The Community Forums

Interact with an entire community of cPanel & WHM users!

mod_evasive for DOS attacks - Does it require your logs be enabled?

Discussion in 'General Discussion' started by Vatoloco, Mar 16, 2006.

  1. Vatoloco

    I've heard this is a good program to use to stop some DOS attacks, but I'm wondering what is required to have it work properly. What is it checking to be able to detect and ban the IPs? Does it require a firewall to be installed?

    I've disabled the CustomLog and BytesLog for my domain because they would grow so large that my server could never rotate them.

    I tried to find out what is required for it to run, but couldn't find much on it other than where to download it: http://www.nuclearelephant.com/projects/mod_evasive/ and how to install it:
    Code:
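    cd /usr/local/src
    wget http://www.nuclearelephant.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
    # Name the tarball and the extracted directory explicitly: once the archive
    # is unpacked, the glob mod_evasive* matches both of them.
    tar -xzf mod_evasive_1.10.1.tar.gz
    cd mod_evasive
    # apxs: -c compile, -i install the module, -a activate it in httpd.conf
    /usr/local/apache/bin/apxs -cia mod_evasive.c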
     
  2. AndyReed

    You can install Mod Evasive without any pre-requisites. Follow the instructions you provided and don't forget to add Mod Evasive directives in httpd.conf file.
     
  3. Vatoloco

    Thanks for the reply. I just installed it and it added two things, that I could find, to my httpd.conf:

    LoadModule evasive_module libexec/mod_evasive.so

    and

    AddModule mod_evasive.c


    I did some more searching and also found suggestions to add the following to httpd.conf

    Code:
    <IfModule mod_evasive.c>
    DOSHashTableSize 3097
    DOSPageCount 2
    DOSSiteCount 50
    DOSPageInterval 1
    DOSSiteInterval 1
    DOSBlockingPeriod 90
    DOSEmailNotify your_email@example.com
    </IfModule>
    From my understanding, that will block IPs for 90 seconds if they request the same page twice within 1 second... or at least that's what I deduced from the description of each variable. I could be way off. :)



    Also, I noticed that in /usr/local/src/mod_evasive/mod_evasive.c the line for the mailer (define MAILER "/bin/mail -t %s") was commented out, so I uncommented it. I've yet to get any e-mails even though /var/log/messages already shows a number of IPs that it says have been blacklisted.
     
    #3 Vatoloco, Mar 17, 2006
    Last edited: Mar 17, 2006
  4. chirpy

    You won't get any emails as only root has access to the mail app. Other than that, your configuration looks fine. IMX mod_evasive can be helpful for some, but not others, especially if you have lightning-fast access to your server, as it will then detect quite a few false positives. An indication of that is when you load pages and not all the images appear (i.e. they appear to be broken, but aren't); should that happen, you're either going to have to play with the configuration parameters more or disable the module.
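
The false-positive case described above (a fast page load tripping the per-site counter and leaving images broken), as an added example that is not part of the original posts and is not mod_evasive's code. It is a simplified Python model of the two counters using the values posted in the thread; the class and function names, the sample traffic, and the "more than N requests per interval" comparison are assumptions, and the module's exact comparisons may differ.

```python
# Simplified model of the thresholds discussed in this thread.
# Added example: not mod_evasive's code; exact comparisons in the module may differ.

class EvasiveModel:
    def __init__(self, page_count=2, site_count=50, page_interval=1,
                 site_interval=1, blocking_period=90):
        self.page = (page_count, page_interval)
        self.site = (site_count, site_interval)
        self.blocking_period = blocking_period
        self.windows = {}        # key -> (window_start, hits in window)
        self.blocked_until = {}  # ip -> time the block expires

    def _exceeded(self, key, now, limit, interval):
        start, hits = self.windows.get(key, (now, 0))
        if now - start >= interval:      # window expired: start counting again
            start, hits = now, 0
        hits += 1
        self.windows[key] = (start, hits)
        return hits > limit              # assumption: "more than N per interval"

    def request(self, ip, uri, now):
        """Return the HTTP status this model would give the request."""
        if self.blocked_until.get(ip, 0) > now:
            return 403
        over_page = self._exceeded((ip, uri), now, *self.page)
        over_site = self._exceeded((ip, "*site*"), now, *self.site)
        if over_page or over_site:
            self.blocked_until[ip] = now + self.blocking_period
            return 403
        return 200


def page_load(model, ip, images, start=0.0):
    """Constructed traffic: one HTML page plus its images, 10 ms apart."""
    uris = ["/index.php"] + [f"/img/{i}.png" for i in range(images)]
    return [model.request(ip, u, start + i * 0.01) for i, u in enumerate(uris)]


def broken_images(statuses):
    """Number of image requests (everything after the HTML page) answered 403."""
    return statuses[1:].count(403)


if __name__ == "__main__":
    thread_cfg = EvasiveModel()                 # values posted in the thread
    print(broken_images(page_load(thread_cfg, "192.0.2.10", 60)))
    relaxed = EvasiveModel(site_count=150)      # hypothetical tuned value
    print(broken_images(page_load(relaxed, "192.0.2.10", 60)))
```

In this model a single visitor loading a page with 60 images is blocked partway through the load and stays blocked for the full blocking period, while raising the site count above the number of objects per page lets the same load through.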
     
  5. Vatoloco

    Good to know. Thanks. Lately, things have been moving kind of slow on my site because the forums have become so popular. I doubt I'll have any problems because of super fast access. :) I'll be sure to watch things though to see if anyone is complaining about 403 messages or broken images.
     
  6. FeeReD

    Where are the file logs when a user is black listed?
     
  7. nickp666

    They appear in /tmp, prefixed as dos- followed by the IP

    e.g. dos-123.123.123.123
     
  8. persianwhois

    Hello,
    I installed and configured mod_evasive.
    But when my server is attacked, it does not send a report email to me.
    My current configuration is:
    Code:
    <IfModule mod_evasive.c>
    DOSHashTableSize 3097
    DOSPageCount 2
    DOSSiteCount 50
    DOSPageInterval 1
    DOSSiteInterval 1
    DOSBlockingPeriod 43200
    DOSLogDir "/var/log/httpd"
    DOSEmailNotify ddos@persianwhois.com
    DOSSystemCommand "su - someuser -c '/sbin/... %s ...'"
    DOSWhitelist 64.246.22.53
    </IfModule>
    DOSWhitelist 64.246.22.53
    
    How is my config, and how can I resolve my problem?
    Please help me.
     
  9. nickp666

  10. chirpy

    Apart from the fact that that line is incomplete - You cannot do that. You're trying to su from the nobody account. To allow that you'd need to either add them to the wheel group or allow them access through sudo - either of which is a very serious security risk.
     