mod_dosevasive for cPanel/Apache - comments?

Discussion in 'EasyApache' started by K_aneda, Aug 2, 2004.

  1. K_aneda

    K_aneda Well-Known Member

    Just curious (and hoping this is the right section of the forum to ask)... has
    anyone installed this module into your cPanel servers?

    Interested to know what impact it has upon the server and how effective
    it has been performing for other people.

    Installed it using the prescribed method for cPanel and was happy that it went
    in with no problems too...

    --
    K_aneda

    PS:
    To those of you who wonder what mod_dosevasive is (and to stop you from posting
    questions like "what is X?"):

    WHAT IS MOD_DOSEVASIVE ?

    mod_dosevasive is an evasive maneuvers module for Apache to provide evasive
    action in the event of an HTTP DoS or DDoS attack or brute force attack. It
    is also designed to be a detection tool, and can be easily configured to talk
    to ipchains, firewalls, routers, and etcetera.

    Detection is performed by creating an internal dynamic hash table of IP
    Addresses and URIs, and denying any single IP address from any of the following:

    - Requesting the same page more than a few times per second
    - Making more than 50 concurrent requests on the same child per second
    - Making any requests while temporarily blacklisted (on a blocking list)

    This method has worked well in both single-server script attacks as well
    as distributed attacks, but just like other evasive tools, is only as
    useful to the point of bandwidth and processor consumption (e.g. the
    amount of bandwidth and processor required to receive/process/respond
    to invalid requests), which is why it's a good idea to integrate this
    with your firewalls and routers.
    ..cut..

    (also for those trying to search for all-in-one solutions to DoS attacks, a warning:
    WHAT IS THIS TOOL USEFUL FOR?

    This tool is *excellent* at fending off small to medium-sized request-based
    DoS attacks or script attacks and brute force attacks. Its features will
    prevent you from wasting bandwidth or having a few thousand CGI scripts
    running as a result of an attack. When used in conjunction with other
    preventative measures such as router blackholing, this tool is very
    effective against larger DDoS attacks as well.

    If you do not have an infrastructure capable of fending off any other types
    of DoS attacks, chances are this tool will only help you to the point of
    your total bandwidth or server capacity for sending 403's. Without a solid
    infrastructure and DoS evasion plan in place, a heavy distributed DoS will most
    likely still take you offline.)
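
The counting scheme in the quoted README text, modelled as an added example (not part of the original post and not mod_dosevasive's code). It models a single child process; the class and function names and every limit except the figure of 50 are assumptions.

```python
# Added example: simplified model of the per-IP/URI counting described above.
# Not mod_dosevasive's code; limits other than 50 are assumed values.
PAGE_LIMIT = 3       # hits on one URI per window ("a few times per second")
SITE_LIMIT = 50      # hits on any URI per window (figure from the post)
WINDOW = 1.0         # counting window in seconds
BLOCK_PERIOD = 10.0  # seconds an address stays on the blocking list (assumed)


class EvasiveModel:
    def __init__(self):
        self.counters = {}  # (ip, uri) or (ip, None) -> [window_start, count]
        self.blocked = {}   # ip -> time the block expires

    def _hit(self, key, now):
        entry = self.counters.get(key)
        if entry is None or now - entry[0] >= WINDOW:
            entry = self.counters[key] = [now, 0]  # start a fresh window
        entry[1] += 1
        return entry[1]

    def check(self, ip, uri, now):
        """Return the status this request would receive: 200 or 403."""
        until = self.blocked.get(ip)
        if until is not None:
            if now < until:
                # Modelling choice: hits while blocked restart the block timer.
                self.blocked[ip] = now + BLOCK_PERIOD
                return 403
            del self.blocked[ip]
        page_hits = self._hit((ip, uri), now)
        site_hits = self._hit((ip, None), now)
        if page_hits > PAGE_LIMIT or site_hits > SITE_LIMIT:
            self.blocked[ip] = now + BLOCK_PERIOD
            return 403
        return 200


def replay(requests):
    """Run (time, ip, uri) tuples through a fresh model, return the statuses."""
    model = EvasiveModel()
    return [model.check(ip, uri, t) for t, ip, uri in requests]


# Constructed sample traffic (documentation address ranges).
SAMPLE = [(0.0, "203.0.113.7", "/login.php"), (0.0, "198.51.100.2", "/"),
          (0.1, "203.0.113.7", "/login.php"), (0.2, "203.0.113.7", "/login.php"),
          (0.3, "203.0.113.7", "/login.php"), (0.4, "203.0.113.7", "/about"),
          (2.0, "198.51.100.2", "/"), (20.0, "203.0.113.7", "/login.php")]

if __name__ == "__main__":
    print(replay(SAMPLE))
```

In the sample, the fourth hit on the same page inside one second is refused, the next request from that address is refused regardless of URI, and the slower client is never affected.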
     
  2. chirpy

    chirpy Well-Known Member

    I've installed it numerous times. Some people find it very helpful, others find it a bit too buggy. Me, I installed it and then disabled it ;)
     
  3. K_aneda

    K_aneda Well-Known Member

    Heh, that much of a pain hey? Might just trial it for a bit on a less used server, then disable it if it proves to be more of a pain than a benefit.
     
  4. chirpy

    chirpy Well-Known Member

    That's a good way to go. It may prove very useful, it may not, but unless you try it you wouldn't know :)
     
  5. Faldran

    Faldran Well-Known Member

    I found it does not work against many HTTP DDoS type attacks, specifically the POST type; it does not even pick them up.

    So I have disabled it, due to it not catching DDoS attacks... shrugs... (it did catch the standard GET type quite well, but that was not the type of problem I was having at the time)

    But it was fairly easy to install.
     
  6. torwill

    torwill Well-Known Member

    mod_dosevasive + apf

    How could I configure mod_dosevasive to work with the APF firewall?

    I have added:

    "DOSSystemCommand "su - root - -c '/usr/sbin/apf -d %s'"

    and watched the log file in /var/log/messages. mod_dosevasive seems to be acting, but the apf command isn't executed, hence no IP is added to deny_hosts.rules of APF.


    Thank you.
     
  7. chirpy

    chirpy Well-Known Member

    That won't work because su requires the root password. Although the ability to do this is built into mod_dosevasive, it's simply not secure to implement. You either need to run the command as root, or let nobody:nobody make entries in APF which simply is not secure.
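
Whichever account ends up invoking apf, the value substituted for %s comes from the web server, so a helper on the privileged side should accept nothing but a single IPv4 address and refuse addresses that must stay reachable. The following is an added example, not from the thread and not part of mod_dosevasive or APF; the function name, the IPv4-only restriction and the allowlist entries are assumptions.

```python
# Added example: checks a privileged block helper would apply to the address
# handed over through DOSSystemCommand's %s. Names are hypothetical.
import ipaddress

APF = "/usr/sbin/apf"  # path as quoted in the thread

# Assumed allowlist of networks that must never be blocked (constructed values,
# standing in for the server's own and the administrators' addresses).
NEVER_BLOCK = [ipaddress.ip_network("192.0.2.0/28")]


def build_block_command(raw):
    """Return the argv for 'apf -d <ip>', or raise ValueError if unsafe."""
    if not isinstance(raw, str):
        raise ValueError("address must be text")
    # IPv4Address accepts exactly one dotted-quad address; trailing options,
    # whitespace or shell metacharacters make it raise ValueError.
    addr = ipaddress.IPv4Address(raw)
    if (addr.is_loopback or addr.is_unspecified
            or addr.is_multicast or addr.is_link_local):
        raise ValueError("refusing special-purpose address")
    if any(addr in net for net in NEVER_BLOCK):
        raise ValueError("address is on the never-block list")
    # Return an argv list rather than a shell string, so the address is passed
    # to apf as one argument and is never interpreted by a shell.
    return [APF, "-d", str(addr)]


if __name__ == "__main__":
    print(build_block_command("203.0.113.7"))  # constructed sample address
```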
     