View Full Version : Installing mod_dosevasive


elix
08-07-2005, 12:24 PM
I found this quite useful for blocking DoS attacks when you're being attacked heavily. You may want to tweak the settings around slightly, I have descriptions of the settings included below. Also note that this will break Frontpage extensions, if you use them.

Here are the commands in order:

wget http://dll.elix.us/mod_dosevasive_1.10.tar.gz
tar zxvf mod_dosevasive_1.10.tar.gz
cd mod_dosevasive
/usr/local/apache/bin/apxs -i -a -c mod_dosevasive.c

If you're using Apache 2, use this command instead of ^:
/usr/local/apache/bin/apxs -i -a -c mod_dosevasive20.c

Add the following to httpd.conf

<IfModule mod_dosevasive20.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
DOSEmailNotify you@email.com
DOSSystemCommand "su - user -c '/sbin/... %s ...'"
</IfModule>

Descriptions:

- DOSHashTableSize: the size of the table of URL and IP combined
- DOSPageCount: the number of same-page requests from the same IP during an interval that will cause that IP to be added to the block list.
- DOSSiteCount: the number of pages requested of a site by the same IP during an interval which will cause the IP to be added to the block list.
- DOSPageInterval: the interval at which the hash table for IPs and URLs is erased (in seconds)
- DOSSiteInterval: the interval at which the hash table of IPs is erased (in seconds)
- DOSBlockingPeriod: the time the IP is blocked (in seconds)
- DOSEmailNotify: can be used to send an email notification every time an IP is blocked
- DOSSystemCommand: the command to execute when an IP is blocked. It can be used to block the user at a firewall or router.
- DOSWhiteList: can be used to whitelist IPs such as 127.0.0.1

hth :)

Tony
08-07-2005, 12:54 PM
note: using DOSSystemCommand "su - user -c '/sbin/... %s ...'" can be very resource intensive and is not recommended.

elix
08-07-2005, 01:01 PM
note: using DOSSystemCommand "su - user -c '/sbin/... %s ...'" can be very resource intensive and is not recommended.
Interesting. What would you suggest, Tony?

edit: nvm, anybody who installs this can just edit that part out.

Thanks

Hvu
08-07-2005, 01:23 PM
You might want to add a whereis apxs to your guide, since Apache install locations differ per control panel install. For instance, my apxs is located at /usr/sbin/apxs

whereis apxs

elix
08-07-2005, 07:48 PM
You might want to add a whereis apxs to your guide, since Apache install locations differ per control panel install. For instance, my apxs is located at /usr/sbin/apxs

whereis apxs
ahh okay. Sorry about that.

jpetrov
08-08-2005, 11:10 AM
weird - /usr/sbin/apxs (the place where whereis told me is apxs) produced errors, while the /usr/local/apache/bin/apxs worked...

jpetrov
08-08-2005, 11:41 AM
By the way - test the install (after successful finish and httpd restart) with the following commands:

chmod 0700 ./test.pl
./test.pl

StingRay
08-26-2005, 01:30 PM
Just for the next person reading this how to:

Be aware that:
<IfModule mod_dosevasive20.c>


Should be:
<IfModule mod_dosevasive.c>

If using Apache 1.3.x


jpetrov,
Does that test.pl just check that it was installed correctly, or that it is actually working?
I installed it, but I'm not getting a warm fuzzy feeling that it's actually doing its job :)

jpetrov
08-26-2005, 04:33 PM
I started it before installing mod_dosevasive and all requests came back with OK. After the dosevasive install, halfway through the run Apache started rejecting the requests.

StingRay
08-28-2005, 05:47 PM
Just tried it and it seems to work great.
What the test does is send out lots of requests in a couple of seconds. If you have mod_dosevasive set up right it should say OK for a few lines, then Forbidden.
In my case I had it set for 50 attempts in 2 secs. I counted each request and sure enough it cut out around 50 (ok, so I didn't count that accurately) :P

blueface
08-31-2005, 06:13 PM
Do you know what parameter should be used in DOSSystemCommand to block the attacking IP with iptables? Thanks.

elix
08-31-2005, 07:00 PM
I believe you can just use:

DOSSystemCommand "iptables -I INPUT -s 1.2.3.4 -j DROP"

edit: I'm not sure what to replace 1.2.3.4 with.

netrider
10-07-2005, 11:02 AM
I get errors after an install :(

root@host [/usr/local/apache/libexec]# /usr/sbin/httpd configtest
Syntax error on line 230 of /usr/local/apache/conf/httpd.conf:
Cannot load /usr/local/apache/libexec/mod_dosevasive20.so into server: /usr/local/apache/libexec/mod_dosevasive20.so: undefined symbol: apr_pool_cleanup_null

root@host [/usr/local/apache/libexec]# ls -la /usr/local/apache/libexec
[...]
-rwxr-xr-x 1 root root 60960 Oct 8 00:08 mod_dosevasive20.so*
[...]

root@host [/usr/local/apache/libexec]# cat /usr/local/apache/conf/httpd.conf
[...]
LoadModule dosevasive20_module libexec/mod_dosevasive20.so
<IfModule mod_dosevasive.c>
DOSHashTableSize 3097
DOSPageCount 5
DOSSiteCount 100
DOSPageInterval 2
DOSSiteInterval 2
DOSBlockingPeriod 600
DOSEmailNotify root
</IfModule>
[...]

Any ideas?

elix
10-07-2005, 03:34 PM
I'm sure if you ask support they'll be happy to install it for ya.

BornOnline
10-15-2005, 01:47 AM
DOSSystemCommand "iptables -I INPUT -s %s -j DROP" - Going to try this

Sergey
10-16-2005, 07:51 AM
If you want to disable that IP for ages try this

DOSSystemCommand "/etc/apf/apf -d %s"

Be sure that APF is installed.
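
Pulling together the DOSSystemCommand suggestions in this thread, the following is an added example (not posted by anyone in the thread and not part of mod_dosevasive) of a wrapper that checks the %s argument before applying the same iptables -I INPUT -s %s -j DROP rule. The script path, the EXEMPT list and the EVASIVE_APPLY switch are assumptions made for the illustration; it would be referenced as DOSSystemCommand "/usr/local/sbin/evasive-block.sh %s" and needs enough privilege to change firewall rules.

```shell
#!/bin/sh
# Added example (not from the thread): wrapper for DOSSystemCommand's %s argument.
# Hypothetical names: /usr/local/sbin/evasive-block.sh, EXEMPT, EVASIVE_APPLY.

EXEMPT="127.0.0.1 192.0.2.10"   # constructed sample: addresses never to block

# Succeeds only for a strict dotted quad: four octets, 0-255, no leading zeros.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                   # split on dots; input holds only digits and dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Succeeds if the address is on the exempt list.
is_exempt() {
    for e in $EXEMPT; do
        [ "$e" = "$1" ] && return 0
    done
    return 1
}

# Prints the action for one address; touches iptables only when EVASIVE_APPLY=1.
evasive_block() {
    is_ipv4 "$1" || { echo "rejected"; return 1; }
    is_exempt "$1" && { echo "exempt"; return 0; }
    if [ "${EVASIVE_APPLY:-0}" = 1 ]; then
        # -C checks for an existing rule so repeated triggers do not stack duplicates.
        iptables -C INPUT -s "$1" -j DROP 2>/dev/null ||
            iptables -I INPUT -s "$1" -j DROP || return 1
    fi
    echo "iptables -I INPUT -s $1 -j DROP"
}

if [ "$#" -gt 0 ]; then evasive_block "$1"; fi
```

A rule inserted this way stays in place until it is removed, regardless of DOSBlockingPeriod, so pair it with a cleanup job if blocks are meant to expire.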