Here is the steps:- 1. Check connections to httpd:- # lsof -i -P -n | grep -i httpNote : x.x.x.x / a.a.a.a means IP addresshttpd 3718 nobody 911u IPv4 272133 0t0 TCP a.a.a.a:443->x.x.x.x:58929 (ESTABLISHED)httpd 3719 nobody 911u IPv4 37472 0t0 TCP a.a.a.a:443->x.x.x.x:58768 (ESTABLISHED)httpd 3720 nobody 911u IPv4 36255 0t0 TCP a.a.a.a:443->x.x.x.x:58735 (ESTABLISHED)httpd 3721 nobody 911u IPv4 36472 0t0 TCP a.a.a.a:443->x.x.x.x:58739 (ESTABLISHED)httpd 3726 nobody 911u IPv4 36317 0t0 TCP a.a.a.a:443->x.x.x.x:58738 (ESTABLISHED)httpd 3784 nobody 911u IPv4 36275 0t0 TCP a.a.a.a:443->x.x.x.x:58737 (ESTABLISHED)httpd 3786 nobody 911u IPv4 36274 0t0 TCP a.a.a.a:443->x.x.x.x:58736 (ESTABLISHED)httpd 3900 nobody 911u IPv4 36814 0t0 TCP a.a.a.a:443->x.x.x.x:58741 (ESTABLISHED)httpd 3901 nobody 911u IPv4 36815 0t0 TCP a.a.a.a:443->x.x.x.x:58742 (ESTABLISHED)httpd 3902 nobody 911u IPv4 36816 0t0 TCP a.a.a.a:443->x.x.x.x:58743 (ESTABLISHED)httpd 3903 nobody 911u IPv4 36813 0t0 TCP a.a.a.a:443->x.x.x.x:58740 (ESTABLISHED)httpd 4044 nobody 911u IPv4 37414 0t0 TCP a.a.a.a:443->x.x.x.x:58751 (ESTABLISHED)httpd 4045 nobody 911u IPv4 37407 0t0 TCP a.a.a.a:443->x.x.x.x:58744 (ESTABLISHED)httpd 4046 nobody 911u IPv4 37412 0t0 TCP a.a.a.a:443->x.x.x.x:58749 (ESTABLISHED)httpd 4047 nobody 911u IPv4 37410 0t0 TCP a.a.a.a:443->x.x.x.x:58747 (ESTABLISHED)httpd 4048 nobody 911u IPv4 37413 0t0 TCP a.a.a.a:443->x.x.x.x:58750 (ESTABLISHED)httpd 4049 nobody 911u IPv4 37411 0t0 TCP a.a.a.a:443->x.x.x.x:58748 (ESTABLISHED)httpd 4050 nobody 911u IPv4 37409 0t0 TCP a.a.a.a:443->x.x.x.x:58746 (ESTABLISHED) … If we count the number of sessions on that IP:- # lsof -i -P -n | grep -i x.x.x.x | wc -l 149149 ~ 150 which is the default MaxClients setting for apache (maximum simultaneous httpd sessions). So we blocked the IP in csf/lfd - service recovered.Thanks.
