mod-security-users

[mod-security-users] "Peer closed connection: a timeout occurred"

[Stephen S. <beh...@gm...>]

Hi All

I've inherited a project that uses modsecurity (wrapped in
jcmoraisjr/modsecurity-spoa <https://github.com/jcmoraisjr/modsecurity-spoa>
).
Looking at the modsecurity logs...I see plenty of legitimate log messages
when a SecRule is matched, but also
a TON of lines like this:

1679689652.575012 [01] <223243> Peer closed connection: a timeout occurred

There isn't any additional info around these log lines, I'd appreciate if
folks can help a newcomer out and
help give some context about what causes these messages. Does this indicate
a slow client attack?
The need to adjust some config?  Is this normal / expected?

Thanks for your time,
Stephen

Re: [mod-security-users] "Peer closed connection: a timeout occurred"

[Christian F. <chr...@ne...>]

Hey Stephen,

I am not familiar with HAProxy and this integration.

But speaking from a general position, there is always a chance for a
timeout, but the exact message (and the TON of them) is troubling.

https://www.mail-archive.com/search?l=h...@fo...&q=subject:%22Re%5C%3A+doubt+how+to+compile+modsecurity+module+for+HAproxy%22&o=newest&f=1
discusses this, but I am none the wiser now.

I am not sure wether HAProxy closes the connection now or there was a timeout
and HAProxy concludes the client closed the connection. Or whatever.

I would try and do two things:
- Raise the timeout and monitor for a general reduction of the number of
  messages.
- Try to reproduce the error message on separate machine. That way you will
  learn what really is the problem - and if it is one from an operating
  standpoint (users not getting what they want) - or just noise (everybody
  gets their responses OK, but HAProxy is unhappy about connection termination
  and regularly complains.

Good luck,

Christian



On Fri, Mar 24, 2023 at 04:37:03PM -0400, Stephen Schor wrote:
> Hi All
> 
> I've inherited a project that uses modsecurity (wrapped in
> jcmoraisjr/modsecurity-spoa <https://github.com/jcmoraisjr/modsecurity-spoa>
> ).
> Looking at the modsecurity logs...I see plenty of legitimate log messages
> when a SecRule is matched, but also
> a TON of lines like this:
> 
> 1679689652.575012 [01] <223243> Peer closed connection: a timeout occurred
> 
> There isn't any additional info around these log lines, I'd appreciate if
> folks can help a newcomer out and
> help give some context about what causes these messages. Does this indicate
> a slow client attack?
> The need to adjust some config?  Is this normal / expected?
> 
> Thanks for your time,
> Stephen


> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/