Is the agent calling the stop port? https://docs.basex.org/wiki/Options#STOPPORT
On Mon, 3 Apr 2023 at 17:38, ykhabins@bellsouth.net wrote:
"You mentioned that the Jetty server “goes down”. What does that mean? Does it simply block any further requests? Do you have a 100% CPU workload?"
It doesn't accept any further requests. Just launching the basexhttp.bat revives it.
"Does Jetty stall if you disable all REST, RESTXQ, and/or WebDAV?"
We never tried to disable anything. The Qualys Agent runs once every two weeks on a schedule. So, it is not easy to run on demand for testing.
"Which BaseX services are enabled in your web.xml?"
We never modified anything in the web.xml. Please see it below.
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://www.oracle.com/webfolder/technetwork/jsc/xml/ns/javaee/web-app_4_0.xs..."
         version="4.0">

  <display-name>BaseX: The XML Database and XQuery Processor</display-name>
  <description>HTTP Services</description>

  <!-- A BaseX option can be overwritten by prefixing the key with "org.basex."
       and specifying it in <context-param/> elements, as shown below.
       Check out https://docs.basex.org/wiki/Options for a list of all options.
  <context-param>
    <param-name>org.basex.restxqpath</param-name>
    <param-value>.</param-value>
  </context-param>
  <context-param>
    <param-name>org.basex.dbpath</param-name>
    <param-value>WEB-INF/data</param-value>
  </context-param>
  <context-param>
    <param-name>org.basex.repopath</param-name>
    <param-value>WEB-INF/repo</param-value>
  </context-param>
  <context-param>
    <param-name>org.basex.user</param-name>
    <param-value>admin</param-value>
  </context-param>
  <context-param>
    <param-name>org.basex.authmethod</param-name>
    <param-value>Digest</param-value>
  </context-param>
  <context-param>
    <param-name>org.basex.httplocal</param-name>
    <param-value>true</param-value>
  </context-param>
  <context-param>
    <param-name>org.basex.timeout</param-name>
    <param-value>5</param-value>
  </context-param>
  <context-param>
    <param-name>org.basex.log</param-name>
    <param-value>false</param-value>
  </context-param>
  -->

  <!-- Global session and servlet listener -->
  <listener>
    <listener-class>org.basex.http.SessionListener</listener-class>
  </listener>
  <listener>
    <listener-class>org.basex.http.ServletListener</listener-class>
  </listener>

  <!-- CORS in Jetty: Access-Control-Allow-Origin: *
  <filter>
    <filter-name>cross-origin</filter-name>
    <filter-class>org.eclipse.jetty.servlets.CrossOriginFilter</filter-class>
    <init-param>
      <param-name>allowedOrigins</param-name>
      <param-value>*</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>cross-origin</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  -->

  <!-- RESTXQ Service (can be disabled by removing this entry) -->
  <servlet>
    <servlet-name>RESTXQ</servlet-name>
    <servlet-class>org.basex.http.restxq.RestXqServlet</servlet-class>
    <init-param>
      <param-name>org.basex.user</param-name>
      <param-value>admin</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>RESTXQ</servlet-name>
    <url-pattern>/*</url-pattern>
  </servlet-mapping>

  <!-- WebSocket Service (can be disabled by removing this entry) -->
  <servlet>
    <servlet-name>WebSocket</servlet-name>
    <servlet-class>org.basex.http.ws.WsServlet</servlet-class>
    <!-- Limits of the WebSocket connection
    <init-param>
      <param-name>maxIdleTime</param-name>
      <param-value>100000</param-value>
    </init-param>
    <init-param>
      <param-name>maxTextMessageSize</param-name>
      <param-value>3000</param-value>
    </init-param>
    <init-param>
      <param-name>maxBinaryMessageSize</param-name>
      <param-value>3000</param-value>
    </init-param>
    -->
  </servlet>
  <servlet-mapping>
    <servlet-name>WebSocket</servlet-name>
    <url-pattern>/ws/*</url-pattern>
  </servlet-mapping>

  <!-- REST Service (can be disabled by removing this entry) -->
  <servlet>
    <servlet-name>REST</servlet-name>
    <servlet-class>org.basex.http.rest.RESTServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>REST</servlet-name>
    <url-pattern>/rest/*</url-pattern>
  </servlet-mapping>

  <!-- WebDAV Service (can be disabled by removing this entry) -->
  <servlet>
    <servlet-name>WebDAV</servlet-name>
    <servlet-class>org.basex.http.webdav.WebDAVServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>WebDAV</servlet-name>
    <url-pattern>/webdav/*</url-pattern>
  </servlet-mapping>

  <!-- Mapping for static resources (may be restricted to a sub path) -->
  <servlet>
    <servlet-name>default</servlet-name>
    <init-param>
      <param-name>useFileMappedBuffer</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
  <servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>/static/*</url-pattern>
  </servlet-mapping>

</web-app>
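To answer "which BaseX services are enabled in your web.xml" mechanically, and to try the "disable REST, RESTXQ and/or WebDAV" experiment without hand-editing the file, here is an added Python example. It is not BaseX code and not part of this thread; it parses a web.xml with the JavaEE namespace used above, lists every servlet with its URL patterns, flags catch-all (`/*`) mappings, and writes back a copy with the chosen `<servlet>`/`<servlet-mapping>` pairs removed. The embedded `SAMPLE_WEB_XML` is a constructed sample modelled on the file quoted above (listeners and the truncated schemaLocation left out); in practice you would read `WEB-INF/web.xml` from the BaseX webapp directory.

```python
"""Inspect a BaseX web.xml and optionally strip HTTP services from it.

Added example, not BaseX's own code. SAMPLE_WEB_XML is a constructed,
shortened copy of the web.xml quoted in the mailing-list thread.
"""
import xml.etree.ElementTree as ET

JEE_NS = "http://xmlns.jcp.org/xml/ns/javaee"
NS = {"j": JEE_NS}

SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <display-name>BaseX: The XML Database and XQuery Processor</display-name>
  <servlet>
    <servlet-name>RESTXQ</servlet-name>
    <servlet-class>org.basex.http.restxq.RestXqServlet</servlet-class>
    <init-param><param-name>org.basex.user</param-name><param-value>admin</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping><servlet-name>RESTXQ</servlet-name><url-pattern>/*</url-pattern></servlet-mapping>
  <servlet><servlet-name>WebSocket</servlet-name><servlet-class>org.basex.http.ws.WsServlet</servlet-class></servlet>
  <servlet-mapping><servlet-name>WebSocket</servlet-name><url-pattern>/ws/*</url-pattern></servlet-mapping>
  <servlet><servlet-name>REST</servlet-name><servlet-class>org.basex.http.rest.RESTServlet</servlet-class></servlet>
  <servlet-mapping><servlet-name>REST</servlet-name><url-pattern>/rest/*</url-pattern></servlet-mapping>
  <servlet><servlet-name>WebDAV</servlet-name><servlet-class>org.basex.http.webdav.WebDAVServlet</servlet-class></servlet>
  <servlet-mapping><servlet-name>WebDAV</servlet-name><url-pattern>/webdav/*</url-pattern></servlet-mapping>
  <servlet><servlet-name>default</servlet-name></servlet>
  <servlet-mapping><servlet-name>default</servlet-name><url-pattern>/static/*</url-pattern></servlet-mapping>
</web-app>
"""


def enabled_services(web_xml: str) -> dict:
    """Map servlet-name -> {"class", "patterns", "user"} for every <servlet>.

    Commented-out entries are invisible to the XML parser, so only services
    that Jetty will actually deploy are reported.
    """
    root = ET.fromstring(web_xml)
    services = {}
    for servlet in root.findall("j:servlet", NS):
        name = servlet.findtext("j:servlet-name", namespaces=NS)
        cls = servlet.findtext("j:servlet-class", default="(container default)", namespaces=NS)
        user = None  # the "org.basex.user" init-param gives the DB user requests run as
        for ip in servlet.findall("j:init-param", NS):
            if ip.findtext("j:param-name", namespaces=NS) == "org.basex.user":
                user = ip.findtext("j:param-value", namespaces=NS)
        services[name] = {"class": cls, "patterns": [], "user": user}
    for mapping in root.findall("j:servlet-mapping", NS):
        name = mapping.findtext("j:servlet-name", namespaces=NS)
        if name in services:
            services[name]["patterns"].append(mapping.findtext("j:url-pattern", namespaces=NS))
    return services


def catch_all_services(services: dict) -> list:
    """Names of servlets mapped to "/*": every URL a scanner probes reaches them."""
    return sorted(n for n, i in services.items() if "/*" in i["patterns"])


def disable_services(web_xml: str, names) -> str:
    """Return web.xml with the <servlet> and <servlet-mapping> entries for `names` removed."""
    ET.register_namespace("", JEE_NS)  # keep the default namespace on output
    root = ET.fromstring(web_xml)
    names = set(names)
    for tag in ("servlet", "servlet-mapping"):
        for el in list(root.findall(f"j:{tag}", NS)):
            if el.findtext("j:servlet-name", namespaces=NS) in names:
                root.remove(el)
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    svc = enabled_services(SAMPLE_WEB_XML)
    for name, info in svc.items():
        print(f"{name:10s} {info['class']:45s} {', '.join(info['patterns'])}  user={info['user']}")
    print("catch-all mappings:", catch_all_services(svc))
    # Experiment Christian proposes: keep only RESTXQ and static files.
    print(disable_services(SAMPLE_WEB_XML, ["REST", "WebDAV", "WebSocket"]))
```

Run it against the real file with `enabled_services(open("WEB-INF/web.xml").read())`. Note what the report makes visible in the thread's own web.xml: RESTXQ is mapped to `/*`, so every arbitrary path a scanner requests is handled by the RESTXQ servlet rather than rejected at the mapping layer, which is why disabling services one at a time is a useful way to localise the stall.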
-----Original Message-----
From: Christian Grün christian.gruen@gmail.com
Sent: Monday, April 3, 2023 11:27 AM
To: ykhabins@bellsouth.net
Cc: BaseX basex-talk@mailman.uni-konstanz.de
Subject: Re: [basex-talk] BaseX HTTP service goes down due to Qualys Agent
The logs look inconspicuous indeed. Some more questions:
• You mentioned that the Jetty server “goes down”. What does that mean? Does it simply block any further requests? Do you have a 100% CPU workload?
• Which BaseX services are enabled in your web.xml? Does Jetty stall if you disable all REST, RESTXQ, and/or WebDAV?
Best, Christian
On Mon, Apr 3, 2023 at 4:44 PM ykhabins@bellsouth.net wrote:
Hi Christian,
IMO, it is just the number of requests. I attached the .log file.
-----Original Message-----
From: Christian Grün christian.gruen@gmail.com
Sent: Monday, April 3, 2023 10:32 AM
To: ykhabins@bellsouth.net
Cc: BaseX basex-talk@mailman.uni-konstanz.de
Subject: Re: [basex-talk] BaseX HTTP service goes down due to Qualys Agent
Hi Yitzhak,
have you checked the resulting log files in the data/.logs directory? Are there specific requests that take too much time, or is it the plain number of incoming requests that eventually slows down the system?
Best, Christian
On Mon, Apr 3, 2023 at 4:29 PM ykhabins@bellsouth.net wrote:
Hello,
We are using BaseX 10.5 via its HTTP service in a corporate environment.
We have an automated Qualys Agent that does a vulnerability scan of that server with BaseX.
The Qualys Agent scan process includes website-related tests such as Cross-Site Scripting, SQL Injection, etc.
The rapid nature of the Qualys Agent requests effectively gives us a DoS attack on the eclipse.jetty.server. It cannot process so many requests and goes down.
In the meantime, our solution is to restart the BaseX HTTP service manually via basexhttp.bat.
Question: is it possible to somehow configure the eclipse.jetty.server so it will be able to sustain the Qualys Agent vulnerability scan?
Regards, Yitzhak Khabinsky