I noticed that today's server sites are not opening. No services are stopped. It's confusing because as soon as you restart Apache for a few moments, the sites become accessible and then crash. I am using the version before the latest version of Ispconfig(3.2.11p1) and Debian 12. In the Apache Log(/var/log/apache2/error.log) it shows: Code: [ N 2024-02-24 18:20:16.2751 34099/T1 age/Wat/WatchdogMain.cpp:1377 ]: Starting Passenger watchdog... [ N 2024-02-24 18:20:16.2931 34110/T1 age/Cor/CoreMain.cpp:1340 ]: Starting Passenger core... [ N 2024-02-24 18:20:16.2932 34110/T1 age/Cor/CoreMain.cpp:256 ]: Passenger core running in multi-application mode. [ N 2024-02-24 18:20:16.3226 34110/T1 age/Cor/CoreMain.cpp:1015 ]: Passenger core online, PID 34110 [Sat Feb 24 18:20:16.323463 2024] [:notice] [pid 33985:tid 139731003795328] mod_python: Creating 8 session mutexes based on 0 max processes and 50 max threads. [Sat Feb 24 18:20:16.323483 2024] [:notice] [pid 33985:tid 139731003795328] mod_python: using mutex_directory /tmp [Sat Feb 24 18:20:16.355076 2024] [mpm_event:notice] [pid 33985:tid 139731003795328] AH00489: Apache/2.4.57 (Debian) OpenSSL/3.0.11 mod_fcgid/2.3.9 Phusion_Passenger/6.0.17 mod_python/3.5.0+git20211031.e6458ec Python/3.11.2 configured -- resuming normal operations [Sat Feb 24 18:20:16.355109 2024] [core:notice] [pid 33985:tid 139731003795328] AH00094: Command line: '/usr/sbin/apache2' [ E 2024-02-24 18:20:19.3391 34110/T5 age/Cor/SecurityUpdateChecker.h:521 ]: A security update is available for your version (6.0.17) of Phusion Passenger(R). We strongly recommend upgrading to version 6.0.20. [ E 2024-02-24 18:20:19.3391 34110/T5 age/Cor/SecurityUpdateChecker.h:526 ]: Additional security update check information: - [Fixed in 6.0.19] [CVE-2023-38545] A vulnerability existed in libcurl before 8.4.0 which was the library used for Passenger proxy functionality. Exploiting this vulnerability would require two preconditions. First a SOCKS5 proxy to be configured for Passenger licensing, anonymous telemetry, or security update check which is not the default but is possible. Second the attacker would need to cause Passenger to use an attacker-controlled URL when performing these requests. Causing Passenger to use non-standard urls requires that the attacker already have code execution on the Passenger host, or control of the Passenger config. If exploited this vulnerability could lead to code execution, due to buffer overflow. [Sat Feb 24 18:20:39.393089 2024] [mpm_event:error] [pid 33985:tid 139731003795328] AH00484: server reached MaxRequestWorkers setting, consider raising the MaxRequestWorkers setting In the Ispconfig log it shows nothing. I adjusted the MPM to the format below, but the problem continues. /etc/apache2/mods-available/mpm_event.conf Code: StartServers 4 MinSpareThreads 50 MaxSpareThreads 150 ThreadLimit 128 ThreadsPerChild 50 MaxRequestWorkers 300 MaxConnectionsPerChild 0 Has anyone ever experienced this ? I believe it is a DDOS problem or a problem with the server. I did a test where I changed all DNS records that pointed to the ispconfig hosting server, so theoretically the DDOS would be stopped. I just left my machine pointing to the server and the problem actually continues to say about mpm in the apache log
You could start with https://forum.howtoforge.com/threads/please-read-before-posting.58408/ and post the report in CODE tags.
If the sites are available for a short time and then stop, then the issue can not be a config problem as config does not change unless you alter it during that short time. So its more likely a DOS as you guessed. Check how much memory your server uses and how high the load is until it stops, e.g. by using top command. It might e.g. be that you allow the processes to use up your RAM and when you do not have swap available, then the kernel will start to kill processes.
It really was a DOS or DDOS problem. Today the sites are back to normal. We will look for a solution to avoid similar problems. Thanks.
You can use the Apache mod_evasive module to let Apache block when there are too many requests from one IP. Of course, it helps mostly for DOS and not so much for DDOS, but it's worth a try.
