Windows Server 2008 RC - Connection Errors - Apache Benchmark - windows

If we want to run a benchmark, the following
/ab.exe -n 500 -c 300 -v 1000 -k http://server:port/test.html
leads to a "connection refused":
Test aborted after 10 failures
apr_socket_connect(): Es konnte keine Verbindung hergestellt werden, da der Zielcomputer die Verbindung verweigerte. (730061)
Is it possible to deactivate the "limit"? Which limit is applied? We see nothing in the Windows event log.
If we use fewer connections it works:
./ab.exe -n 500 -c 257 -k http://server:port/test.html
Does anyone know how to find the corresponding limit? And maybe how to deactivate it, because we do not have enough hosts to use different IPs for the requests.

The solution is to uncomment the MPM config include in httpd.conf
# Server-pool management (MPM specific)
Include conf/extra/httpd-mpm.conf
Then locate the mpm_winnt_module and change the thread count from the current value to whatever you want.
<IfModule mpm_winnt_module>
ThreadsPerChild 1000
MaxRequestsPerChild 0
</IfModule>
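The fix above only takes effect if the Include in httpd.conf is really uncommented and the directive sits where mpm_winnt reads it; a common mistake is editing httpd-mpm.conf while the Include is still commented out, so the default applies. The following script is an added example, not code from the thread: it walks a config, follows Include directives and reports the ThreadsPerChild/ThreadLimit that mpm_winnt would use. The config texts are passed as an in-memory dict (constructed to mirror the post) so it runs offline; the defaults it assumes, ThreadsPerChild 64 and ThreadLimit 1920, are Apache's documented mpm_winnt defaults, and only the `<IfModule mpm_winnt_module>` form is recognised.

```python
"""Report the ThreadsPerChild that Apache's mpm_winnt will actually use.

Added example, not from the original post. Config files are an in-memory
dict so the script runs offline; SAMPLE_FILES is constructed to mirror
the post (MPM Include still commented out, httpd-mpm.conf edited to 1000).
"""

WINNT_DEFAULT_THREADS = 64        # Apache's documented mpm_winnt default
WINNT_DEFAULT_THREAD_LIMIT = 1920  # Apache's documented mpm_winnt default

SAMPLE_FILES = {
    "conf/httpd.conf": (
        "Listen 80\n"
        "# Server-pool management (MPM specific)\n"
        "#Include conf/extra/httpd-mpm.conf\n"
    ),
    "conf/extra/httpd-mpm.conf": (
        "<IfModule mpm_winnt_module>\n"
        "    ThreadsPerChild      1000\n"
        "    MaxRequestsPerChild  0\n"
        "</IfModule>\n"
    ),
}

def _directives(path, files, seen=None):
    """Yield (name, args) for every active directive, recursing into Includes."""
    seen = set() if seen is None else seen
    if path in seen or path not in files:
        return
    seen.add(path)
    for raw in files[path].splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank or commented out
            continue
        parts = line.split(None, 1)
        name = parts[0]
        args = parts[1].strip() if len(parts) > 1 else ""
        if name.lower() in ("include", "includeoptional"):
            yield from _directives(args, files, seen)
        else:
            yield name, args

def effective_winnt_limits(files, root="conf/httpd.conf"):
    """Return (ThreadsPerChild, ThreadLimit) as mpm_winnt would apply them."""
    threads = WINNT_DEFAULT_THREADS
    limit = WINNT_DEFAULT_THREAD_LIMIT
    stack = []  # names of the enclosing <IfModule> blocks
    for name, args in _directives(root, files):
        low = name.lower()
        if low == "<ifmodule":
            stack.append(args.rstrip(">").strip().lower())
        elif low == "</ifmodule>":
            if stack:
                stack.pop()
        elif all(m == "mpm_winnt_module" for m in stack):
            # directive is global or guarded only by the mpm_winnt block
            if low == "threadsperchild":
                threads = int(args.split()[0])
            elif low == "threadlimit":
                limit = int(args.split()[0])
    # Apache warns and lowers ThreadsPerChild when it exceeds ThreadLimit.
    return min(threads, limit), limit

def limits_for(httpd_conf_text, mpm_conf_text):
    """Evaluate a pair of config texts (httpd.conf and conf/extra/httpd-mpm.conf)."""
    return effective_winnt_limits({"conf/httpd.conf": httpd_conf_text,
                                   "conf/extra/httpd-mpm.conf": mpm_conf_text})

def with_mpm_include_enabled(files):
    """Copy of files with the commented MPM Include in httpd.conf activated."""
    out = dict(files)
    out["conf/httpd.conf"] = files["conf/httpd.conf"].replace(
        "#Include conf/extra/httpd-mpm.conf", "Include conf/extra/httpd-mpm.conf")
    return out

if __name__ == "__main__":
    for label, cfg in (("Include commented out", SAMPLE_FILES),
                       ("Include enabled", with_mpm_include_enabled(SAMPLE_FILES))):
        t, lim = effective_winnt_limits(cfg)
        print(f"{label:22s}: ThreadsPerChild={t} (ThreadLimit={lim})")
```

Run as-is it prints 64 for the commented-out case and 1000 once the Include is active; a ThreadsPerChild above ThreadLimit is reported as clamped to the limit, which is what Apache does.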

Related

ssh exec a simple command cost a few seconds

I find that ssh takes more than one second to execute a simple command. Is this normal? If not, how can I speed it up?
[root@ops-test-vm-154:~]# time ssh root@10.17.1.155 'echo "hello,world!"'
hello,world!
real 0m1.805s
user 0m0.009s
sys 0m0.005s
There is low latency between vm-154 and vm-155:
[root@ops-test-vm-154:~]# ping 10.17.1.155
PING 10.17.1.155 (10.17.1.155) 56(84) bytes of data.
64 bytes from 10.17.1.155: icmp_seq=1 ttl=64 time=0.142 ms
64 bytes from 10.17.1.155: icmp_seq=2 ttl=64 time=0.136 ms
64 bytes from 10.17.1.155: icmp_seq=3 ttl=64 time=0.129 ms
64 bytes from 10.17.1.155: icmp_seq=4 ttl=64 time=0.110 ms
^C
--- 10.17.1.155 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4421ms
rtt min/avg/max/mdev = 0.110/0.128/0.142/0.014 ms
BTW: I need to check service status in real time by executing a script on vm-155, so vm-154 executes the command ssh vm-155 status.sh every second. But even a simple command like echo helloworld costs more than one second, so this solution is terrible. I hope to speed it up, or maybe there is a better solution.
Best Wishes!
Here is vm-155's /etc/ssh/sshd_config. I added UseDNS no and executed service sshd restart, but it still needs more than one second to echo hello,world!
Protocol 2
SyslogFacility AUTHPRIV
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
X11Forwarding yes
UseDNS no
Subsystem sftp /usr/libexec/openssh/sftp-server
One thing that you could try is to run SSH in verbose mode and see at which stage it wastes the most time.
ssh -vvv root@10.17.1.155 'echo "hello,world!"'
And then, based on your findings, adapt your ssh config file to exclude slow cipher suites and other CPU-intensive things. Some tips about that here.
However, you will not be able to achieve close to real-time performance over ssh if you establish a new connection every time. You could put your script/command into a loop and set the sleep value to 1s.
ssh root@10.17.1.155 'while true; do echo "Hello, world!"; sleep 1s; done'
But I would use something that is designed for such an application, like the SNMP protocol. Here is an example configuration:
https://www.incredigeek.com/home/snmp-and-shell-script/
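`ssh -vvv` tells you what each stage does but not how long it took, so reading where the second goes is guesswork. The script below is an added example, not part of the answer above: it runs any command, stamps each stderr line with the elapsed time, and prints the biggest pauses; the debug line printed just before a large gap is the stage that stalled (a reverse DNS lookup, a GSSAPI attempt, key exchange, and so on). Invoked with no arguments it runs a constructed stand-in command so the demo works offline; the host 10.17.1.155 in the usage line is the one from the question.

```python
"""Find which stage of an ssh session stalls by timestamping `ssh -vvv` output.

Added example, not from the original answer.
Usage:  python ssh_stall.py ssh -vvv root@10.17.1.155 'echo "hello,world!"'
With no arguments a constructed stand-in command (DEMO) is run instead.
"""
import subprocess
import sys
import time

def run_timed(argv):
    """Run argv; return [(seconds_since_start, stderr_line), ...] in order."""
    start = time.monotonic()
    proc = subprocess.Popen(argv, stdout=subprocess.DEVNULL,
                            stderr=subprocess.PIPE, text=True)
    timed = []
    for line in proc.stderr:           # ssh writes its debug output to stderr
        timed.append((time.monotonic() - start, line.rstrip("\n")))
    proc.wait()
    return timed

def largest_gaps(timed, top=3):
    """The `top` longest pauses as (gap_seconds, line_before, line_after), longest first."""
    gaps = [(t1 - t0, l0, l1)
            for (t0, l0), (t1, l1) in zip(timed, timed[1:])]
    gaps.sort(key=lambda g: g[0], reverse=True)
    return gaps[:top]

# Constructed stand-in: fake debug lines with a deliberate 0.4 s stall,
# so the script demonstrates itself without a reachable ssh server.
DEMO = ["sh", "-c",
        'echo "debug1: Connecting to 10.0.0.1 [10.0.0.1] port 22." >&2; '
        'echo "debug1: Next authentication method: gssapi-with-mic" >&2; '
        'sleep 0.4; '
        'echo "debug1: Authentication succeeded (password)." >&2']

if __name__ == "__main__":
    argv = sys.argv[1:] or DEMO
    timed = run_timed(argv)
    if timed:
        print(f"total {timed[-1][0]:.3f}s across {len(timed)} debug lines")
    for gap, before, _after in largest_gaps(timed):
        print(f"{gap:6.3f}s spent after: {before}")
```

Compare the reported stage against the server settings: if the pause follows the GSSAPI line, for example, that points at the GSSAPIAuthentication yes in the sshd_config above rather than at DNS.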
One source of delays during the SSH connection process is DNS lookups by the server. When a client connects to the server, the server can optionally look up the IP address of the client to get its hostname. Depending on a variety of issues, the query may take anywhere from a fraction of a second to ten seconds or more to complete.
The most widely deployed SSH server is OpenSSH. The OpenSSH sshd server has a setting named UseDNS which controls whether it performs DNS queries on incoming connections or not:
UseDNS
Specifies whether sshd(8) should look up the remote host name, and to check that the resolved host name for the remote IP address maps back to the very same IP address.
You should check that UseDNS is set to "no" on the server which you're connecting to.

Is my VPS under DDoS attack?

When I run this command on my VPS:
netstat -n|grep :80|cut -c 45-|cut -f 1 -d ':'|sort|uniq -c|sort -nr|more
I get this result:
207 222.73.144.194
89 191.96.249.54
58 191.96.249.53
21 2400
15 51.255.64.23
6 143.137.103.251
3 103.27.72.36
1 89.180.150.168
1 66.102.7.137
1 5.189.170.167
1 191.181.39.208
1 183.2.246.218
I think this command is showing the number of connections per IP to port 80.
Is this a DDoS attack?
Have you checked other aspects (e.g. CPU load, network throughput to specific IP(s) using iftop or iptraf)? If those are normal, maybe it's just a web/HTTP scanner hitting your site.
If you use nginx, you can use the limit_conn module to queue the remaining IP(s) that don't obey your policy.
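Two things the one-liner in the question hides: `cut -c 45-` depends on fixed column positions, so IPv6 rows come out wrong (the "21 2400" entry is almost certainly a 2400:... address cut mid-way), and `netstat -n` lists TIME_WAIT and other non-established states, which inflates the per-IP counts. The script below is an added example, not from the question or answer: it parses the netstat columns instead of character offsets, splits the port off both IPv4 and IPv6 endpoints, counts only the states you ask for, and flags addresses over a threshold. The sample output and addresses are constructed; with netstat installed it reads live data.

```python
"""Count connections to local port 80 per remote address from `netstat -n` output.

Added example, not from the original post. SAMPLE_NETSTAT is constructed
(documentation-range addresses) so the script runs offline.
"""
from collections import Counter
import subprocess

SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       TIME_WAIT
tcp        0      0 10.0.0.5:80             198.51.100.9:40001      ESTABLISHED
tcp        0      0 10.0.0.5:22             198.51.100.9:40002      ESTABLISHED
tcp6       0      0 2001:db8::5:80          2400:cb00:2048:1::a29f:1234:55000 ESTABLISHED
tcp6       0      0 2001:db8::5:80          2400:cb00:2048:1::a29f:1234:55001 ESTABLISHED
"""

def split_endpoint(endpoint):
    """Split 'addr:port' into (addr, port). IPv6 has many colons, so split on the last."""
    addr, _, port = endpoint.rpartition(":")
    return addr, int(port)

def connections_per_ip(netstat_text, local_port=80, states=("ESTABLISHED",)):
    """Counter{remote_ip: n} over TCP rows to local_port whose state is in `states`."""
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue                      # header, UDP, unix sockets
        local, foreign, state = fields[3], fields[4], fields[5]
        if split_endpoint(local)[1] != local_port or state not in states:
            continue
        counts[split_endpoint(foreign)[0]] += 1
    return counts

def suspicious(counts, threshold=100):
    """Addresses at or above the threshold, highest count first."""
    return sorted(((ip, n) for ip, n in counts.items() if n >= threshold),
                  key=lambda pair: -pair[1])

if __name__ == "__main__":
    try:   # live data when netstat is available, else the constructed sample
        text = subprocess.run(["netstat", "-n"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE_NETSTAT
    counts = connections_per_ip(text)
    for ip, n in counts.most_common():
        print(f"{n:5d} {ip}")
    for ip, n in suspicious(counts, threshold=2):
        print(f"review: {ip} holds {n} established connections")
```

A high count from one address is a starting point, not a verdict: cross-check it against the access log and the iftop/iptraf throughput view the answer mentions before adding a limit_conn rule.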

OpenLDAP as a Proxy cache only, no local database

I am trying to get a local LDAP proxy cache running. The idea is this:
Currently a computer (A) is sending all ldap requests to a remote ldap server (L)
Instead of that, there should be a proxy cache "server" running on A to act as an intermediate between A and L. The cache would store all queries and all their attributes (until it is filled up and then it starts "recycling").
OpenLDAP's Proxy Cache Engine looks pretty good, but there is not much information about how to set it up. There is an example config file, but I cannot get it to work.
When connected to the internet, running this command will successfully bind me.
ldapwhoami -vvv -h localhost -D "CN=Melka Martin,OU=something,OU=else,(...),DC=int,DC=somedomain,DC=com" -x -w <passwd>
However, each following request will still poll the remote LDAP server (as shown by sniffing the connection; and when the machine is disconnected from the internet, the local bind fails).
In the slapd output there is a lot of stuff, but the relevant lines are:
56449abd QUERY NOT ANSWERABLE
56449abd QUERY CACHEABLE
This is the current config file, which should cache all the bind requests:
database ldap
suffix "dc=int,dc=somedomain,dc=com"
rootdn "cn=admin,dc=int,dc=somedomain,dc=com"
rootpw <something>
uri ldap://dc-04.int.somedomain.com:389
overlay pcache
pcache hdb 100000 1 1000 100
pcacheAttrset 0 *
pcacheTemplate (sn=) 0 3600
pcacheBind (sn=) 0 3600 sub dc=int,dc=somedomain,dc=com
cachesize 200
directory /var/lib/ldap
index objectClass eq
index cn eq,sub
I have created the /var/lib/ldap directory, added a default DB_CONFIG file in there and then edited the slapd.conf file. If there are more things to do to set it up properly, could you instruct me?
I am a little confused about the rootdn/rootpw directives. They are used to write into the remote LDAP server, correct?
Edit: Below here is the original issue, which was resolved by using the full proper DN.
As this is supposed to only be a proxy cache, I shouldn't need to set up a local database. So the config file looks like this:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
moduleload pcache.la
database ldap
suffix "dc=int,dc=somedomain,dc=com"
rootdn "dc=int,dc=somedomain,dc=com"
uri ldap://dc-04.int.somedomain.com:389
overlay pcache
pcache hdb 100000 1 1000 100
pcacheAttrset 0 *
pcacheTemplate (sn=) 0 3600
cachesize 20
directory /var/lib/ldap
index objectClass eq
index cn eq,sub
Now I would expect that any request to ldap://localhost would mirror to the remote LDAP, if not in the cache.
I use this command to test the auth on the remote server:
ldapwhoami -vvv -h dc-04.int.somedomain.com -p 389 -D melka@somedomain.com -x -w <passwd>
Which works well, I get the auth.
However, when I try to run the same command on localhost:
ldapwhoami -vvv -h localhost -p 389 -D melka@somedomain.com -x -w <passwd>
It fails, saying
ldap_initialize( ldap://localhost:389 )
ldap_bind: Invalid DN syntax (34)
additional info: invalid DN
Slapd is listening on localhost, netstat contains this line:
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 10352/slapd
Is there something I am missing?
Thanks
melka@somedomain.com
That may be a DN in the target LDAP system, who knows, but it certainly isn't in OpenLDAP. You need to provide a proper Distinguished Name.
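Active Directory accepts a userPrincipalName such as melka@somedomain.com as a simple-bind identity, which is why the direct bind worked, but the string is not a Distinguished Name and OpenLDAP's ldap database checks DN syntax before forwarding, hence error 34. The parser below is an added example, not from the question or answer: it splits an RFC 4514 string DN into RDNs, handling backslash-escaped separators and multi-valued RDNs, and rejects a UPN, so it can be used to pre-check bind DNs before they reach the proxy. The DN values in it are constructed from the ones in the question.

```python
"""Parse an LDAP Distinguished Name (RFC 4514 string form) into RDN components.

Added example, not from the original post. parse_dn() returns one list per
RDN, each a list of (attributeType, value) pairs; InvalidDN is raised for
anything that is not a DN, e.g. the UPN 'melka@somedomain.com'.
"""
import re

# attribute type: a descriptor (cn, OU, dc) or a numeric OID (2.5.4.3)
_TYPE_RE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)$")

class InvalidDN(ValueError):
    pass

def _split_unescaped(s, sep):
    """Split s on sep, but not on a sep that is preceded by a backslash."""
    parts, cur, i = [], [], 0
    while i < len(s):
        ch = s[i]
        if ch == "\\" and i + 1 < len(s):   # keep escape pairs intact
            cur.append(s[i:i + 2])
            i += 2
            continue
        if ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts

def _unescape(value):
    """Turn '\\,' into ',' and similar backslash escapes in an attribute value."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)

def parse_dn(dn):
    """Return [[(type, value), ...], ...], leaf RDN first; '' is the (valid) empty DN."""
    if dn == "":
        return []
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        avas = []
        for ava in _split_unescaped(rdn, "+"):
            if "=" not in ava:
                raise InvalidDN(f"no '=' in RDN component {ava!r}")
            typ, _, val = ava.partition("=")
            typ = typ.strip()
            if not _TYPE_RE.match(typ):
                raise InvalidDN(f"bad attribute type {typ!r}")
            if val.strip() == "":
                raise InvalidDN(f"empty value for attribute {typ}")
            avas.append((typ, _unescape(val.strip())))
        rdns.append(avas)
    return rdns

def is_valid_dn(dn):
    try:
        parse_dn(dn)
        return True
    except InvalidDN:
        return False

if __name__ == "__main__":
    for candidate in ("melka@somedomain.com",
                      "CN=Melka Martin,OU=Users,DC=int,DC=somedomain,DC=com"):
        print(f"{candidate!r}: {'DN' if is_valid_dn(candidate) else 'not a DN'}")
```

The same distinction explains the rootdn question: rootdn must also be a DN, and in a `database ldap` proxy it names the identity that is treated as the local administrator of the proxied naming context, not an account that is created on the remote server.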

proFTPD permission denied

So, I'm running proFTPD (should be the newest one from www.webmin.com, with webmin 1.760) on Ubuntu 14.04.3 LTS Server (32-bit).
With the admin username and password,
I can use FileZilla to access the FTP server from another home PC, but I'm not permitted to upload/modify/create files.
Below is the error shown in FileZilla, on delete:
Status: Deleting "/var/www/html/index.html"
Command: DELE index.html
Response: 550 index.html: Permission denied
and on create:
Status: Retrieving directory listing of "/var/www/html"...
Status: Directory listing of "/var/www/html" successful
Response: 421 No transfer timeout (600 seconds): closing control connection
Error: Connection closed by server
I've tried googling, but it doesn't seem to be a common error,
and I can't find any permission option for admin in "etc/proftpd/proftpd.conf" either.
This is my proftpd.conf:
#
# /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.
# To really apply changes, reload proftpd after modifications, if
# it runs in daemon mode. It is not required in inetd/xinetd mode.
#
# Includes DSO modules
Include /etc/proftpd/modules.conf
# Set off to disable IPv6 support which is annoying on IPv4 only boxes.
UseIPv6 on
# If set on you can experience a longer connection delay in many cases.
IdentLookups off
ServerName Debian
ServerType standalone
DeferWelcome off
MultilineRFC2228 on
DefaultServer on
ShowSymlinks on
TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200
DisplayLogin welcome.msg
DisplayChdir .message true
ListOptions "-l"
DenyFilter \*.*/
# Use this to jail all users in their homes
# DefaultRoot ~
# Users require a valid shell listed in /etc/shells to login.
# Use this directive to release that constrain.
# RequireValidShell off
# Port 21 is the standard FTP port.
Port 21
# In some cases you have to specify passive ports range to by-pass
# firewall limitations. Ephemeral ports can be used for that, but
# feel free to use a more narrow range.
# PassivePorts 49152 65534
# If your host was NATted, this option is useful in order to
# allow passive tranfers to work. You have to use your public
# address and opening the passive ports used on your firewall as well.
# MasqueradeAddress 1.2.3.4
# This is useful for masquerading address with dynamic IPs:
# refresh any configured MasqueradeAddress directives every 8 hours
<IfModule mod_dynmasq.c>
# DynMasqRefresh 28800
</IfModule>
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30
# Set the user and group that the server normally runs at.
User proftpd
Group nogroup
# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 007 007
# Normally, we want files to be overwriteable.
AllowOverwrite on
# Uncomment this if you are using NIS or LDAP via NSS to retrieve passwords:
# PersistentPasswd off
# This is required to use both PAM-based authentication and local passwords
# AuthOrder mod_auth_pam.c* mod_auth_unix.c
# Be warned: use of this directive impacts CPU average load!
# Uncomment this if you like to see progress and transfer rate with ftpwho
# in downloads. That is not needed for uploads rates.
#
# UseSendFile off
TransferLog /var/log/proftpd/xferlog
SystemLog /var/log/proftpd/proftpd.log
# Logging onto /var/log/lastlog is enabled but set to off by default
#UseLastlog on
# In order to keep log file dates consistent after chroot, use timezone info
# from /etc/localtime. If this is not set, and proftpd is configured to
# chroot (e.g. DefaultRoot or <Anonymous>), it will use the non-daylight
# savings timezone regardless of whether DST is in effect.
#SetEnv TZ :/etc/localtime
<IfModule mod_quotatab.c>
QuotaEngine off
</IfModule>
<IfModule mod_ratio.c>
Ratios off
</IfModule>
# Delay engine reduces impact of the so-called Timing Attack described in
# http://www.securityfocus.com/bid/11430/discuss
# It is on by default.
<IfModule mod_delay.c>
DelayEngine on
</IfModule>
<IfModule mod_ctrls.c>
ControlsEngine off
ControlsMaxClients 2
ControlsLog /var/log/proftpd/controls.log
ControlsInterval 5
ControlsSocket /var/run/proftpd/proftpd.sock
</IfModule>
<IfModule mod_ctrls_admin.c>
AdminControlsEngine off
</IfModule>
#
# Alternative authentication frameworks
#
#Include /etc/proftpd/ldap.conf
#Include /etc/proftpd/sql.conf
#
# This is used for FTPS connections
#
#Include /etc/proftpd/tls.conf
#
# Useful to keep VirtualHost/VirtualRoot directives separated
#
#Include /etc/proftpd/virtuals.conf
# A basic anonymous configuration, no upload directories.
# <Anonymous ~ftp>
# User ftp
# Group nogroup
# # We want clients to be able to login with "anonymous" as well as "ftp"
# UserAlias anonymous ftp
# # Cosmetic changes, all files belongs to ftp user
# DirFakeUser on ftp
# DirFakeGroup on ftp
#
# RequireValidShell off
#
# # Limit the maximum number of anonymous logins
# MaxClients 10
#
# # We want 'welcome.msg' displayed at login, and '.message' displayed
# # in each newly chdired directory.
# DisplayLogin welcome.msg
# DisplayChdir .message
#
# # Limit WRITE everywhere in the anonymous chroot
# <Directory *>
# <Limit WRITE>
# DenyAll
# </Limit>
# </Directory>
#
# # Uncomment this if you're brave.
# # <Directory incoming>
# # # Umask 022 is a good standard umask to prevent new files and dirs
# # # (second parm) from being group and world writable.
# # Umask 022 022
# # <Limit READ WRITE>
# # DenyAll
# # </Limit>
# # <Limit STOR>
# # AllowAll
# # </Limit>
# # </Directory>
#
# </Anonymous>
# Include other custom configuration files
Include /etc/proftpd/conf.d/
AccessGrantMsg "Successful login"
<Global>
</Global>
It's very confusing to handle on my own because I can't even find any clue except the error shown on FileZilla.
FTP is important for me to config my server, it would be a big help if you can give any clue, thank you.
Also, I may as well use another FTP server, any suggestion?
sudo chown -R user:root /var/www/
then
chown -R user:www-data /var/www
change user
And I finally came up with a solution - changing the permissions of my folder,
which can be found here.
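The 550 in the question is the filesystem, not proftpd.conf, saying no: ProFTPD runs each session as the system user that logged in, and deleting or creating an entry under /var/www/html needs both write and execute permission on that directory for that user through the owner, group or other bits. Before reaching for a recursive chown, it helps to see which bit class actually applies to the FTP user. The script below is an added example, not from the thread: it reports the class and the rights it grants for a user on a path, and what the post's `Umask 007 007` gives new files and directories. Paths and usernames in it are placeholders; run without arguments it checks a temporary directory as the current process.

```python
"""Explain, from the mode bits, whether an FTP login can write to a directory.

Added example, not from the original thread. Root is the exception to the
bit rules and is normally refused FTP login anyway, so it is not special-cased.
Usage: python ftpperm.py /var/www/html someuser
With no arguments a temporary directory is checked as the current process.
"""
import grp
import os
import pwd
import sys
import tempfile

def ids_for_user(username):
    """(uid, {gids}) for a named account: primary group plus supplementary ones."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if username in g.gr_mem)
    return pw.pw_uid, gids

def effective_access(path, uid, gids):
    """Return (class, {'r','w','x'}): the bit class used for uid and what it grants."""
    st = os.stat(path)
    if st.st_uid == uid:
        cls, shift = "owner", 6
    elif st.st_gid in gids:
        cls, shift = "group", 3
    else:
        cls, shift = "other", 0
    bits = (st.st_mode >> shift) & 0o7
    perms = {name for name, bit in (("r", 4), ("w", 2), ("x", 1)) if bits & bit}
    return cls, perms

def mode_after_umask(umask, base=0o666):
    """Mode a new file gets under umask; pass base=0o777 for directories."""
    return base & ~umask

def explain(path, username):
    """One-line verdict on whether username can create/delete entries in path."""
    uid, gids = ids_for_user(username)
    cls, perms = effective_access(path, uid, gids)
    verdict = "can" if {"w", "x"} <= perms else "cannot"   # both needed for DELE/STOR
    shown = "".join(p for p in "rwx" if p in perms) or "-"
    return f"{username} is '{cls}' on {path}: {shown} -> {verdict} create/delete entries"

def probe_mode(mode):
    """Create a temp dir with `mode` and report the current process's access to it."""
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, mode)
        return effective_access(d, os.getuid(), set(os.getgroups()) | {os.getgid()})

if __name__ == "__main__":
    if len(sys.argv) == 3:
        print(explain(sys.argv[1], sys.argv[2]))
    else:
        for mode in (0o555, 0o755):
            print(f"mode {mode:o}: {probe_mode(mode)}")
    print(f"Umask 007 007 -> new files {mode_after_umask(0o007):o}, "
          f"new dirs {mode_after_umask(0o007, 0o777):o}")
```

With the post's umask, anything the FTP user uploads is 660/770, so the web server only reads it if it shares the directory's group; that is the reason the accepted fix uses `user:www-data` rather than `user:root`.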

websocket - Maximum number of clients

I'm running a stress test on a websocket server to measure how many clients it can serve simultaneously and what that number depends on.
The server implementation I'm using is pywebsocket, the extension for apache server.
Apparently, this creates a new thread for every new client.
The problem is I can only go up to 378 clients, always the same number (and pretty low), and for the next one I receive the following trace:
[2013-08-22 07:47:09,454] [ERROR] __main__.WebSocketServer: Exception in processing request from: ('::ffff:10.36.154.147', 41509, 0, 0)
Traceback (most recent call last):
File "/usr/lib/python2.7/SocketServer.py", line 284, in _handle_request_noblock
self.process_request(request, client_address)
File "/usr/lib/python2.7/SocketServer.py", line 594, in process_request
t.start()
File "/usr/lib/python2.7/threading.py", line 495, in start
_start_new_thread(self.__bootstrap, ())
**error: can't start new thread**
I really don't know where this limit might come from; it seems too low to be the maximum number of threads for the process, which I just set to unlimited, or the maximum number of processes for the user, also now set to unlimited.
I also checked the apache2 configuration files and this is what I have in apache2.conf, should be enough:
MaxKeepAliveRequests 0
KeepAliveTimeout 5
<IfModule mpm_prefork_module>
StartServers 50
ServerLimit 2000
MinSpareServers 50
MaxSpareServers 2000
MaxClients 2000
MaxRequestsPerChild 2000
</IfModule>
<IfModule mpm_worker_module>
StartServers 50
ServerLimit 2000
MinSpareThreads 50
MaxSpareThreads 2000
ThreadLimit 0
ThreadsPerChild 2000
MaxClients 2000
MaxRequestsPerChild 2000
</IfModule>
<IfModule mpm_event_module>
StartServers 50
ServerLimit 2000
MinSpareThreads 50
MaxSpareThreads 2000
ThreadLimit 0
ThreadsPerChild 2000
MaxClients 2000
MaxRequestsPerChild 2000
</IfModule>
The server is an Amazon EC2 t1.micro instance with ubuntu.
What else can be causing this limit?
Try reducing ulimit -s to a much lower value than unlimited/default for whatever piece of code will create many threads, and make sure /proc/sys/kernel/threads-max is not lower than six figures.
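The reasoning behind that answer: on Linux every thread reserves its full stack (the `ulimit -s` value) as virtual address space at creation, so with an 8 MiB default a 32-bit process runs out of address space after a few hundred threads, and a t1.micro's memory makes the overcommit limit bite early too; neither shows up in the Apache MPM settings, which pywebsocket's own thread-per-client server does not use. The probe below is an added example, not from the answer: `threading.stack_size()` is the in-process equivalent of lowering `ulimit -s` for threads started afterwards, and the probe counts how many parked threads can be created at a given stack size before Python raises "can't start new thread", alongside the kernel and rlimit values the answer refers to.

```python
"""Probe how many threads a process can start at a given per-thread stack size.

Added example, not from the original answer. Threads park on an Event so
they cost only their stack reservation, and are all released afterwards.
"""
import resource
import threading

def system_thread_limits():
    """(kernel threads-max or None, soft RLIMIT_NPROC, soft RLIMIT_STACK in bytes)."""
    try:
        with open("/proc/sys/kernel/threads-max") as f:
            threads_max = int(f.read())
    except OSError:          # not Linux or /proc unavailable
        threads_max = None
    nproc = resource.getrlimit(resource.RLIMIT_NPROC)[0]
    stack = resource.getrlimit(resource.RLIMIT_STACK)[0]
    return threads_max, nproc, stack

def probe_max_threads(stack_bytes, ceiling=200):
    """Start up to `ceiling` parked threads of stack_bytes each; return how many started."""
    previous = threading.stack_size()
    threading.stack_size(stack_bytes)     # applies to threads created from now on
    release = threading.Event()
    threads = []
    try:
        for _ in range(ceiling):
            t = threading.Thread(target=release.wait, daemon=True)
            try:
                t.start()
            except RuntimeError:          # "can't start new thread"
                break
            threads.append(t)
    finally:
        release.set()                     # unpark and reap every thread we made
        for t in threads:
            t.join()
        threading.stack_size(previous)
    return len(threads)

if __name__ == "__main__":
    tmax, nproc, stack = system_thread_limits()
    print(f"threads-max={tmax} RLIMIT_NPROC={nproc} RLIMIT_STACK={stack}")
    for kib in (8192, 256):               # default-sized stacks vs small ones
        n = probe_max_threads(kib * 1024, ceiling=500)
        print(f"stack {kib:5d} KiB: started {n} of 500 threads")
```

On a box with the symptom from the question the 8 MiB run stops short of the ceiling while the 256 KiB run reaches it; raising the ceiling makes the gap obvious. The per-thread stack only needs to be large enough for the handler's deepest call, which for a websocket echo handler is far below 8 MiB.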
