The Community Forums


mod_dosevasive

Discussion in 'General Discussion' started by beebware, May 12, 2004.

  1. beebware

    beebware Active Member

    Joined:
    Aug 2, 2003
    Messages:
    34
    Likes Received:
    0
    Trophy Points:
    6
    I've just installed mod_dosevasive ( http://www.nuclearelephant.com/projects/dosevasive/ ) on one server to hopefully reduce the "man time" we occasionally need to spend blocking DoS or DDoS attacks or brute-force attacks against sites ('twas very easy to install in Cpanel BTW: the readme file actually mentions Cpanel!).

    However - the readme also warns:
    Has anybody tried mod_dosevasive on a server hosting existing and new FP-based sites ("existing" = the site using FP was already there before mod_dosevasive, "new" = site installed afterwards)?
     
  2. PbG

    PbG Well-Known Member

    Joined:
    Mar 11, 2003
    Messages:
    241
    Likes Received:
    0
    Trophy Points:
    16
    I recently installed it on one of our customers' servers as well for the very same reasons. However, he was/is not using FP. I would love to try it on one of our virtual boxes, but in heeding the warning in the readme I have no idea exactly what the conflict with FP is, are and/or were . . . BTW I installed the newest version (8 I believe); which did you install?

    Are you happy with its results?
     
  3. beebware

    beebware Active Member

    Joined:
    Aug 2, 2003
    Messages:
    34
    Likes Received:
    0
    Trophy Points:
    6
    Installed 1.8 and it's waaay too early to say - I installed it on a relatively "low usage/know what's on it" box where I test things before rolling things out to servers hosting 100-600 customer sites running $DEITY knows what...

    [added]

    Well, I've just tried uploading to a site using Frontpage with a page using a counter and form and all seems to be well.
     
    #3 beebware, May 12, 2004
    Last edited: May 12, 2004
  4. PbG

    PbG Well-Known Member

    Joined:
    Mar 11, 2003
    Messages:
    241
    Likes Received:
    0
    Trophy Points:
    16
    I specifically put it to the test on a server which was seeing multiple brute force/proxy attacks daily for ten (10) straight days. Once I got it and apache tweaked just right it worked wonderfully.

    The biggest problem was that the client has a third party script called Investment Guard from realtimescripts.com installed on one of the sites to protect it from brute force, proxy and password traders. This script is not recommended. It uses 2% of the CPU each time someone tries to log in to the protected directory. Now multiply that 2% per process by several hundred attempts to log in from a dozen or so IP's per SECOND and you begin to understand the problem. It was driving me crazy . . . alarms and pages going off all thru the day and night, geez. I wanted to disable that script but the client does not. I suspect without that script running the server load will not spike at all. However, since it is still being called whenever someone tries to access the protected directory, I am stuck with it. In any event I tweaked us a compromise using this module and modified apache settings.

    Now when the site or sites get attacked the server load spikes long enough to block the offending IP's 15-20 mins then it comes back down (<0.15) to earth. Plus the load doesn't shoot up over 100 anymore when the server is under attack and I no longer need to suspend the site during such attacks.

    Thus far I am pleased with it and I will be reading with interest your updates regarding its use in a FP environment . . .

    Thanks
     
    #4 PbG, May 12, 2004
    Last edited: May 12, 2004
  5. beebware

    beebware Active Member

    Joined:
    Aug 2, 2003
    Messages:
    34
    Likes Received:
    0
    Trophy Points:
    6
    Done some testing - working on a FP enabled site directly does not pose any problems. However, doing a "Publish" via FP to a website does - I suspect this is because FP uploads all files via a URL like _vti_bin/author.exe (don't quote me on the exact URL) and hence making a number of requests to that URL to upload/check/process files will incur the wrath of mod_dosevasive (as multiple requests to the same URL from the same host in a short period of time will trigger the 'looks like DoS' system). I'll try looking into it a bit further to see if I can find a way around it...

    Yet another reason to hate Frontpage more than I already do ;)
     
  6. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    I guess that one way around that FP issue would be if you could exclude certain domains. I don't know whether the module does that? Might have a peek too.
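    As an added illustration (not from this thread, and not mod_dosevasive's own code) of why the FrontPage "Publish" described in post #5 trips the module and how the per-URI exclusion chirpy suggests would avoid it, here is a small Python model of the module's two counters. It assumes the readme's default thresholds (more than 2 hits on one page per second, more than 50 hits on the site per second, 10 second block) and uses constructed request logs; the `_vti_bin/author.exe` path is taken from post #5 as-is.

    ```python
    # Simplified model of mod_dosevasive's page/site counters (assumed defaults).
    PAGE_COUNT, PAGE_INTERVAL = 2, 1    # same URI more than 2 times in 1 s -> block
    SITE_COUNT, SITE_INTERVAL = 50, 1   # more than 50 requests to the site in 1 s -> block
    BLOCKING_PERIOD = 10                # seconds an offender stays blacklisted

    class Evasive:
        def __init__(self, exclude_prefixes=()):
            # URI prefixes that are never counted (hypothetical exclusion feature)
            self.exclude_prefixes = tuple(exclude_prefixes)
            self.page_hits = {}      # (ip, uri) -> [interval_start, count]
            self.site_hits = {}      # ip -> [interval_start, count]
            self.blocked_until = {}  # ip -> timestamp when the block expires

        def check(self, ip, uri, ts):
            """Return 'allow' or 'block' for one request made at time ts (seconds)."""
            if ip in self.blocked_until:
                if ts < self.blocked_until[ip]:
                    # Any request while blacklisted renews the blocking period
                    self.blocked_until[ip] = ts + BLOCKING_PERIOD
                    return "block"
                del self.blocked_until[ip]
            if uri.startswith(self.exclude_prefixes):
                return "allow"
            page = self._bump(self.page_hits, (ip, uri), ts, PAGE_INTERVAL)
            site = self._bump(self.site_hits, ip, ts, SITE_INTERVAL)
            if page > PAGE_COUNT or site > SITE_COUNT:
                self.blocked_until[ip] = ts + BLOCKING_PERIOD
                return "block"
            return "allow"

        @staticmethod
        def _bump(table, key, ts, interval):
            # Count hits within a sliding window that restarts once the interval elapses
            entry = table.get(key)
            if entry is None or ts - entry[0] >= interval:
                table[key] = [ts, 1]
                return 1
            entry[1] += 1
            return entry[1]

    def run(log, exclude_prefixes=()):
        """Feed (timestamp, ip, uri) records through one Evasive instance."""
        ev = Evasive(exclude_prefixes)
        return [ev.check(ip, uri, ts) for ts, ip, uri in log]

    # Constructed logs: a FrontPage publish hammering one URI, and a site-wide scan.
    FP_PUBLISH = [(i * 0.1, "192.0.2.10", "/_vti_bin/author.exe") for i in range(5)]
    SITE_SCAN = [(i * 0.01, "198.51.100.7", f"/page{i}.html") for i in range(60)]
    ```

    Without the exclusion the third `author.exe` request is blocked and the rest of the publish fails; excluding `/_vti_bin/` lets the publish through while the site-wide counter still catches the scan.
    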
     
  7. easyhoster1

    easyhoster1 Well-Known Member

    Joined:
    Sep 25, 2003
    Messages:
    659
    Likes Received:
    0
    Trophy Points:
    16
    What did you do in Apache? I have a server where, when someone tries to access a password-protected directory, it just hangs and httpd is using all the CPU. I cannot find the script Investment Guard located on the server. Apache is fine without the protection.

    Thanks
     
  8. PbG

    PbG Well-Known Member

    Joined:
    Mar 11, 2003
    Messages:
    241
    Likes Received:
    0
    Trophy Points:
    16
    EH, did you suspect or have reason to suspect that Investment Guard was/is running on the server? Ours did not hang, so I'm not sure the problem was the same. In any event, after I thought about it a little more I entered a redirect in the client's root .htaccess sending anyone requesting the login for that script directly to the protected directory, and then I edited the .htaccess file in the protected directory so it would no longer call that script.

    Again, we did not see an instance of hanging when someone tried to access the protected directory. Unless you consider a load over 100 hanging, lol. You should search for any files beginning with nph, e.g. nph-login, nph-handler, if you suspect Investment Guard is on the server. If it is, I recommend disabling it.
     
  9. easyhoster1

    easyhoster1 Well-Known Member

    Joined:
    Sep 25, 2003
    Messages:
    659
    Likes Received:
    0
    Trophy Points:
    16
    Thanks PbG,

    I found the problem: the client had a Java menu that was spawning high CPU for some reason. Once we removed it, the site loaded fine.

    Thanks
     