fmosse

Well-Known Member
Jan 6, 2002
48
1
308
Hi,

I have EASY APACHE 4 with Apache 2.4, PHP 5.4, PHP 5.5, PHP 5.6, and PHP 7.0


I have some sites with Moodle that give random intermitent 403 error while surfing.

This also happens in some sites in PHP with dozens of images. (Some images, randomly, are not shown... even if I try to enter then directly with the browser, they show 403 error. If I wait some seconds and refresh, they work)

I have read that it´s related to mod_evasive.

Can it be suspended or reconfigurated for some domains hosted in my WHM?

Thanks,
Francisco
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,272
313
Houston
Hi @fmosse


Are you sure you have mod_evasive installed? You can check by running the following:

Code:
rpm -qa |grep evasive
There could potentially be other reasons this is occurring, what is your OS? When the issue occurs do you see anything related in
Code:
/etc/apache2/logs/error_log
 

fmosse

Well-Known Member
Jan 6, 2002
48
1
308
Hi @fmosse


Are you sure you have mod_evasive installed? You can check by running the following:

Code:
rpm -qa |grep evasive
There could potentially be other reasons this is occurring, what is your OS? When the issue occurs do you see anything related in
Code:
/etc/apache2/logs/error_log

Hi,

I have CENTOS 6.10 standard [host] with WHM

I executed it and I get

ea-apache24-mod_evasive-1.10.1-4.5.53.cpanel.x86_64

Thanks,
Francisco
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,272
313
Houston
Hi @fmosse

Ok, you do definitely have mod_evasive but unfortunately it can't be disabled per VirtualHost. You can read about this in their FAQ here Mod evasive - Atomicorp Wiki

You could whitelist the offending IP address but because the issue is intermittent it wouldn't be a proactive solution. The only way to stop mod_evasive from doing it's job essentially.
 

fmosse

Well-Known Member
Jan 6, 2002
48
1
308
Hi @fmosse

Ok, you do definitely have mod_evasive but unfortunately it can't be disabled per VirtualHost. You can read about this in their FAQ here Mod evasive - Atomicorp Wiki

You could whitelist the offending IP address but because the issue is intermittent it wouldn't be a proactive solution. The only way to stop mod_evasive from doing it's job essentially.
Hi!

So... what can I do? The only way is to disable the mod_evasive entirely? But this wouldn´t be bad for the server, because it helps to stop DDos attacks?

Thanks,
Francisco
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,272
313
Houston
Hi @fmosse


Due to the nature of the module VirtualHost exceptions would completely defeat the purpose. You could make modifications to the point at which it begins blocking by modifying one or several of the following:
MODEV_DOSPageCount
This is the threshhold for the number of requests for the same page (or URI) per page interval. Once the threshhold for that interval has been exceeded, the IP address of the client will be added to the blocking list.

MODEV_DOSSiteCount
This is the threshhold for the total number of requests for any object (unlike MODEV_DOSPageCount which is for the same page) by the same client on the same listener per site interval. Once the threshhold for that interval has been exceeded, the IP address of the client will be added to the blocking list.

MODEV_DOSPageInterval
The interval for the page count threshhold; defaults to 1 second intervals.


MODEV_DOSSiteInterval
The interval for the site count threshhold; defaults to 1 second intervals.


MODEV_DOSBlockingPeriod
The blocking period is the amount of time (in seconds) that a client will be blocked for if they are added to the blocking list. During this time, all subsequent requests from the client will result in a 403 (Forbidden) and the timer being reset (e.g. another 10 seconds). Since the timer is reset for every subsequent request, it is not necessary to have a long blocking period; in the event of a DoS attack, this timer will keep getting reset.
The configuration file to modify is located at
Code:
/etc/apache2/conf.d/300-mod_evasive.conf
 

fmosse

Well-Known Member
Jan 6, 2002
48
1
308
Hi,

Thanks for your reply!

This configuration will afect all the domain hosted in that server.

Can I modify this per domain? So for some sites I activate it and for some don´t?

With is the values that you recommend?

I have sites that in one page they load 50 images for example and some load and some doesn´t. And if you try to enter one image directly you simply get the 403 error. If you wait some seconds and reresh it loads...

Thanks,
Francisco
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,272
313
Houston
Hi @fmosse

As I've mentioned before and is documented in the mod_evasive documentation you cannot modify this per VirtualHost (domain).

I can't tell you what values to add/change because I don't know your system and the traffic you receive. I would suggest enlisting the assistance of a system administrator to change this if you feel uncomfortable - if you don't have one you might find one here: System Administration Services | cPanel Forums

You may also want to look at other DDoS mitigation solutions if this doesn't work for you - CSF has some features for this, CDN's like CloudFlare also are solutions some in employ successfully.