mod_evasive for DOS attacks - Does it require your logs be enabled?

[Vatoloco]

I've heard this is a good program to use to stop some DOS attacks but I'm wondering what is required to have it work properly. What is it checking to be able to detect and ban the IP's? Does it require a firewall to be installed?

I've disabled the CustomLog and BytesLog for my domain because they would grow so large that my server could never rotate them.

I tried to find out what is required for it to run, but couldn't find much on it other than where to download it: http://www.nuclearelephant.com/projects/mod_evasive/ and how to install it:

cd /usr/local/src
wget http://www.nuclearelephant.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
tar -xzf mod_evasive*
cd mod_evasive*
/usr/local/apache/bin/apxs -cia mod_evasive.c

 

[AndyReed]

I tried to find out what is required for it to run, but couldn't find much on it other than where to download it: http://www.nuclearelephant.com/projects/mod_evasive/ and how to install it:

cd /usr/local/src
wget http://www.nuclearelephant.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
tar -xzf mod_evasive*
cd mod_evasive*
/usr/local/apache/bin/apxs -cia mod_evasive.c

You can install Mod Evasive without any pre-requisites. Follow the instructions you provided and don't forget to add Mod Evasive directives in httpd.conf file.

 

[Vatoloco]

You can install Mod Evasive without any pre-requisites. Follow the instructions you provided and don't forget to add Mod Evasive directives in httpd.conf file.

Thanks for the reply. I just installed it and it added two things, that I could find, to my httpd.conf:

LoadModule evasive_module libexec/mod_evasive.so

and

AddModule mod_evasive.c


I did some more searching and also found suggestions to add the following to httpd.conf

<IfModule mod_evasive.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 90
DOSEmailNotify [email protected]
</IfModule>

From my understanding that will block IP's for 90 seconds if they request the same page twice within 1 second... or at least that's what I deduced from the description of each variable. I could be way off.

DOSHashTableSize
----------------

The hash table size defines the number of top-level nodes for each child's
hash table. Increasing this number will provide faster performance by
decreasing the number of iterations required to get to the record, but
consume more memory for table space. You should increase this if you have
a busy web server. The value you specify will automatically be tiered up to
the next prime number in the primes list (see mod_dosevasive.c for a list
of primes used).

DOSPageCount
------------

This is the threshhold for the number of requests for the same page (or URI)
per page interval. Once the threshhold for that interval has been exceeded,
the IP address of the client will be added to the blocking list.

DOSSiteCount
------------

This is the threshhold for the total number of requests for any object by
the same client on the same listener per site interval. Once the threshhold
for that interval has been exceeded, the IP address of the client will be added
to the blocking list.

DOSPageInterval
---------------

The interval for the page count threshhold; defaults to 1 second intervals.

DOSSiteInterval
---------------

The interval for the site count threshhold; defaults to 1 second intervals.

DOSBlockingPeriod
-----------------

The blocking period is the amount of time (in seconds) that a client will be
blocked for if they are added to the blocking list. During this time, all
subsequent requests from the client will result in a 403 (Forbidden) and
the timer being reset (e.g. another 10 seconds). Since the timer is reset
for every subsequent request, it is not necessary to have a long blocking
period; in the event of a DoS attack, this timer will keep getting reset.

DOSEmailNotify
--------------

If this value is set, an email will be sent to the address specified
whenever an IP address becomes blacklisted. A locking mechanism using /tmp
prevents continuous emails from being sent.

NOTE: Be sure MAILER is set correctly in mod_dosevasive.c
(or mod_dosevasive20.c). The default is "/bin/mail -t %s" where %s is
used to denote the destination email address set in the configuration.
If you are running on linux or some other operating system with a
different type of mailer, you'll need to change this.

Also, I noticed that in /usr/local/src/mod_evasive/mod_evasive.c the line for the mailer was (define MAILER "/bin/mail -t %s") was commented out so I uncommented it. I've yet to get any e-mails even though /var/log/messages already shows a number of IP's that it says have been blacklisted.

 

[chirpy]

You won't get any emails as only root has access to the mail app. Other than that, your configuration looks fine. IMX mod_evasive can be helpful for some, but not others, especially if you have a lightening fast access to your server as it will then detect quite a few false-positives. Indication of that is when you load pages and not all the images appear (i.e. they appear to be broken, but aren't) should that happen you're either going to have to play with the configuration parameters more or disable the module.

 

[Vatoloco]

You won't get any emails as only root has access to the mail app. Other than that, your configuration looks fine. IMX mod_evasive can be helpful for some, but not others, especially if you have a lightening fast access to your server as it will then detect quite a few false-positives. Indication of that is when you load pages and not all the images appear (i.e. they appear to be broken, but aren't) should that happen you're either going to have to play with the configuration parameters more or disable the module.

Good to know. Thanks. Lately, things have been moving kind of slow on my site because the forums have become so popular. I doubt I'll have any problems because of super fast access. I'll be sure to watch things though to see if anyone is complaing about 403 messages or broken images.

 

[FeeReD]

Where are the file logs when a user is black listed?

 

[nickp666]

they appear in /tmp prefixed as dos- followed by the IP

e.g. dos-123.123.123.123

 

[persianwhois]

Hello,
I install and configure mod_evasive.
But when my server attacked, not send report mail to me.
Current configuration is:

<IfModule mod_evasive.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 43200
DOSLogDir "/var/log/httpd"
DOSEmailNotify [email protected]
DOSSystemCommand "su - someuser -c '/sbin/... %s ...'"
DOSWhitelist 64.246.22.53
</IfModule>
DOSWhitelist 64.246.22.53

How is my config and how can resolved my problem.
Please help me.

 

[nickp666]

Forget This Post - Didnt Read Config

 

[chirpy]

DOSSystemCommand "su - someuser -c '/sbin/... %s ...'"

Apart from the fact that that line is incomplete - You cannot do that. You're trying to su from the nobody account. To allow that you'd need to either add them to the wheel group or allow them access through sudo - either of which is a very serious security risk.