Quote:
Originally Posted by fabi_aldana
Code:
Mar 14 14:32:50 vmhttpd1 collectd[3309]: apache: curl_easy_perform failed: couldn't connect to host
Mar 14 14:32:50 vmhttpd1 collectd[3309]: read-function of plugin `apache' failed. Will suspend it for 10 seconds.
Mar 14 15:14:21 vmhttpd1 collectd[3309]: connect failed: Connection refused
Note the process in question is collectd, the statistics package daemon. Apparently it wasn't able to connect to your web server. From these lines, however, it is not clear whether it is a remote web server or a local one, or what the cause of the failure was.
Quote:
Originally Posted by fabi_aldana
Inside this file I get the following
Code:
Mar 14 16:24:55 vmhttpd1 kernel: possible SYN flooding on port 80. Sending cookies.
See 4.17.2 Configuring syncookies (and reference) for a basic understanding of SYN cookies. Basically, when it is enabled, protection will kick in when the table with half-open SYN connections fills up.
Quote:
Originally Posted by fabi_aldana
want to know if it was an attack, what type and from where.
It may have been an attack, but your log excerpts only indicate a large number of HTTP requests. Where the requests originate from, or whether they are not valid for your hosted content, does not show from your logs: see your web server's access_log and error_log. Whether these requests are spoofed or invalid at the TCP/IP level cannot be gathered from your logs: they would only show in syslog if you have the appropriate ruleset (dropping bogons and invalid packets) and related logging rules enabled.
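
An added example, not part of the original reply: one way to follow the access_log advice above is to tally requests per client for the minute in which the kernel logged the SYN flooding message. It assumes Apache's combined log format; the function names, the sample lines, their addresses and the year are constructed for illustration.

```shell
#!/bin/sh
# Tally requests per client address in an Apache access_log for one minute,
# e.g. the minute of "possible SYN flooding on port 80" in syslog.

# Constructed sample in combined log format. Addresses come from the
# documentation ranges (RFC 5737); the year is made up.
sample_log() {
cat <<'EOF'
192.0.2.10 - - [14/Mar/2013:16:23:58 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Mar/2013:16:24:01 +0000] "GET /a HTTP/1.1" 404 210 "-" "-"
198.51.100.7 - - [14/Mar/2013:16:24:02 +0000] "GET /b HTTP/1.1" 404 210 "-" "-"
198.51.100.7 - - [14/Mar/2013:16:24:02 +0000] "GET /c HTTP/1.1" 404 210 "-" "-"
203.0.113.5 - - [14/Mar/2013:16:24:30 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Mar/2013:16:24:55 +0000] "GET / HTTP/1.1" 200 5120 "-" "-"
192.0.2.10 - - [14/Mar/2013:16:25:03 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
EOF
}

# requests_per_client MINUTE < access_log
#   MINUTE is a timestamp prefix exactly as the log writes it,
#   e.g. 14/Mar/2013:16:24
# Prints one line per client: "<requests> <4xx responses> <address>",
# busiest client first. Field 4 is "[timestamp" and field 9 is the status
# code, which holds for well-formed request lines only.
requests_per_client() {
    awk -v m="[$1" '
        index($4, m) == 1 {
            total[$1]++
            if ($9 ~ /^4/) bad[$1]++
        }
        END {
            for (ip in total) print total[ip], bad[ip] + 0, ip
        }' | sort -k1,1nr -k3,3
}

# Run against the constructed sample; on a real host, redirect the web
# server's access_log into the function instead.
sample_log | requests_per_client '14/Mar/2013:16:24'
```

A SYN flood whose handshakes never complete leaves no entries in access_log, so an ordinary tally for that minute does not rule one out.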