Mod_evasive Settings
Mar 30, 2007
mod_evasive settings?
I can't find out the setting which would ban all bad IPs and will not ban normal ones.
I know this may be the most foolish question on WHT, but I'm looking for mod_evasive's download link. I tried Googling and searching all the forums, but all the links were dead.
Can anybody give me a link to get mod_evasive? Of course, if you have a better idea than using mod_evasive, I'll be glad to hear it.
We installed mod_evasive and ever since we have been getting files like dos-xxx.xxx.xxx.xxx, where xxx.xxx.xxx.xxx is an IP, in our /tmp directory. The contents of the file are usually a 4 or 5 digit number and the file is owned by apache. Can anyone help me understand what this file is? Is it a product of mod_evasive? Can the files be deleted?
I have a file named dos-1.2.13.4 (I changed the IP address on purpose) inside the log directory, and inside the file there is a 4 digit number that is constantly changing.
[root@myserver]# more dos-1.2.13.4
8726
What is 8726?
We are having problems installing mod_evasive on our server. We tried installing it on our Virtual Machine that runs Fedora 7 (on our server we have Fedora Core 5), and on the Virtual Machine it is fine: we can compile it and put it in our Apache2 conf file.
However, when we try
[root@ mod_evasive]# /usr/local/psa/admin/bin/apxs -i -a -c mod_evasive20.c
on the server, we get a
[root@ mod_evasive]# /usr/local/psa/admin/bin/apxs -i -a -c mod_evasive20.c
gcc -DHARD_SERVER_LIMIT=512 -DDEFAULT_PATH="/usr/local/psa/admin/bin:/bin:/usr/bin" -DLINUX=22 -DTARGET="httpsd" -DHAVE_SET_DUMPABLE -DNO_DBM_REWRITEMAP -DMOD_SSL=208122 -DEAPI -O -pipe -I/usr/include -O3 -fexpensive-optimizations -fstrength-reduce -pipe -DPLESK_Linux -I/home/builder/buildbot/psa-8.2.1-bfc7/build/plesk/lib/dist/include/libxml2 -W -Wall -DPLESK_Linux -I/home/builder/buildbot/psa-8.2.1-bfc7/build/plesk/plesk-utils/include -DBSG_CR -DBSG_MSG -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -DHAS_RPM -DUSE_SLEEP_ON_IDLE -Wno-unused-parameter -fpic -DSHARED_MODULE -I/usr/local/psa/admin/include -c mod_evasive20.c ....
I have 2 questions here.
1. I have installed mod_evasive version 1.10.1 on a CentOS 4.4 server.
I'm using the test.pl script that comes with mod_evasive to test the configuration, and when running the script from the same server mod_evasive is installed on, mod_evasive is able to detect the intrusion and block the IP of the server.
If I use the same test.pl script from an external server, the requests come in and are viewable in the access log, but mod_evasive doesn't block the IP of the external server. It is probably not blocking the IP of the external server because of latency.
Is there a way to modify the test.pl script to make it more aggressive and get results when testing from an external server?
Here I'm pasting the code of the test.pl script:
Code:
#!/usr/bin/perl
# test.pl: small script to test mod_dosevasive's effectiveness
use IO::Socket;
use strict;

for (0..100) {
    my ($response);
    # Open a fresh TCP connection for every request (no Keep-Alive).
    my ($SOCKET) = IO::Socket::INET->new(Proto    => "tcp",
                                         PeerAddr => "test.domain.tld:80");
    if (! defined $SOCKET) { die $!; }
    # HTTP/1.0 request line followed by the blank line that ends the headers.
    print $SOCKET "GET /?$_ HTTP/1.0\n\n";
    $response = <$SOCKET>;
    print $response;
    close($SOCKET);
}
2. Also, I have sendmail installed, and in the mod_evasive config I have an email address specified in DOSEmailNotify. When testing from the internal server with the test.pl script, the server is able to block the IP and put it in the hash table, but it never sends an email to my email address.
Does anyone know any good mod_evasive rules that pick up DoS but don't produce many false positives? Just looking to see what works for everyone out there; I've been having trouble.
Or if there is a better Apache module to combat DoS.
I want to install the module on my CentOS cPanel server, so I try:
cd /usr/local/src
wget mod_evasive_1.10.1.tar.gz
tar -zxf mod_evasive_1.10.1.tar.gz
cd mod_evasive
/usr/sbin/apxs -cia mod_evasive20.c
But when I run /usr/sbin/apxs -cia mod_evasive20.c I get this error:
[root@ mod_evasive]#/usr/sbin/apxs -cia mod_evasive20.c
-bash: /usr/sbin/apxs: No such file or directory
And is it good to install or not? [url]
I got mod_evasive installed and it's working fine. It's detecting the IPs, blocking the IPs and sending me the emails.
The emails I'm getting only have the sender name "Apache", and the content shows which IP address is being blocked.
How can I enhance the email report to do the following:
1) get a proper Subject header in the email
2) change the From header to include the hostname, i.e. apache@web.domain.tld
3) have the program do a reverse lookup on the IP, and include that in the body.
Do I need to include a script using DOSSystemCommand to do this?
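One way to do what the post above asks, as an added example that is not part of mod_evasive: a small notifier run through DOSSystemCommand (mod_evasive substitutes %s with the blocked address) that adds a Subject, a From carrying the server's hostname and the reverse-DNS name of the IP, then hands the message to the local sendmail. The install path, the recipient address and the use of the machine's FQDN as hostname are assumptions.

```python
#!/usr/bin/env python3
# Editor's added example, not mod_evasive's code. Assumed wiring in httpd.conf
# (mod_evasive replaces %s with the blacklisted address):
#   DOSSystemCommand "/usr/local/sbin/evasive-notify.py %s"
import socket
import subprocess
import sys
from email.message import EmailMessage

RECIPIENT = "admin@web.domain.tld"   # placeholder: set to your own mailbox


def reverse_lookup(ip):
    """PTR name for ip, or a marker when there is none (never raises)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return "(no PTR record)"


def build_report(ip, hostname, ptr):
    """Compose the notification; kept pure so it can be checked without DNS."""
    msg = EmailMessage()
    msg["Subject"] = f"mod_evasive blacklisted {ip} on {hostname}"
    msg["From"] = f"apache@{hostname}"
    msg["To"] = RECIPIENT
    msg.set_content(
        f"mod_evasive on {hostname} blocked {ip}\n"
        f"Reverse DNS: {ptr}\n"
        f"Check the access log on {hostname} before deciding to whitelist.\n")
    return msg


def main(argv):
    if len(argv) != 2:
        sys.exit("usage: evasive-notify.py <blocked-ip>")
    ip = argv[1]
    report = build_report(ip, socket.getfqdn(), reverse_lookup(ip))
    # Hand the message to the local MTA (sendmail is present on the poster's box).
    subprocess.run(["/usr/sbin/sendmail", "-t", "-oi"],
                   input=report.as_bytes(), check=True)


if __name__ == "__main__":
    main(sys.argv)
```

mod_evasive writes a dos-<ip> lock file in DOSLogDir (the PID-bearing files asked about earlier on this page) so that only the first child to block an address runs the command; the script runs as the Apache user, so that account needs execute permission on it.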
Is there a way to block ips with mod_evasive by adding the ips to the mod_evasive configuration file?
Sometimes I read in the logs:
server mod_evasive[24203]: Blacklisting address 84.255.151.xxx: possible attack.
Where can I find this blacklist and all the IPs listed in it?
Installing mod_evasive after several attacks on our server,
but when restarting httpd I get this error:
httpd: Syntax error on line 36 of /usr/local/apache/conf/httpd.conf: API module structure 'evasive20_module' in file /usr/lib/httpd/modules/mod_evasive20.so is garbled - expected signature 41503232 but saw 41503230 - perhaps this is not an Apache module DSO, or was compiled for a different Apache version?
Running Apache 2.2.8.
I would like to install mod_evasive for Apache 2.0 on a RHEL 4 server (cPanel installed). I downloaded the mod_evasive source, extracted it and used the following commands.
# cd mod_evasive
# /usr/sbin/apxs -cia mod_evasive20.c
I am getting the following message.
-bash: /usr/sbin/apxs: No such file or directory
# whereis apxs
apxs:
We tried to use an offline browsing program to download our site and test whether it would fail or not. We used 500 threads at once. The program was able to request 56 pages per second. Of course the server (site) failed because there were no more available MySQL connections, so the site went down. Mod_evasive didn't block that.
Here is the config:
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 80
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 30
DOSLogDir "/var/log/httpd"
</IfModule>
Here is the copy of text I found on one site about mod_evasive:
Mod_evasive does work relatively well for small to medium sized brute force or HTTP level DoS attacks. There is, however, an important limitation that mod_evasive has that you should be aware of. The mod_evasive module is not as good as it could be because it does not use shared memory in Apache to keep information about previous requests persistent. Instead, the information is kept with each child process or thread. Other Apache children that are then spawned know nothing about abuse against one of them. When a child serves the maximum number of requests and dies, the DoS information goes with it. So, what does this mean? This means that if an attacker sends their HTTP DoS requests and they do not use HTTP Keep-Alives, then Apache will spawn a new child process for every request and it will never trigger the mod_evasive thresholds. This is not good…
Is there any solution for such type of attack with Keep Alive disabled?
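To show why the crawl described above went unblocked, here is an added example (the editor's toy model, not mod_evasive's source) of the module's accounting: one hit table per Apache child, whole-second timestamps as time() gives them, and a counter that restarts when consecutive hits are an interval or more apart; those semantics are the editor's reading of the module and the IP address is a constructed sample. simulate() pushes a crawl of distinct pages at a given rate: with the posted thresholds, 56 pages/s never reaches DOSSiteCount 80 inside a single second even in one child, and a rate that would trip one child is missed once the requests are spread over forty.

```python
# Editor's toy model of mod_evasive's per-child accounting (not the module's code).
# Assumed: whole-second timestamps; counter restarts when consecutive hits are
# >= the interval apart; blocked IPs stay on hold while they keep hitting.
class EvasiveChild:
    """One Apache child process and its private (non-shared) hit table."""
    def __init__(self, page_count, site_count, page_interval,
                 site_interval, blocking_period):
        self.limits = {"page": (page_count, page_interval),
                       "site": (site_count, site_interval)}
        self.blocking_period = blocking_period
        self.hits = {}      # key -> [last_hit_second, count]
        self.blocked = {}   # ip -> second the hold was (re)started

    def request(self, ip, uri, now):
        """True if this request would be answered with 403."""
        if ip in self.blocked and now - self.blocked[ip] < self.blocking_period:
            self.blocked[ip] = now          # still on hold: hold it longer
            return True
        forbidden = False
        for kind, key in (("page", f"{ip}_{uri}"), ("site", f"{ip}_SITE")):
            limit, interval = self.limits[kind]
            entry = self.hits.get(key)
            if entry is None:
                self.hits[key] = [now, 1]
                continue
            last, count = entry
            if now - last < interval and count >= limit:
                self.blocked[ip] = now      # threshold reached: blacklist IP
                forbidden = True
            elif now - last >= interval:
                count = 0                   # too quiet: start counting again
            entry[0], entry[1] = now, count + 1
        return forbidden


def simulate(n_children, rps, seconds, **cfg):
    """Crawl distinct pages from one IP at rps req/s, spread round-robin over
    n_children children (what Keep-Alive off does); return requests refused."""
    children = [EvasiveChild(**cfg) for _ in range(n_children)]
    refused = 0
    for i in range(rps * seconds):
        now = i // rps                      # time() granularity is seconds
        refused += children[i % n_children].request(
            "203.0.113.7", f"/page{i}.html", now)   # constructed sample IP
    return refused


# The configuration quoted in the post above.
POSTED = dict(page_count=2, site_count=80, page_interval=1,
              site_interval=1, blocking_period=30)
```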
mod_evasive bans some of the legitimate users (galleries, typo3 etc.) with the following settings:
<IfModule mod_dosevasive20.c>
DOSHashTableSize 3097
DOSPageCount 10
DOSSiteCount 150
DOSPageInterval 1
DOSSiteInterval 3
DOSBlockingPeriod 10
</IfModule>
Does somebody have an idea for some less restrictive but still useful rules?
The server gets around 25k unique visitors per day, but one website in particular allows hotlinking and uses a lot of bandwidth. Last time I checked, according to the WHM Apache status page, I was getting 180 requests per second. Not sure what time it was though, so it might be higher at a different time of the day.
Recently got mod_evasive installed, but I didn't want it to block out legitimate users. Currently it's set to this...
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 5
DOSSiteCount 100
DOSPageInterval 2
DOSSiteInterval 2
DOSBlockingPeriod 10
DOSBlockingPeriod 600
</IfModule>
What would a better configuration be? When I check the log I already see it block out a bunch of IPs. I don't want to lose any visitors to this program, but I do get DDoSed a lot.
I just started using lighttpd for download purposes.
I limited the number of connections per IP to 5 using mod_evasive.
When a user is downloading with a download manager, the number of connections reaches its maximum. I was wondering if there is a way to allow that same user to have 1 additional connection when an index.php is requested. That is, if the user is trying to view an index.php file it would ignore the rule evasive.max-conns-per-ip = 5.
Each user has their download dir located on [url]; that same dir contains an index.php which contains a login tab and an integrated directory listing.
How do I install mod_security, Suhosin and mod_evasive on a Plesk server (apache2, php5)?
When I locate apxs I get empty results.
How do I set up DNS correctly? I have been trying for over a day now and have not succeeded!
The situation is that I am using WHM/cPanel. I have a domain hosted with GoDaddy that I want to point at my VPS space. I have entered the nameservers into GoDaddy, and it now shows the placeholder page when I go to my domain.
I have set up a user with FTP access to my main domain in WHM, and uploaded an index page to test.
If I type in my domain name it goes to the GoDaddy placeholder page, if I type in the IP address it goes to an Apache 'great success' page, and if I go to the same IP but with the user's name added, it goes to the index file I uploaded.
I have played around with DNS zones and A records but cannot get the index page to show when I enter my main domain name.
Does the following setting of PHP look normal in a shared hosting environment?
disable_functions ini_alter,system,passthru,shell_exec,leak,listen,chgrp,apache_setenv,define_syslog_variables,openlog,syslog,ftp_exec ini_alter,system,passthru,shell_exec,leak,listen,chgrp,apache_setenv,define_syslog_variables,openlog,syslog,ftp_exec
Our business is in the middle of changing to an Exchange based email platform which will take effect in a few months, NOT NOW, but planning ahead I'm trying to help with the DNS issues behind the scenes. The current host and registrar is flarehosting. However, I have just transferred the domain name to my NAMECHEAP account and need to take over the DNS controls. I want to make SURE this is done without ANY downtime for the company (website, current email system). After contacting the current host for the correct settings I have 3 things I need help with.
newerafinance.com 208.21.164.25 (Used for Domain)
mail.newerafinance.com 208.21.167.4 (Used for WebBased Email AND pop/smtp)
MX is mail2.uploadmysite.com
I was told that with the above info I need to set up A records, a CNAME, a URL redirect and MX records. Before I try this myself I'd like some help with how this should be set up.
The Exchange server will be up at a future date, so we need the current email system to remain the same. Half of our users use POP/SMTP and the other half web based email.
Now my site's online users went past 200; my MaxClients is 200 and now the server load is slow. Can I increase MaxClients to 250?
I have IIS on my computer and I want to start using a PHP driven forum (SMF) on my web site. Before I upload the files I need to check that the following settings are on:
the engine directive must be On.
the magic_quotes_sybase directive must be set to Off.
the session.save_path directive must be set to a valid directory, or empty.
the file_uploads directive must be On.
the upload_tmp_dir must be set to a valid directory, or empty.
I can't find anywhere within IIS where these directives may be found. Can anyone point me in the right direction?
I am being rejected by Hotmail when sending mail from my VPS. I want to send mail from punBB and osCommerce, with various websites hosted on one VPS/cPanel/LAMP solution. And with sendmail or SMTP, it's always the same: passing almost every ISP except Hotmail/Gmail. I also always get this part in my email header regardless of which website I'm sending email from:
Code:
Received: from host.locker4adream.com ([74.200.75.7])
by host.locker4adream.com with esmtpa (Exim 4.68)
So I think it's the host.locker4adream.com part that gets me rejected, because it's almost the only line in the email header that is different when I am using Outlook/Thunderbird to send mail. This IP (74.200.75.7) is mine and I never spammed or anything.
So I asked my host to add rDNS. And I added this line to the DNS zone of my mail domain:
Code:
lockeradream TXT "v=spf1 mx a ptr ip4:74.200.75.7/32 ip4:74.200.81.156/32?all"
I am really out of solutions! Can anyone tell me if the SPF record stated above is OK?
I'm running a pretty large site that brings in about 80k uniques each month; what would be a good setting to lower the SYN flood settings in the csf configuration?
I have a dedicated server and have 5 IP addresses in all.
3 IP addresses I am using already.
I want to give 2 IP addresses to a site, and I have created DNS for that site:
ns1.domainname.com
ns2.domainname.com
For both NS I have given the 2 spare IPs.
Now I want to edit the DNS of that domain name. Which section of the DNS do I edit in WHM, and in which field do I write what?
Is there a way to make it so that only PayPal-verified people can order?