mod_evasive too aggressive

[Erel]

I've installed mod_evasive on my server.

I'm trying to increase the limits to allow users to open multiple links at once without being blocked.

No matter how high I set the limits they are still blocked after a few links.
I've set 300-mod_evasive.conf to:

LoadModule evasive24_module modules/mod_evasive24.so

DOSPageCount 10000
DOSSiteCount 20000

The result is still the same. I think that I'm updating the correct file as it did start sending emails after I've added DOSEmailNotify.

Any clues?

 

[cPanelMichael]

Hello,

Could you let us know the specific output to the corresponding log file in the /var/log/apache2/mod_evasive/ directory regarding the blocked access attempt?

Thank you.

 

[Erel]

Sorry, I missed your post.

There are many dos-<ip address> files in that directory. I don't see any log file there.
The dos file content is a number (pid maybe).

 

[cPanelMichael]

Hello,

My apologies, it looks like the /var/log/apache2/mod_evasive/ directory is for temporary files related to blocked IP addresses as opposed to logs of blocked access attempts. Could you open a support ticket using the link in my signature so we can take a closer look and see why the limits are not working as expected?

Thank you.

 

[Erel]

Done. I received this error while creating the ticket:

WHM Authorization failed with the following error: The server detected that an SSH key for user “xxx” in Ticket ID “9091211” and Server “1” already exists. Run the following cPanel script and refresh your browser: /scripts/updatesupportauthorizations. You may skip this server or correct the problem and try again.

I haven't ran this script as I don't know where to find it.

 

[Erel]

Issue has been resolved with the help of cPanel support.

I was updating the wrong configuration file.

The correct one is:
/etc/apache2/conf.d/300-mod_evasive.conf

The incorrect one is:
/etc/apache2/conf.modules.d/300-mod_evasive.conf

It was confusing as changes to the incorrect one were partially applied. Probably because the correct configuration file overrides the settings.

 

[Infopro]

The incorrect one is:
/etc/apache2/conf.modules.d/300-mod_evasive.conf

The docs suggest this is correct:
Apache Module: Evasive - EasyApache 4 - cPanel Documentation

 

[Erel]

I guess that the docs should be updated...

 

[Infopro]

Could I have the ticket ID for your ticket about this?

 

[Erel]

Sure: 9091211

 

[Infopro]

Thank you!

 

[cPanelMichael]

Hello,

I've opened a case with our Documentation Team (DOC-9944) to have the correct path reflected in our documentation.

Thanks!

Update: The change was implemented and should be published in the near future.

 

[Kent Brockman]

Hello, thanks for this thread, I was able to configure mod_evasive.

Still, I have to concerns regarding this module:
1) Can I be sure that settings within its configuration file (/etc/apache2/conf.d/300-mod_evasive.conf) won't be ovrwritten by any other cPanel process?
2) May these settings be added using any of the Include Editor present in WHM > Apache Configuration? And if so, what editor would you recommend? Pre Main Include, Pre Virtual Host Include or Post Virtual Host Include?

Thanks!

 

[cPanelMichael]

1) Can I be sure that settings within its configuration file (/etc/apache2/conf.d/300-mod_evasive.conf) won't be ovrwritten by any other cPanel process?
2) May these settings be added using any of the Include Editor present in WHM > Apache Configuration? And if so, what editor would you recommend? Pre Main Include, Pre Virtual Host Include or Post Virtual Host Include?

Hello @Kent Brockman,

I recommend continuing to make changes to the settings via edits to the /etc/apache2/conf.d/300-mod_evasive.conf file as opposed to using WHM >> Home >> Service Configuration >> Apache Configuration >> Include Editor. The is the file we expect administrators to use when editing the Mod_Evasive settings and it's reflected on the document below:

Apache Module: Evasive - EasyApache 4 - cPanel Documentation

documentation.cpanel.net

The entries in this file are preserved through updates.

Thank you.

 

[Kent Brockman]

Great, thanks @cPanelMichael for the clarification. Best regards.