Modsecurity: SecConn(Read|Write)StateLimit warning floods errorlog

Created on 26 May 2017  路  3Comments  路  Source: SpiderLabs/ModSecurity

apache 2.2.15, 2.4.6
rhel 6, 7

i guess it has something to do with the following commit #1340

[Fri May 26 12:12:19.354369 2017] [:warn] [pid 13045:tid 140075442624256] [client  x.x.x.251:41630] ModSecurity: going to loop through 2050 servers with 64 threads
[Fri May 26 12:12:19.355458 2017] [:warn] [pid 13045:tid 140075442624256] [client  x.x.x.251:41630] ModSecurity: threads in READ: 1 of 50, WRITE: 0 of 50, IP:  x.x.x.251
[Fri May 26 12:12:19.387705 2017] [:warn] [pid 13129:tid 140075392268032] [client  x.x.x.94:25222] ModSecurity: going to loop through 2050 servers with 64 threads
[Fri May 26 12:12:19.389408 2017] [:warn] [pid 13129:tid 140075392268032] [client  x.x.x.94:25222] ModSecurity: threads in READ: 1 of 50, WRITE: 0 of 50, IP:  x.x.x.94
[Fri May 26 12:12:19.393744 2017] [:warn] [pid 13045:tid 140075392268032] [client  x.x.x.94:25226] ModSecurity: going to loop through 2050 servers with 64 threads
[Fri May 26 12:12:19.394955 2017] [:warn] [pid 13045:tid 140075392268032] [client  x.x.x.94:25226] ModSecurity: threads in READ: 1 of 50, WRITE: 0 of 50, IP:  x.x.x.94
[Fri May 26 12:12:19.400368 2017] [:warn] [pid 13129:tid 140075367089920] [client  x.x.x.251:41636] ModSecurity: going to loop through 2050 servers with 64 threads
[Fri May 26 12:12:19.401456 2017] [:warn] [pid 13129:tid 140075367089920] [client  x.x.x.251:41636] ModSecurity: threads in READ: 1 of 50, WRITE: 0 of 50, IP:  x.x.x.251
[Fri May 26 12:12:19.405759 2017] [:warn] [pid 13045:tid 140075574433536] [client  x.x.x.94:25232] ModSecurity: going to loop through 2050 servers with 64 threads
[Fri May 26 12:12:19.406796 2017] [:warn] [pid 13045:tid 140075574433536] [client  x.x.x.94:25232] ModSecurity: threads in READ: 1 of 50, WRITE: 0 of 50, IP:  x.x.x.94
[Fri May 26 12:12:19.410287 2017] [:warn] [pid 13129:tid 140075582826240] [client  x.x.x.251:41638] ModSecurity: going to loop through 2050 servers with 64 threads
[Fri May 26 12:12:19.411273 2017] [:warn] [pid 13129:tid 140075582826240] [client  x.x.x.251:41638] ModSecurity: threads in READ: 1 of 50, WRITE: 0 of 50, IP:  x.x.x.251
[Fri May 26 12:12:19.439602 2017] [:warn] [pid 13045:tid 140075425838848] [client  x.x.x.251:41650] ModSecurity: going to loop through 2050 servers with 64 threads
[Fri May 26 12:12:19.441388 2017] [:warn] [pid 13045:tid 140075425838848] [client  x.x.x.251:41650] ModSecurity: threads in READ: 1 of 50, WRITE: 0 of 50, IP:  x.x.x.251
[Fri May 26 12:12:19.441494 2017] [:warn] [pid 13129:tid 140075358697216] [client  x.x.x.251:41654] ModSecurity: going to loop through 2050 servers with 64 threads
[Fri May 26 12:12:19.442030 2017] [:warn] [pid 13045:tid 140075325126400] [client  x.x.x.251:41656] ModSecurity: going to loop through 2050 servers with 64 threads
[Fri May 26 12:12:19.442911 2017] [:warn] [pid 13045:tid 140075325126400] [client  x.x.x.251:41656] ModSecurity: threads in READ: 2 of 50, WRITE: 0 of 50, IP:  x.x.x.251
[Fri May 26 12:12:19.442911 2017] [:warn] [pid 13129:tid 140075358697216] [client  x.x.x.251:41654] ModSecurity: threads in READ: 2 of 50, WRITE: 0 of 50, IP:  x.x.x.251
[Fri May 26 12:12:19.445522 2017] [:warn] [pid 13129:tid 140075316733696] [client  x.x.x.251:41658] ModSecurity: going to loop through 2050 servers with 64 threads
[Fri May 26 12:12:19.446835 2017] [:warn] [pid 13129:tid 140075316733696] [client  x.x.x.251:41658] ModSecurity: threads in READ: 1 of 50, WRITE: 0 of 50, IP:  x.x.x.251
[Fri May 26 12:12:19.470089 2017] [:warn] [pid 13045:tid 140075333519104] [client  x.x.x.94:25246] ModSecurity: going to loop through 2050 servers with 64 threads
[Fri May 26 12:12:19.471780 2017] [:warn] [pid 13045:tid 140075333519104] [client  x.x.x.94:25246] ModSecurity: threads in READ: 1 of 50, WRITE: 0 of 50, IP:  x.x.x.94
[Fri May 26 12:12:19.483665 2017] [:warn] [pid 13129:tid 140075566040832] [client  x.x.x.251:41672] ModSecurity: going to loop through 2050 servers with 64 threads
[Fri May 26 12:12:19.485098 2017] [:warn] [pid 13129:tid 140075566040832] [client  x.x.x.251:41672] ModSecurity: threads in READ: 1 of 50, WRITE: 0 of 50, IP:  x.x.x.251
[Fri May 26 12:12:19.518477 2017] [:warn] [pid 13045:tid 140075540862720] [client  x.x.x.94:25258] ModSecurity: going to loop through 2050 servers with 64 threads
[Fri May 26 12:12:19.520244 2017] [:warn] [pid 13045:tid 140075540862720] [client  x.x.x.94:25258] ModSecurity: threads in READ: 1 of 50, WRITE: 0 of 50, IP:  x.x.x.94

Most helpful comment

Looking at the logs and as we had this for debug (APLOG_TRACE) prior to the patch I'm thinking this looks like normal behaviour so maybe we should change APLOG_WARNING to APLOG_DEBUG or siblings.

All 3 comments

Looking at the logs and as we had this for debug (APLOG_TRACE) prior to the patch I'm thinking this looks like normal behaviour so maybe we should change APLOG_WARNING to APLOG_DEBUG or siblings.

@victorhora sounds good to me :-)
Because we had 40gb logs after 3 days...

Fixed by @victorhora at #1436.

Was this page helpful?
0 / 5 - 0 ratings