The Community Forums


Mod Evasive

Discussion in 'General Discussion' started by mickalo, Oct 16, 2006.

  1. mickalo

    mickalo Well-Known Member

    Joined:
    Apr 16, 2002
    Messages:
    765
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    N.W. Iowa
    Hello,

    We recently installed mod_evasive and noticed the following in the /tmp folder now:
    Code:
    -rw-r--r--    1 nobody   nobody          5 Oct 13 13:45 dos-70.38.132.155
    -rw-r--r--    1 nobody   nobody          6 Oct 12 13:23 dos-70.95.139.182
    -rw-r--r--    1 nobody   nobody          5 Oct 15 14:25 dos-71.123.161.197
    -rw-r--r--    1 nobody   nobody          5 Oct 14 18:20 dos-71.135.44.62
    -rw-r--r--    1 nobody   nobody          5 Oct 14 18:59 dos-71.139.185.172
    -rw-r--r--    1 nobody   nobody          5 Oct 15 11:16 dos-71.206.175.220
    -rw-r--r--    1 nobody   nobody          5 Oct 11 22:56 dos-71.226.14.81
    -rw-r--r--    1 nobody   nobody          6 Oct 12 08:02 dos-71.38.78.239
    -rw-r--r--    1 nobody   nobody          5 Oct 13 08:50 dos-72.204.85.213
    -rw-r--r--    1 nobody   nobody          6 Oct 15 21:25 dos-72.64.222.96
    -rw-r--r--    1 nobody   nobody          5 Oct 14 17:02 dos-74.132.147.100
    -rw-r--r--    1 nobody   nobody          5 Oct 13 09:56 dos-74.41.70.54
    -rw-r--r--    1 nobody   nobody          5 Oct 15 06:03 dos-75.28.97.124
    -rw-r--r--    1 nobody   nobody          6 Oct 13 03:22 dos-8.11.2.98
    
    I assume these are created by Apache from mod_evasive. What exactly are these for, and can they be removed at some point? Are these the IPs that have been blocked or triggered mod_evasive?

    TIA,
    Mickalo
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Those are temporary files used by mod_evasive. They are created when a block is active (defaults to 10 seconds IIRC) and are used by mod_evasive to track the blocks, I believe. mod_evasive doesn't clean those files up, so that is left to tmpwatch, which you should have a cron job for somewhere. Alternatively, you can delete them yourself periodically.
     
  3. mickalo

    mickalo Well-Known Member

    Yes, tmpwatch is set up in the /etc/cron.daily folder:
    Code:
    /usr/sbin/tmpwatch 240 /tmp
    /usr/sbin/tmpwatch 720 /var/tmp
    for d in /var/{cache/man,catman}/{cat?,X11R6/cat?,local/cat?}; do
        if [ -d "$d" ]; then
            /usr/sbin/tmpwatch -f 720 "$d"
        fi
    done
    
    Not sure, but I assume the "240" and "720" are the settings for time intervals? If so, what are these time intervals: minutes, seconds, days, etc.?

    Mickalo
     
  4. chirpy

    chirpy Well-Known Member

    The setting is in hours. You have the default tmpwatch configuration. You could reduce it, but I wouldn't put it any less than 24 hours.
     
  5. mickalo

    mickalo Well-Known Member

    Yeah, after a quick search here, I found that out... which should have been my first step! I reset them to 48 hrs.

    As always, thanks for the help :)

    Mickalo
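
The manual cleanup mentioned in the thread ("delete them yourself periodically"), as an added shell example that is not part of the original posts. The function names `list_evasive_ips` and `prune_evasive_locks` are hypothetical, and the example assumes the lock files sit directly in one directory and are named `dos-<IPv4>` as in the listing above.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU or BSD find (-maxdepth, -mmin)
# and lock files named dos-<IPv4>, as in the /tmp listing above.

IPV4_RE='([0-9]{1,3}\.){3}[0-9]{1,3}'

# list_evasive_ips DIR
# Print, sorted and de-duplicated, the IPs that currently have a lock file.
list_evasive_ips() {
    find "$1" -maxdepth 1 -type f -name 'dos-*' |
        sed -n -E "s|^.*/dos-(${IPV4_RE})\$|\1|p" | sort -u
}

# prune_evasive_locks DIR MAX_AGE_HOURS [OWNER]
# Delete lock files older than MAX_AGE_HOURS and print each removed path.
# OWNER (name or numeric uid, e.g. "nobody") restricts removal to that user's files.
prune_evasive_locks() {
    dir=$1
    max_age_min=$(( $2 * 60 ))
    [ -d "$dir" ] || return 1
    # -maxdepth 1 stays out of subdirectories; -type f skips symlinks, so a
    # link planted in a world-writable /tmp is never followed or removed.
    find "$dir" -maxdepth 1 -type f -name 'dos-*' -mmin "+$max_age_min" \
        ${3:+-user} ${3:+"$3"} |
    while IFS= read -r f; do
        ip=${f##*/dos-}
        # Only remove names of the exact form dos-<dotted quad>.
        if printf '%s\n' "$ip" | grep -Eq "^${IPV4_RE}\$"; then
            rm -f -- "$f" && printf '%s\n' "$f"
        fi
    done
}

# Typical cron use, matching the 48 hours chosen in the thread (assumed owner "nobody"):
#   prune_evasive_locks /tmp 48 nobody
```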
     