Does anyone know any good mod_evasive rules that pick up DoS, but not many false positives? Just looking to see what works for everyone out there, been having trouble.
Or if there is better apache module to combat DoS.
I know this can be the most foolishly question on WHT but I'm looking for mod_evasive's download link, I tried googling and searching all forums but all links was dead
anybody can give me a link to get mod_evasive ? Ofcourse If you have a better idea than using of mod_evasive I'll be glad to hear
We installed mod_evasive and ever since we are getting files like: dos-xxx.xxx.xxx.xxx, where xxx.xxx.xxx.xxx is an IP in our /tmp directory. The contents of the file is usually a 4 or 5 digit number and is owned by apache. Can anyone help me understand what this file is? Is it a product of mod_evasive? Can the files be deleted?
I have a file named dos-1.2.13.4 (i changed the IP address in purpose) inside the log and inside the file there is a 4 digit number that is constantly changing. more
We are having problem with installing mod_evasive on our server. We tried installing it on our Virtual Machine that runs Fedora 7 (on our server, we have Fedora core 5), and on Virtual Machine it is fine, we can compile it and put it in our Apache2 conf file.
However, when we try
[root@ mod_evasive]# /usr/local/psa/admin/bin/apxs -i -a -c mod_evasive20.c on the server, we get a
1. I have installed mod_evasive version 1.10.1 on a Cent OS 4.4 server.
I'm using the test.pl script that comes with mod_evasive to test the configuration and when running the script from the same server mod_Evasive is installed. The mod_evasive is able to detect the intrusion and block the IP of the server.
If I use the same test.pl script from an external server the requests come in and are viewable in the access log but mod_evasive doesnt block the IP of the external server. Probably is not blocing the ip of the external server because of latency.
Is there a way to modify the test.pl script to make it more agressive and get results when testing from an external server?
Here I'm pasting the code of the test.pl script:
Code: #!/usr/bin/perl
# test.pl: small script to test mod_dosevasive's effectiveness
use IO::Socket; use strict;
for(0..100) { my($response); my($SOCKET) = new IO::Socket::INET( Proto => "tcp", PeerAddr=> "test.domain.tld:80"); if (! defined $SOCKET) { die $!; } print $SOCKET "GET /?$_ HTTP/1.0
2. Also, I have sendmail installed and on the mod_evasive config I have email address specified on DOSEmailNotify. When testing from the internal server with the test.pl script the server is able to block the ip, put in the hash table but it never sends an email to my email address.
1. I have installed mod_evasive version 1.10.1 on a Cent OS 4.4 server.
I'm using the test.pl script that comes with mod_evasive to test the configuration and when running the script from the same server mod_Evasive is installed. The mod_evasive is able to detect the intrusion and block the IP of the server.
If I use the same test.pl script from an external server the requests come in and are viewable in the access log but mod_evasive doesnt block the IP of the external server.
Probably is not blocing the ip of the external server because of latency.
Is there a way to modify the test.pl script to make it more agressive and get results when testing from an external server?
Here I'm pasting the code of the test.pl script:
Quote:
#!/usr/bin/perl
# test.pl: small script to test mod_dosevasive's effectiveness
use IO:ocket; use strict;
for(0..100) { my($response); my($SOCKET) = new IO:ocket::INET( Proto => "tcp", PeerAddr=> "test.domain.tld:80"); if (! defined $SOCKET) { die $!; } print $SOCKET "GET /?$_ HTTP/1.0
2. Also, I have sendmail installed and on the mod_evasive config I have email address specified on DOSEmailNotify. When testing from the internal server with the test.pl script the server is able to block the ip, put in the hash table but it never sends an email to my email address.
1. I have installed mod_evasive version 1.10.1 on a Cent OS 4.4 server.
I'm using the test.pl script that comes with mod_evasive to test the configuration and when running the script from the same server mod_Evasive is installed. The mod_evasive is able to detect the intrusion and block the IP of the server.
If I use the same test.pl script from an external server the requests come in and are viewable in the access log but mod_evasive doesnt block the IP of the external server. Probably is not blocing the ip of the external server because of latency.
Is there a way to modify the test.pl script to make it more agressive and get results when testing from an external server?
Here I'm pasting the code of the test.pl script:
Quote:
#!/usr/bin/perl
# test.pl: small script to test mod_dosevasive's effectiveness
use IO:Socket; use strict;
for(0..100) { my($response); my($SOCKET) = new IO:Socket::INET( Proto => "tcp", PeerAddr=> "test.domain.tld:80"); if (! defined $SOCKET) { die $!; } print $SOCKET "GET /?$_ HTTP/1.0
2. Also, I have sendmail installed and on the mod_evasive config I have email address specified on DOSEmailNotify. When testing from the internal server with the test.pl script the server is able to block the ip, put in the hash table but it never sends an email to my email address.
Installing mod_evasive after serveral attacks on our server.
but when restarting httpd I get this error,
httpd: Syntax error on line 36 of /usr/local/apache/conf/httpd.conf: API module structure 'evasive20_module' in file /usr/lib/httpd/modules/mod_evasive20.so is garbled - expected signature 41503232 but saw 41503230 - perhaps this is not an Apache module DSO, or was compiled for a different Apache version?
I would like to install the Mod_evasive for Apache 2.0 on RHEL 4 Server(Cpanel Installed). I downloaded the Mod_evasive source and extracted and used the following command.
# cd mod_evasive # /usr/sbin/apxs -cia mod_evasive20.c
We tried to use one software for offline browsing to download our site and test it if it will fail or not. We used 500 threads at once. Program was able to request 56 pages per second. Of course server (site) failed because there were no more available mysql connections. So site went down. Mod_evasive didn't block that.
Here is the copy of text I found on one site about mod_evasive:
Mod_evasive does work relatively well for small to medium sized brute force or HTTP level DoS attacks. There is, however, an important limitation that mod_evasive has that you should be aware of. The mod_evasive module is not as good as it could be because it does not use shared memory in Apache to keep information about previous requests persistent. Instead, the information is kept with each child process or thread. Other Apache children that are then spawned know nothing about abuse against one of them. When a child serves the maximum number of requests and dies, the DoS information goes with it. So, what does this mean? This means that if an attacker sends their HTTP DoS requests and they do not use HTTP Keep-Alives, then Apache will spawn a new child process for every request and it will never trigger the mod_evasive thresholds. This is not good…
Is there any solution for such type of attack with Keep Alive disabled?
The server gets around 25k unique visitors per day, but one website in particular allows hotlinking and uses a lot of bandwidth. Last time I checked...according to whm apache status page, I was getting 180 requests per second. Not sure what time it was though. So it might be higher at a different time of the day.
Recently got mod_evasive installed, but I didn't want it to block out legitimate users. Currently it's set to this...
what a better configuration would be? When I run the log I already see it block out a bunch of IP's. I don't want to lose any visitors to this program, but I do get ddos a lot.
I just started using lighttpd for download purpose.
I limited the number of connection per ip to 5 using mod_evasive .
When a user is downloading with a download manager the number of connection is reached to its maximum. I was wondering if there is a way to allow that same user to be able have 1 additional connection when an index.php is requested . That is, if the user is trying to view an index.php file it would ignore the rule evasive.max-conns-per-ip = 5 .
Each user have their download dir located on [url] in that same dir contains an index.php which contains login tab and integrated directory listing .
I signed up with Lunarpages a while back for a dedicated server for my business. Good price, managed hosting rocks, decent disk space... little problem once with a huge power outage, but **** happens, cool.
All is well until I wake up this morning to an email a minute about a failed cron job. It smells fishy, so I contact LUnar pages support to see whats up.
They inform me that some asswad had managed to brute force into my server using a temporary account I set up a while back for some tech support. (I prefaced this with 'im an idiot', so no you know why) Either way, my server now has a rootkit, plus other **** im sure im not aware of... so they propose to move me to a brand new fresh box. im thinking they are gonna charge me a fee for this, a fee for that... no way. All is free of charge.
Im ****ting kittens now.
so im resetting everything up, and i manage to look myself out of my database...(i told you I was an idiot.. and this was a looooong day already)
they fix it. again. no problem...
If you are looking for a dedicated server, go to lunarpages. otherwise you are a freaking idiot as far as I am concerned... Lunarpages, I love you, I want your babies...
PS: I am in no way affiliated with lunarpages... however, if they want to give me a free year on their servers, i wouldnt complain... *hint hint*
Any good secure rules for mod_security 2 that work well for shared servers?
Can someone share what rules you are using to secure your shared servers. Have tried a few different sets of rules, but a few customers always end up with errors and disabling it for their domain name doesn't sound like a safer option for them or the server.
how to create rules with ip/5hit/s is black list and auto ban ip with IPSec.
when test attack file .php info test : using code attack files. attack file test.php ( code files : <?php echo "we are test" ; ?> ) Ex : attack files test.php ( http://mydomain.php/test.php ) attack 200hit/s ( all files .php is not run ) php application is hang.
also wherewith code attack. i tested asp, html. it isn't problem. ( 1879hit/s ) ( good working)