The service httpd appears to be down.
Woke up this morning to countless emails telling me the httpd service appears to be down. I am not understanding what is going wrong in the logs and not sure exactly what to share as nothing calls out as being a problem. At first I couldn't access any web pages, but could access via FTP and made sure to get a copy of the system and user backups. I could not access WHM but did notice in the email that one of my users had excessive usage; after suspending that user I was able to access WHM again and restart the server. After the restart everything seemed to work but about a minute later I could not access any webpages again. Email, FTP, SSH, everything else is functioning normally.
This was in the startup log from the email:
[QUOTE]
Apr 03 17:19:07 vps2.ormt.ca systemd[1]: Can't open PID file /run/apache2/httpd.pid (yet?) after start: No such file or directory
Apr 03 17:19:09
The best thing to do in this scenario is likely to check the Apache logs from around the time you received the message. Those can be found at /etc/apache2/logs/error_log in SSH on the system. Can you see if there is anything useful there?
This is what I find around the same time as the first email.
[QUOTE]
[Sat Apr 02 19:23:35.715145 2022] [:error] [pid 12401:tid 46957607937792] [client 204.12.215.61:62265] [client 204.12.215.61] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "368"] [id "920340"] [rev "3"] [msg "Request Containing Content, but Missing Content-Type header"] [severity "NOTICE"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [hostname ""] [uri "/xmlrpc.php"] [unique_id "YkkFJ62Zt0YdcftWQF9oMAAAAEA"], referer: Google
[Sat Apr 02 19:55:41.798324 2022] [mpm_worker:notice] [pid 6853:tid 46957366084672] AH00295: caught SIGTERM, shutting down
[Sat Apr 02 19:55:43.617700 2022] [core:notice] [pid 20345:tid 47529501979712] SELinux policy enabled; httpd running as context system_u:system_r:unconfined_service_t:s0
[Sat Apr 02 19:55:43.643244 2022] [ssl:warn] [pid 20345:tid 47529501979712] AH01909: :443:0 server certificate does NOT include an ID which matches the server name
[Sat Apr 02 19:55:43.713275 2022] [:notice] [pid 20345:tid 47529501979712] ModSecurity for Apache/2.9.3 (:443:0 server certificate does NOT include an ID which matches the server name
[Sat Apr 02 19:55:44.097862 2022] [mpm_worker:notice] [pid 20348:tid 47529501979712] AH00292: Apache/2.4.53 (cPanel) OpenSSL/1.1.1n mod_bwlimited/1.4 configured -- resuming normal operations
[Sat Apr 02 19:55:44.098095 2022] [core:notice] [pid 20348:tid 47529501979712] AH00094: Command line: '/usr/sbin/httpd'
[Sat Apr 02 19:55:50.108430 2022] [mpm_worker:error] [pid 20348:tid 47529501979712] AH00287: server is within MinSpareThreads of MaxRequestWorkers, consider raising the MaxRequestWorkers setting
[Sat Apr 02 19:55:54.113896 2022] [mpm_worker:error] [pid 20348:tid 47529501979712] AH00286: server reached MaxRequestWorkers setting, consider raising the MaxRequestWorkers setting
[Sat Apr 02 20:11:42.562237 2022] [mpm_worker:notice] [pid 20348:tid 47529501979712] AH00295: caught SIGTERM, shutting down
Thanks for posting that - unfortunately it doesn't tell us much as it just shows a "sigterm" and then the process restarts. What does this command show?
grep "server reached MaxRequestWorkers" /etc/apache2/logs/error_log | wc -l
I would expect the output to be a whole number.
Yes it did, it said 180.
Alrighty...and one more thing. If you run this:
head /etc/apache2/logs/error_log
how far back does the log go?
[QUOTE]
[Tue Feb 09 13:35:23.035298 2021] [core:notice] [pid 14831] SELinux policy enabled; httpd running as context system_u:system_r:unconfined_service_t:s0
[Tue Feb 09 13:35:23.037378 2021] [ssl:warn] [pid 14831] AH01909: :443:0 server certificate does NOT include an ID which matches the server name
[Tue Feb 09 13:35:23.037997 2021] [ssl:warn] [pid 14831] AH01909: :443:0 server certificate does NOT include an ID which matches the server name
[Tue Feb 09 13:35:23.038220 2021] [:notice] [pid 14831] ModSecurity for Apache/2.9.3 (
That is what I get.
Alright, so over a year. I was wondering if the server was reaching the MaxRequestWorkers value so frequently that the server monitoring tools interpreted that as the service being offline, but that doesn't seem to be the case. With the details I have here I'm really not sure what may have happened. You're always welcome to open a ticket with our team so we can take a look at the system directly.
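Added example, not part of the thread: the `grep ... | wc -l` count above is a single total for a log that goes back more than a year, so it cannot show whether the MaxRequestWorkers events were spread out or clustered around the outage. This script buckets the three event codes quoted in the thread (AH00286, AH00287, AH00295) by day; the function names and the sample lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): per-day counts of the error_log events
# quoted above, so a burst can be told apart from a slow trickle.

saturation_by_day() {   # usage: saturation_by_day /path/to/error_log
    awk '
    # Apache 2.4 error_log lines start "[Sat Apr 02 19:55:54.113896 2022]",
    # so fields 2, 3 and 5 are the month, the day and "year]".
    $1 ~ /^\[/ && $5 ~ /^[0-9][0-9][0-9][0-9]\]$/ {
        day = substr($5, 1, 4) "-" $2 "-" $3
        if (!(day in seen)) { seen[day] = 1; order[++n] = day }
        if (index($0, "AH00286:"))      reached[day]++   # reached MaxRequestWorkers
        else if (index($0, "AH00287:")) near[day]++      # within MinSpareThreads of it
        else if (index($0, "AH00295:")) term[day]++      # caught SIGTERM, shutting down
    }
    END {
        # Print days in log order, skipping days with none of the three events.
        for (i = 1; i <= n; i++) {
            d = order[i]
            if (reached[d] + near[d] + term[d] > 0)
                printf "%s reached=%d near=%d sigterm=%d\n", d, reached[d], near[d], term[d]
        }
    }' "$1"
}

# Constructed sample in the format of the excerpts above (not real log data).
write_sample_log() {
    cat > "$1" <<'EOF'
[Tue Feb 09 13:35:23.035298 2021] [core:notice] [pid 14831] SELinux policy enabled
[Tue Feb 09 14:02:10.000001 2021] [mpm_worker:error] [pid 14831:tid 1] AH00286: server reached MaxRequestWorkers setting, consider raising the MaxRequestWorkers setting
[Sat Apr 02 19:55:41.798324 2022] [mpm_worker:notice] [pid 6853:tid 1] AH00295: caught SIGTERM, shutting down
[Sat Apr 02 19:55:50.108430 2022] [mpm_worker:error] [pid 20348:tid 1] AH00287: server is within MinSpareThreads of MaxRequestWorkers, consider raising the MaxRequestWorkers setting
[Sat Apr 02 19:55:54.113896 2022] [mpm_worker:error] [pid 20348:tid 1] AH00286: server reached MaxRequestWorkers setting, consider raising the MaxRequestWorkers setting
[Sat Apr 02 20:11:42.562237 2022] [mpm_worker:notice] [pid 20348:tid 1] AH00295: caught SIGTERM, shutting down
EOF
}

# Demo on the constructed sample; on a server, call
#   saturation_by_day /etc/apache2/logs/error_log
tmp=$(mktemp); write_sample_log "$tmp"; saturation_by_day "$tmp"; rm -f "$tmp"
```

A day where `reached` and `sigterm` climb together marks worker exhaustion followed by restarts, which is the window to compare against monitoring alerts.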
So my server host investigated the issue and discovered it was an excess of Apache sessions and is associating it with a DDoS attack. Installed ConfigServer Firewall (CSF) as a protection. Seems to have resolved the issue so far. Suppose I will need to now deal with the prior issues I had with CSF. Please mark as resolved.
cPanel forums is the best place to ask if you have problems with CSF/LFD.