Need some httpd.conf advice for mod_evasive

Optrosk

Registered
Mar 13, 2009
Hi,

I have installed mod_evasive and need to insert some lines into the /etc/httpd/conf/httpd.conf file. I have seen so many different methods that I'm unsure which exact method is relevant for my server.

The readme file for mod_evasive says that I need to add this to the httpd.conf for APACHE v2.0 (I'm using 2.2):

Code:
<IfModule mod_evasive20.c>
    DOSHashTableSize    3097
    DOSPageCount        2
    DOSSiteCount        50
    DOSPageInterval     1
    DOSSiteInterval     1
    DOSBlockingPeriod   10
</IfModule>
I was wondering if I should use the Apache Configuration or just edit the file manually. If I need to edit it manually I really don't know where exactly in the file I have to insert it :eek:

But if I do it in cPanel/WHM do I need to insert it in the "Pre VirtualHost Include" in Apache Configuration? :eek:


Two other questions for the mod_evasive lines in httpd.conf:

1. Would you recommend setting the DOSBlockingPeriod higher?

2. Would you recommend the:

DOSSystemCommand "su - someuser -c '/sbin/... %s ...'"

Do I need to adjust something in this command?
 

Spiral

BANNED
Jun 24, 2005
Optrosk said:
I was wondering if I should use the Apache Configuration or just edit the file manually. If I need to edit it manually I really don't know where exactly in the file I have to insert it :eek:

But if I do it in cPanel/WHM do I need to insert it in the "Pre VirtualHost Include" in Apache Configuration? :eek:
That is really a matter of choice.

I myself inserted it on a lot of servers just before the <Directory /> section
in the main httpd.conf file at /usr/local/apache/bin and ran the update script

Two other questions for the mod_evasive lines in httpd.conf:

1. Would you recommend setting the DOSBlockingPeriod higher?
No, the default 10 seconds is plenty enough and in fact I might even
consider lowering it a bit because that time resets if you attempt to
make any connection during the time you are blocked.

Subsequently, any attacks where you have a high amount of rapid repeating
connection attempts, those IPs would just keep themselves locked out!

2. Would you recommend the:

DOSSystemCommand "su - someuser -c '/sbin/... %s ...'"
If you have a firm understanding of IP tables and / or linking up to other
firewall applications, then this is of course a useful additional feature.

If you do not understand it well enough, I would advise not attempting
to try to set this up. Mod_Evasive's internal blocking is generally more
than sufficient for most general flood type attacks.
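
Added example, not part of the thread and not mod_evasive's own code: a simplified Python model of the behaviour described in the reply above (a request made while blocked restarts the DOSBlockingPeriod timer), using the directive values from the first post. The class and function names, the fixed-window counting and the client address 203.0.113.7 are assumptions made for illustration.

```python
# Simplified model of mod_evasive's per-client decision (an assumption, not its source).
PAGE_COUNT, PAGE_INTERVAL = 2, 1    # DOSPageCount / DOSPageInterval (seconds)
SITE_COUNT, SITE_INTERVAL = 50, 1   # DOSSiteCount / DOSSiteInterval (seconds)
BLOCKING_PERIOD = 10                # DOSBlockingPeriod (seconds)


class EvasiveModel:
    def __init__(self):
        self.blocked = {}  # ip -> time of the last request seen while blocked
        self.hits = {}     # (ip, uri) or (ip, None) for site-wide -> (window_start, count)

    def _over(self, key, now, limit, interval):
        start, count = self.hits.get(key, (now, 0))
        if now - start >= interval:      # window expired: start counting again
            start, count = now, 0
        count += 1
        self.hits[key] = (start, count)
        return count > limit

    def request(self, ip, uri, now):
        """Return the status the model sends for a request at time `now` (seconds)."""
        last = self.blocked.get(ip)
        if last is not None and now - last < BLOCKING_PERIOD:
            self.blocked[ip] = now       # any request while blocked restarts the timer
            return 403
        self.blocked.pop(ip, None)
        page = self._over((ip, uri), now, PAGE_COUNT, PAGE_INTERVAL)
        site = self._over((ip, None), now, SITE_COUNT, SITE_INTERVAL)
        if page or site:
            self.blocked[ip] = now
            return 403
        return 200


def replay(times, ip="203.0.113.7", uri="/index.php"):
    """Feed constructed request timestamps from one client; return the statuses."""
    model = EvasiveModel()
    return [model.request(ip, uri, t) for t in times]


def flood_then_retry(retry_every, total=60):
    """Trip the page limit at t=0, then retry at a fixed pace.
    Returns the time of the first 200 afterwards, or None if never unblocked."""
    statuses = replay([0, 0, 0] + list(range(retry_every, total + 1, retry_every)))
    for t, status in zip(range(retry_every, total + 1, retry_every), statuses[3:]):
        if status == 200:
            return t
    return None
```

A client that retries every 5 seconds never gets back in during the 60-second run, while one that waits out the full 10 seconds is served again on its next request.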