Mod_Evasive - Blocking IPs Manually
Oct 26, 2007
Is there a way to block IPs with mod_evasive by adding the IPs to the mod_evasive configuration file?
I know this may be the most foolish question on WHT, but I'm looking for mod_evasive's download link. I tried Googling and searching all the forums, but all the links were dead.
Can anybody give me a link to get mod_evasive? Of course, if you have a better idea than using mod_evasive, I'll be glad to hear it.
We installed mod_evasive and ever since we are getting files like dos-xxx.xxx.xxx.xxx, where xxx.xxx.xxx.xxx is an IP, in our /tmp directory. The contents of the file are usually a 4 or 5 digit number, and the file is owned by apache. Can anyone help me understand what this file is? Is it a product of mod_evasive? Can the files be deleted?
I have a file named dos-1.2.13.4 (I changed the IP address on purpose) inside the log directory, and inside the file there is a 4 digit number that is constantly changing.
[root@myserver]# more dos-1.2.13.4
8726
What is 8726?
We are having problems installing mod_evasive on our server. We tried installing it on our virtual machine that runs Fedora 7 (on our server we have Fedora Core 5), and on the virtual machine it is fine: we can compile it and put it in our Apache2 conf file.
However, when we try
[root@ mod_evasive]# /usr/local/psa/admin/bin/apxs -i -a -c mod_evasive20.c
on the server, we get a
[root@ mod_evasive]# /usr/local/psa/admin/bin/apxs -i -a -c mod_evasive20.c
gcc -DHARD_SERVER_LIMIT=512 -DDEFAULT_PATH="/usr/local/psa/admin/bin:/bin:/usr/bin" -DLINUX=22 -DTARGET="httpsd" -DHAVE_SET_DUMPABLE -DNO_DBM_REWRITEMAP -DMOD_SSL=208122 -DEAPI -O -pipe -I/usr/include -O3 -fexpensive-optimizations -fstrength-reduce -pipe -DPLESK_Linux -I/home/builder/buildbot/psa-8.2.1-bfc7/build/plesk/lib/dist/include/libxml2 -W -Wall -DPLESK_Linux -I/home/builder/buildbot/psa-8.2.1-bfc7/build/plesk/plesk-utils/include -DBSG_CR -DBSG_MSG -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -DHAS_RPM -DUSE_SLEEP_ON_IDLE -Wno-unused-parameter -fpic -DSHARED_MODULE -I/usr/local/psa/admin/include -c mod_evasive20.c ....
I have 2 questions here.
1. I have installed mod_evasive version 1.10.1 on a CentOS 4.4 server.
I'm using the test.pl script that comes with mod_evasive to test the configuration. When running the script from the same server mod_evasive is installed on, mod_evasive is able to detect the intrusion and block the IP of the server.
If I use the same test.pl script from an external server, the requests come in and are visible in the access log, but mod_evasive doesn't block the IP of the external server. It is probably not blocking the IP of the external server because of latency.
Is there a way to modify the test.pl script to make it more aggressive and get results when testing from an external server?
Here I'm pasting the code of the test.pl script:
Code:
#!/usr/bin/perl
# test.pl: small script to test mod_dosevasive's effectiveness
use IO::Socket;
use strict;

for (0..100) {
    my ($response);
    my ($SOCKET) = new IO::Socket::INET( Proto    => "tcp",
                                         PeerAddr => "test.domain.tld:80" );
    if (! defined $SOCKET) { die $!; }
    # HTTP/1.0 request; the empty line terminates the header block
    print $SOCKET "GET /?$_ HTTP/1.0\n\n";
    $response = <$SOCKET>;
    print $response;
    close($SOCKET);
}
2. Also, I have sendmail installed, and in the mod_evasive config I have an email address specified in DOSEmailNotify. When testing from the internal server with the test.pl script, the server is able to block the IP and put it in the hash table, but it never sends an email to my address.
mod_evasive settings?
I can't find the settings that would ban all bad IPs and not ban normal ones.
Does anyone know any good mod_evasive rules that pick up DoS, but not many false positives? Just looking to see what works for everyone out there, been having trouble.
Or if there is better apache module to combat DoS.
I want to install the module on my CentOS cPanel server, so I try:
cd /usr/local/src
wget mod_evasive_1.10.1.tar.gz
tar -zxf mod_evasive_1.10.1.tar.gz
cd mod_evasive
/usr/sbin/apxs -cia mod_evasive20.c
But when I run /usr/sbin/apxs -cia mod_evasive20.c I get an error:
[root@ mod_evasive]#/usr/sbin/apxs -cia mod_evasive20.c
-bash: /usr/sbin/apxs: No such file or directory
And is it good to install or not? [url]
I got mod_evasive installed and it's working fine. It's detecting the IPs, blocking the IPs and sending me the emails.
The emails I'm getting only have the sender name "Apache", and the content shows the IP address it is blocking.
How can I enhance the email report to display the following:
1) get a proper Subject header in the email
2) change the From header to include the hostname, i.e. apache@web.domain.tld
3) have the program do a reverse lookup on the ip, and include that in the body.
Do I need to include a script using the DOSSystemCommand to do this?
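Yes, DOSSystemCommand is the hook for this. The following is an added example, not code from the thread or from mod_evasive itself: a small Python notifier intended to be wired in as `DOSSystemCommand "/usr/local/bin/evasive-notify.py %s"` (that path is an assumption). mod_evasive substitutes the blacklisted address for `%s` and runs the command as the Apache user, once per IP, at the moment it creates the `dos-<ip>` marker file in DOSLogDir; the module's README shows wrapping the command in `su - someuser -c '...'` where the Apache user may not submit mail directly. The recipient address and the sendmail path are placeholders, and the resolver argument exists only so the message can be built offline.

```python
#!/usr/bin/env python3
"""evasive-notify.py: richer blacklist notification for mod_evasive.

Added example, not part of the thread or of mod_evasive. Hook it in with
(the path is an assumption):

    DOSSystemCommand "/usr/local/bin/evasive-notify.py %s"

mod_evasive replaces %s with the blacklisted address and runs the command as
the Apache user, once per IP, at the moment it writes DOSLogDir/dos-<ip>.
"""
import ipaddress
import socket
import subprocess
import sys
from datetime import datetime, timezone
from email.message import EmailMessage

SENDMAIL = "/usr/sbin/sendmail"       # assumption: a sendmail-compatible MTA binary
RECIPIENT = "hostmaster@domain.tld"   # placeholder: where the reports should go


def reverse_lookup(ip, resolver=socket.gethostbyaddr):
    """PTR name for ip, or None when there is none or DNS fails. `resolver` is
    injectable so the message can be built offline in tests."""
    try:
        return resolver(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def build_report(ip, ptr, hostname, when=None):
    """Compose the mail: a subject, a From carrying the web host's name, the PTR in the body."""
    when = when or datetime.now(timezone.utc)
    msg = EmailMessage()
    msg["Subject"] = f"[mod_evasive] {hostname} blacklisted {ip}"
    msg["From"] = f"apache@{hostname}"
    msg["To"] = RECIPIENT
    msg.set_content(
        "mod_evasive blacklisted a client.\n\n"
        f"Server:       {hostname}\n"
        f"Client IP:    {ip}\n"
        f"Reverse DNS:  {ptr or '(no PTR record)'}\n"
        f"Time (UTC):   {when:%Y-%m-%d %H:%M:%S}\n"
    )
    return msg


def send(msg):
    """Hand the message to the local MTA; -t takes the recipients from the headers."""
    subprocess.run([SENDMAIL, "-t", "-oi"], input=msg.as_bytes(), check=True)


def demo():
    """Offline run with a constructed resolver result (no DNS query, no mail sent)."""
    fake = lambda ip: ("crawler.example.net", [], [ip])
    msg = build_report("203.0.113.7", reverse_lookup("203.0.113.7", fake), "web.domain.tld")
    return str(msg["Subject"]), str(msg["From"]), msg.get_content()


def main(argv):
    if len(argv) != 2:
        sys.exit("usage: evasive-notify.py <blacklisted-ip>")
    try:
        ip = str(ipaddress.ip_address(argv[1]))   # refuse anything that is not an address
    except ValueError:
        sys.exit(f"not an IP address: {argv[1]!r}")
    send(build_report(ip, reverse_lookup(ip), socket.getfqdn()))


if __name__ == "__main__":
    main(sys.argv)
```

The built-in DOSEmailNotify mail is left untouched; this script only adds a second, more informative message. Because mod_evasive suppresses both the email and the system command for as long as the `dos-<ip>` file exists, a blocked address that is blocked again after its period expires produces no second report until that file is cleaned up.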
Sometimes I read in the logs:
server mod_evasive[24203]: Blacklisting address 84.255.151.xxx: possible attack.
Where can I find this blacklist and all the IPs listed in it?
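For the question above and for the earlier one about the dos-xxx.xxx.xxx.xxx files in /tmp: mod_evasive keeps its hit table in the private memory of each Apache child, so there is no list file to open. What it does leave on disk is the log line quoted above and a marker file `dos-<ip>` in DOSLogDir (default /tmp), whose only content is the PID of the child that made the blocking decision; the file is owned by the Apache user because the child writes it. While the marker exists, a repeat block of the same address sends no new DOSEmailNotify mail and runs no new DOSSystemCommand, which also explains "blocked but no email" symptoms. Deleting the markers is safe; it re-enables those notifications. The script below is an added example, not code from the thread or from mod_evasive, that correlates the log lines with the markers; the sample log lines and marker files are constructed.

```python
"""Where mod_evasive's "blacklist" actually lives, and how to read it.

Added example, not part of the thread or of mod_evasive. The module keeps
its hit table in each Apache child's own memory, so there is no list file.
Two on-disk traces of its decisions do exist:

  * the log line  "mod_evasive[<pid>]: Blacklisting address <ip>: ..."
  * the marker file <DOSLogDir>/dos-<ip> (DOSLogDir defaults to /tmp),
    holding the PID of the child that blocked the address.
"""
import os
import re
import sys
import tempfile
import time
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

BLACKLIST_RE = re.compile(
    r"mod_evasive\[(?P<pid>\d+)\]: Blacklisting address (?P<ip>\S+):")
MARKER_RE = re.compile(r"^dos-(?P<ip>[0-9A-Fa-f.:]+)$")

# Constructed sample lines in the format shown in the post.
SAMPLE_LOG = [
    "Oct 26 10:01:02 server mod_evasive[24203]: Blacklisting address 84.255.151.10: possible attack.",
    "Oct 26 10:01:04 server mod_evasive[24207]: Blacklisting address 84.255.151.10: possible attack.",
    "Oct 26 10:05:40 server mod_evasive[24211]: Blacklisting address 203.0.113.7: possible attack.",
    "Oct 26 10:05:41 server sshd[1234]: Accepted publickey for admin from 192.0.2.8",
]


@dataclass
class Entry:
    ip: str
    log_hits: int = 0                                # blacklisting events seen in the log
    pids: List[int] = field(default_factory=list)    # children that logged them
    marker_pid: Optional[int] = None                 # PID stored in dos-<ip>
    marker_age: Optional[float] = None               # seconds since dos-<ip> was written


def parse_log(lines: Iterable[str]) -> Dict[str, Entry]:
    """Collect Blacklisting events per IP from syslog / error_log lines."""
    entries: Dict[str, Entry] = {}
    for line in lines:
        m = BLACKLIST_RE.search(line)
        if m:
            e = entries.setdefault(m["ip"], Entry(m["ip"]))
            e.log_hits += 1
            e.pids.append(int(m["pid"]))
    return entries


def scan_markers(log_dir: str, entries: Dict[str, Entry],
                 now: Optional[float] = None) -> Dict[str, Entry]:
    """Merge the dos-<ip> marker files found in DOSLogDir into `entries`."""
    now = time.time() if now is None else now
    for name in os.listdir(log_dir):
        m = MARKER_RE.match(name)
        if not m:
            continue
        path = os.path.join(log_dir, name)
        e = entries.setdefault(m["ip"], Entry(m["ip"]))
        try:
            with open(path) as fh:
                text = fh.read().strip()
            e.marker_pid = int(text) if text.isdigit() else None
            e.marker_age = now - os.stat(path).st_mtime
        except OSError:
            pass  # vanished or unreadable marker: keep the log information only
    return entries


def stale_markers(entries: Dict[str, Entry], blocking_period: int) -> List[str]:
    """IPs whose marker is older than DOSBlockingPeriod: no longer blocked, but
    mod_evasive stays silent about them until the file is removed."""
    return sorted(ip for ip, e in entries.items()
                  if e.marker_age is not None and e.marker_age > blocking_period)


def demo(blocking_period: int = 10) -> dict:
    """Run everything offline against constructed markers in a temporary DOSLogDir."""
    with tempfile.TemporaryDirectory() as log_dir:
        now = time.time()
        for ip, pid, age in (("84.255.151.10", 24207, 3), ("203.0.113.7", 24211, 3600)):
            path = os.path.join(log_dir, f"dos-{ip}")
            with open(path, "w") as fh:
                fh.write(f"{pid}\n")
            os.utime(path, (now - age, now - age))
        entries = scan_markers(log_dir, parse_log(SAMPLE_LOG), now=now)
        return {
            "ips": sorted(entries),
            "hits": {ip: e.log_hits for ip, e in entries.items()},
            "marker_pids": {ip: e.marker_pid for ip, e in entries.items()},
            "stale": stale_markers(entries, blocking_period),
        }


if __name__ == "__main__":
    # usage: evasive-blacklist.py <syslog-or-error_log> <DOSLogDir> [DOSBlockingPeriod]
    log_file, log_dir = sys.argv[1], sys.argv[2]
    period = int(sys.argv[3]) if len(sys.argv) > 3 else 10
    with open(log_file, errors="replace") as fh:
        table = scan_markers(log_dir, parse_log(fh))
    for ip, e in sorted(table.items()):
        age = None if e.marker_age is None else round(e.marker_age)
        print(f"{ip:<40} log events: {e.log_hits:<3} marker pid: {e.marker_pid} marker age: {age}s")
    print("stale markers:", ", ".join(stale_markers(table, period)) or "none")
```

Run it against the syslog or error_log that carries the "Blacklisting address" lines plus the configured DOSLogDir. An address with a marker younger than DOSBlockingPeriod is what the module is currently refusing; an older marker is just a leftover that keeps notifications quiet.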
I have a dedicated server. It is a Fedora Core 6. It came with "Plesk 30 domain license". However, this license of Plesk doesn't have SpamAssassin enabled. In order to get the license with SpamAssassin, it costs an extra $30 a month.
I believe SpamAssassin is in fact installed on the server by default, but some of my users are reporting that they are getting spam. How can I check if SpamAssassin is running? How do I configure SpamAssassin to filter spam on all the e-mail addresses that are created in Plesk?
I have SSH access to the server.
How to install CentOS without using the installer. This guide should be great when installing over networks, when you don't have a graphical console available (for installing over serial), when you're not content with the installer's job, when installing CentOS from another distro, or when you plainly want to learn more about how CentOS works.
Requirements:
* Have a host OS that has the "rpm" package manager available. Some distributions have it in their repositories (even if the package manager for the distro itself is not rpm), and Knoppix (a Linux live/rescue CD) has it aboard too. You can use the first CentOS ISO CD too (use linux rescue at boot); it has all the necessary packages aboard.
* Access to the CentOS base repository. It's on the first CentOS ISO CD.
* Use your BRAIN. This guide is meant to be interpreted, not copy/pasted.
Code:
# First, setup your disks to your liking. You can use whatever you want here,
# RAID, LVM, etc... Remember your disk configuration because you'll need it
# to configure grub, menu.lst and fstab. Using RAID, LVM, or others will require
# more configuration than this guide covers. To keep it simple I'm using a
# single disk. An example:
$ fdisk /dev/sda
$ mount /dev/sda3 /target
$ mkdir /target/boot
$ mount /dev/sda1 /target/boot
# Depending on the host OS you're using, you may need to initialize the rpm db
# on the host OS
$ rpm --initdb
# Use the following command to install the packages. I'll be addressing this
# command as $rpm.
$ rpm --root /target -i
# Use your shell's tab completion to complete the package filenames. I
# deliberately left out the versions so these instructions apply to a wide range
# of versions
# Let's install some basics
$rpm setup basesystem filesystem
# Install bash first, this is needed for post-install scripts
$rpm bash glibc glibc-common termcap libgcc tzdata mktemp libtermcap
# Install some dependencies (this is mainly to keep the next command smaller)
$rpm grep pcre libstdc++ info ncurses zlib gawk sed ethtool
# Install the bulk of the system
$rpm coreutils libselinux libacl libattr pam audit-libs cracklib-dicts
cracklib libsepol mcstrans libcap chkconfig python db4 openssl readline
bzip2-libs gdbm findutils krb5-libs initscripts util-linux popt udev MAKEDEV
centos-release shadow-utils keyutils-libs iproute sysfsutils SysVinit
net-tools module-init-tools e2fsprogs e2fsprogs-libs glib2 mingetty
device-mapper sysklogd psmisc centos-release-notes procps libsysfs iputils
# Install package manager
$rpm rpm beecrypt elfutils-libelf rpm-libs sqlite
# Install YUM
$rpm yum python-elementtree rpm-python yum-metadata-parser python-sqlite
expat libxml2 python-urlgrabber m2crypto python-iniparse
# You may also want to install your favorite editor
$rpm nano
# This provides /root with some defaults, like color highlighting on `ls`
$rpm rootfiles
# Right now you have system which you can chroot to, so we can start setting up
# the basics
# Mount directories for chroot operation
$ mount --bind /dev /target/dev
$ mount -t proc none /target/proc
$ mount -t sysfs none /target/sys
$ chroot /target
# This constructs /etc/shadow
$ pwconv
# Configure fstab
$ nano -w /etc/fstab
# Installing the kernel. Do this back outside the chroot in the host OS system
$ exit
$rpm kernel mkinitrd cpio device-mapper-multipath dmraid gzip kpartx lvm2 nash
tar less device-mapper-event
# Install the bootloader, grub.
$rpm grub diffutils redhat-logos
# Let's chroot again to configure our bootloader
$ chroot /target
# We start by configuring the bootloader. Open /boot/grub/menu.lst, and put the
# following there
<<<MENU.LST
timeout 5
default 0
# (0) CentOS
title CentOS
root (hd0,0)
kernel /vmlinuz-2.6.18-92.el5 root=/dev/sda3 ro
initrd /initrd-2.6.18-92.el5.img
>>>
# If this command gives an error, you can safely ignore this because it's not
# of importance. What is important is that grub-install copied the right files
# to /boot/grub that we need for booting.
$ /sbin/grub-install /dev/sda
# Manually install grub if the previous step failed. - means type it in the grub
# shell
$ grub
$- root (hd0,0)
$- setup (hd0)
# Optional packages
# You may want to install passwd so you can set passwords ;-)
$rpm passwd libuser openldap cyrus-sasl-lib
# These are used to set the keyboard language (loadkeys)
$rpm kbd usermode
# *** Right now you should have a bootable system! Here are some tips to help
# you through your 1st boot ***
# Most of the system configuration happens in /etc/sysconfig. See
# /usr/share/doc/initscripts for full documentation.
# Some quick post-install tips:
# * Configure your keyboard in /etc/sysconfig/keyboard using the KEYTABLE
#   variable
# * Configure networking. Take a look at /etc/sysconfig/network-scripts. See
#   ifcfg-lo for an example.
# This recreates the RPM database. If the host OS you used has a different
# version of db, rpm will complain with
# rpmdb: unable to lock mutex: Invalid argument
$ rpmdb --rebuilddb
I do not have control panel, I have suse OS, how do I setup an account manually so I can move my site to this new server?
We're using a subdomain to point to one of our server's IPs (gaming purposes).
And people use this subdomain to connect to the game server.
However, We are going to move to a new server soon with a different IP.
I know, only thing I have to do is change the IP of the subdomain to point to the new server, however I know this will take like 1 to 48 hours to fully work.
Is there a way to force people who are still connecting to the OLD IP to go to the new IP?
Installing mod_evasive after several attacks on our server.
But when restarting httpd I get this error:
httpd: Syntax error on line 36 of /usr/local/apache/conf/httpd.conf: API module structure 'evasive20_module' in file /usr/lib/httpd/modules/mod_evasive20.so is garbled - expected signature 41503232 but saw 41503230 - perhaps this is not an Apache module DSO, or was compiled for a different Apache version?
Running apache 2.2.8
I would like to install the Mod_evasive for Apache 2.0 on RHEL 4 Server(Cpanel Installed). I downloaded the Mod_evasive source and extracted and used the following command.
# cd mod_evasive
# /usr/sbin/apxs -cia mod_evasive20.c
I am getting the following message.
-bash: /usr/sbin/apxs: No such file or directory
# whereis apxs
apxs:
We tried to use one software for offline browsing to download our site and test it if it will fail or not. We used 500 threads at once. Program was able to request 56 pages per second. Of course server (site) failed because there were no more available mysql connections. So site went down. Mod_evasive didn't block that.
Here is the config:
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 80
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 30
DOSLogDir "/var/log/httpd"
</IfModule>
Here is the copy of text I found on one site about mod_evasive:
Mod_evasive does work relatively well for small to medium sized brute force or HTTP level DoS attacks. There is, however, an important limitation that mod_evasive has that you should be aware of. The mod_evasive module is not as good as it could be because it does not use shared memory in Apache to keep information about previous requests persistent. Instead, the information is kept with each child process or thread. Other Apache children that are then spawned know nothing about abuse against one of them. When a child serves the maximum number of requests and dies, the DoS information goes with it. So, what does this mean? This means that if an attacker sends their HTTP DoS requests and they do not use HTTP Keep-Alives, then Apache will spawn a new child process for every request and it will never trigger the mod_evasive thresholds. This is not good…
Is there any solution for such type of attack with Keep Alive disabled?
mod_evasive bans some of the legit users (galleries, Typo3 etc.) with the following settings:
<IfModule mod_dosevasive20.c>
DOSHashTableSize 3097
DOSPageCount 10
DOSSiteCount 150
DOSPageInterval 1
DOSSiteInterval 3
DOSBlockingPeriod 10
</IfModule>
Does somebody have an idea for some less restrictive but still useful rules?
How many of you cpanel folks are using the new cpanel 11 "EasyApache 3" to manage apache/php on your servers? (Instead of doing things manually?)
We have always managed our apache and php configs manually, because cpanel was "under-powered" for the task.
However, with this new EasyApache 3 that is included with cpanel 11, it seems cpanel might finally have figured things out.
How many of you have switched over from doing things yourself manually to using EasyApache to manage your PHP config?
Does anyone know how to make sub domains through SSH?
I have put an Access database inside an access_db folder on GoDaddy and written some .asp pages that query it. I am trying to make sure that I take the necessary precautions against hackers reading or even writing to the database. Maybe someone can give some remarks about whether any of these concerns are realistic, and if so, why and what I could do about it?
1) Could someone somehow navigate directly to the database and read or write to it (the access_db folder seems to have no read/write permissions as set by default by Godaddy, but how secure is that?)
2) I permit entry through use of a userid and password that are looked up in an mdb in the same folder (not listed in the html itself). If there's a match, I store the userid as a session cookie. Then, to visit any other pages, each page first checks to see if the cookie is empty before proceeding. Is it possible for someone to set the cookie themselves and thus break through (can a cookie be set manually)? If so, would it help if I mandated that the cookie be set to something specific (right now it just has to be non-blank), or can they find out what the cookie should be set to as well?
Does anyone know the step by step procedure for compiling apache with phpsuexec enabled and making apache recognize php on a non-cpanel server?
The server gets around 25k unique visitors per day, but one website in particular allows hotlinking and uses a lot of bandwidth. Last time I checked, according to the WHM Apache status page, I was getting 180 requests per second. Not sure what time it was, though, so it might be higher at a different time of the day.
Recently got mod_evasive installed, but I didn't want it to block out legitimate users. Currently it's set to this...
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 5
DOSSiteCount 100
DOSPageInterval 2
DOSSiteInterval 2
DOSBlockingPeriod 10
DOSBlockingPeriod 600
</IfModule>
What would a better configuration be? When I look at the log I already see it block out a bunch of IPs. I don't want to lose any visitors to this program, but I do get DDoSed a lot.
I just started using lighttpd for download purpose.
I limited the number of connections per IP to 5 using mod_evasive.
When a user is downloading with a download manager, the maximum number of connections is reached. I was wondering if there is a way to allow that same user to have 1 additional connection when an index.php is requested. That is, if the user is trying to view an index.php file, it would ignore the rule evasive.max-conns-per-ip = 5.
Each user has their download dir located on [url]; that same dir contains an index.php which contains a login tab and an integrated directory listing.
I noticed that my Plesk install still runs an older Roundcube installation (somewhere in the 0.9 range), and Roundcube 1.0.3 is currently the latest version available at [URL]
Is it safe to upgrade the Roundcube Installation in psa-roundcube manually from 0.9 to 1.0.x?