mod_evasive And Moodle

[fmosse]

Hi,

I have EASY APACHE 4 with Apache 2.4, PHP 5.4, PHP 5.5, PHP 5.6, and PHP 7.0


I have some sites with Moodle that give random intermitent 403 error while surfing.

This also happens in some sites in PHP with dozens of images. (Some images, randomly, are not shown... even if I try to enter then directly with the browser, they show 403 error. If I wait some seconds and refresh, they work)

I have read that it´s related to mod_evasive.

Can it be suspended or reconfigurated for some domains hosted in my WHM?

Thanks,
Francisco

 

[cPanelLauren]

Hi @fmosse


Are you sure you have mod_evasive installed? You can check by running the following:

rpm -qa |grep evasive

There could potentially be other reasons this is occurring, what is your OS? When the issue occurs do you see anything related in

/etc/apache2/logs/error_log

 

[fmosse]

Hi @fmosse


Are you sure you have mod_evasive installed? You can check by running the following:

rpm -qa |grep evasive

There could potentially be other reasons this is occurring, what is your OS? When the issue occurs do you see anything related in

/etc/apache2/logs/error_log

Hi,

I have CENTOS 6.10 standard [host] with WHM

I executed it and I get

ea-apache24-mod_evasive-1.10.1-4.5.53.cpanel.x86_64

Thanks,
Francisco

 

[cPanelLauren]

Hi @fmosse

Ok, you do definitely have mod_evasive but unfortunately it can't be disabled per VirtualHost. You can read about this in their FAQ here Mod evasive - Atomicorp Wiki

You could whitelist the offending IP address but because the issue is intermittent it wouldn't be a proactive solution. The only way to stop mod_evasive from doing it's job essentially.

 

[fmosse]

Hi @fmosse

Ok, you do definitely have mod_evasive but unfortunately it can't be disabled per VirtualHost. You can read about this in their FAQ here Mod evasive - Atomicorp Wiki

You could whitelist the offending IP address but because the issue is intermittent it wouldn't be a proactive solution. The only way to stop mod_evasive from doing it's job essentially.

Hi!

So... what can I do? The only way is to disable the mod_evasive entirely? But this wouldn´t be bad for the server, because it helps to stop DDos attacks?

Thanks,
Francisco

 

[cPanelLauren]

Hi @fmosse


Due to the nature of the module VirtualHost exceptions would completely defeat the purpose. You could make modifications to the point at which it begins blocking by modifying one or several of the following:

MODEV_DOSPageCount
This is the threshhold for the number of requests for the same page (or URI) per page interval. Once the threshhold for that interval has been exceeded, the IP address of the client will be added to the blocking list.

MODEV_DOSSiteCount
This is the threshhold for the total number of requests for any object (unlike MODEV_DOSPageCount which is for the same page) by the same client on the same listener per site interval. Once the threshhold for that interval has been exceeded, the IP address of the client will be added to the blocking list.

MODEV_DOSPageInterval
The interval for the page count threshhold; defaults to 1 second intervals.


MODEV_DOSSiteInterval
The interval for the site count threshhold; defaults to 1 second intervals.


MODEV_DOSBlockingPeriod
The blocking period is the amount of time (in seconds) that a client will be blocked for if they are added to the blocking list. During this time, all subsequent requests from the client will result in a 403 (Forbidden) and the timer being reset (e.g. another 10 seconds). Since the timer is reset for every subsequent request, it is not necessary to have a long blocking period; in the event of a DoS attack, this timer will keep getting reset.

The configuration file to modify is located at

/etc/apache2/conf.d/300-mod_evasive.conf

 

[fmosse]

Hi,

Thanks for your reply!

This configuration will afect all the domain hosted in that server.

Can I modify this per domain? So for some sites I activate it and for some don´t?

With is the values that you recommend?

I have sites that in one page they load 50 images for example and some load and some doesn´t. And if you try to enter one image directly you simply get the 403 error. If you wait some seconds and reresh it loads...

Thanks,
Francisco

 

[cPanelLauren]

Hi @fmosse

As I've mentioned before and is documented in the mod_evasive documentation you cannot modify this per VirtualHost (domain).

I can't tell you what values to add/change because I don't know your system and the traffic you receive. I would suggest enlisting the assistance of a system administrator to change this if you feel uncomfortable - if you don't have one you might find one here: System Administration Services | cPanel Forums

You may also want to look at other DDoS mitigation solutions if this doesn't work for you - CSF has some features for this, CDN's like CloudFlare also are solutions some in employ successfully.