Slapper worm does more than infect
I've patched my servers, a long time ago. I've noticed that slapper
worm (or whatever is causing the "HTTP/1.1 request without hostname" and
"GET_CLIENT_MASTER_KEY:key arg too long" lines in apache's error log)
causes another problem:
While it's attempting to infect my servers, it seizes all the apache
processes, and apache waits for TCP_TIMEOUT minutes before hanging up
and accepting new connections. That's 10 minutes of the server being
unreachable.
I've been using a script to watch for slapper attempts and restart the
webserver if it sees it (code below), but this is inefficient, costs
CPU, and unless I run this every minute I will get some downtime. Is
there a more efficient way of getting slapper to not grab my webserver
connections? I've considered recompiling apache to get rid of the
"Server:" HTTP response header line completely, but deploying a
recompiled binary (and recompiling every time) across a web-farm is a
drastic solution. I was hoping for something less disruptive.
Code for worm_watcher.sh (simplified; what I use is actually more
complex for multiple apache instances on the same machine) follows:
#!/bin/sh
MAILTO="mmoore@novator.com"
LOG="/var/log/apache/error_log"
PID="/var/run/apache.pid"
# Scratch file for the matched lines (the original never set $OUT).
OUT=`/bin/mktemp /tmp/worm_watcher.XXXXXX` || exit 1
# logtail only emits lines added since the last run, so each invocation
# sees only new error_log entries.
/usr/sbin/logtail $LOG \
|/bin/egrep '(client sent HTTP/1.1 request without hostname|SSL routines:GET_CLIENT_MASTER_KEY:key arg too long)' \
>$OUT
# -s: file exists and is non-empty, i.e. at least one line matched.
if [ -s "$OUT" ]; then
/bin/cat "$OUT" |/usr/bin/mail -s "slapper found" $MAILTO
/bin/kill -HUP `/bin/cat $PID`
fi
rm -f "$OUT"
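As an added example (not the poster's script), here is the same watcher logic with the detection split out into functions so it can be checked offline against constructed error_log lines before it is trusted to HUP a production server. The log and pid paths, the sample log lines and the presence of logtail are assumptions; the two patterns are the ones quoted in the post.

```shell
#!/bin/sh
# Added example: Slapper-probe detection for an Apache error_log.
# Assumed: logtail(8) is installed (as in the original), paths are illustrative.

# The two error_log signatures the post attributes to Slapper probes.
PATTERN='(client sent HTTP/1\.1 request without hostname|SSL routines:GET_CLIENT_MASTER_KEY:key arg too long)'

# slapper_hits FILE: print matching lines; exit status 0 iff something matched.
slapper_hits() {
    grep -E "$PATTERN" "$1"
}

# slapper_count FILE: print the number of matching lines (exit 0 even on zero).
slapper_count() {
    grep -E -c "$PATTERN" "$1" || true
}

# make_sample_log FILE: write constructed error_log lines (not captured data)
# so the detection can be exercised without a live server.
make_sample_log() {
    cat >"$1" <<'EOF'
[Mon Sep 16 12:00:01 2002] [error] [client 192.0.2.10] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Mon Sep 16 12:00:02 2002] [error] mod_ssl: SSL handshake failed (server www.example.com:443, client 192.0.2.10) (OpenSSL library error follows)
[Mon Sep 16 12:00:02 2002] [error] OpenSSL: error:1406908F:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
[Mon Sep 16 12:00:05 2002] [notice] Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6d configured -- resuming normal operations
EOF
}

# watch_once LOG PIDFILE MAILTO: one pass of the watcher. Only lines added
# since the previous pass (via logtail) are examined; on a hit the matched
# lines are mailed and the Apache parent is sent SIGHUP.
watch_once() {
    log=$1; pidfile=$2; mailto=$3
    out=$(mktemp) || return 1
    /usr/sbin/logtail "$log" | grep -E "$PATTERN" >"$out"
    if [ -s "$out" ]; then
        mail -s "slapper found" "$mailto" <"$out"
        kill -HUP "$(cat "$pidfile")"
    fi
    rm -f "$out"
}

# Only act when invoked with explicit paths, e.g. from cron:
#   worm_watcher.sh /var/log/apache/error_log /var/run/apache.pid admin@example.com
if [ "$#" -eq 3 ]; then
    watch_once "$1" "$2" "$3"
fi
```

Two points worth keeping in mind when deploying something like this: mktemp (rather than a fixed name in /tmp) matters because the script runs as root and a predictable scratch file is an easy symlink target; and SIGHUP in Apache 1.3 is not graceful, it kills every child, legitimate in-flight requests included, which is exactly what frees the slots the probes are holding, whereas a graceful restart would leave those connections alive until they time out.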