Server is 8.1 and sits in a DMZ. Mainly it does mail and basically Apache is there to run Squirrelmail, so I can check mail from outside. I don't use it that frequently, but it's nice to have. I have set it up with ssl and self-signed certificates, in order to use https. Has been running fine for ~150 days.

Two days ago I was working in the office, and wanted to check my mail. Couldn't connect to the server. Tried a couple of things (telnet to port 80, a portscan). Port 80 and 443 closed.

Got home, logged in,

rcapache status
dead

Looking at the logs, it died at 00:16 that night:

error_log says:
[Wed May 7 00:16:10 2003] [notice] SIGUSR1 received. Doing graceful restart
[Wed May 7 00:16:31 2003] [error] Cannot resolve host name Scum.kinkon --- ignoring!
[Wed May 7 00:16:31 2003] [error] mod_ssl: Init: (Scum.kinkon:80) Ops, no RSA or DSA server certificate found?!
[Wed May 7 00:16:31 2003] [error] mod_ssl: Init: (Scum.kinkon:80) You have to perform a *full* server restart when you added or removed a certificate and/or key file

Now, I haven't changed anything on it for a very long time, so the last mesg seemed a bit odd.

I tarred all of /var/log up and copied it off the system, to have it unaffected by any of the next things I'd try.

So I tried to restart apache, and ssl_engine_log said:
[warn] Init: (Scum.kinkon:80) You configured HTTPS(443) on the standard HTTP(80) port!

This is not good. *I* haven't changed that, so I'm unsure of what to make of it.

I'd be thankful for any ideas.

The hardware is a recycled Compaq, has little RAM; 64MB, and I wouldn't be much surprised if the machine is starting to go bad. OTOH my *first* reaction was that it might've gotten cracked...

There was a thread about logrotate recently. And since the time of death is when logrotate is run (IINM), I'm thinking that *that* might've played a part?

TIA
Jon Clausen
--
If we can't be free, at least we can be cheap!
On Fri, May 09, 2003 at 07:33:48AM +0200, Anders Johansson wrote:
On Friday 09 May 2003 07:28, Jon Clausen wrote: <snip>
Has been running fine for ~150 days. <snip> Now, I haven't changed anything on it for a very long time
Does that include security updates?
err... No, and yes... or... No, it doesn't include security updates, meaning; Yes it's up to date. AFAICT anyway:

rpm -q apache
apache-1.3.26-57

I don't see any updates newer than this at: ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/

I haven't changed the *configuration* in a very long time.

/Jon
--
If we can't be free, at least we can be cheap!
On Fri, May 09, 2003 at 07:28:02AM +0200, Jon Clausen wrote:
error_log says: [Wed May 7 00:16:10 2003] [notice] SIGUSR1 received. Doing graceful restart
Please browse through your logs, to see when the last graceful restart before this one has been!
[Wed May 7 00:16:31 2003] [error] Cannot resolve host name Scum.kinkon --- ignoring!
[Wed May 7 00:16:31 2003] [error] mod_ssl: Init: (Scum.kinkon:80) Ops, no RSA or DSA server certificate found?!
[Wed May 7 00:16:31 2003] [error] mod_ssl: Init: (Scum.kinkon:80) You have to perform a *full* server restart when you added or removed a certificate and/or key file
Now, I haven't changed anything on it for a very long time, so the last mesg seemed a bit odd.
I tarred all of /var/log up and copied it off the system, to have it unaffected by any of the next things I'd try.
So I tried to restart apache, and ssl_engine_log said:
[warn] Init: (Scum.kinkon:80) You configured HTTPS(443) on the standard HTTP(80) port!
This is not good. *I* haven't changed that, so I'm unsure of what to make of it.
I'd be thankful for any ideas.
The hardware is a recycled Compaq, has little RAM; 64MB, and I wouldn't be much surprised if the machine is starting to go bad. OTOH my *first* reaction was that it might've gotten cracked...
I don't think so.
There was a thread about logrotate recently. And since the time of death is when logrotate is run (IINM), I'm thinking that *that* might've played a part?
Surely it triggered it, as the time indicates. But my suspicion is that your apache configuration has been hosed for a long time, and it only showed up now because it was the first time it has been read again. That means, logrotate ran every night to find that the apache log files do not need rotating, until yesterday.

At any rate, it is likely that the configuration files have been changed since the last time apache was started. You might want to check the log files, and modification dates of the files below /etc/httpd.

Then you could assess whether apache or mod_ssl has been updated since then, and whether there are any .rpmsave or .rpmnew files around in /etc/httpd.

If you however find that a graceful restart ("rcapache reload") has been working in the past, and the configuration has not been changed since then, it would be quite suspicious...

Peter
On Fri, May 09, 2003 at 11:00:18AM +0200, poeml@cmdline.net wrote:
On Fri, May 09, 2003 at 07:28:02AM +0200, Jon Clausen wrote:
error_log says: [Wed May 7 00:16:10 2003] [notice] SIGUSR1 received. Doing graceful restart
Please browse through your logs, to see when the last graceful restart before this one has been!
grep -i -A 3 grace *
error_log:[Sun Jan 5 10:28:23 2003] [notice] SIGUSR1 received. Doing graceful restart
error_log-[Sun Jan 5 10:28:32 2003] [notice] Apache/1.3.26 (Linux/SuSE) mod_ssl/2.8.10 OpenSSL/0.9.6g PHP/4.2.2 mod_perl/1.27 configured -- resuming normal operations
error_log-[Sun Jan 5 10:28:32 2003] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
error_log-[Sun Jan 5 10:28:32 2003] [notice] Accept mutex: sysvsem (Default: sysvsem)
--
error_log:[Wed May 7 00:16:10 2003] [notice] SIGUSR1 received. Doing graceful restart
error_log-[Wed May 7 00:16:31 2003] [error] Cannot resolve host name Scum.kinkon --- ignoring!
error_log-[Wed May 7 00:16:31 2003] [error] mod_ssl: Init: (Scum.kinkon:80) Ops, no RSA or DSA server certificate found?!
error_log-[Wed May 7 00:16:31 2003] [error] mod_ssl: Init: (Scum.kinkon:80) You have to perform a *full* server restart when you added or removed a certificate and/or key file
<snip>
There was a thread about logrotate recently. And since the time of death is when logrotate is run (IINM), I'm thinking that *that* might've played a part?
Surely it triggered it, as the time indicates. But my suspicion is that your apache configuration has been hosed for a long time, and it only showed up now because it was the first time it has been read again. That means, logrotate ran every night to find that the apache log files do not need rotating, until yesterday.
Hmm. The only log that's been rotated is ssl_engine_log:

ll ssl_engine_log*
-rw-r--r-- 1 jon users 872 2003-05-07 00:16 ssl_engine_log
-rw-r--r-- 1 jon users 52484 2003-05-06 15:01 ssl_engine_log-20030507.gz

So I guess you have a point there.
At any rate, it is likely that the configuration files have been changed since the last time apache was started. You might want to check the log files, and modification dates of the files below /etc/httpd.
DAMN! I just destroyed the timestamp on httpd.conf ...went in there to look at the ssl section, and accidentally exited with :wq ...so that's lost.

In any case nothing (else) below /etc/httpd has been changed in quite a while:

Scum:/etc/httpd # find . -ctime -50
.
./httpd.conf
Scum:/etc/httpd #
Then you could assess whether apache or mod_ssl has been updated since then, and whether there are any .rpmsave or .rpmnew files around in /etc/httpd.
no .rpm{new|save}s either.
If you however find that a graceful restart ("rcapache reload") has been working in the past, and the configuration has not been changed since then, it would be quite suspicious...
Dunno whether to suspect foul play here, or what... maybe not, but in any case I'm taking the box offline.

This is as good a time as any, to see if any of that RAM I found fits/is good, and then I may as well ZAP the box, and try setting up a more secure machine.

Thanks,
Jon
--
If we can't be free, at least we can be cheap!
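
The checks suggested in this thread (find the last restart that completed, then look for config files changed after it and for .rpmnew/.rpmsave leftovers), combined into one script as an added example that is not part of any poster's message. It assumes GNU find and touch and an Apache 1.3 style error_log; the function names and the sample log and files are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes GNU find (-newermt) and an Apache 1.3 style error_log.

# Print the timestamp of the last completed config load in error_log $1.
last_good_start() {
    grep 'resuming normal operations' "$1" | tail -n 1 |
        sed -n 's/^\[\([^]]*\)\].*/\1/p'
}

# List files under config dir $2 modified after that load, plus any
# .rpmnew/.rpmsave leftovers from package updates.
config_drift() {
    stamp=$(last_good_start "$1")
    if [ -z "$stamp" ]; then
        echo "no completed start found in $1" >&2
        return 2
    fi
    find "$2" -type f -newermt "$stamp" | sed 's/^/CHANGED /' | sort
    find "$2" -type f \( -name '*.rpmnew' -o -name '*.rpmsave' \) |
        sed 's/^/LEFTOVER /' | sort
}

# Constructed sample data (not from the poster's machine).
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/httpd"
    cat > "$d/error_log" <<'EOF'
[Sun Jan  5 10:28:23 2003] [notice] SIGUSR1 received.  Doing graceful restart
[Sun Jan  5 10:28:32 2003] [notice] Apache/1.3.26 (Linux/SuSE) configured -- resuming normal operations
[Wed May  7 00:16:10 2003] [notice] SIGUSR1 received.  Doing graceful restart
[Wed May  7 00:16:31 2003] [error] mod_ssl: Init: no RSA or DSA server certificate found
EOF
    touch -d '2002-12-01 12:00:00' "$d/httpd/mime.types"
    touch -d '2003-03-15 12:00:00' "$d/httpd/httpd.conf"
    touch -d '2002-12-01 12:00:00' "$d/httpd/ssl.conf.rpmnew"
    (cd "$d" && config_drift error_log httpd)
    rm -rf "$d"
}

demo
```

Saving a file from an editor resets its mtime, as happened to httpd.conf in the thread, so a CHANGED line shows only that the file was written, not that its content differs. `rpm -V apache` is a useful second check because it compares the installed files against the size and digest recorded in the package database.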