  1. #1
    Member
    Join Date
    Aug 2003
    Posts
    34

    Default mod_dosevasive

    I've just installed mod_dosevasive ( http://www.nuclearelephant.com/projects/dosevasive/ ) on one server to hopefully reduce the "man time" we occasionally need to spend blocking DoS or DDoS attacks or brute force attacks against sites ('twas very easy to install in cPanel BTW: the readme file actually mentions cPanel!).

    However - the readme also warns:
    KNOWN BUGS

    - This module appears to conflict with the Microsoft Frontpage Extensions
    Has anybody tried mod_dosevasive on a server hosting existing and new FP-based sites ("existing" = the site using FP was already there before mod_dosevasive, "new" = site installed afterwards)?

  2. #2
    PbG
    Registered User PbG's Avatar
    Join Date
    Mar 2003
    Posts
    235

    Default

    I recently installed it on one of our customer's servers as well for the very same reasons. However he was/is not using FP. I would love to try it on one of our virtual boxes but in heeding the warning in the readme I have no idea exactly what the conflict with FP is, are and/or were . . . BTW I installed the newest version (8 I believe). Which did you install?

    Are you happy with its results?

  3. #3
    Member
    Join Date
    Aug 2003
    Posts
    34

    Default

    Installed 1.8 and it's waaay too early to say - I installed it on a relatively "low usage/know what's on it" box where I test things before rolling things out to servers hosting 100-600 customer sites running $DEITY knows what...

    [added]

    Well, I've just tried uploading to a site using Frontpage with a page using a counter and form and all seems to be well.
    Last edited by beebware; 05-12-2004 at 04:55 PM.

  4. #4
    PbG
    Registered User PbG's Avatar
    Join Date
    Mar 2003
    Posts
    235

    Default

    I specifically put it to the test on a server which was seeing multiple brute force/proxy attacks daily for ten (10) straight days. Once I got it and Apache tweaked just right it worked wonderfully.

    The biggest problem was that the client has a third party script called Investment Guard from realtimescripts.com installed on one of the sites to protect it from brute force, proxy and password traders. This script is not recommended. It uses 2% of the CPU each time someone tries to log in to the protected directory. Now multiply that 2% per process by several hundred attempts to log in from a dozen or so IPs per SECOND and you begin to understand the problem. It was driving me crazy . . . alarms, and pages going off all thru the day and night geez. I wanted to disable that script but the client does not. I suspect without that script running the server load will not spike at all. However since it is still being called whenever someone tries to access the protected directory I am stuck with it. In any event I tweaked us a compromise using this module and modified Apache settings.

    Now when the site or sites get attacked the server load spikes long enough to block the offending IPs, 15-20 mins, then it comes back down (<0.15) to earth. Plus the load doesn't shoot up over 100 anymore when the server is under attack and I no longer need to suspend the site during such attacks.

    Thus far I am pleased with it and I will be reading with interest your updates regarding its use in an FP environment . . .

    Thanks
    Last edited by PbG; 05-12-2004 at 05:37 PM.

  5. #5
    Member
    Join Date
    Aug 2003
    Posts
    34

    Default

    Done some testing - working on a FP enabled site directly does not pose any problems. However, doing a "Publish" via FP to a website does - I suspect this is because FP uploads all files via a URL like _vti_bin/author.exe (don't quote me on the exact URL) and hence making a number of requests to that URL to upload/check/process files will incur the wrath of mod_dosevasive (as multiple requests to the same URL from the same host in a short period of time will trigger the 'looks like DoS' system). I'll try looking into it a bit further to see if I can find a way around it...

    Yet another reason to hate Frontpage more than I already do

  6. #6
    Super Moderator This forum account has been confirmed by cPanel staff to represent a vendor. chirpy's Avatar
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    Default

    I guess that one way around that FP issue would be if you could exclude certain domains. I don't know whether the module does that? Might have a peek too.
    Jonathan Michaelson

    Need your cPanel servers secured and tuned?
    cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
    Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
    http://www.configserver.com
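
The behaviour discussed in posts #5 and #6, as an added example that is not part of the thread and is not mod_dosevasive's own code: a toy per-URL rate detector showing why a burst of requests to one URL (a FrontPage publish) gets blocked while ordinary browsing does not, and how a per-domain exclusion would avoid it. The thresholds, the `exempt_domains` option, the domain `fp.example`, the client IP and the traffic are constructed assumptions; the URL is the one guessed at in post #5.

```python
"""Toy per-URL rate detector (added example; not mod_dosevasive's code)."""


class PerUrlRateDetector:
    def __init__(self, page_count=5, page_interval=1.0, block_period=10.0,
                 exempt_domains=()):
        # All values are assumptions for the demo, not the module's defaults.
        self.page_count = page_count          # max hits on one URL per interval
        self.page_interval = page_interval    # seconds
        self.block_period = block_period      # seconds an offending IP stays blocked
        self.exempt_domains = set(exempt_domains)  # hypothetical exclusion list
        self.windows = {}                     # (ip, domain, url) -> (start, hits)
        self.blocked_until = {}               # ip -> timestamp

    def allow(self, ts, ip, domain, url):
        """Return True if the request is served, False if it is refused."""
        if domain in self.exempt_domains:
            return True
        if self.blocked_until.get(ip, 0.0) > ts:
            return False                      # block applies to the whole client IP
        key = (ip, domain, url)
        start, hits = self.windows.get(key, (ts, 0))
        if ts - start >= self.page_interval:  # interval expired: start a new one
            start, hits = ts, 0
        hits += 1
        self.windows[key] = (start, hits)
        if hits > self.page_count:
            self.blocked_until[ip] = ts + self.block_period
            return False
        return True


def denied_count(detector, requests):
    """Replay (ts, ip, domain, url) tuples and count refused requests."""
    return sum(not detector.allow(*req) for req in requests)


# Constructed traffic: 12 requests, 50 ms apart, from one client.
IP, DOMAIN = "203.0.113.7", "fp.example"
BROWSE = [(i * 0.05, IP, DOMAIN, f"/page{i}.html") for i in range(12)]
PUBLISH = [(i * 0.05, IP, DOMAIN, "/_vti_bin/author.exe") for i in range(12)]

if __name__ == "__main__":
    print("browsing refused:", denied_count(PerUrlRateDetector(), BROWSE))
    print("publish refused:", denied_count(PerUrlRateDetector(), PUBLISH))
    exempt = PerUrlRateDetector(exempt_domains={DOMAIN})
    print("publish refused with exclusion:", denied_count(exempt, PUBLISH))
```

In this model the block is keyed on the client IP, so once the publish trips the threshold the same user is refused on every other URL until the block period ends. Excluding a whole domain also removes the protection for that domain.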

  7. #7
    Member
    Join Date
    Sep 2003
    Posts
    658

    Default

    However since it is still being called whenever someone tries to access the protected directory I am stuck with it. In any event I tweaked us a compromise using this module and modified apache settings.
    What did you do in Apache? I have a server where, when someone tries to access a password directory, it just hangs and httpd is using all the CPU. I cannot find the script Investment Guard located on the server. Apache is fine without the protection.

    Thanks

  8. #8
    PbG
    Registered User PbG's Avatar
    Join Date
    Mar 2003
    Posts
    235

    Default

    EH did you suspect or have reason to suspect that Investment Guard was/is running on the server? Ours did not hang so I'm not sure the problem was the same. In any event after I thought about it a little more I entered a redirect in the client's root .htaccess sending anyone requesting the login for that script directly to the protected directory and then I edited the .htaccess file in the protected directory so it would no longer call that script.

    Again we did not see an instance of hanging when someone tried to access the protected directory. Unless you consider that a load over 100 hanging lol. You should search for any files beginning with nph, e.g. nph-login, nph-handler, if you suspect Investment Guard is on the server. If it is I recommend disabling it.

  9. #9
    Member
    Join Date
    Sep 2003
    Posts
    658

    Default

    Thanks PbG,

    I found the problem, client had a java menu that was spawning high cpu for some reason. Once we removed it, the site loaded fine.

    Thanks
