Hi. On one of the servers I administer we occasionally get an access attempt from /w00tw00t.isc.sans.dfind. I'm sure you've all seen this at one time or another. Fortunately for us, it usually doesn't get anywhere. Apache sends back a 400 and I think it moves on.

The problem is when this happens, Apache opens a child process that never gets closed by the client (obviously), so after a few hours, Apache tries to shut it down. It sends a series of SIGTERMs and then finally a SIGKILL. None of the SIGTERMs work, but the SIGKILL does. Then immediately after the SIGKILL, Apache itself catches a SIGTERM and shuts down.

I'd like to prevent this (obviously), but I'm not sure how. There are two options I can think of, and I'd like to do both if possible:

1) Block access attempts from that string completely so the child process is never even opened. I've already blocked the IP, but I'd imagine that that kind of request can come from multiple IPs so I don't know if that would really help.

2) Configure Apache to either ignore that SIGTERM it catches or to restart itself when it gets one.

Any advice would be greatly appreciated. Thanks in advance!
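Whether the probe really arrives from several addresses, as the post above suspects, can be read from the access log. The following is an added example, not part of the original thread: a shell function that counts requests for /w00tw00t paths per client address and how many of them were not answered with a 400. The common/combined log format and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: per-client count of w00tw00t probe requests in an Apache
# access log. Assumes the common/combined log format.

# Constructed sample lines (documentation addresses, not real traffic).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [12/Mar/2010:03:14:07 +0000] "GET /w00tw00t.isc.sans.dfind HTTP/1.1" 400 226 "-" "-"
198.51.100.7 - - [12/Mar/2010:03:15:41 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Mar/2010:09:02:55 +0000] "GET /w00tw00t.isc.sans.dfind HTTP/1.1" 400 226 "-" "-"
203.0.113.99 - - [13/Mar/2010:01:47:19 +0000] "GET /w00tw00t.isc.sans.dfind HTTP/1.1" 400 226 "-" "-"
198.51.100.23 - - [13/Mar/2010:01:50:02 +0000] "GET /W00TW00T.isc.sans.dfind HTTP/1.1" 404 208 "-" "-"
198.51.100.7 - - [13/Mar/2010:02:00:00 +0000] "GET /search?q=w00tw00t HTTP/1.1" 200 812 "-" "Mozilla/5.0"
EOF
}

# Reads log files given as arguments, or stdin when none are given.
# Prints one line per client: <probe count> <client address> <probes not answered with 400>
probe_sources() {
    awk -F'"' '
        {
            split($1, pre, " ")    # text before the request: address, ident, user, time
            split($2, req, " ")    # request line: method, path, protocol
            split($3, post, " ")   # text after the request: status, bytes
            # Match on the request path only, case-insensitively, so a
            # query string or referrer that mentions the name is ignored.
            if (index(tolower(req[2]), "/w00tw00t") == 1) {
                hits[pre[1]]++
                if (post[1] != "400") other[pre[1]]++
            }
        }
        END { for (ip in hits) print hits[ip], ip, other[ip] + 0 }
    ' "$@" | LC_ALL=C sort -k1,1nr -k2,2
}

sample_log | probe_sources
```

A non-zero third column means a probe received something other than the 400 described in the post, which is worth checking against the virtual host that answered it.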
You running a fresh box or with a control panel? AFAIK, cPanel automatically restarts upon Apache going down.
I use this configuration in my httpd.conf and I never had a problem with child processes:

Timeout 10
KeepAlive On
MaxKeepAliveRequests 80
KeepAliveTimeout 2
<IfModule prefork.c>
    StartServers 3
    MinSpareServers 3
    MaxSpareServers 10
    ServerLimit 50
    MaxClients 30
    MaxRequestsPerChild 600
</IfModule>
Ilajas, thanks for the tip. I implemented this a while back and it seems to have worked until now. The server just went down again. It would seem that I need to double check for the existence of the prefork.c module. Can you give me a tip on how to do this? Thanks.
Do you mean next time I need to reboot the Apache service? Would that mean I have to completely reboot the server?