Apache2Triad Help, Support and Development

[rocketboy]

Hi all

Hope you lot can help me out here.

I've been using A2T for quite some time now with no problems. And then a few weeks ago I've been getting complete lock up (computer not responding no mouse moving etc) usually happening in the evenings at random times.

Did a complete format reinstall of XP pro and latest A2T. But it's happening again.

I've checked the server logs and nothing unusual.

I runs fine during the day.

Any ideas. I'm losing hair here...

[Vlad Alexa Mancini]

just to make sure you know your options it could be anything from a dos attack to a change to your os trough windows update , or a antivirus for example or other program from it's update.

i am afraid you donot have much options besides considering every seemingly unrelated change , try to disable it, test , reiterate.

[rocketboy]

Thanks for the response Vlad

There is currently no anti-virus software installed on the machine (there was on the old build) to see if it was interfering with anything. Also as it's been a complete reinstall I have only really done XP updates. I might start uninstalling the most recent XP updates to see if that cures anything.

Everyting in my gut says it could well be a dos attack as it's my only other explination for whats going on. But why would anyone bother I keep getting asked!

Is there anyway can I tell where it's coming from if it isa dos?

Is there any solution short of going down the root of some other hosting which would be a very last resort.

The server as gone down again.. Gaa

[Vlad Alexa Mancini]

rocketboy wrote:
Is there anyway can I tell where it's coming from if it isa dos?


depends on the type of attack , but most likely no because of spoofing or distribution

http://en.wikipedia.org/wiki/Denial-of-service_attack

your isp might help you determine the attack if any and maybe even filter it

most dos attacks are towards business that provide services , hence the name , if you are a home user and do not provide any this scenarion is statistically not that likely

[rocketboy]

Yeah it's a site thats used in education. I've done various rollbacks and everything seemed OK but went down again late last night.

Stuck on the latest mod_security and am in the midst of setting that up now.

I've also stuck some port monitoring software on to see if that shows up anything suspect.


May have to contact my ISP and see if they can do anything. Humf

Will keep you posted

[Joshua Meadows (DemoRic)]

Mod DOS evasive may help you. There is a link for apache 2.2.x located at
http://www.apachelounge.com/forum/viewtopic.php?t=917
I've used different versions for the past year - year and a half, and haven't had problems with using it.

If you're using 2.0.x I can find a link for you for it too.
I also use connection limiting by IP, and bandwidth throttling. If you're intrested in those I can add links for those modules too.

[Vlad Alexa Mancini]

just want to point out that mod_evasive is only for a subset of dos attacks , namely HTTP DoS attacks , but that might as well be the type of attack in question here

[Joshua Meadows (DemoRic)]

Mancini is correct, it could be a DOS attack on any service that you are running. You may also want to check your router to see if it has any adaptive DOS prevention tools, or attack prevention. Lastly, of course is limit the open ports to ONLY those services that you use.

[rocketboy]

Thanks Joshua and Vlad

Will give mod_evasive a go.

I've been in touch with my ISP and they say the connection is fine.

The server is still going down in the evenings. I even monitored it one night and all was OK then it went down just afer 12am.

I changed the network card this morning (clutching at straws a bit) thinking that maybe it could be a factor.

I'm interested in the connection limiting by IP and bandwidth throttling. Tell me more.

Will keep you posted. Thanks again Guys!

[Joshua Meadows (DemoRic)]

http://www.gknw.net/development/apache/httpd-2.2/win32/modules/

mod_limitipconn
Be aware this may have a negative impact on networks that proxy their connections, although there also existed a proxy detection patch/feature I don't know if this version is compiled with it I just set the limit to a resonable number for what my server can handle.

mod_bw
(a thread that goes into more detail about mod bandwidth http://apache2triad.net/forums/viewtopic.php?t=4620&highlight=modbw )

[rocketboy]

Good News

The server did'nt go down last night and has been up all day.

The only changes I have made are the network card and mod_evasive.

Now I don't really know which change has made the difference but it is working well so far.

I'm going to do a bit more tweaking with the mod_limitipconn to see if that can improve things further.


Will keep you posted if there is any further developments.

Thanks again for the help


***UPDATE***

Well the sever went down again on Saturday morning. This is after almost 5 days without a problem.

In the logs I had noticed someone was trying their best to gain access to phpmyadmin using an IP of 133.6.75.12 gits. Also a load of ip's with 201.40.18.58 referring to websites that don't exist on my server. I think this has been spoofed in an attempt to do a dos. I've since blocked these addresses.

Oh hum what to do..

[Joshua Meadows (DemoRic)]

If you only access your phpmyadmin account on localhost you could use mod rewrite to allow access to localhost, and redirect other requests to an auto ban script. Thereby automating this process.

Example auto banning script
http://apache2triad.net/forums/viewtopic.php?t=1353

You could set this up easily if you use virtual hosts, just have a vhost for localhost, and one for your public server. Just rewrite all phpmyadmin attempts to a ban script on your public vhost.

[rocketboy]

Thanks Joshua

I will implement. The server is still going down on a daily basis but it seems to have settled on or around 6 - 8am. I don't see anything in the logs that give anything away.

I did a stupid Win32DisableAcceptEx yesterday and it killed mySQL after shot while. So I won't be doing that again :o)

The only other change that I have made to the server is install Microsoft Activesync 4 for syncinbg PDA's. But i've removed that as well.

[Joshua Meadows (DemoRic)]

Do you have any system scanning software that triggers at those times?
Does the server actually crash, or does it just not respond.

Band aid solution
start -> run -> services.msc
right-click on the a2t service that your using
select properties
and set the recovery options.

I use:
1st - Restart Service
2nd - Restart Service
Subsequent - Restart Computer
Reset count - 1 day
Restart Service After - 5 min.

*Sorry for the long delay in response, I have been working on other projects and enjoying other hobbies.

[rocketboy]

Sorry been away for a while myself.

The server does not have any other software installed that scans at any time.

The machine just does not respond ie locks up with no mouse, keyboard or net response.

Just doing another complete reinstall of the OS and wiping the drive to see if that cures anything. Also leaving out the system updates. So the onlything that will be on is A2T.

Here goes nothing!

**UPDATE**

Well i've reinstalled and all seemed fine. Applied Microsoft system updates and behold lockups. Again it was at random times. In the early mornings only. Ran fine during the working day.

Did another complete reinstall of XP and all seems OK again. BTW rolling back updates makes no difference.

So it appears to be one of the system updates causing it. But which one?

I don't think I will be applying any updates anytime soon to see how it goes.