Forum Moderators: bakedjake


Attack!

DOS attack?

         

Nisse

8:59 pm on Jul 22, 2003 (gmt 0)

10+ Year Member



I have some problems with my Red Hat server:

Today I received a MySQL error on my PHP scripts saying 'too many persistet connections',
when I checked my server filesystem with df I found that the partition my server is running on was 100% full and that my /var/log/httpd/error_log file was 1 GB big (eating the whole partition). I deleted it and then restarted the server and everything worked again...

Five minutes later I checked the error_log again and found that it had grown to 2 MB... so now I'm getting pissed...
I checked it and saw that all entries in the log were made by a request from [live365.com...] thousands of them... So now to my questions:

- Was this an attack from live365.com?
- How do I prevent attacks from taking my server down?
- Can I somehow restrict my log files so they don't get too big and fill the partition?
- What have I missed? :)

Thanks!

/Niels

claus

9:08 pm on Jul 22, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Welcome to WebmasterWorld Nisse :)

Well... DOS I'd say. Not from the website mentioned as referrer, the referrer's probably fake. What IP was used?

Quickfix: Redirect all incoming to 127.0.0.0 or localhost, and disable logs.

/claus

Nisse

9:35 pm on Jul 22, 2003 (gmt 0)

10+ Year Member



What is a DOS attack? (I'm not so good at this...)

I stupidly deleted the error_log so I can't show you a line from it...

The quickfix wasn't a good idea... I want the logs, but I don't want them to **** up my server...

claus

10:11 pm on Jul 22, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



It is your error_log? I thought it was your access_log ... Sorry about that.

I really don't know why your error_log would be filled with entries from a website (an online radio station, sort of) - but if it is requests for your web page they should be in your access_log as well.

link: [httpd.apache.org...]

check out the LogLevel directive to see how to set a "filter" on your error_log.

A DOS attack can be a couple of things... it's all about feeding the server with more requests than it's likely to handle successfully. The quickfix sends all requests right back in the face of those requesting, it was not intended as a permanent measure.

My best advice right now would be to seek advice in a dedicated security/linux forum. I'm a bit concerned that I'm the only one that has answered; knowing my own limits, this is not good enough for you at this moment.

Anyway, try to get the IP (or IPs) off the access_log, do a "whois" and contact their security or abuse departments as appropriate.

/claus
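An added example, not part of the original posts: before deleting a runaway error_log, a short tally of log levels, client IPs and referers shows whether the entries come from one address or many, which is what the whois/abuse step above needs. It assumes the Apache 1.3/2.0 error_log line layout; the function name `summarize`, the sample lines, the IPs and the referer URL are constructed placeholders.

```python
import re
import sys
from collections import Counter

# Assumed layout: [timestamp] [level] [client IP] message, referer: URL
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] "
    r"(?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$"
)
REFERER_RE = re.compile(r", referer: (?P<ref>\S+)$")

# Constructed sample lines (documentation-range IPs, placeholder referer).
SAMPLE = """\
[Tue Jul 22 20:55:01 2003] [error] [client 192.0.2.10] File does not exist: /var/www/html/stream.pls, referer: http://radio.example.com/play
[Tue Jul 22 20:55:01 2003] [error] [client 192.0.2.10] File does not exist: /var/www/html/stream.pls, referer: http://radio.example.com/play
[Tue Jul 22 20:55:02 2003] [error] [client 198.51.100.7] File does not exist: /var/www/html/stream.pls, referer: http://radio.example.com/play
[Tue Jul 22 20:55:03 2003] [notice] child pid 1234 exit signal Segmentation fault (11)
[Tue Jul 22 20:55:04 2003] [error] [client 192.0.2.10] File does not exist: /var/www/html/favicon.ico
garbage line
""".splitlines()

def summarize(lines, top=5):
    """Tally levels, client IPs and referers; works on any iterable of lines."""
    levels, clients, referers = Counter(), Counter(), Counter()
    unparsed = 0
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            unparsed += 1          # keep count of lines we could not read
            continue
        levels[m["level"]] += 1
        if m["client"]:            # server-side notices carry no client field
            clients[m["client"]] += 1
        ref = REFERER_RE.search(m["msg"])
        if ref:                    # the referer is client-supplied, so untrusted
            referers[ref["ref"]] += 1
    return {"levels": levels.most_common(top), "clients": clients.most_common(top),
            "referers": referers.most_common(top), "unparsed": unparsed}

if __name__ == "__main__":
    if len(sys.argv) > 1:          # stream the real file line by line
        with open(sys.argv[1], errors="replace") as fh:
            result = summarize(fh)
    else:
        result = summarize(SAMPLE)
    for key, value in result.items():
        print(key, value)
```

Run it with the log path as the only argument; the file is streamed, so a log of 1 GB does not need to fit in memory.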

Nisse

10:20 pm on Jul 22, 2003 (gmt 0)

10+ Year Member



ok thanks!

hostlead

11:49 am on Aug 1, 2003 (gmt 0)

10+ Year Member



DOS attack=Denial of Service attack

HostLead