On Thu, Aug 01, 2013 at 10:49:59PM -0700, Grant wrote:
> Do you do this only when under DoS attack or all the time?
All the time.
> Won't you potentially prevent legitimate users from making a single
> connection if they're connecting with a shared IP from a university
> campus (for example)?
Ye
You could potentially deny legitimate users access. I limit so many
connections per second per source IP. If I knew I were getting a ton of
traffic from a University I would have to adjust it accordingly.
The setting in pfSense is Maximum new connections / per second(s) -
that's per IP. My
> Truthfully, I've always limited connections from the source IP via a
> firewall before the traffic is even passed to apache.
Do you do this only when under DoS attack or all the time?
Won't you potentially prevent legitimate users from making a single
connection if they're connecting with a sha
Truthfully, I've always limited connections from the source IP via a
firewall before the traffic is even passed to apache.
On 08/01/2013 04:39 AM, Grant wrote:
Two different things come to mind. Kingcope found an Apache byterange
vulnerability and the PoC code he wrote for it exhausts the res
> Two different things come to mind. Kingcope found an Apache byterange
> vulnerability and the PoC code he wrote for it exhausts the resources on a
> server running Apache. Only 1 instance of his perl script had to be run.
> LOIC is another that could possibly DoS your server from one source. W
>> ModSecurity looks good and I think it works with nginx as well as
>> apache. Is everyone who isn't running OSSEC HIDS or ModSecurity
>> vulnerable to a single client requesting too many pages and
>> interrupting the service?
>
> Not everyone, no. There are other alternatives such as mod_limitip
On Mon, Jul 29, 2013 at 11:25:26PM -0700, Grant wrote:
> ModSecurity looks good and I think it works with nginx as well as
> apache. Is everyone who isn't running OSSEC HIDS or ModSecurity
> vulnerable to a single client requesting too many pages and
> interrupting the service?
Not everyone, no.
Two different things come to mind. Kingcope found an Apache byterange
vulnerability and the PoC code he wrote for it exhausts the resources on
a server running Apache. Only 1 instance of his perl script had to be
run. LOIC is another that could possibly DoS your server from one
source. What
> You wouldn't keep a syn proxy rule enabled all the time; only under a DoS
> attack. You could also implement ModSecurity.
ModSecurity looks good and I think it works with nginx as well as
apache. Is everyone who isn't running OSSEC HIDS or ModSecurity
vulnerable to a single client requesting t
You wouldn't keep a syn proxy rule enabled all the time; only under a
DoS attack. You could also implement ModSecurity.
On 07/29/2013 02:07 PM, Grant wrote:
Also, you should be able to limit simultaneous client connections with your
firewall and pass the traffic in a syn proxy state. There are
> Also, you should be able to limit simultaneous client connections with your
> firewall and pass the traffic in a syn proxy state. There are numerous ways
> to achieve this.
Is that the best way to go besides OSSEC HIDS? I can imagine that
sort of thing could cause problems.
- Grant
>> You ca
> You can always compile from source ;)
> What version of Apache are you running?
I'm running 2.2.25.
- Grant
>>> Was it just an IP exhausting the apache service with too many
>>> connections? What do you see in the access logs? I use OSSEC HIDS on my
>>> apache servers to mitigate this.
>>
>
Also, you should be able to limit simultaneous client connections with
your firewall and pass the traffic in a syn proxy state. There are
numerous ways to achieve this.
On 07/29/2013 03:18 AM, Michael D. Wood wrote:
You can always compile from source ;)
What version of Apache are you running?
On 07/29/2013 02:59 AM, Grant wrote:
Was it just an IP exhausting the apache service with too many
connections? What do you see in the access logs? I use OSSEC HIDS on
my apache servers to mitigate this.
In the ac
> Was it just an IP exhausting the apache service with too many connections?
> What do you see in the access logs? I use OSSEC HIDS on my apache servers to
> mitigate this.
In the access log I see the same IP made many requests during the
service interruption and I think that exhausted the apa
Was it just an IP exhausting the apache service with too many connections?
What do you see in the access logs? I use OSSEC HIDS on my apache servers to
mitigate this.
--
Sent from my mobile device
Michael D. Wood
www.itsecuritypros.org
Grant wrote:
>> My server has 4GB RAM and uses nginx as
> My server has 4GB RAM and uses nginx as a reverse proxy to apache. A
> little while ago my website became inaccessible for about 30 minutes.
> I checked my munin graphs and it looks like apache processes spiked to
> about 29 during this time which is many times greater than usual. I
> have MaxC