Apache logs: checking a slowloris attack

Viewed 300 times

3

I’m simulating a slowloris attack against a Debian server running Apache.

The attacking machines are Debian as well.

In order to make sure that the slowloris attack was effective, I would like to access the Apache logs and check whether the denial of service occurred, that is, whether it ever stopped accepting connections, the state of the buffers and so on. The times of the attacks are known.

Does Apache provide such information? Where to check in Debian? Any suggestions what else to check?

Is it possible to "clean the logs" (after backing up) to restart the experiments? How to do this?

1 answer

4


There are two relevant logs you might want to check:

  • error.log: all errors that may have occurred in the service, usually at /var/log/apache2/error.log
  • access.log: access logs (time, source IP, HTTP method, URL accessed, User-Agent), usually at /var/log/apache2/access.log

To reset the logs (delete the contents), if you want to back up first:

cd /var/log/apache2
sudo cp access.log access.backup1.log
sudo cp error.log error.backup1.log

And to delete the content:

cd /var/log/apache2
sudo cp /dev/null access.log
sudo cp /dev/null error.log

Tip:
What I mostly do with the error.log is follow it in real time in a terminal:

tailf -10 path/to/error.log

This means:
tailf: follow the latest contents of the file
-10: last 10 lines

  • If I delete these logs, does it create the files again, or can it cause problems in Apache?

  • Do not delete them; what I do is delete the content only. I edited this part @Eds

  • Is "server reached MaxRequestWorkers setting, consider raising the MaxRequestWorkers setting" a good indication of denial of service?

  • I’ve never seen this error, but it makes sense that it’s one of the symptoms of DDoS @Eds

  • I don’t know much about Apache, but it has a command "apachectl fullstatus |more". It lists connections, whether it is accepting, etc. Does this then get stored somewhere? In the logs above, I didn’t find it!

  • @Eds see if this helps: https://www.liquidweb.com/kb/use-httpd-fullstatus-to-monitor-apache-status/
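
Added example (not part of the original answer or comments): a small Python check that looks, inside a known attack window, for the MaxRequestWorkers message in error.log and counts 408 (Request Timeout) entries per client in access.log. The log lines are constructed samples in Apache 2.4's default formats, the 408 count is an extra check not mentioned in the thread, and the window is assumed to be in the server's local time.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines (not taken from the page), Apache 2.4 default formats.
ERROR_LOG = """\
[Wed Oct 11 14:29:58.101010 2023] [mpm_prefork:notice] [pid 900] AH00163: Apache/2.4.57 (Debian) configured -- resuming normal operations
[Wed Oct 11 14:32:52.123456 2023] [mpm_prefork:error] [pid 900] AH00161: server reached MaxRequestWorkers setting, consider raising the MaxRequestWorkers setting
"""
ACCESS_LOG = """\
198.51.100.7 - - [11/Oct/2023:14:31:05 +0000] "GET / HTTP/1.1" 200 10701 "-" "curl/8.0"
203.0.113.5 - - [11/Oct/2023:14:32:40 +0000] "-" 408 0 "-" "-"
203.0.113.5 - - [11/Oct/2023:14:32:41 +0000] "-" 408 0 "-" "-"
203.0.113.5 - - [11/Oct/2023:15:10:00 +0000] "-" 408 0 "-" "-"
"""

# error.log: "[Wed Oct 11 14:32:52.123456 2023] ..." ; access.log: combined format.
ERR_RE = re.compile(r"^\[\w{3} (\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})\.\d+ (\d{4})\] .*"
                    r"server reached MaxRequestWorkers setting")
ACC_RE = re.compile(r'^(\S+) \S+ \S+ \[([^ \]]+) [^\]]+\] "[^"]*" (\d{3}) ')

def check_window(error_log, access_log, start, end):
    """Return (worker-exhaustion timestamps, 408 count per client) within [start, end]."""
    hits, timeouts = [], Counter()
    for line in error_log.splitlines():
        m = ERR_RE.match(line)
        if m:
            ts = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%b %d %H:%M:%S %Y")
            if start <= ts <= end:
                hits.append(ts)
    for line in access_log.splitlines():
        m = ACC_RE.match(line)
        if m and m.group(3) == "408":
            # The UTC offset is ignored: both logs print server-local wall-clock time.
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S")
            if start <= ts <= end:
                timeouts[m.group(1)] += 1
    return hits, timeouts

if __name__ == "__main__":
    start, end = datetime(2023, 10, 11, 14, 30), datetime(2023, 10, 11, 14, 40)
    hits, timeouts = check_window(ERROR_LOG, ACCESS_LOG, start, end)
    print("MaxRequestWorkers reached at:", [t.isoformat() for t in hits])
    print("408 responses per client:", dict(timeouts))
```

To run it against the real files, read /var/log/apache2/error.log and /var/log/apache2/access.log into strings and pass the start and end of each experiment.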
