This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Mod_Evasive

Discussion in 'Security' started by hostnex, May 29, 2012.

hostnex Well-Known Member

Joined:

May 2, 2008

Messages:

77

Likes Received:

1

Trophy Points:

58

Location:

Islamabad, Pakistan, Pakistan

cPanel Access Level:

Root Administrator

we installed Mod evasive on our testing server and followed the article

/http://systembash.com/content/how-to-stop-an-apache-ddos-attack-with-mod_evasive/

Can anyone tell us how we can test Mod_Evaisve with CSF firewall. when we try to refresh pages again and again CSF does not seem to block the IP.

HostNext Web Solutions

#1 hostnex, May 29, 2012
hostnex Well-Known Member

Joined:

May 2, 2008

Messages:

77

Likes Received:

1

Trophy Points:

58

Location:

Islamabad, Pakistan, Pakistan

cPanel Access Level:

Root Administrator

is there anyone who can comment on it please.

HostNext Web Solutions

#2 hostnex, May 31, 2012
Infopro cPanel Sr. Product Evangelist
Staff Member

Joined:

May 20, 2003

Messages:

15,419

Likes Received:

285

Trophy Points:

433

Location:

Pennsylvania

cPanel Access Level:

Root Administrator

Twitter:

Follow @InfoprosNetwork

hostnex said: ↑

is there anyone who can comment on it please.
Click to expand...

Sure thing. This old post should still be accurate, AFAIK:

There's no relationship between mod_evasive and an iptables firewall as the blocks mod_evasive place are entirely within apache.
- Chirpy
Click to expand...

csf+lfd and mod_evasive - ConfigServer Forums

____________________________

Join us for the 2017 cPanel Conference!
Sept. 26th & 27th in Fort Lauderdale, Florida
https://conference.cpanel.net/

#3 Infopro, May 31, 2012
voshka Active Member

Joined:

Apr 4, 2010

Messages:

30

Likes Received:

0

Trophy Points:

56

Mod_evasive is an old outdated apache module
it does not any real protection against dos attacks

#4 voshka, Jul 14, 2012
cPanelTristan Quality Assurance Analyst
Staff Member

Joined:

Oct 2, 2010

Messages:

7,622

Likes Received:

24

Trophy Points:

238

Location:

somewhere over the rainbow

cPanel Access Level:

Root Administrator

It would be better to install mod_qos, which is in EasyApache. Here are details on it:

mod_qos

cPResources: Support Options | More Support Options | Forums Search | cPanel.net Site Search | Mailing Lists(Alt) | Docs
-- Tristan, Technical Analyst III, Forums Specialist, cPanel Tech Support

Submit a ticket | Check an existing ticket

#5 cPanelTristan, Jul 14, 2012
voshka Active Member

Joined:

Apr 4, 2010

Messages:

30

Likes Received:

0

Trophy Points:

56

trying to use fcgi and getting use to it is much better
as it cache every compiled php into memory with a period and serve every thing from the memory will more usefull
try compiling apache with fcgi Ea-accelerator mem-cache mpm_worker

and change apache handler after the compilation to the fcgi

that would do much better in case of bot net or usual dos attacks
in the case of a dos flood it wouldn't be any thing you could do with the server level nore you could do on the firewall just need additional port to handle

Thanks

#6 voshka, Jul 15, 2012
NetMantis BANNED

Joined:

Apr 22, 2012

Messages:

116

Likes Received:

1

Trophy Points:

66

Location:

Utah

cPanel Access Level:

DataCenter Provider

It would be extremely difficult to trip mod_evasive via page refreshes unless you set the limits
on your mod_evasive configuration ridiculously low.

You did remember to actually configure mod_evasive, right?

mod_evasive is more for higher massive automated requests and is old but still has some practical use but is of no value whatsoever if you fail to configure the module.

A better rate throttle control for Apache however would be the newer mod_qos module which does a lot more.

If you want to look into a bit lower level control, it is possible to rate limit control access at the TCP/IP level using iptables though this gets into a little bit more advanced firewall rules and configurations.

CSF/LFD also has a great many features built in for controlling excessive or abusive traffic. However, just like mod_evasive these features are not working by default and you need to actually configure them in /etc/csf/csf.conf.

#7 NetMantis, Jul 15, 2012
NixTree Well-Known Member

Joined:

Aug 19, 2010

Messages:

404

Likes Received:

2

Trophy Points:

143

Location:

Gods Own Country

cPanel Access Level:

Root Administrator

Twitter:

Follow @NixTree

mod_qos + CSF can work together based on the rate of DDOS attack. I know a DDOS victim on which I had configure mod_qos and configured CSF to work with it. But it cannot generate any firewall rules due to the apache logs ( for qos ) was generated faster than CSF could read...so CSF couldn't help me during that situation.

Per Server and Shared Team Support Specialists
ntPHPselector - Multi PHP Solution per directory
Managed Backups & Server Monitoring Plans

#8 NixTree, Jul 15, 2012
NetMantis BANNED

Joined:

Apr 22, 2012

Messages:

116

Likes Received:

1

Trophy Points:

66

Location:

Utah

cPanel Access Level:

DataCenter Provider

DDoS attack? Yes, those generally suck for lack of a better word!

Packet analysis should help you identify the unique characteristics of the attack and once you have that, you can just simply drop those packets regardless of IP originating source. I've killed more than a few DDoS attacks that way and the cool thing is there is no option for adding on new attack servers or changing IPs for the attacker.

The added SPI layer does slow the server a bit but no where near as much as letting the DDoS attack through.

#9 NetMantis, Jul 15, 2012