Posted to users@httpd.apache.org by Miguel González Castaños <mi...@yahoo.es> on 2012/02/12 20:02:04 UTC
[users@httpd] w00t and Dfind web scanner
Dear all,
I'm the system admin of a web server and I found these errors in my
apache logs:
[Tue Feb 07 10:35:08 2012] [warn] (43)Identifier removed: Failed to
release SSL session cache lock
[Tue Feb 07 10:36:04 2012] [warn] (43)Identifier removed: Failed to
acquire SSL session cache lock
[Tue Feb 07 10:36:04 2012] [warn] (43)Identifier removed: Failed to
release SSL session cache lock
[Tue Feb 07 10:36:05 2012] [warn] child process 21599 still did not
exit, sending a SIGTERM
[Tue Feb 07 10:36:06 2012] [notice] caught SIGTERM, shutting down
also some traces of Dfind web scanner:
[Mon Feb 06 05:54:01 2012] [error] [client 88.46.75.27] client sent
HTTP/1.1 request without hostname (see RFC2616 section 14.23):
/w00tw00t.at.ISC.SANS.DFind:)
I have added a rule into my iptables to block this and so far so good.
However I don't know how these "failed to release SSL session cache
lock" managed to bring my apache server down and if they are somehow
related to these Dfind scans.
Any ideas?
Regards,
Miguel
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
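Added example, not part of the original thread: one way to check whether the probes and the SSL session cache lock warnings line up in time is to parse the error log and look for probe entries shortly before each lock warning. The function names and the 5-minute window are assumptions chosen for illustration; the sample lines are the entries quoted in the post above, unwrapped to one line each.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Apache 2.2 error_log line: [timestamp] [level] optional [client IP] message
LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] "
                  r"(?:\[client (?P<ip>[^\]]+)\] )?(?P<msg>.*)$")
PROBE = re.compile(r"w00tw00t", re.I)         # marker in the DFind probe URI
LOCK = re.compile(r"SSL session cache lock")  # mod_ssl lock warnings

def parse(line):
    """Return (timestamp, client_ip_or_None, message), or None if unparsable."""
    m = LINE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    except ValueError:
        return None
    return ts, m["ip"], m["msg"]

def triage(lines, window=timedelta(minutes=5)):
    """Count probes per client; pair each lock warning with probes just before it."""
    probes, locks = [], []
    for ts, ip, msg in filter(None, map(parse, lines)):
        if PROBE.search(msg):
            probes.append((ts, ip))
        elif LOCK.search(msg):
            locks.append(ts)
    per_client = Counter(ip for _, ip in probes)
    near = [(t, [ip for p, ip in probes if timedelta(0) <= t - p <= window])
            for t in locks]
    return per_client, near

# Constructed sample: the entries quoted in the post, unwrapped to one line each.
SAMPLE = [
    "[Mon Feb 06 05:54:01 2012] [error] [client 88.46.75.27] client sent HTTP/1.1 "
    "request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)",
    "[Tue Feb 07 10:35:08 2012] [warn] (43)Identifier removed: Failed to release SSL session cache lock",
    "[Tue Feb 07 10:36:04 2012] [warn] (43)Identifier removed: Failed to acquire SSL session cache lock",
    "[Tue Feb 07 10:36:04 2012] [warn] (43)Identifier removed: Failed to release SSL session cache lock",
    "[Tue Feb 07 10:36:05 2012] [warn] child process 21599 still did not exit, sending a SIGTERM",
    "[Tue Feb 07 10:36:06 2012] [notice] caught SIGTERM, shutting down",
]

if __name__ == "__main__":
    per_client, near = triage(SAMPLE)
    print("probes per client:", dict(per_client))
    for ts, ips in near:
        print(ts, "lock warning; probes in preceding 5 min:", ips or "none")
```

On the quoted entries the probe is logged more than a day before the first lock warning, so no lock warning has a probe inside the window.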
Re: [users@httpd] w00t and Dfind web scanner
Posted by Miguel González Castaños <mi...@yahoo.es>.
On 14/02/2012 03:02, Igor Cicimov wrote:
> Check this link
>
> http://httpd.apache.org/docs/2.2/mod/mpm_common.html#acceptmutex
>
> and try to add
>
> AcceptMutex pthread
>
> to your config in case you run mpm_worker.
But in the info it says it can be used with prefork and worker.
Since it's a CentOS machine it was built with prefork as default. Is
this option (prefork) causing this issue? Can I set it up for using
AcceptMutex even when I'm using prefork?
Many thanks,
Miguel
Re: [users@httpd] w00t and Dfind web scanner
Posted by Igor Cicimov <ic...@gmail.com>.
Check this link
http://httpd.apache.org/docs/2.2/mod/mpm_common.html#acceptmutex
and try to add
AcceptMutex pthread
to your config in case you run mpm_worker.
2012/2/14 Miguel González Castaños <mi...@yahoo.es>
>
>
>> What OS, kernel, httpd version?
>> If linux, /var/log/messages|kernel_log|daemon_log can also often
>> give some indication of problems.
>>
> I have checked /var/log/messages (the other two don't exist) and I don't
> find anything. What can cause those SSL cache locks to bring the server
> down?
>
> Regards,
>
> Miguel
Re: [users@httpd] w00t and Dfind web scanner
Posted by Miguel González Castaños <mi...@yahoo.es>.
>
> What OS, kernel, httpd version?
> If linux, /var/log/messages|kernel_log|daemon_log can also often
> give some indication of problems.
>
I have checked /var/log/messages (the other two don't exist) and I don't
find anything. What can cause those SSL cache locks to bring the server
down?
Regards,
Miguel
Re: [users@httpd] w00t and Dfind web scanner
Posted by Miguel González Castaños <mi...@yahoo.es>.
>
> What OS, kernel, httpd version?
> If linux, /var/log/messages|kernel_log|daemon_log can also often
> give some indication of problems.
>
Yes, it's Linux CentOS 5.5, kernel 2.6.18-194.3.1.el5 and
httpd-2.2.3-53.el5.centos.3
Regards,
Miguel
Re: [users@httpd] w00t and Dfind web scanner
Posted by Noel Butler <no...@ausics.net>.
On Sun, 2012-02-12 at 20:02 +0100, Miguel González Castaños wrote:
> Dear all,
>
> I'm the system admin of a web server and I found these errors in my
> apache logs:
>
> [Tue Feb 07 10:35:08 2012] [warn] (43)Identifier removed: Failed to
> release SSL session cache lock
> [Tue Feb 07 10:36:04 2012] [warn] (43)Identifier removed: Failed to
> acquire SSL session cache lock
> [Tue Feb 07 10:36:04 2012] [warn] (43)Identifier removed: Failed to
> release SSL session cache lock
> [Tue Feb 07 10:36:05 2012] [warn] child process 21599 still did not
> exit, sending a SIGTERM
> [Tue Feb 07 10:36:06 2012] [notice] caught SIGTERM, shutting down
>
> also some traces of Dfind web scanner:
>
> [Mon Feb 06 05:54:01 2012] [error] [client 88.46.75.27] client sent
> HTTP/1.1 request without hostname (see RFC2616 section 14.23):
> /w00tw00t.at.ISC.SANS.DFind:)
>
Wouldn't worry too much, the world is full of scan scripts, both good,
and some bad.
> I have added a rule into my iptables to block this and so far so good
>
> However I don't know how these "failed to release SSL session cache
> lock" managed to bring my apache server down and if they are somehow
> related to these Dfind scans.
>
What OS, kernel, httpd version?
If linux, /var/log/messages|kernel_log|daemon_log can also often give
some indication of problems.