Is mod_evasive still reliable to prevent DDOS?

isputra

I asked this question because of some reasons that I read in several articles I found when searching on Google:

1. This is an old module and is not maintained anymore
2. This module will block search engines' spiders and will lower pagerank
3. This module's blocking system can't be used to collaborate with CSF
4. By default “/tmp” will be used for locking mechanism, which opens some security issues if your system is open to shell users
5. DOSEmailNotify will not work if "Prevent the user "nobody" from sending out mail to remote addresses" is turned on

So what do you think about that?
 

Spiral

> I asked this question because of some reasons that I read in several articles I found when searching on Google:
>
> 1. This is an old module and is not maintained anymore

True, they have not updated mod_evassive in a long while but it
presently does all it really needs to do and with the source available,
it is very easy to modify if you want to create custom features.

> 2. This module will block search engines' spiders and will lower pagerank

No, it won't have any effect on search engine spiders that follow
proper protocol and if you have mod_evassive configured correctly.

> 3. This module's blocking system can't be used to collaborate with CSF

Where in the world did you get that idea from? It has a trigger hook
built in that can be used to call any system command including block
commands to CSF --- in fact, that's how we got ours set up!

> 4. By default “/tmp” will be used for locking mechanism, which opens some security issues if your system is open to shell users

If you allow shell for users, you got other problems to worry about! ;)

However, you can configure mod_evassive to store its trigger and
temporary watch files anywhere you like. It need not be /tmp if you
don't want it to be. Give it its own folder tree elsewhere!

> 5. DOSEmailNotify will not work if "Prevent the user "nobody" from sending out mail to remote addresses" is turned on

Wrong ... go into Exim config and enable "-f" flag (see config options)

Our servers have SMTP block from CSF enabled, SuExec, and SuPHP and
have restricted all mail to mail server processes only and blocked user
"nobody" from sending mail in cPanel settings and we have no problems
whatsoever receiving notify messages from mod_evassive.

Sounds like whoever told you all those things about mod_evassive above didn't have a single clue about using mod_evassive properly! ;)
 

isputra

Spiral, thank you for your explanation.

> Where in the world did you get that idea from? It has a trigger hook
> built in that can be used to call any system command including block
> commands to CSF --- in fact, that's how we got ours set up!

How can I do that? Is it just using DOSSystemCommand "csf -d %s"?

> Wrong ... go into Exim config and enable "-f" flag (see config options)
>
> Our servers have SMTP block from CSF enabled, SuExec, and SuPHP and
> have restricted all mail to mail server processes only and blocked user
> "nobody" from sending mail in cPanel settings and we have no problems
> whatsoever receiving notify messages from mod_evassive.

Yes, I have done that, but the email is still rejected because it is from nobody:

-------------------------------
This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

[email protected]
Mail sent by user nobody being discarded due to sender restrictions in WHM->Tweak Settings

------ This is a copy of the message, including all the headers. ------

Return-path: <[email protected]>
Received: from nobody by demo.com with local (Exim 4.69)
(envelope-from <[email protected]>)
id 1MjHBa-0000Dr-SS
for [email protected]; Fri, 04 Sep 2009 01:37:30 +0700
To: [email protected]
Message-Id: <[email protected]>
From: Nobody <[email protected]>
Date: Fri, 04 Sep 2009 01:37:30 +0700

To: [email protected]
Subject: HTTP BLACKLIST 66.90.104.20

mod_evasive HTTP Blacklisted 66.90.104.20
---------------------------------

> Sounds like whoever told you all those things about mod_evassive above didn't have a single clue about using mod_evassive properly!

That's why I asked here, to get the right explanation :)
 

brianoz

As far as I recall, mod_evasive (only the one 's' I think, unless we're talking about something different?) has never been particularly useful and has become less so as time has moved on.

Also as far as I recall, it doesn't block DDOS as the attacks come from multiple IPs.

Having said that, it could still be of some use. I'd prefer CSF over it, and be careful to tune the mod_evasive settings if you are getting it to ask CSF to block IPs permanently or you could be opening yourself up for a world of pain from users.
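
An added example, not code from any poster in this thread: a hypothetical wrapper that mod_evasive's DOSSystemCommand could call so that the offending address reaches CSF as a temporary deny (`csf -td`) instead of a permanent `csf -d`, with the argument validated first. The script path, the sudo rule, the DOSLogDir path, the TTL and the allowlist addresses are assumptions.

```shell
#!/bin/sh
# Hypothetical wrapper for mod_evasive's DOSSystemCommand (added example).
# Assumed Apache side; the script path and sudo rule are not from the thread:
#   DOSLogDir        "/var/lock/mod_evasive"   # dedicated dir instead of /tmp
#   DOSSystemCommand "sudo /usr/local/sbin/evasive-csf.sh %s"

CSF_BIN="${CSF_BIN:-/usr/sbin/csf}"   # overridable so the logic can be dry-run
BLOCK_TTL="${BLOCK_TTL:-3600}"        # seconds: a temporary block, not permanent
# Constructed allowlist of addresses that must never be handed to CSF.
ALLOWLIST="${ALLOWLIST:-127.0.0.1 192.0.2.10}"

# Succeed only for a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                          # split the address into its octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Handle the address mod_evasive substitutes for %s.
# Return codes: csf's own status on a block, 2 = rejected input, 3 = allowlisted.
evasive_block() {
    ip=$1
    if ! valid_ipv4 "$ip"; then
        echo "evasive-csf: refusing argument that is not an IPv4 address" >&2
        return 2
    fi
    for entry in $ALLOWLIST; do
        if [ "$entry" = "$ip" ]; then return 3; fi
    done
    # -td adds a temporary deny that CSF lifts itself after BLOCK_TTL seconds.
    "$CSF_BIN" -td "$ip" "$BLOCK_TTL" "mod_evasive trigger"
}

# When run as a script with an argument, act on it.
if [ $# -gt 0 ]; then evasive_block "$1"; fi
```

Setting `CSF_BIN` to a harmless command lets the wrapper be exercised on a test box before it is allowed to touch the firewall.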
 

Spiral

Sorry for the late posting, been very busy this week and have not been on here much.

Anyway, if you need assistance installing and/or properly configuring mod_evasive, I'd be glad to give you a hand with that.

I do try to keep an eye on my private messages here and always have
my MSN on using the support address for the company in my signature.