Hi everyone,
I think I have been under attack for several days now, from several on-the-fly attempts, which end up knocking my server out with the error
[error] server reached MaxClients setting, consider raising the MaxClients setting and which, as a consequence, blocks access to my site with the error
mod_fcgid: can't apply process slot for /var/www/php-fcgi-scripts/web2/.php-fcgi-starter, referer:
I have put the logs below, sorry if it is long.
Example:
Excerpt from /var/log/apache2/error.log:
Code:
[Mon Oct 05 23:41:41 2015] [error] [client 198.27.86.36] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.Win32:)
[Mon Oct 05 23:41:41 2015] [error] [client 198.27.86.36] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.Win32:)
[Tue Oct 06 00:28:26 2015] [error] [client 91.121.166.9] File does not exist: /var/www/script
[Tue Oct 06 00:28:26 2015] [error] [client 91.121.166.9] File does not exist: /var/www/jenkins
[Tue Oct 06 00:28:26 2015] [error] [client 91.121.166.9] File does not exist: /var/www/hudson
[Tue Oct 06 00:28:26 2015] [error] [client 91.121.166.9] File does not exist: /var/www/login
[Tue Oct 06 00:28:26 2015] [error] [client 91.121.166.9] File does not exist: /var/www/jenkins
[Tue Oct 06 00:28:26 2015] [error] [client 91.121.166.9] File does not exist: /var/www/hudson
[Tue Oct 06 00:28:27 2015] [error] [client 91.121.166.9] File does not exist: /var/www/jmx-console
[Tue Oct 06 00:28:27 2015] [error] [client 91.121.166.9] File does not exist: /var/www/manager
[Tue Oct 06 00:28:27 2015] [error] [client 91.121.166.9] File does not exist: /var/www/msd
[Tue Oct 06 00:28:27 2015] [error] [client 91.121.166.9] File does not exist: /var/www/mySqlDumper
[Tue Oct 06 00:28:27 2015] [error] [client 91.121.166.9] File does not exist: /var/www/msd1.24stable
[Tue Oct 06 00:28:27 2015] [error] [client 91.121.166.9] File does not exist: /var/www/msd1.24.4
it goes on
Code:
[Tue Oct 06 03:28:31 2015] [error] [client 185.25.151.159] script '/var/www/testproxy.php' not found or unable to stat
[Tue Oct 06 03:47:48 2015] [error] [client 58.213.123.107] File does not exist: /var/www/apps/manager
[Tue Oct 06 04:11:56 2015] [error] [client 88.198.41.83] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Tue Oct 06 04:11:56 2015] [error] [client 88.198.41.83] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Tue Oct 06 04:46:19 2015] [error] [client 88.198.41.83] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Tue Oct 06 04:46:19 2015] [error] [client 88.198.41.83] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Tue Oct 06 04:49:32 2015] [error] [client 88.198.41.83] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Tue Oct 06 04:49:32 2015] [error] [client 88.198.41.83] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
PHP Warning: Module 'apc' already loaded in Unknown on line 0
[Tue Oct 06 06:04:03 2015] [error] [client 192.99.111.97] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.Win32:)
[Tue Oct 06 06:04:03 2015] [error] [client 192.99.111.97] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.Win32:)
[Tue Oct 06 06:12:51 2015] [error] [client 95.213.177.124] script '/var/www/azenv.php' not found or unable to stat, referer: https://proxyradar.com/
[Tue Oct 06 06:14:53 2015] [error] [client 95.213.177.122] script '/var/www/azenv.php' not found or unable to stat, referer: https://proxyradar.com/
[Tue Oct 06 07:13:39 2015] [error] [client 115.239.248.30] File does not exist: /var/www/manager
PHP Warning: Module 'apc' already loaded in Unknown on line 0
[Tue Oct 06 08:25:36 2015] [error] [client 91.121.166.9] File does not exist: /var/www/script
[Tue Oct 06 08:25:36 2015] [error] [client 91.121.166.9] File does not exist: /var/www/jenkins
[Tue Oct 06 08:25:37 2015] [error] [client 91.121.166.9] File does not exist: /var/www/hudson
[Tue Oct 06 08:25:37 2015] [error] [client 91.121.166.9] File does not exist: /var/www/login
[Tue Oct 06 08:25:37 2015] [error] [client 91.121.166.9] File does not exist: /var/www/jenkins
[Tue Oct 06 08:25:37 2015] [error] [client 91.121.166.9] File does not exist: /var/www/hudson
[Tue Oct 06 08:25:37 2015] [error] [client 91.121.166.9] File does not exist: /var/www/jmx-console
[Tue Oct 06 08:25:37 2015] [error] [client 91.121.166.9] File does not exist: /var/www/manager
[Tue Oct 06 08:25:37 2015] [error] [client 91.121.166.9] File does not exist: /var/www/msd
etc.
up to
Code:
[Tue Oct 06 09:59:07 2015] [error] [client 91.121.166.9] File does not exist: /var/www/phpMyAdmin-4.2.1-all-languages
[Tue Oct 06 09:59:07 2015] [error] [client 91.121.166.9] File does not exist: /var/www/phpMyAdmin-4.2.1-english
[Tue Oct 06 09:59:07 2015] [error] [client 91.121.166.9] File does not exist: /var/www/sqlite
[Tue Oct 06 09:59:07 2015] [error] [client 91.121.166.9] File does not exist: /var/www/SQLite
[Tue Oct 06 09:59:07 2015] [error] [client 91.121.166.9] File does not exist: /var/www/SQLiteManager-1.2.4
[Tue Oct 06 09:59:07 2015] [error] [client 91.121.166.9] File does not exist: /var/www/sqlitemanager
[Tue Oct 06 09:59:07 2015] [error] [client 91.121.166.9] File does not exist: /var/www/SQlite
[Tue Oct 06 09:59:07 2015] [error] [client 91.121.166.9] File does not exist: /var/www/SQLiteManager
[Tue Oct 06 10:40:14 2015] [error] server reached MaxClients setting, consider raising the MaxClients setting
[Tue Oct 06 10:43:01 2015] [error] [client 91.121.166.9] File does not exist: /var/www/script
[Tue Oct 06 10:43:20 2015] [error] [client 91.121.166.9] File does not exist: /var/www/msd
[Tue Oct 06 10:43:20 2015] [error] [client 91.121.166.9] File does not exist: /var/www/phpmyadmin
[Tue Oct 06 10:43:41 2015] [error] [client 91.121.166.9] File does not exist: /var/www/sqlite
[Tue Oct 06 10:43:53 2015] [error] [client 91.121.166.9] File does not exist: /var/www/SQLite
As a result, in my website's log, under /var/www/monsite.fr/log, I get the following errors right after the "MaxClients" error
Code:
[Tue Oct 06 10:40:22 2015] [warn] [client 82.233.227.136] mod_fcgid: can't apply process slot for /var/www/php-fcgi-scripts/web2/.php-fcgi-starter, referer: http://www.monsite.fr/page-produit.html
[Tue Oct 06 10:40:22 2015] [warn] [client 82.233.227.136] mod_fcgid: can't apply process slot for /var/www/php-fcgi-scripts/web2/.php-fcgi-starter, referer: http://www.monsite.fr/page-produit.html
[Tue Oct 06 10:40:23 2015] [warn] [client 213.44.254.36] mod_fcgid: can't apply process slot for /var/www/php-fcgi-scripts/web2/.php-fcgi-starter, referer: http://www.monsite.fr/une-page.html
[Tue Oct 06 10:40:24 2015] [warn] [client 82.233.227.136] mod_fcgid: can't apply process slot for /var/www/php-fcgi-scripts/web2/.php-fcgi-starter, referer: http://www.monsite.fr/page-produit.html
[Tue Oct 06 10:40:25 2015] [warn] [client 82.233.227.136] mod_fcgid: can't apply process slot for /var/www/php-fcgi-scripts/web2/.php-fcgi-starter, referer: http://www.monsite.fr/page-produit.html
[Tue Oct 06 10:40:25 2015] [warn] [client 82.233.227.136] mod_fcgid: can't apply process slot for /var/ww
The error
[error] server reached MaxClients setting, consider raising the MaxClients setting
Do you think this is a coincidence?
I try restarting apache2, but afterwards the server still remains unreachable to visitors:
Code:
[Tue Oct 06 10:46:31 2015] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Oct 06 10:46:31 2015] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Oct 06 10:46:31 2015] [notice] suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec)
[Tue Oct 06 10:46:31 2015] [notice] Digest: generating secret for digest authentication ...
[Tue Oct 06 10:46:31 2015] [notice] Digest: done
[Tue Oct 06 10:46:31 2015] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Oct 06 10:46:31 2015] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Oct 06 10:46:31 2015] [notice] Apache/2.2.16 (Debian) DAV/2 mod_fcgid/2.3.6 PHP/5.3.3-7+squeeze19 with Suhosin-Patch mod_ruby/1.2.6 Ruby/1.8.7(2010-08-16) mod_ssl/2.2.16 OpenSSL/0.9.8o configured -- resuming normal operations
[Tue Oct 06 10:47:20 2015] [error] server reached MaxClients setting, consider raising the MaxClients setting
PHP Warning: Module 'apc' already loaded in Unknown on line 0
PHP Warning: Module 'apc' already loaded in Unknown on line 0
PHP Warning: Module 'apc' already loaded in Unknown on line 0
[Tue Oct 06 10:51:05 2015] [error] [client 200.55.187.54] File does not exist: /var/www/phpMyAdmin
[Tue Oct 06 10:51:11 2015] [error] [client 200.55.187.54] File does not exist: /var/www/pma
[Tue Oct 06 10:51:29 2015] [error] [client 200.55.187.54] File does not exist: /var/www/myadmin
[Tue Oct 06 10:53:24 2015] [notice] caught SIGTERM, shutting down
[Tue Oct 06 10:53:33 2015] [error] FastCGI process 7871 still did not exit, terminating forcefully
[Tue Oct 06 10:53:33 2015] [error] FastCGI process 7891 still did not exit, terminating forcefully
[Tue Oct 06 10:53:33 2015] [error] FastCGI process 7938 still did not exit, terminating forcefully
[Tue Oct 06 10:53:33 2015] [error] FastCGI process 7941 still did not exit, terminating forcefully
[Tue Oct 06 10:53:33 2015] [error] FastCGI process 7944 still did not exit, terminating forcefully
[Tue Oct 06 10:53:33 2015] [error] FastCGI process 7959 still did not exit, terminating forcefully
[Tue Oct 06 10:53:33 2015] [error] FastCGI process 7960 still did not exit, terminating forcefully
[Tue Oct 06 10:53:33 2015] [error] FastCGI process 7962 still did not exit, terminating forcefully
[Tue Oct 06 10:53:33 2015] [error] FastCGI process 7965 still did not exit, terminating forcefully
[Tue Oct 06 10:53:33 2015] [error] FastCGI process 7968 still did not exit, terminating forcefully
[Tue Oct 06 10:53:33 2015] [error] FastCGI process 7970 still did not exit, terminating forcefully
[Tue Oct 06 10:53:33 2015] [error] FastCGI process 7975 still did not exit, terminating forcefully
[Tue Oct 06 10:53:33 2015] [error] FastCGI process 7977 still did not exit, terminating forcefully
Consequently, I took the following actions:
- I enabled CrawlProtect (which had been disabled after an update)
- I enabled Fail2Ban with the "classic" actions, for example apache-bruteforce.conf, which contains:
Code:
more apache-bruteforce.conf
[Definition]
# <HOST> is the fail2ban placeholder that captures the client IP from the "[client x.x.x.x]" field;
# without it fail2ban-regex reports no matches and the jail cannot ban anything.
# Continuation lines of a multi-line failregex must be indented.
failregex = [[]client <HOST>[]] File does not exist: /var/www/admin.*
            [[]client <HOST>[]] File does not exist: /usr/share/.*
            [[]client <HOST>[]] request failed: error reading the headers
            [[]client <HOST>[]] File does not exist: /var/www/3rdparty.*
            [[]client <HOST>[]] File does not exist: /var/www/PHPMYADMIN.*
            [[]client <HOST>[]] File does not exist: /var/www/PMA.*
            [[]client <HOST>[]] File does not exist: /var/www/phpMyAdmin.*
            [[]client <HOST>[]] File does not exist: /var/www/round.*
            [[]client <HOST>[]] File does not exist: /var/www/rc.*
            [[]client <HOST>[]] File does not exist: /var/www/mss2.*
            [[]client <HOST>[]] File does not exist: /var/www/mail.*
            [[]client <HOST>[]] File does not exist: /var/www/rms.*
            [[]client <HOST>[]] File does not exist: /var/www/web.*
            [[]client <HOST>[]] File does not exist: /var/www/wm.*
            [[]client <HOST>[]] File does not exist: /var/www/bin.*
            [[]client <HOST>[]] File does not exist: /var/www/cube.*
            [[]client <HOST>[]] File does not exist: /var/www/proxy.*
            [[]client <HOST>[]] File does not exist: /var/www/ip.*
            [[]client <HOST>[]] File does not exist: /var/www/mysql.*
            [[]client <HOST>[]] File does not exist: /var/www/myadmin.*
            [[]client <HOST>[]] File does not exist: /var/www/bbs.*
            [[]client <HOST>[]] File does not exist: /var/www/cpadmin.*
            [[]client <HOST>[]] File does not exist: /var/www/blog.*
            [[]client <HOST>[]] File does not exist: /var/www/forum.*
            [[]client <HOST>[]] File does not exist: /var/www/e107.*
            [[]client <HOST>[]] File does not exist: /var/www/www.*
            [[]client <HOST>[]] File does not exist: /var/www/SSLMySQLAdmin.*
            [[]client <HOST>[]] File does not exist: /var/www/SQL.*
            [[]client <HOST>[]] File does not exist: /var/www/~.*
            [[]client <HOST>[]] File does not exist: /var/www/db.*
            [[]client <HOST>[]] File does not exist: /var/www/sql.*
            [[]client <HOST>[]] File does not exist: /var/www/Myadmin.*
            [[]client <HOST>[]] File does not exist: /var/www/php.*
            [[]client <HOST>[]] File does not exist: /var/www/2phpmyadmin.*
            [[]client <HOST>[]] File does not exist: /var/www/tool.*
            [[]client <HOST>[]] File does not exist: /var/www/path.*
            [[]client <HOST>[]] File does not exist: /var/www/data.*
            [[]client <HOST>[]] File does not exist: /var/www/doesnotexist.*
ignoreregex =
Running the following command,
Code:
root@xxxxxx:/etc/fail2ban/filter.d# fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-bruteforce.conf
Over two days, I get 1591 lines matching this filter!
In the file /etc/fail2ban/jail.local, I added last night:
Code:
[apache-w00tw00t]
enabled = true
filter = apache-w00tw00t
action = iptables[name=Apache-w00tw00t,port=80,protocol=tcp]
#mail-whois-lines[name=%(__name__)s, dest=%(destemail)s, logpath=%(logpath)s]
         sendmail-whois[name=Apache-w00tw00t, dest=monadressemail@hotmail.com, sender=fail2ban@mail.com]
#action = %(action_mwl)s
logpath = /var/log/apache2/*.log
maxretry = 1
bantime = 3600

[apache-flood]
enabled = true
filter = apache-flood
action = iptables[name=Apache-flood,port=80,protocol=tcp]
         mail-whois-lines[name=%(__name__)s, dest=%(destemail)s, logpath=%(logpath)s]
logpath = /var/log/apache2/access*.log
maxretry = 3
bantime = 3600

[apache-ddos]
enabled = true
filter = apache-ddos
action = iptables[name=Apache-ddos,port=80,protocol=tcp]
         mail-whois-lines[name=%(__name__)s, dest=%(destemail)s, logpath=%(logpath)s]
logpath = /var/log/apache2/error*.log
maxretry = 3
bantime = 3600

[apache-bruteforce]
enabled = true
filter = apache-bruteforce
action = iptables[name=Apache-bruteforce,port=80,protocol=tcp]
         sendmail-whois[name=HTTP, dest=monadressemail@hotmail.com, sender=fail2ban@mail.com]
logpath = /var/log/apache2/error*.log
maxretry = 6
bantime = 3600
Last night, same thing again, I still see in my website's logs,
Code:
[Tue Oct 06 23:16:55 2015] [warn] [client 87.65.172.66] mod_fcgid: can't apply process slot for /var/www/php-fcgi-scripts/web2/.php-fcgi-starter, referer: http://www.monsite.fr/moto-teleguide.html
[Tue Oct 06 23:16:59 2015] [warn] [client 82.233.227.136] mod_fcgid: can't apply process slot for /var/www/php-fcgi-scripts/web2/.php-fcgi-starter, referer: http://www.monsite.fr/une-page.html
[Tue Oct 06 23:16:59 2015] [warn] [client 82.233.227.136] mod_fcgid: can't apply process slot for /var/www/php-fcgi-scripts/web2/.php-fcgi-starter, referer: http://www.monsite.fr/une-page.html
[Tue Oct 06 23:17:02 2015] [warn] [client 66.249.67.44] mod_fcgid: can't apply process slot for /var/www/php-fcgi-scripts/web2/.php-fcgi-starter
[Tue Oct 06 23:17:04 2015] [warn] [client 82.233.227.136] mod_fcgid: can't apply process slot for /var/www/php-fcgi-scripts/web2/.php-fcgi-starter, referer: http://www.monsite.fr/une-page.html
and this between 23:16 and 23:51, but this time without causing a MaxClients error, so my site remained accessible to the other visitors.
For information, it is the same IP address as the first time (yesterday morning), when the server was knocked out.
So I get the impression that the IP address 82.233.227.136 is (deliberately? I'm almost sure of it...) doing things that wreak havoc on my site.
Also, I have not had more visits than on the previous days. I have had the same number of visitors for 5 years without any problem...
So this morning I put an even stricter rule on Apache-bruteforce, with maxretry=1.
What do you think?
Should I ban the IP address I spotted? If so, how do I prevent this from happening again with another IP address?
Sorry again, it was long, but I wanted your valuable opinions.
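Added example, not part of the post: a small Python script that parses Apache 2.2 error.log lines of the shape quoted above, classifies each one (scanner probe, mod_fcgid slot warning, MaxClients), and applies fail2ban-style maxretry/findtime counting to probe lines only, so visitors who merely trigger the "can't apply process slot" warning never count toward a ban. The sample lines are quoted from the excerpts above; the defaults (maxretry=6, findtime=600 s) match the apache-bruteforce jail and fail2ban's default findtime.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache 2.2 error.log entry: "[Tue Oct 06 00:28:26 2015] [error] [client 91.121.166.9] File does not exist: /var/www/jenkins"
LINE_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} \d{4})\] "
    r"\[(?P<level>\w+)\] (?:\[client (?P<ip>[\d.]+)\] )?(?P<msg>.*)$")
# Messages left by scanners guessing for admin tools that are not installed on this server.
PROBE_RE = re.compile(
    r"File does not exist: /var/www/"
    r"|script '/var/www/[^']*' not found or unable to stat"
    r"|request without hostname .*?/w00tw00t\.")

def parse(line):
    """Return (timestamp, client ip or None, kind) for one line, or None if it is not an error.log entry."""
    m = LINE_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    kind = ("probe" if PROBE_RE.search(msg) else
            "fcgid_slot" if "can't apply process slot" in msg else
            "maxclients" if "reached MaxClients" in msg else "other")
    return datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"), m.group("ip"), kind

def offenders(lines, maxretry=6, findtime=timedelta(seconds=600)):
    """fail2ban-style counting: report an IP once it has maxretry probe hits within findtime.
    Only 'probe' lines count, so visitors who merely trigger the mod_fcgid slot warning are never banned."""
    hits, banned = defaultdict(list), {}
    for ts, ip, kind in filter(None, map(parse, lines)):
        if kind != "probe" or ip is None:
            continue
        hits[ip] = [t for t in hits[ip] if ts - t <= findtime] + [ts]  # sliding window
        if len(hits[ip]) >= maxretry and ip not in banned:
            banned[ip] = ts  # time of the hit that crossed the threshold
    return banned

SAMPLE_LINES = [  # quoted from the error.log excerpts in the post above
    "[Mon Oct 05 23:41:41 2015] [error] [client 198.27.86.36] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.Win32:)",
    "[Tue Oct 06 00:28:26 2015] [error] [client 91.121.166.9] File does not exist: /var/www/script",
    "[Tue Oct 06 00:28:26 2015] [error] [client 91.121.166.9] File does not exist: /var/www/jenkins",
    "[Tue Oct 06 00:28:26 2015] [error] [client 91.121.166.9] File does not exist: /var/www/hudson",
    "[Tue Oct 06 00:28:26 2015] [error] [client 91.121.166.9] File does not exist: /var/www/login",
    "[Tue Oct 06 00:28:27 2015] [error] [client 91.121.166.9] File does not exist: /var/www/jmx-console",
    "[Tue Oct 06 00:28:27 2015] [error] [client 91.121.166.9] File does not exist: /var/www/manager",
    "PHP Warning: Module 'apc' already loaded in Unknown on line 0",
    "[Tue Oct 06 10:40:14 2015] [error] server reached MaxClients setting, consider raising the MaxClients setting",
    "[Tue Oct 06 10:40:22 2015] [warn] [client 82.233.227.136] mod_fcgid: can't apply process slot for /var/www/php-fcgi-scripts/web2/.php-fcgi-starter, referer: http://www.monsite.fr/page-produit.html",
]
```

Running `offenders(SAMPLE_LINES)` reports only 91.121.166.9 (banned at its sixth probe, 00:28:27); the w00tw00t client has a single hit and the visitor behind the mod_fcgid warning is never counted.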