea about this issue?
> > > >> How can I prevent this kind of "DOS attack"?
> > > >>
> > > >> Thanks a lot! Regards
> > > >> Nick
> > > >>
> > > >> PS: sorry for my ridicolous english ;)
> > > >>
> > > >>
> > >
> >
> -------------------------------------------------------------------------
> > > >> Check out the new SourceForge.net Marketplace.
> > > >> It's the best place to buy or sell services for
> > > >> just about anything Open Source.
> > > >> http://sourceforge.net/services/buy/index.php
> > > >> _______________________________________________
> > > >> mod-security-users mailing list
> > > >> mod...@li...
> > <mailto:mod...@li...>
> > > <mailto:mod...@li...
> > <mailto:mod...@li...>>
> > > >>
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > > >>
> > > >>
> > > >
> > > >
> > > >
> > > > --
> > > > Ivan Ristic
> > > >
> > > >
> > >
> >
> -------------------------------------------------------------------------
> > > > Check out the new SourceForge.net Marketplace.
> > > > It's the best place to buy or sell services for
> > > > just about anything Open Source.
> > > > http://sourceforge.net/services/buy/index.php
> > > > _______________________________________________
> > > > mod-security-users mailing list
> > > > mod...@li...
> > <mailto:mod...@li...>
> > > <mailto:mod...@li...
> > <mailto:mod...@li...>>
> > > >
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > > >
> > >
> > >
> > > --
> > > Brian Rectanus
> > > Breach Security
> > >
> > >
> >
> >
> > --
> > Brian Rectanus
> > Breach Security
> >
> >
>
>
> --
> Brian Rectanus
> Breach Security
>
|