Search the Community

We recently moved our site to a new hosting company. Since moving, our traffic stats are about 10% of what they were previously. I've been trying to figure this out for while, but I'm at a loss. I'm hoping some Apache guru can spot the issue. I ran this command to see who was accessing the server. # netstat -tn 2>/dev/null | grep :443 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head 22 138.201.194.181 18 156.26.45.19 8 104.28.85.11 4 85.237.194.119 3 167.94.195.128 2 98.156.0.18 2 46.161.11.28 2 193.218.190.123 2 173.242.192.184 2 157.55.39.49 Then I greped the logs for the IPs. grep "138.201.194.101" /var/log/httpd/stovebolt/* # grep "156.26.45.19" /var/log/httpd/stovebolt/* | wc -l 235 grep -l "156.26.45.19" /var/log/httpd/stovebolt/* /var/log/httpd/stovebolt/ssl_request_log So, one IP isn't in any logs, even though it has the most connections. The next IP is in the logs, but only in the ssl_request.log, not the access.log. That makes no sense to me at all. I've engaged the support staff at the hosting company but so far they've come up with nothing. My IP doesn't show up in the logs, and I'm on the site every day doing moderation work, accepting new registrations on the forum, approving posts of new members, etc. grep -l "70.121.63.82" /var/log/httpd/stovebolt/* /var/log/httpd/stovebolt/access.log-20220619 /var/log/httpd/stovebolt/error.log-20220619 /var/log/httpd/stovebolt/ssl_access_log /var/log/httpd/stovebolt/ssl_request_log /var/log/httpd/stovebolt/ssl_request.log-20220619 grep "70.121.63.82" /var/log/httpd/stovebolt/ssl_access_log 70.121.63.82 - - [05/Jul/2022:15:19:07 -0400] "-" 408 - 70.121.63.82 - - [05/Jul/2022:15:19:08 -0400] "-" 408 - 70.121.63.82 - - [05/Jul/2022:15:20:20 -0400] "-" 408 - 70.121.63.82 - - [05/Jul/2022:15:20:20 -0400] "-" 408 - This is my log info. The server is on EDT, which is where the owners are located. (The server itself is located in CDT.) date Tue Jul 5 15:39:11 EDT 2022 ls /var/log/httpd/stovebolt/ access.log access.log-20220626 error.log error.log-20220626 ssl_access_log ssl_request.log ssl_request.log-20220626 access.log-20220619 access.log-20220703 error.log-20220619 error.log-20220703 ssl_request_log ssl_request.log-20220619 ssl_request.log-20220703 # grep -A1 ".log" /etc/httpd/conf.d/stovebolt.conf TransferLog /var/log/httpd/stovebolt/access.log ErrorLog /var/log/httpd/stovebolt/error.log # LogLevel alert rewrite:trace3 -- CustomLog "/var/log/httpd/stovebolt/ssl_request.log" \ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

Hi, Apologies if this isn't the right forum for this question. I couldn't find the perfect forum for my question, but I'm hoping someone can help. Basically, I've been having problems with a site I manage, with the site going down regularly, 401 Forbidden error pages cropping up reguarly, as well as Server Configuration Error pages, although only ever sporadically. I've been trying everything to work out the issue but no luck as of yet. However, one thing that seems strange is the following messages that I'm getting in the access logs. Now, this shouldn't be a problem as Facebook often creates messages like these when it's accessing files from a server. However, there are thousands of messages like this that reference files that don't exist. Honestly, it's constantly trying to access .jpg files that don't exist, and so I suspect this is what's causing the server to keep crashing. Has anyone had anything similar to this before? comono.co.uk 173.252.88.88 - - [20/Nov/2015:13:13:46 +0000] "GET /uploads/2009/9/28/873128bf77.jpg HTTP/1.1" 403 379 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)" Thanks, Russ