# [error] server reached MaxClients

## SoylentGreen

i (rarely) find this in my apache2 errorlog (about once a week):

```

[Mon Apr 24 11:17:44 2006] [error] server reached MaxClients setting, consider raising the MaxClients setting

```

additionally, dmesg spits this out:

```

TCP: drop open request from 84.175.254.169/1646

TCP: drop open request from 84.175.254.169/1647

TCP: drop open request from 84.175.254.169/1648

TCP: drop open request from 84.175.254.169/1649

TCP: drop open request from 84.175.254.169/1650

TCP: drop open request from 84.175.254.169/1651

TCP: drop open request from 84.175.254.169/1652

TCP: drop open request from 84.175.254.169/1653

TCP: drop open request from 84.175.254.169/1654

TCP: drop open request from 84.175.254.169/1655

```

a dynamic ip, unfortunately ;(

whats that? i realized my forum is slow, so i ssh'ed to my rootserver to see this. is this a DOS attack or what?

i have already set maxclients to 256, but this still happens about once a week ;(

using hardened sources, hardened php and apache.

hmm..

----------

## neouser99

you could try adding that host to the host.deny file or explicitly blocking it in your firewall rules.  i would guess that it is some kind of DOS, misconfigured proxy, or some client who keeps pressing the refresh button because the forum won't load.

-neo

----------

## Janne Pikkarainen

I've seen this kind of behaviour with buggy PHP scripts (ok, whatever dynamic script will do the same) and broken redirections. This is how the story usually goes: a buggy script X tries to include another file, but is unable to do so. To make it worse, script does not use include like <?php include("data.inc"); ?>, but instead like <?php include("http://yourhost/data.inc"); ?>. And to let the hell break loose, data.inc is not in place AND web server has some custom 404 page defined, which also is not in place, and some kind of infinite loop is ready to roll. Few seconds later poor Apache has reached its process limits.

Also a broken .htaccess file is a great way to achieve this kind of server torturing.

Or perhaps this remote host is trying to suck your whole site with wget or similar program, and is doing if faster than your server actually can handle? That happens very rarely, but still can happen and that would lead to similar symptoms.

Do you have sysstat, snmp or some other monitoring system installed? How's your server doing during those peaks? Swapping? CPU screaming for help? Other bad things?

----------

## SoylentGreen

 *neouser99 wrote:*   

> you could try adding that host to the host.deny file or explicitly blocking it in your firewall rules. 
> 
> 

 

i already mentioned:

 *Quote:*   

> 
> 
> a dynamic ip, unfortunately ;( 
> 
> 

 

so that would not help much.

----------

## SoylentGreen

 *Janne Pikkarainen wrote:*   

> How's your server doing during those peaks? Swapping? CPU screaming for help? Other bad things?

 

~95% idle   :Shocked: 

if i look right now:

```

22:03:16 up 9 days,  6:17,  1 user,  load average: 0.00, 0.00, 0.00

```

OTOH i have none of the monitoring tools installed you mentioned, sorry, so i am unable to check. the only php apps running here are phpBB, coppermine and wordpress.

and as i mentioned, this happens rarely - maybe 1 in 7 days. and it is not google, i know those IPs, it works fine (even if i have 32 visits simultanioulsy by google infact running about a dozen of vhosts).

hmm..

----------

## neouser99

the address is dynamic because it is from a dialup host. dialin.net or something like that in particular. if you have no known users coming from there, try blocking that domain, or an entire subnet.

-neo

----------

## SoylentGreen

 *neouser99 wrote:*   

> the address is dynamic because it is from a dialup host.
> 
> 

 

yes, i am aware about this.

 *neouser99 wrote:*   

> 
> 
> dialin.net or something like that in particular. if you have no known users coming from there, try blocking that domain, or an entire subnet.
> 
> 

 

<lol>, this would exclude half of germany including myself <g>

84.136.0.0 - 84.191.255.255

anyway, i like to know how i could fix this in apache, nothing more nothing less.

thx anyway, though - it was a good one for a laugh.

excluding telekom is - well, pretty funny over here   :Laughing: 

dunno where you live, but - it is like blocking every user by the biggest ISP in your very own country.  :Wink: 

----------

## Corona688

 *SoylentGreen wrote:*   

> dunno where you live, but - it is like blocking every user by the biggest ISP in your very own country. 

  Like blocking AOL then, which oddly enough does happen, often out of necessity, but annoys tons of users anyway.

----------

## Janne Pikkarainen

Before we can decide how to make Apache behave, we must find out what causes those load spikes. Does /var/log/apache2/error.log reveal anything suspicious? Do you have error logging enabled in PHP? If you don't, please enable it in /etc/php/apache2-php4/php.ini (or apache2-php5, if you have PHP 5 installed), restart Apache and wait for the next lag. Then check out the error log again.

----------

## neouser99

i apologize then. your first post left a little for me to be desired in the networking aspect. by you just saying it was dynamic didn't offer that you have gone that far. i am afraid though that if you aren't seeing anything in your apache logs or php logs, as you have indicated, and also the kernel is spitting out that rapid succession of errors coming from one host, there was not must else i could base my analysis off of.

i am led to understand that if you do in fact believe that this is a DOS issue, as which i would guess, your best option might be some sort of active IDS that only monitors your http traffic.  this might alleviate the intermitent attacks (if we are calling them that) that are being seen.

now, if in fact your site is a high trafficed sight, it is possible that the software and database that you are using is just not written to handle this type of traffic. insufficent db calls left open and looping threads within php could very easily kills things. i guess it is just difficult to tell what really is going on without having more of the config and what not, and it could be possible that this would be a better suited question to direct to an apache users group. you seem to know what is going on and have an specific question... i guess i just don't know.

-neo

----------

## SoylentGreen

well, the problem is, the errors dont show in *any* of my virtual serverlogs (i have separated logfiles). they just show in the default errorlog (/var/log/apache). so i *guess* this is somehow a direct attack to port80 (?). also i dont see where php might come in then (hardened-php), but i will check this in a few days and make a phplog.

----------

