[Owasp-board] FYI-Status Only --- Update on wiki server issues

Paul Ritchie paul.ritchie at owasp.org
Tue Mar 8 23:08:38 UTC 2016

To OWASP Board:    Here is a quick update from Matt T on some research & work
he had to do the past couple days on the WIKI due to HIGH Loads.

FYI Only - This is the kind of work Matt "should" be doing.  We spent time
this weekend at the Staff Summit identifying some areas that can be
off-loaded to other IT resources so Matt can focus on these mission critical

Best Regards, Paul Ritchie
OWASP Executive Director
paul.ritchie at owasp.org

---------- Forwarded message ----------
From: Matt Tesauro <matt.tesauro at owasp.org>
Date: Tue, Mar 8, 2016 at 4:42 PM
Subject: Update on wiki server issues
To: Paul Ritchie <paul.ritchie at owasp.org>, Kate Hartmann <
kate.hartmann at owasp.org>, Noreen Whysel <noreen.whysel at owasp.org>, Laura
Grau <laura.grau at owasp.org>, Claudia Casanovas <
claudia.aviles-casanovas at owasp.org>, Kelly Santalucia <
kelly.santalucia at owasp.org>

Paul and company,

There continue to be brief periods of high CPU & load on the OWASP wiki
server. I've been digging through the 8.4+ million lines of the March log
files for the last 2 hours and have discovered 3 contributing factors:

(1) Internet putzes running SSL configuration scanners against us.
       These are hard to deal with as they don't appear in the log files
depending on which scanner someone chooses to use.
    *What to do*:  Nothing for the time being - this is already dying down
(those I can see) and I expect it to continue to lessen as we get farther
from the latest SSL vulnerability we get.

(2) Internet putzes running web crawlers on the wiki
       Web crawlers start on the main page of a web site and follow every
link they find.  Beyond just being annoying, these crawlers will 'view'
every change on every page for the wiki.  Each crawler can generate several
thousand requests to the server.  One crawler from Taiwan requested 7,000
pages in under 10 minutes.
    What to do:  I will either write a fail2ban rule or add an Apache
module that will restrict or ban for ~10 minutes any person that makes too
many requests per minute.  The threshold will be set far faster than any
normal user would click on links.

(3) The wiki is talking to itself - a lot
          I also noticed a large number of requests in a short period where
the wiki is making requests to itself.  These are requests that come from
the wiki server to the wiki server.  Logging in MediaWiki isn't very good
so I cannot tell exactly why these requests are being made.  It appears
that there is 1 or more MediaWiki extension that is having problems and
probably needs an update.
     What to do:  Unfortunately, there's no automated process to keep
MediaWiki extensions updated so I'll need to manually verify the version of
each of our extensions to see which has updates.

I've also adjusted some settings on Apache and our DB which should give us
some breathing room while I continue to work on this issue.


-- Matt Tesauro
OWASP AppSec Pipeline Lead
OWASP WTE Project Lead
http://AppSecLive.org <http://appseclive.org/> - Community and Download site
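
The per-client throttle described in item (2) and the self-request pattern in item (3), sketched as offline log analysis. This is an added example, not part of the original email or of OWASP's server configuration; the 120-requests-per-minute threshold, the Apache common log format, and every IP address and log line in the sample are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache common/combined log prefix: client IP, then [timestamp]
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def analyze(lines, max_per_window=120, window_s=60, ban_s=600, server_ips=()):
    """Return (bans, self_requests). bans holds (ip, start, end) for clients
    exceeding max_per_window (assumed value) requests in a sliding window;
    ban_s defaults to the ~10 minutes mentioned in the email."""
    recent = defaultdict(deque)      # ip -> timestamps still inside the window
    banned_until = {}                # ip -> end of that client's current ban
    bans, self_requests = [], 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                 # skip malformed lines instead of crashing
        ip, ts = m.group(1), datetime.strptime(m.group(2), TS_FMT)
        if ip in server_ips:
            self_requests += 1       # wiki-to-wiki traffic: count it, never ban it
            continue
        if ip in banned_until and ts < banned_until[ip]:
            continue                 # request would already have been blocked
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() >= window_s:
            q.popleft()              # drop requests older than the window
        if len(q) > max_per_window:
            banned_until[ip] = ts + timedelta(seconds=ban_s)
            bans.append((ip, ts, banned_until[ip]))
            q.clear()
    return bans, self_requests

def sample_log():
    """Constructed sample: a crawler burst, a normal reader, and self-requests."""
    base = datetime(2016, 3, 8, 16, 0, 0, tzinfo=timezone.utc)
    def row(ip, sec, path):
        t = (base + timedelta(seconds=sec)).strftime(TS_FMT)
        return f'{ip} - - [{t}] "GET {path} HTTP/1.1" 200 512'
    rows = [row("203.0.113.9", i // 10, f"/index.php?diff={i}") for i in range(300)]  # 10 req/s
    rows += [row("198.51.100.7", i * 20, "/index.php/Main_Page") for i in range(10)]  # human pace
    rows += [row("192.0.2.10", i, "/api.php") for i in range(40)]  # server's own IP (made up)
    return rows
```

Calling `analyze(sample_log(), server_ips={"192.0.2.10"})` bans only the crawler address and reports the self-request count separately, so the server's own traffic can be investigated without being throttled.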