Installing mod_evasive after serveral attacks on our server.
but when restarting httpd I get this error,
httpd: Syntax error on line 36 of /usr/local/apache/conf/httpd.conf: API module structure 'evasive20_module' in file /usr/lib/httpd/modules/mod_evasive20.so is garbled - expected signature 41503232 but saw 41503230 - perhaps this is not an Apache module DSO, or was compiled for a different Apache version?
Running apache 2.2.8
How can I prevent the httpd from timeout so much? the server recovers which is prefectly fine but there seems to be a problem some where.
httpd failed @ Sat Oct 31 17:47:53 2009. A restart was attempted automagically.
Service Check Method: [tcp connect]
Failure Reason: Timeout while trying to get data from service
Can you restart the httpd to get the server online again while you are under an DDoS attack?
The reason for asking is that I was told that when restarting the httpd it should start to work again instantly, and so it seems.
But why? doesnt the attack "continue" after the restart?
We're on Apache and when I insert a handful of 301 redirect statements, the 500 internal server error comes up.
Example:
Redirect 301 /products/tech.html /products/technology.html
It doesn't matter if I used the absolute URL or not for the new destination.
Im having trouble restarting apache. I have a program which executes command lines and it runs as a system service (on windows). when i tell it to restart it loads apache up (i see another httpd.exe appear in task manager) but it doesnt restart it. the command line i used is "httpd.exe -k restart" i have added an environment variable but i have also tried the full path to the exe and still no luck.
If i run the exact same line from a batch file as local admin then it works fine. I also tried getting my program to run that batch file but again it didnt work.
Is there a reason why this would happen? Can only Admin restart it and not SYSTEM? Is there another command i should be using?
Ive had this problem numerous times (website failed to connect error) before and the web management team tell me that apache2 needs to be restarted, seeing as they are not replying to my emails im gona try and do it myself.
i open up putty, login as root user, then what?
I have installed CSF on a VPS with WHM and when i try to restart i get this:
Code:
Restarting csf...
Flushing chain `INPUT'Flushing chain `FORWARD'Flushing chain `OUTPUT'Flushing chain `acctboth'Deleting chain `acctboth'Restarting bandmin acctboth chains for cPanelDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:67 DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:67 DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:68 DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:68 DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:111 DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:111 DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:113 DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:113 DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpts:135:139 DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpts:135:139 DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:445 DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:445 DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:513 DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:513 DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:520 DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:520 iptables: Unknown error 4294967295LOG tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_IN Blocked* ' Error: iptables command [/sbin/iptables -v -A LOGDROPIN -p tcp -m limit --limit 30/m --limit-burst 5 -j LOG --log-prefix 'Firewall: *TCP_IN Blocked* '] failed, at line 280
...Done.
Restarting lfd...
Stopping lfd:[ OK ][ OK ]Starting lfd:Error: You have an unresolved error when starting csf. You need to restart csf successfully before starting lfd[ OK ]
...Done.
dont know where is the error on the iptables, i didn't change any config on iptables.How can I config iptables for CSF?
i have one site on vps host with 256 ram burst untill 768 ram...
every day i watch my site it alwasy consume CPU usage avareage 60%++ consume ..for daily usage its average 60% - 80% ..sometime its get 99% ...
if this situation happend to high..i used to restart service for the bind, apache, mysql and more serivice..i use cpanel and whm,,,..
my question is :
is there bad effect if i run the restart serivice everyday?
I know this can be the most foolishly question on WHT but I'm looking for mod_evasive's download link, I tried googling and searching all forums but all links was dead
anybody can give me a link to get mod_evasive ? Ofcourse If you have a better idea than using of mod_evasive I'll be glad to hear
We installed mod_evasive and ever since we are getting files like: dos-xxx.xxx.xxx.xxx, where xxx.xxx.xxx.xxx is an IP in our /tmp directory. The contents of the file is usually a 4 or 5 digit number and is owned by apache. Can anyone help me understand what this file is? Is it a product of mod_evasive? Can the files be deleted?
View 14 Replies View RelatedI can't start the server with my php enabled 5.2.I've the following error reports.
The Apache2.2 service terminated with service-specific error 1 (0x1).
[Reviewed at the event viewer]
[Sat Jul 20 20:25:52 2013] [warn] pid file C:/Program Files/Apache Software Foundation/Apache2.2/logs/httpd.pid overwritten -- Unclean shutdown of previous Apache run?
[Reviewed the error log file of Apache 2.2]
I resolved this problem earlier by re-installing both php and apache and configuring them all over again.But when i restart my pc ,i get the same error....
I have a file named dos-1.2.13.4 (i changed the IP address in purpose) inside the log and inside the file there is a 4 digit number that is constantly changing. more
[root@myserver]# more dos-1.2.13.4
8726
What is 8726?
We are having problem with installing mod_evasive on our server. We tried installing it on our Virtual Machine that runs Fedora 7 (on our server, we have Fedora core 5), and on Virtual Machine it is fine, we can compile it and put it in our Apache2 conf file.
However, when we try
[root@ mod_evasive]# /usr/local/psa/admin/bin/apxs -i -a -c mod_evasive20.c
on the server, we get a
[root@ mod_evasive]# /usr/local/psa/admin/bin/apxs -i -a -c mod_evasive20.c
gcc -DHARD_SERVER_LIMIT=512 -DDEFAULT_PATH="/usr/local/psa/admin/bin:/bin:/usr/bin" -DLINUX=22 -DTARGET="httpsd" -DHAVE_SET_DUMPABLE -DNO_DBM_REWRITEMAP -DMOD_SSL=208122 -DEAPI -O -pipe -I/usr/include -O3 -fexpensive-optimizations -fstrength-reduce -pipe -DPLESK_Linux -I/home/builder/buildbot/psa-8.2.1-bfc7/build/plesk/lib/dist/include/libxml2 -W -Wall -DPLESK_Linux -I/home/builder/buildbot/psa-8.2.1-bfc7/build/plesk/plesk-utils/include -DBSG_CR -DBSG_MSG -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -DHAS_RPM -DUSE_SLEEP_ON_IDLE -Wno-unused-parameter -fpic -DSHARED_MODULE -I/usr/local/psa/admin/include -c mod_evasive20.c ....
I have 2 questions here.
1. I have installed mod_evasive version 1.10.1 on a Cent OS 4.4 server.
I'm using the test.pl script that comes with mod_evasive to test the configuration and when running the script from the same server mod_Evasive is installed. The mod_evasive is able to detect the intrusion and block the IP of the server.
If I use the same test.pl script from an external server the requests come in and are viewable in the access log but mod_evasive doesnt block the IP of the external server. Probably is not blocing the ip of the external server because of latency.
Is there a way to modify the test.pl script to make it more agressive and get results when testing from an external server?
Here I'm pasting the code of the test.pl script:
Code:
#!/usr/bin/perl
# test.pl: small script to test mod_dosevasive's effectiveness
use IO::Socket;
use strict;
for(0..100) {
my($response);
my($SOCKET) = new IO::Socket::INET( Proto => "tcp",
PeerAddr=> "test.domain.tld:80");
if (! defined $SOCKET) { die $!; }
print $SOCKET "GET /?$_ HTTP/1.0
";
$response = <$SOCKET>;
print $response;
close($SOCKET);
}
2. Also, I have sendmail installed and on the mod_evasive config I have email address specified on DOSEmailNotify. When testing from the internal server with the test.pl script the server is able to block the ip, put in the hash table but it never sends an email to my email address.
mod_evasive settings?
I cant find out the setting which would ban all bad IPs and will nto ban normal ones.
Does anyone know any good mod_evasive rules that pick up DoS, but not many false positives? Just looking to see what works for everyone out there, been having trouble.
Or if there is better apache module to combat DoS.
We've been thinking about writing our own hosting control panel for our own
"tight" hosting setup, so that can alter the panel just to our needs without relying on updates from anybody else.
To read new configurations in Lighttpd or Apache, as far as I know, requires the software to be restarted (for example service apache restart). Are there any negative effects of this, I'm assuming that whilst being restarted there is a small amount of time during which the software is "down" and websites can't be accessed during that period (probably <1 second). Am I correct?
What is the best way to reload configurations into these http servers without service interruption? I notice that DirectAdmin seems to just restart Apache on any function that alters the configuration file - for example adding a new user.
I thought everything was fine after setting up my new VPS with WHM/cPanel - however it turns out I was very, very wrong. I was trying to work out why email wasn't able to send or receive - so I tried to restart the mail service from WHM. This is where the problems started.
I tried to restart different services (all of them) some worked fine - some failed (the ones which are in red below are the ones which failed). The results are below. If anyone has any information or wouldn't mind helping me to resolve this I would appreciate it.
DNS Server (BIND/NSD):
Waiting for named to restart..............finished.
named (/usr/sbin/named -u named) running as named with PID 25824
named started ok
--------------------------------------------------------------
FTP Server (ProFTPd/PureFTPd):
Waiting for ftpserver to restart..............finished.
pure-authd (/usr/sbin/pure-authd -s /var/run/ftpd.sock -r /usr/sbin/pureauth) running as root with PID 30596
ftpserver started ok
--------------------------------------------------------------
HTTP Server (Apache):
Waiting for httpd to restart..............finished.
httpd (/usr/local/cpanel/whostmgr/bin/whostmgr ./reshttpd) running as root with PID 3145
httpd (/usr/local/apache/bin/httpd -k start -DSSL) running as root with PID 3171
httpd (/usr/local/apache/bin/httpd -k start -DSSL) running as root with PID 3177
httpd started ok
--------------------------------------------------------------
IMAP Server (Courier/Dovecot):
Waiting for imap to restart..............finished.
authdaemond (/usr/sbin/courierlogger -pid=/var/spool/authdaemon/pid -facility=mail -start /usr/libexec/courier-authlib/authdaemond) running as root with PID 7668
authdaemond (/usr/libexec/courier-authlib/authdaemond) running as root with PID 7669
authdaemond (/usr/libexec/courier-authlib/authdaemond) running as root with PID 7670
authdaemond (/usr/libexec/courier-authlib/authdaemond) running as root with PID 7671
imap has failed, please contact the sysadmin (result was "couriertcpd is not running").
--------------------------------------------------------------
Mail Server (Exim):
Waiting for exim to restart..............finished.
exim: [ != 220]
exim has failed, please contact the sysadmin.
--------------------------------------------------------------
POP3 Server (cPPOP):
Waiting for cppop to restart..............finished.
authdaemond (/usr/sbin/courierlogger -pid=/var/spool/authdaemon/pid -facility=mail -start /usr/libexec/courier-authlib/authdaemond) running as root with PID 11869
authdaemond (/usr/libexec/courier-authlib/authdaemond) running as root with PID 11870
authdaemond (/usr/libexec/courier-authlib/authdaemond) running as root with PID 11871
authdaemond (/usr/libexec/courier-authlib/authdaemond) running as root with PID 11872
cppop started ok
--------------------------------------------------------------
SQL Server (MySQL):
Waiting for mysql to restart..............finished.
mysqld_safe (/bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql --pid-file=/var/lib/mysql/server.rawpromo.com.pid) running as root with PID 15401
mysqld (/usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/server.rawpromo.com.pid --skip-external-locking) running as mysql with PID 15435
mysql has failed, please contact the sysadmin (result was "mysql has failed").
--------------------------------------------------------------
SSH Server (OpenSSH):
Waiting for sshd to restart..............finished.
sshd (/usr/local/cpanel/whostmgr/bin/whostmgr ./ressshd) running as root with PID 19921
sshd (/usr/sbin/sshd) running as root with PID 19949
sshd started ok
--------------------------------------------------------------
way to restart mysql and named if they drop. I'm on cpanel.
I've searched and found the following:
For mysql:
Code:
NUMBER=`ps --no-heading --user mysql | wc -l`;
[ $NUMBER -eq 0 ] && service mysql restart;
For named:
Code:
NUMBER=`ps --no-heading --user named | wc -l`;
[ $NUMBER -eq 0 ] && service named restart;
I have these set to run every 5 minutes, just to check if mysql/named are running. I found out that it doesn't work: I woke up to a whole bunch of sql errors and realized that mysql dropped while I was asleep... I type in "service mysql restart" manually and it restarts as usual, so I know that the command to restart sql works fine, but the restarts aren't triggering in the first place.
Apache Version: 2.2.29
OS Version: Windows 2012 R2 64 bit OS
Restart of apache is happening continuously .... below is snippet of the same.....
Fri Jan 16 11:22:53 2015] [notice] Parent: child process exited with status 3221225477 -- Restarting.
[Fri Jan 16 11:22:53 2015] [notice] Apache/2.2.29 (Win32) configured -- resuming normal operations
[Fri Jan 16 11:22:53 2015] [notice] Server built: Sep 10 2014 11:38:25
[Fri Jan 16 11:22:53 2015] [notice] Parent: Created child process 11440
[Fri Jan 16 11:22:53 2015] [notice] Child 11440: Child process is running
[Fri Jan 16 11:22:53 2015] [notice] Oracle WebLogic plugin build date/time: Feb 9 2011 11:49:26. Change Number: 1386101
[Fri Jan 16 11:22:53 2015] [notice] Child 11440: Acquired the start mutex.
[Fri Jan 16 11:22:53 2015] [notice] Child 11440: Starting 64 worker threads.
[Fri Jan 16 11:22:53 2015] [notice] Child 11440: Starting thread to listen on port 80.
[Fri Jan 16 11:22:53 2015] [notice] Child 11440: Starting thread to listen on port 80.
[Fri Jan 16 11:22:54 2015] [notice] Parent: child process exited with status 3221225477 -- Restarting.
[Fri Jan 16 11:22:54 2015] [notice] Apache/2.2.29 (Win32) configured -- resuming normal operations
i want to install mod on my centos Cpanel server. so i try:
cd /usr/local/src
wget mod_evasive_1.10.1.tar.gz
tar -zxf mod_evasive_1.10.1.tar.gz
cd mod_evasive
/usr/sbin/apxs -cia mod_evasive20.c
but when i run /usr/sbin/apxs -cia mod_evasive20.c there is some error for me :
[root@ mod_evasive]#/usr/sbin/apxs -cia mod_evasive20.c
-bash: /usr/sbin/apxs: No such file or directory
and is it good to install or not?[url]
View 5 Replies View RelatedI have 2 questions here.
1. I have installed mod_evasive version 1.10.1 on a Cent OS 4.4 server.
I'm using the test.pl script that comes with mod_evasive to test the configuration and when running the script from the same server mod_Evasive is installed. The mod_evasive is able to detect the intrusion and block the IP of the server.
If I use the same test.pl script from an external server the requests come in and are viewable in the access log but mod_evasive doesnt block the IP of the external server.
Probably is not blocing the ip of the external server because of latency.
Is there a way to modify the test.pl script to make it more agressive and get results when testing from an external server?
Here I'm pasting the code of the test.pl script:
Quote:
#!/usr/bin/perl
# test.pl: small script to test mod_dosevasive's effectiveness
use IO:ocket;
use strict;
for(0..100) {
my($response);
my($SOCKET) = new IO:ocket::INET( Proto => "tcp",
PeerAddr=> "test.domain.tld:80");
if (! defined $SOCKET) { die $!; }
print $SOCKET "GET /?$_ HTTP/1.0
";
$response = <$SOCKET>;
print $response;
close($SOCKET);
}
2. Also, I have sendmail installed and on the mod_evasive config I have email address specified on DOSEmailNotify. When testing from the internal server with the test.pl script the server is able to block the ip, put in the hash table but it never sends an email to my email address.
I got mod_evasive installed and its working fine. Its detecting the IPs, blocking the IPs and sending me the emails.
The emails I'm getting only have the sender name "Apache" and the content shows the IP address is blocking.
How can I enhance the email report to display the following:
1) get a proper Subject header in the email
2) change the From header to include the hostname - i.e.
apache@web.domain.tld
3) have the program do a reverse lookup on the ip, and include that in the body.
Do I need to include a script using the DOSSystemCommand to do this?
I have 2 questions here.
1. I have installed mod_evasive version 1.10.1 on a Cent OS 4.4 server.
I'm using the test.pl script that comes with mod_evasive to test the configuration and when running the script from the same server mod_Evasive is installed. The mod_evasive is able to detect the intrusion and block the IP of the server.
If I use the same test.pl script from an external server the requests come in and are viewable in the access log but mod_evasive doesnt block the IP of the external server. Probably is not blocing the ip of the external server because of latency.
Is there a way to modify the test.pl script to make it more agressive and get results when testing from an external server?
Here I'm pasting the code of the test.pl script:
Quote:
#!/usr/bin/perl
# test.pl: small script to test mod_dosevasive's effectiveness
use IO:Socket;
use strict;
for(0..100) {
my($response);
my($SOCKET) = new IO:Socket::INET( Proto => "tcp",
PeerAddr=> "test.domain.tld:80");
if (! defined $SOCKET) { die $!; }
print $SOCKET "GET /?$_ HTTP/1.0
";
$response = <$SOCKET>;
print $response;
close($SOCKET);
}
2. Also, I have sendmail installed and on the mod_evasive config I have email address specified on DOSEmailNotify. When testing from the internal server with the test.pl script the server is able to block the ip, put in the hash table but it never sends an email to my email address.
Is there a way to block ips with mod_evasive by adding the ips to the mod_evasive configuration file?
View 3 Replies View RelatedSome times I read in logs
server mod_evasive[24203]: Blacklisting address 84.255.151.xxx: possible attack.
Where can I find this black list and all IP listed
yesterday i setup my first vps system and now its hosting 2 forums of my. Thing is in evry 10 mints Mysql & courier-imap are restarting..? I know this from the lxadmin alert email. So is it normal or is it a problem in my configuration..? Im running cent os 5 now. And i also check the log.. there is entry like below in it..
Oct 6 13:43:07 vps_10013 pure-ftpd: (?@127.0.0.1) [INFO] Logout.
Oct 6 13:43:07 vps_10013 xinetd[8020]: EXIT: ftp status=255 pid=21638 duration=0(sec)
Oct 6 13:43:13 vps_10013 xinetd[8020]: EXIT: smtp status=1 pid=21637 duration=6(sec)
Oct 6 13:43:48 vps_10013 xinetd[8020]: START: smtp pid=21679 from=63.247.94.194
Oct 6 13:43:49 vps_10013 xinetd[8020]: EXIT: smtp status=1 pid=21679 duration=1(sec)
Oct 6 13:44:48 vps_10013 xinetd[8020]: START: smtp pid=21901 from=63.247.94.194
Oct 6 13:44:49 vps_10013 xinetd[8020]: EXIT: smtp status=1 pid=21901 duration=1(sec)
Oct 6 13:45:49 vps_10013 xinetd[8020]: START: smtp pid=22163 from=63.247.94.194
Oct 6 13:45:50 vps_10013 xinetd[8020]: EXIT: smtp status=1 pid=22163 duration=1(sec)
Oct 6 13:46:49 vps_10013 xinetd[8020]: START: smtp pid=22499 from=63.247.94.194
Oct 6 13:46:50 vps_10013 xinetd[8020]: EXIT: smtp status=1 pid=22499 duration=1(sec)
Oct 6 13:47:49 vps_10013 xinetd[8020]: START: smtp pid=23668 from=63.247.94.194
Oct 6 13:47:50 vps_10013 xinetd[8020]: EXIT: smtp status=1 pid=23668 duration=1(sec)
Oct 6 13:48:49 vps_10013 xinetd[8020]: START: smtp pid=23920 from=63.247.94.194
Oct 6 13:48:52 vps_10013 xinetd[8020]: EXIT: smtp status=1 pid=23920 duration=3(sec)
Oct 6 13:49:49 vps_10013 xinetd[8020]: START: smtp pid=24173 from=63.247.94.194
Oct 6 13:49:53 vps_10013 xinetd[8020]: EXIT: smtp status=1 pid=24173 duration=4(sec)
Oct 6 13:50:49 vps_10013 xinetd[8020]: START: smtp pid=26117 from=63.247.94.194
Oct 6 13:50:53 vps_10013 xinetd[8020]: EXIT: smtp status=1 pid=26117 duration=4(sec)
