mickalo

Well-Known Member
Apr 16, 2002
782
5
318
N.W. Iowa
Hello,

We recently installed mod_evasive and noticed the following in the /tmp folder now:
Code:
-rw-r--r--    1 nobody   nobody          5 Oct 13 13:45 dos-70.38.132.155
-rw-r--r--    1 nobody   nobody          6 Oct 12 13:23 dos-70.95.139.182
-rw-r--r--    1 nobody   nobody          5 Oct 15 14:25 dos-71.123.161.197
-rw-r--r--    1 nobody   nobody          5 Oct 14 18:20 dos-71.135.44.62
-rw-r--r--    1 nobody   nobody          5 Oct 14 18:59 dos-71.139.185.172
-rw-r--r--    1 nobody   nobody          5 Oct 15 11:16 dos-71.206.175.220
-rw-r--r--    1 nobody   nobody          5 Oct 11 22:56 dos-71.226.14.81
-rw-r--r--    1 nobody   nobody          6 Oct 12 08:02 dos-71.38.78.239
-rw-r--r--    1 nobody   nobody          5 Oct 13 08:50 dos-72.204.85.213
-rw-r--r--    1 nobody   nobody          6 Oct 15 21:25 dos-72.64.222.96
-rw-r--r--    1 nobody   nobody          5 Oct 14 17:02 dos-74.132.147.100
-rw-r--r--    1 nobody   nobody          5 Oct 13 09:56 dos-74.41.70.54
-rw-r--r--    1 nobody   nobody          5 Oct 15 06:03 dos-75.28.97.124
-rw-r--r--    1 nobody   nobody          6 Oct 13 03:22 dos-8.11.2.98
I assume these are created by Apache from mod_evasive. What exactly are these for, and can they be removed at some point? Are these the IPs that have been blocked or triggered mod_evasive?

TIA,
Mickalo
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
13,465
30
473
Go on, have a guess
Those are temporary files used by mod_evasive. They are created when a block is active (defaults to 10 seconds IIRC) and are used by mod_evasive to track the blocks, I believe. mod_evasive doesn't clean those files up, so that is left to tmpwatch, which you should have a cron job for somewhere. Alternatively, you can delete them yourself periodically.
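
Added example (not part of the original thread and not mod_evasive's own code): one way to do the periodic manual cleanup mentioned above, in POSIX shell. It removes only regular files named dos-<IPv4 address> whose modification time is older than a cutoff and skips symlinks and anything else in the directory. The function names and the 48-hour default are assumptions, and it relies on the -mmin test of GNU/BSD find.

```shell
#!/bin/sh
# Added example: prune stale mod_evasive lock files (dos-<ip>) from a temp dir.
# Function names and the 48-hour default are assumptions, not from the thread.

# Succeeds only for a dotted quad whose four octets are each 0-255.
is_ipv4() {
    case $1 in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;   # stray characters or empty octets
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                               # split the address on dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# prune_evasive_locks DIR [HOURS] - prints the number of files removed.
prune_evasive_locks() {
    dir=$1
    max_hours=${2:-48}
    removed=0
    for f in "$dir"/dos-*; do
        # /tmp is world-writable: act on regular files only, never symlinks.
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        name=${f##*/}
        is_ipv4 "${name#dos-}" || continue  # ignore look-alike names
        # -mmin +N matches files last modified more than N minutes ago.
        if [ -n "$(find "$f" -prune -mmin +"$((max_hours * 60))" -print)" ]; then
            rm -f -- "$f" && removed=$((removed + 1))
        fi
    done
    echo "$removed"
}

# Example cron usage: sh prune-evasive.sh /tmp 48
if [ $# -gt 0 ]; then
    prune_evasive_locks "$@"
fi
```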
 

mickalo

chirpy said:
Those are temporary files used by mod_evasive. They are created when a block is active (defaults to 10 seconds IIRC) and are used by mod_evasive to track the blocks, I believe. mod_evasive doesn't clean those files up, so that is left to tmpwatch, which you should have a cron job for somewhere. Alternatively, you can delete them yourself periodically.
Yes, tmpwatch is set up in the /etc/cron.daily folder:
Code:
/usr/sbin/tmpwatch 240 /tmp
/usr/sbin/tmpwatch 720 /var/tmp
for d in /var/{cache/man,catman}/{cat?,X11R6/cat?,local/cat?}; do
    if [ -d "$d" ]; then
        /usr/sbin/tmpwatch -f 720 "$d"
    fi
done
Not sure, but I assume the "240" and "720" are the settings for time intervals? If so, what are these time intervals: minutes, seconds, days, etc.?

Mickalo
 

chirpy

The setting is in hours. You have the default tmpwatch configuration. You could reduce it, but I wouldn't put it any less than 24 hours.
 

mickalo

chirpy said:
The setting is in hours. You have the default tmpwatch configuration. You could reduce it, but I wouldn't put it any less than 24 hours.
Yeah, after a quick search here, I found that out ... which should have been my first step! I reset them to 48 hrs.

As always, thanks for the help :)

Mickalo