Apache

How to Enabled mod_rewrite Debug Log in cPanel

If you are using mod_rewrite & find out some problem, you may need to do some debugging with the log write somewhere. For CentOS system with cPanel together with Apache or LiteSpeed, you may enabled mod_rewrite Debug Log as below.

  • Edit Apache configuration located in “/etc/httpd/conf/httpd.conf
  • Find the corresponding VirtualHost for your domain which you want to debug.
  • Add “RewriteLogLevel 9” underneath “UseCanonicalName” as below and save.
<VirtualHost 100.100.100.100:80>
  ...
  ...
  UseCanonicalName Off
  RewriteLogLevel 9
  ...
  ...
</VirtualHost>
  • Restart Apache or LiteSpeed
  • The Debug Log will be written in “/usr/local/apache/logs/error_log” file.

How to find IP Address that Launch DDOS Attack

If your VPS or server load suddenly increases much higher than normal, it could be a DDOS attack.

To find out which IPs did that do the following,

Option 1 :- If you know which domain is attacked. SSH to your server & issue the following command. Make sure you replace “DOMAIN” with your domain name. If you are using cPanel/WHM and the domain is not the primary domain, normally it will be the sub domain of the primary domain.

less /usr/local/apache/domlogs/DOMAIN | awk '{print $1}' | sort | uniq -c | sort -n

Option 2 :- If you don’t know which domain is attacked. SSH to your server & issue the following command. Option 1 if preferable especially if your server is very busy has many domain. It will take quite sometimes to process the log file. You can check by issuing “top -c” command to find out which domain consume the most resources.

less /usr/local/apache/logs/access_log | awk '{print $1}' | sort | uniq -c | sort -n

Both of the option will give the ip and number of connections in the descending order. For example:

.....
.....
.....
.....
17843 56.51.155.156
19234 66.156.66.266
234578 156.56.16.76

In the above case we can see too many connections from those ips and it is abnormal. You can block these ips in the firewall such as ConfigServer Firewall (“csf”).