Alright, so I've been fighting my host for well into three months on the use of the UU. What's been going on is that about halfway, maybe more, through the synchronize process with UA the server freaks out and stops all access. I say I've been fighting with her, but truthfully my host is one of the most understanding people I know. With her help we've figured out the issue with the random 403 for the UU.

What is happening is that Apache is seeing the supafly fast data transfer for the multiple calls that UU does one after the other after the other without a pause. When Apache sees this that specific IP gets blocked for a little bit. This is because UU is acting EXACTLY like a standard Brute Force script would. Sending and pulling data faster than a human could with a browser, in essence, trying to overload the server.

This is a bad thing.

My host is understanding, but there are some that are not, and without some sort of throttling mechanism built into UU, I can see people getting yelled at once their server host figures it out (It may take awhile as I found, but eventually they'll figure it out too).

That said, is there a way to throttle the Push/Pull transfer of UU so that there's a, say 5-10 second, pause in between each command sent to UA? This little pause should be enough to have apache not go apeshit on us.

A little backup for show:

Top Process %CPU 26.0 /usr/bin/php update.php

It's eating server resources due to the non throttling and Apache going on the warpath.

In addition, the use, due to the software and the way it is coded, is simulating a brute force attack on apache. We have had to completely remove our Apache Brute Force Evasive security system on that server in order to get rid of those errors - this is something I am absolutely unhappy about doing as you are the only domain with this issue with that security.

She disabled modevasive for me to test both UU and UA to determine if it is, in fact, UU that is doing it, and yes, Apache goes on the warpath whenever UU hollers to talk to the server's UA installation.

She then let me know in no uncertain terms that if a real brute force attack happens while she has disabled modevasive for me, she's gonna have a big case of the ass for me . I can understand her reasons though.

Some sort of thottling mechanism should be in place to avoid this. Please advise.

What POST variables are being transmitted to the server by UU before, during, and after the apache module blocks your ip

by the way I try to make UU as conformant to HTTP 1.1 as possible, and RFC 2616 has no such "delay" imposed on the interval between posts.

Common Sense:

When installing custom modules for Apache, you run the risk of Apache displaying unexpected or unwanted behavior!

MattM wrote:What POST variables are being transmitted to the server by UU before, during, and after the apache module blocks your ip

by the way I try to make UU as conformant to HTTP 1.1 as possible, and RFC 2616 has no such "delay" imposed on the interval between posts.

Common Sense:

When installing custom modules for Apache, you run the risk of Apache displaying unexpected or unwanted behavior!

LOL I don't run the server, I just pay for it and beat it up and drive my host insane with untested code (my php code that is):D

It runs fine for me up to the deleteaddons command. For others it halts at the update addons command.

Code: Select all

[2007/08/22 16:22:47] Retrieving XML data.
[2007/08/22 16:22:47]
[2007/08/22 16:22:47] RetrData: url: http://www.astralorder.com/uniadmin/interface.php
[2007/08/22 16:22:47] RetrData: param1: OPERATION
[2007/08/22 16:22:47] RetrData: val1: GETDELETEADDONS
[2007/08/22 16:22:47] RetrData: Timeout: -1
[2007/08/22 16:22:47] RetrData: ------------------------------------------------------------------------
[2007/08/22 16:22:48] <?xml version="1.0"?>
[2007/08/22 16:22:48]  <addons>
[2007/08/22 16:22:48]   <addon dirname="DuckieBank" />
[2007/08/22 16:22:48]   <addon dirname="DuckNet" />
[2007/08/22 16:22:48]   <addon dirname="CT_RaidAssist" />
[2007/08/22 16:22:48]   <addon dirname="KLHThreatMeter" />
[2007/08/22 16:22:48]  </addons>
[2007/08/22 16:22:48]
[2007/08/22 16:22:48]
[2007/08/22 16:22:48] RetrData: ------------------------------------------------------------------------
[2007/08/22 16:22:48]
[2007/08/22 16:22:48] Beginning the XML document parsing
[2007/08/22 16:22:48] UpdateAddons: Root element is missing

Unfortunately I do not have access to the error logs at this time, so this is the best I can provide you with :'(

right now UU is multithreaded and has no queue for the HTTP traffic it generates, thus no control over the time between requests or "shock absorption"

I think there's more to this problem than that though. If I could see a snip of the apache log that would be great.

I'll see what I can get from me host and post back

Perhaps a better approach to this rather then shutting off the module all together is to configure it. Your host can do this globally or you can add a .htaccess to the directory in question.

For example:

Code: Select all

<IfModule mod_evasive20.c>
    DOSHashTableSize    3097
    DOSPageCount        4
    DOSSiteCount        50
    DOSPageInterval     1
    DOSSiteInterval     1
    DOSBlockingPeriod   10
</IfModule>

hmm good idea DS, as the rules were put on the server for a reason it is best to leave them on but being able to configure it is great.