I've patched my servers, a long time ago. I've noticed that slapper worm (or whatever is causing the "HTTP/1.1 request without hostname" and "GET_CLIENT_MASTER_KEY:key arg too long" lines in apache's error log) causes another problem:
While it's attempting to infect my servers, it seizes all the apache processes, and apache waits for TCP_TIMEOUT minutes before hanging up and accepting new connections. That's 10 minutes of the server being unreachable.

I've been using a script to watch for slapper attempts and restart the webserver if it sees it (code below), but this is inefficient, costs CPU, and unless I run this every minute I will get some downtime.

Is there a more efficient way of getting slapper to not grab my webserver connections? I've considered recompiling apache to get rid of the "Server:" HTTP response header line completely, but deploying a recompiled binary (and recompiling every time) across a web-farm is a drastic solution. I was hoping for something less disruptive.

Code for worm_watcher.sh (simplified; what I use is actually more complex for multiple apache instances on the same machine) follows:

    #!/bin/sh
    MAILTO="[EMAIL PROTECTED]"
    LOG="/var/log/apache/error_log"
    PID="/var/run/apache.pid"
    # Temporary file holding the log lines matched on this run
    OUT=`mktemp /tmp/worm_watcher.XXXXXX` || exit 1

    # logtail prints only the lines appended since the previous run;
    # keep the ones that match the two slapper signatures
    /usr/sbin/logtail "$LOG" \
      | /bin/egrep '(client sent HTTP/1.1 request without hostname|SSL routines:GET_CLIENT_MASTER_KEY:key arg too long)' \
      > "$OUT"

    # If anything matched, mail the lines and send HUP to apache
    if [ -s "$OUT" ]; then
        /bin/cat "$OUT" | /usr/bin/mail -s "slapper found" "$MAILTO"
        /bin/kill -HUP `/bin/cat "$PID"`
    fi
    rm -f "$OUT"