VPS server restarting, MOD_SECURITY?

My VPS server has been having problems recently; for example, last weekend the PHP module Imagemagick stopped working and I had to do a PERC uninstall/reinstall.

Today my server was completely unresponsive for 20 minutes. This is mission-critical software, and downtime is completely unacceptable. Below are the logs from before the outage. I would very much appreciate any advice; we have contacted our host, but ultimately it falls to me to understand and fix it. At the very least I'd like to understand the problem better!

[THU AUG 13 13:11:24 2015] [notice] SIGUSR1 received.  Doing graceful restart
[THU AUG 13 13:11:26 2015] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[THU AUG 13 13:11:26 2015] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[THU AUG 13 13:11:26 2015] [notice] mod_bw : Memory Allocated 0 bytes (each conf takes 48 bytes)
[THU AUG 13 13:11:26 2015] [notice] mod_bw : Version 0.92 - Initialized [0 Confs]
[THU AUG 13 13:11:26 2015] [notice] Apache/2.2.29 (Unix) mod_ssl/2.2.29 OpenSSL/1.0.1e-fips DAV/2 mod_bwlimited/1.4 configured -- resuming normal operations
[THU AUG 13 13:42:51 2015] [error] [client 88.252.32.143] ModSecurity: Access denied with code 406 (phase 1). Operator EQ matched 0 at REQUEST_HEADERS. [file "/opt/mod_security/hg_rules.conf"] [line "91"] [id "900161"] [msg "XMLRPC Request with no UA/Ref"] [hostname "www.REDACTED.com"] [uri "/xmlrpc.php"] [unique_id "VczXGzJ0SbEAAD9dIycAAADI"]
[THU AUG 13 14:33:49 2015] [error] [client 72.27.221.129] ModSecurity: Access denied with code 406 (phase 1). Operator EQ matched 0 at REQUEST_HEADERS. [file "/opt/mod_security/hg_rules.conf"] [line "91"] [id "900161"] [msg "XMLRPC Request with no UA/Ref"] [hostname "www.REDACTED.com"] [uri "/xmlrpc.php"] [unique_id "VczjDTJ0SbEAAD9eJIEAAACR"]
[THU AUG 13 14:40:44 2015] [error] [client 52.13.23.41] ModSecurity: Access denied with code 403 (phase 1). Pattern match "CONNECT" at REQUEST_METHOD. [file "/opt/mod_security/10_asl_rules.conf"] [line "59"] [id "340361"] [rev "2"] [msg "CONNECT method denied"] [data "CONNECT"] [severity "CRITICAL"] [hostname "www.wikipedia.org"] [uri "/"] [unique_id "VczkrDJ0SbEAAD9cIuEAAABX"]
[THU AUG 13 15:09:28 2015] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[THU AUG 13 15:09:28 2015] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[THU AUG 13 15:09:28 2015] [notice] suEXEC mechanism enabled (wrapper: /usr/local/apache/bin/suexec)
[THU AUG 13 15:09:28 2015] [notice] ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/) configured.
[THU AUG 13 15:09:28 2015] [notice] ModSecurity: APR compiled version="1.5.1"; loaded version="1.5.1"
[THU AUG 13 15:09:28 2015] [notice] ModSecurity: PCRE compiled version="8.36 "; loaded version="8.36 2014-09-26"
[THU AUG 13 15:09:28 2015] [notice] ModSecurity: LUA compiled version="Lua 5.1"
[THU AUG 13 15:09:28 2015] [notice] ModSecurity: LIBXML compiled version="2.9.2"
[THU AUG 13 15:09:28 2015] [notice] Status engine is currently disabled, enable it by set SecStatusEngine to On.
[THU AUG 13 15:09:29 2015] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[THU AUG 13 15:09:29 2015] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[THU AUG 13 15:09:29 2015] [notice] mod_bw : Memory Allocated 0 bytes (each conf takes 48 bytes)
[THU AUG 13 15:09:29 2015] [notice] mod_bw : Version 0.92 - Initialized [0 Confs]
[THU AUG 13 15:09:29 2015] [warn] pid file /usr/local/apache/logs/httpd.pid overwritten -- Unclean shutdown of previous Apache run?
[THU AUG 13 15:09:29 2015] [notice] Apache/2.2.29 (Unix) mod_ssl/2.2.29 OpenSSL/1.0.1e-fips DAV/2 mod_bwlimited/1.4 configured -- resuming normal operations Can't connect to local MySQL server through socket '/tmp/mysql.sock' (2)
[THU AUG 13 15:11:12 2015] [notice] SIGUSR1 received.  Doing graceful restart
[THU AUG 13 15:11:13 2015] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[THU AUG 13 15:11:13 2015] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[THU AUG 13 15:11:13 2015] [notice] mod_bw : Memory Allocated 0 bytes (each conf takes 48 bytes)
[THU AUG 13 15:11:13 2015] [notice] mod_bw : Version 0.92 - Initialized [0 Confs]
[THU AUG 13 15:11:13 2015] [notice] Apache/2.2.29 (Unix) mod_ssl/2.2.29 OpenSSL/1.0.1e-fips DAV/2 mod_bwlimited/1.4 configured -- resuming normal operations

Answer 1

Mod_security is an excellent application-level firewall. Based on the messages you're getting, I'd bet your site isn't actually down/crashing; rather, mod_security is blocking access. I have seen it misconfigured many times so that it only produces blank pages.

From the line in your log, ModSecurity: Access denied with code 406, we get the ID of the possibly problematic filter, 900161. You should be able to disable it with SecRuleRemoveById in the host/virtual host, assuming it's an Apache server.

You may also want to look at mod_security's monitoring mode.
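A small triage helper, added here as an example (it is not from the question or the answer), that parses Apache 2.2 error_log lines in the format shown above, tallies the ModSecurity rule ids that blocked requests, and builds the narrowest SecRuleRemoveById exclusion for a given id. The log lines, client IPs and unique_ids below are constructed samples.

```python
import re
from collections import Counter

# Constructed sample lines in the Apache 2.2 error_log format from the question
# (IPs, hostnames and unique_ids are made up; rule ids match the question's log).
SAMPLE_LOG = """\
[Thu Aug 13 13:42:51 2015] [error] [client 192.0.2.10] ModSecurity: Access denied with code 406 (phase 1). Operator EQ matched 0 at REQUEST_HEADERS. [file "/opt/mod_security/hg_rules.conf"] [line "91"] [id "900161"] [msg "XMLRPC Request with no UA/Ref"] [hostname "www.example.com"] [uri "/xmlrpc.php"] [unique_id "AAAA"]
[Thu Aug 13 14:33:49 2015] [error] [client 192.0.2.11] ModSecurity: Access denied with code 406 (phase 1). Operator EQ matched 0 at REQUEST_HEADERS. [file "/opt/mod_security/hg_rules.conf"] [line "91"] [id "900161"] [msg "XMLRPC Request with no UA/Ref"] [hostname "www.example.com"] [uri "/xmlrpc.php"] [unique_id "BBBB"]
[Thu Aug 13 14:40:44 2015] [error] [client 198.51.100.5] ModSecurity: Access denied with code 403 (phase 1). Pattern match "CONNECT" at REQUEST_METHOD. [file "/opt/mod_security/10_asl_rules.conf"] [line "59"] [id "340361"] [rev "2"] [msg "CONNECT method denied"] [data "CONNECT"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/"] [unique_id "CCCC"]
[Thu Aug 13 15:11:12 2015] [notice] SIGUSR1 received.  Doing graceful restart
"""

# Only "Access denied" lines are blocks; notices and warnings are skipped.
DENIED_RE = re.compile(r'\[client (?P<client>[^\]]+)\] ModSecurity: Access denied with code (?P<code>\d+)')
# Bracketed key/value tags appended by mod_security: [id "900161"], [msg "..."], [uri "..."], ...
TAG_RE = re.compile(r'\[(?P<key>\w+) "(?P<val>[^"]*)"\]')

def parse_denials(text):
    """Return one dict per blocked request: client, HTTP code and every bracketed tag."""
    events = []
    for line in text.splitlines():
        m = DENIED_RE.search(line)
        if not m:
            continue
        ev = {"client": m.group("client"), "code": int(m.group("code"))}
        ev.update(TAG_RE.findall(line))  # list of (key, val) tuples
        events.append(ev)
    return events

def summarize(events):
    """Per rule id: how many blocks, the rule message, distinct URIs and distinct clients."""
    summary = {}
    for ev in events:
        s = summary.setdefault(ev["id"], {"msg": ev.get("msg", ""), "count": 0,
                                          "uris": set(), "clients": set()})
        s["count"] += 1
        s["uris"].add(ev.get("uri", ""))
        s["clients"].add(ev["client"])
    return summary

def exclusion_directive(rule_id, uri=None):
    """Narrowest mod_security 2.x exclusion: per-location when a URI is known, else global."""
    if uri:
        return f'<LocationMatch "^{re.escape(uri)}$">\n    SecRuleRemoveById {rule_id}\n</LocationMatch>'
    return f"SecRuleRemoveById {rule_id}"

if __name__ == "__main__":
    for rid, s in summarize(parse_denials(SAMPLE_LOG)).items():
        print(f'{rid}: {s["count"]} blocks, "{s["msg"]}", uris={sorted(s["uris"])}, clients={len(s["clients"])}')
    print(exclusion_directive("900161", "/xmlrpc.php"))
```

Before removing a rule outright, compare the blocked clients against legitimate traffic; a rule that only fires on anonymous xmlrpc.php probes is doing its job, and scoping the exclusion to a LocationMatch keeps the rest of the rule set active.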
