Mod_evasive Doesn't Protect From Apache DOS
Feb 6, 2008
We tried using offline-browsing software to download our site and test whether it would fail. We used 500 threads at once. The program was able to request 56 pages per second. Of course the server (site) failed because there were no more available MySQL connections, so the site went down. Mod_evasive didn't block that.
Here is the config:
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 80
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 30
DOSLogDir "/var/log/httpd"
</IfModule>
Here is the copy of text I found on one site about mod_evasive:
Mod_evasive does work relatively well for small to medium sized brute force or HTTP level DoS attacks. There is, however, an important limitation that mod_evasive has that you should be aware of. The mod_evasive module is not as good as it could be because it does not use shared memory in Apache to keep information about previous requests persistent. Instead, the information is kept with each child process or thread. Other Apache children that are then spawned know nothing about abuse against one of them. When a child serves the maximum number of requests and dies, the DoS information goes with it. So, what does this mean? This means that if an attacker sends their HTTP DoS requests and they do not use HTTP Keep-Alives, then Apache will spawn a new child process for every request and it will never trigger the mod_evasive thresholds. This is not good…
Is there any solution for such type of attack with Keep Alive disabled?
View 4 Replies
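The limitation quoted in the post above, as an added illustration that is not part of the original thread and is not mod_evasive's code: a simplified fixed-window model comparing one hit table per child with one shared table, using the thresholds from the posted config. The round-robin dispatch, the `Table` class and the constructed request streams are assumptions made for the example.

```python
"""Simplified model (not mod_evasive's code) of per-child vs shared hit tables."""

# Thresholds copied from the config posted in the thread.
DOS_PAGE_COUNT = 2        # hits allowed on the same URI per page interval
DOS_SITE_COUNT = 80       # hits allowed on the whole site per site interval
DOS_PAGE_INTERVAL = 1.0   # seconds
DOS_SITE_INTERVAL = 1.0   # seconds


class Table:
    """One hit table: a fixed window per key (a URI, or None for the site)."""

    def __init__(self):
        self.win = {}  # key -> (window_start, count)

    def hit(self, key, now, interval, limit):
        start, count = self.win.get(key, (now, 0))
        if now - start >= interval:       # window expired: start a new one
            start, count = now, 0
        count += 1
        self.win[key] = (start, count)
        return count > limit              # True once the limit is exceeded


def first_block(requests, children, shared):
    """Return the index of the first request that trips a threshold, or None.

    requests: list of (timestamp, uri) from one client IP.
    children: number of worker processes; requests are dealt round-robin
              (assumption standing in for "a different child each time").
    shared:   True = one table for all children, False = one table per child.
    """
    tables = [Table()] if shared else [Table() for _ in range(children)]
    for i, (now, uri) in enumerate(requests):
        table = tables[0] if shared else tables[i % children]
        page = table.hit(uri, now, DOS_PAGE_INTERVAL, DOS_PAGE_COUNT)
        site = table.hit(None, now, DOS_SITE_INTERVAL, DOS_SITE_COUNT)
        if page or site:
            return i
    return None


def constructed_stream(rate, seconds, distinct_uris):
    """Constructed sample input: `rate` requests/s cycling through N URIs."""
    return [(n / rate, f"/page{n % distinct_uris}")
            for n in range(rate * seconds)]


if __name__ == "__main__":
    same_page = constructed_stream(56, 2, 1)    # 56 req/s, one URI
    crawl = constructed_stream(56, 2, 500)      # 56 req/s, distinct URIs
    print("same page, shared table   :", first_block(same_page, 50, True))
    print("same page, 50 child tables:", first_block(same_page, 50, False))
    print("crawl, shared table       :", first_block(crawl, 1, True))
```

In this model the per-child tables never see enough hits to reach DOSPageCount, and a 56 requests/s crawl of distinct pages stays under DOSSiteCount 80 even with a shared table, so the thresholds have to be compared against the request rate the back end can actually sustain.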
Oct 30, 2008
I'm on windows vista. I've got an SDSL line into the house with a dedicated IP 62.etc. I've then got a Prestige 791R and all PC's plugged in to that. I've also got a wireless router for my Wii set up.
Basically I've set up this DHCP thingy to start at 192.etc.3 and the Wireless router is at 192.etc.1 and the Prestige is at 192.etc.2 my pc is at 192.etc.9
This is about where my knowledge stops unfortunately.
I have installed apache as the most basic default install I think you can and it seems to be working absolutely fine. I'm assuming I could also install PHP and MySQL etc and wouldn't have too much of a problem, however, my friend cannot seem to access the environment from the WAN IP and when I type in my WAN IP I get the prestige router's control panel.
I read somewhere that I needed to forward port 80, now I can 'open' ports in the prestige control panel but I did try opening port 80 in the control panel and pointing it to my LAN IP (92.etc.9) but it didn't seem to work.
I'm at a bit of a loss so if anyone could point me in the right direction I would be most grateful, just to clarify:
//localhost loads the html file 100%
//192.etc.9 loads the html file 100%
//62.WANIP internally loads my prestige routers control panel
//62.WANIP externally does not load a page (cannot be found)
If you need any more info just let me know and I'll get it.
View 0 Replies
Oct 24, 2013
Today I was informed that some Apache instances are vulnerable when serving content while a client is constantly pressing the F5 button in the browser: once it is pressed, CPU load increases, the page becomes slow, etc. (it's dynamic content served by back-end Tomcats). At the same time I see errors with the connection between Apache and the Tomcat instances.
Is there any good way to protect Apache against it ?
View 8 Replies
Feb 19, 2014
Is there a way to protect apache server from overload? For example Nginx has a module called SysGuard when system load or memory use goes too high all subsequent requests will be redirected to the URL specified by the 'action' parameter.
View 1 Replies
Mar 10, 2014
What is the proper way to password protect a directory for Apache 2.4.7? The information I gather seems not to work.
View 4 Replies
Mar 4, 2007
I did make a big message on here but it was deleted when I backspaced.
My website is aviation cafe dot net / sample and I need you to help me with password protecting a webpage. I wanted the address to be / the silver sword and definitely not to look like it does now.
username: webforum
pass: password
View 4 Replies
Mar 28, 2009
As posted in a previous thread I noted how I have been hosting with GeekStorage. After a little bit of investigation I found that a total of 593 (possibly more) websites were being hosted on the same server as mine. I'm not sure if this is overselling because I'm new to all this, but I'm pretty sure it is.
Now, I'm looking on switching from GeekStorage to someone who doesn't oversell. I would be fine with 10-20GB of storage and >150GB bandwidth. Budget is 5-10$ a month.
View 14 Replies
Jan 28, 2009
so for over 3 weeks now pc-core.net had some problems with their servers and my accounts were just lost and no one answers my support tickets they just erase them, they disabled my account to support so i can only submit support tickets and click the link on the email.
they told me to email cshelpdesk.com to get my account moved to a new server and cshelpdesk is just telling me im SOL. they dont have access to the server i was at and basically to F off.
is there anything i can do? im basically just being ignored and they dont even have a number to them.
View 12 Replies
Mar 23, 2009
My forum is VB and it doesn't send any email to users!
I checked the options and everything looks fine.
My VPS has the csf firewall installed.
The csf.conf is:
# Lists of ports in the following comma separated lists can be added using a
# colon (e.g. 30000:35000).
# Allow incoming TCP ports
TCP_IN = "53,1116,80"
# Allow outgoing TCP ports
TCP_OUT = "53,80,3306,1116"
# Allow incoming UDP ports
UDP_IN = "1116,53"
# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "53,1116"
# Allow incoming PING
ICMP_IN = "0"
# Set the per IP address incoming ICMP packet rate
# To disable rate limiting set to "0"
ICMP_IN_RATE = "1/s"
# Allow outgoing PING
ICMP_OUT = "1"
# Set the per IP address outgoing ICMP packet rate
# To disable rate limiting set to "0"
ICMP_OUT_RATE = "1/s"
and the version of csf is
[root@www csf]# /usr/sbin/csf -v
csf: v4.56 (generic)
[root@www csf]#
I am using CentOS 5 and SSH port 1116.
I am not using any control panel or FTP.
I configured the email with google.com/a services.
View 12 Replies
Jun 17, 2008
My sys admin is currently on vacation and OVH staff can't help me much, so I would really appreciate it if someone could help me tackle this issue. I can't create an FTP account at all. Here's what OVH said:
Good morning,
Thank you to trust us, there is not my point of view or that of my colleague problem of the kernel compilation on your server or a file corrupted, and your Apache web server is functional, Status of the launch; after this command, via ssh:
/etc/init.d/httpd start
Starting httpd: [OK]
We see that port 80 is open:
netstat -tanpu | grep 80
tcp 0 0 0.0.0.0:7080 0.0.0.0:* LISTEN 3071/lshttpd
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 14349/httpd
From the outside, at this precise moment, we are able to establish a connection on port 80:
telnet ks357687.kimsufi.com 80
Trying 91.121.148.X ...
Connected to ks357687.kimsufi.com.
Escape character is '^]'.
Get
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>501 Method Not Implemented</title>
</head><body>
<h1>Method Not Implemented</h1>
<p>get to / not supported.<br />
</p>
<hr>
<address>Apache/2.2.8 (EL) Server at ks357687.kimsufi.com Port 80</address>
</body></html>
Connection closed by foreign host.
If I stop the Apache server:
/etc/init.d/httpd stop
Stopping httpd: [OK]
More than 80 active port or connection possible from the outside:
In this case the connection from the outside is obviously not possible:
telnet ks357687.kimsufi.com 80
Trying 91.121.148.X ...
telnet: Unable to connect to remote host: Connection refused
View 9 Replies
Jun 15, 2007
I am using Windows 2003 Enterprise Edition SP1 and I have recently upgraded the computer to 4GB RAM. I noticed a problem:
When I start the computer, the BIOS detects all 4GB RAM. However, when I check Total physical memory in General (My Computer -> Properties), it does not detect all 4GB RAM; it only detects 3GB RAM.
I have checked that this OS supports up to 32GB. Why doesn't it detect all 4GB?
What happened to it?
Mainboard: Intel chipset 915GL
I followed the instructions on the internet (from Microsoft, to be exact), which is to add /PAE in the boot.ini file. But it doesn't work.
View 8 Replies
Sep 26, 2007
Yesterday we registered and created 2 domains on our server.
Everything is OK: files uploaded, DNS zones created, httpd virtual host created...
The problem is that trying to browse the site through http://www.site.com redirects me to [url] my main server IP address; this page shows a cPanel Welcome message.
But, using [url], the site loads OK, without any problems.
DNS zone shows:
Code:
; cPanel 11.11.0-BETA_16977
; Zone file for site.com
$TTL 14400
@ 86400 IN SOA mydns1.wolo.com. admin.hostingserver.com. (
2007092601 ; serial, todays date+todays
86400 ; refresh, seconds
7200 ; retry, seconds
3600000 ; expire, seconds
86400 ) ; minimum, seconds
site.com. 86400 IN NS mydns1.wolo.com.
site.com. 86400 IN NS mydns2.wolo.com.
site.com. IN A IP_ADDRESS
localhost.site.com. IN A 127.0.0.1
site.com. IN MX 0 site.com.
mail IN CNAME site.com.
www IN A IP_ADDRESS
ftp IN A IP_ADDRESS
Apache virtual host code
Code:
<VirtualHost IP_ADDRESS>
ServerAlias www.site.com
ServerAdmin webmaster@site.com
DocumentRoot /home/siteuser/public_html
ServerName site.com
<IfModule mod_suphp.c>
suPHP_UserGroup siteuser siteuser
</IfModule>
<IfModule mod_php4.c>
php_admin_value open_basedir "/home/siteuser:/usr/lib/php:/usr/local/lib/php:/tmp"
</IfModule>
<IfModule mod_php5.c>
php_admin_value open_basedir "/home/siteuser:/usr/lib/php:/usr/local/lib/php:/tmp"
</IfModule>
User siteuser
Group siteuser
BytesLog /usr/local/apache/domlogs/site.com-bytes_log
CustomLog /usr/local/apache/domlogs/site.com combined
Options -ExecCGI -Includes
</VirtualHost>
View 14 Replies
Jun 26, 2007
My client's email doesn't receive certain emails from certain accounts, including my yahoo.com.ph account. After several tries I received this error instead.
After trying to send mail unsuccessfully several times, this is the error I am getting.
Hi. This is the qmail-send program at yahoo.com.
I'm afraid I wasn't able to deliver your message to the following
addresses.
This is a permanent error; I've given up. Sorry it didn't work out.
:
Sorry, I couldn't find any host by that name. (#4.1.2)
I'm not going to try again; this message has been in the queue too
long.
--- Below this line is a copy of the message.
Quote:
Originally Posted by copy of email
Return-Path:
Received: (qmail 90296 invoked by uid 60001); 25 Jun 2007 04:05:27
-0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
s=s1024; d=yahoo.com;
h=X-YMail-OSG:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID;
b=GYMZ4utbLEJMc+EXHdW5Ng5ZJeCArXAubpEaUtZzZz77STh9HAGNhrFDjgfqNJ5BdE/
SAlCQ78wseeWPTqUFlalE246OSls0L2tnadTvmxHAQiALfIJ/efHw980subD/VVk6c3NZXGKaKn3vQwJ57bHW5a6qsWjazjl6BXp5Q20=;
X-YMail-OSG:
1iaqBZkVM1mfqTKSQPqhJwf61.zXtBuozzwn.p275yXXF_KgFA8taeSyThc.P1xawEKTuVIB
Vgxk18AHBp_TxSZD753CsOSTbU56JD1OgWwBl8GCwZNxI6YhJHPfyg--
Received: from [203.177.91.252] by web32604.mail.mud.yahoo.com via
HTTP; Sun, 24 Jun 2007 21:05:26 PDT
Date: Sun, 24 Jun 2007 21:05:26 -0700 (PDT)
From: *********
Subject: test
To: sales@*********.com
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="0-357102911-1182744326=:89673"
Content-Transfer-Encoding: 8bit
Message-ID: <979097.89673.qm@web32604.mail.mud.yahoo.com>
--0-357102911-1182744326=:89673
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
test
View 4 Replies
Mar 11, 2007
After migrating from the old ensim to the new "X", everything is working fine, except for the webalizer, I activated webalizer in one domain a few days ago.. and everyday Im trying to see the webalizer information, and it is always displaying this message:
Could not retrieve the requested site report because the Web server logs have not yet been generated. These are generated once a day. Please check again later.
I also tried forcing the log rotating for that site, but the problem still there.
Server is RHES 4 with EnsimPro X, log generation and webalizer is activated for the domain.
View 2 Replies
May 9, 2007
I configured monit to send me email alerts when apache is using too many resources but I cannot receive email alerts. I use Qmail.
As for syslog, there is this message:
monit[6473]: Sendmail: error receiving data from the mailserver 'localhost' -- Resource temporarily unavailable
I tried to add for server name the name used in MX record but with the same result.
Btw: other things configured in cron (eg. RKHUNTER) send me alerts OK.
View 0 Replies
Dec 30, 2007
I'm using CentOS and a Perl script doesn't seem to work on my system.
It gives an error on this line.
use LWP::UserAgent;
$ua = LWP::UserAgent->new;
$ua->agent("MyApp/0.1 ");
BEGIN failed--compilation aborted at line 8.
Is it a problem with my Perl or is it an error with the script?
View 6 Replies
Jun 21, 2007
I know this may be the most foolish question on WHT, but I'm looking for mod_evasive's download link. I tried googling and searching all forums but all the links were dead.
Can anybody give me a link to get mod_evasive? Of course, if you have a better idea than using mod_evasive I'll be glad to hear it.
View 2 Replies
Oct 14, 2007
We installed mod_evasive and ever since we are getting files like: dos-xxx.xxx.xxx.xxx, where xxx.xxx.xxx.xxx is an IP in our /tmp directory. The contents of the file is usually a 4 or 5 digit number and is owned by apache. Can anyone help me understand what this file is? Is it a product of mod_evasive? Can the files be deleted?
View 14 Replies
Nov 14, 2007
I have a remote XP PC: 172.16.1.5 OpenVPN connection with route added for 192.168.2.0/24 to go via the VPN
Now on the other end the network consists of:
I have a OpenVPN server inside the lan on 192.168.2.245
Its default gateway is 192.168.2.1
I have 3 Windows Servers, 192.168.2.246, 247 and 248. All gateways are set to 192.168.2.1.
I have an ethernet router on the network, 192.168.2.1. It has a route added for 192.168.0.0/16 to go via 192.168.2.245, and a route added for 172.16.0.0/24 to go via 192.168.2.245 also. The 192.168.0.0/16 is in case any other LANs are connected at a later date; if computers saw any packets not on the 192.168.2.x subnet they would be routed to the default gateway, which would then pass them to the OpenVPN router.
The trouble is, I can remotely connect and ping the OpenVPN router fine and also the ethernet router; however, when I ping any of the Windows boxes it times out. But I can open up Remote Desktop and connect to the Windows box without problem. In fact, if I am running 'ping 192.168.2.246 -t' it will suddenly come alive, but only after the RDP connection is made.
Is this something funny with the routing? I want to keep the OpenVPN server internal to the network and I appreciate it is hitting the ethernet router then being passed to the OpenVPN, but something is weird as it fires up RDP fine but not ping. No firewalls are enabled on any of the boxes. If I log in via SSH on the OpenVPN router or ethernet router I can ping from that to the Windows boxes fine.
It's as if an ICMP redirect is issued, and all is well after the 1st connection. Not too sure, but could anyone be kind enough to enlighten me?
View 1 Replies
Mar 24, 2008
I have a file named dos-1.2.13.4 (i changed the IP address in purpose) inside the log and inside the file there is a 4 digit number that is constantly changing. more
[root@myserver]# more dos-1.2.13.4
8726
What is 8726?
View 1 Replies
Feb 25, 2008
We are having problem with installing mod_evasive on our server. We tried installing it on our Virtual Machine that runs Fedora 7 (on our server, we have Fedora core 5), and on Virtual Machine it is fine, we can compile it and put it in our Apache2 conf file.
However, when we try
[root@ mod_evasive]# /usr/local/psa/admin/bin/apxs -i -a -c mod_evasive20.c
on the server, we get a
[root@ mod_evasive]# /usr/local/psa/admin/bin/apxs -i -a -c mod_evasive20.c
gcc -DHARD_SERVER_LIMIT=512 -DDEFAULT_PATH="/usr/local/psa/admin/bin:/bin:/usr/bin" -DLINUX=22 -DTARGET="httpsd" -DHAVE_SET_DUMPABLE -DNO_DBM_REWRITEMAP -DMOD_SSL=208122 -DEAPI -O -pipe -I/usr/include -O3 -fexpensive-optimizations -fstrength-reduce -pipe -DPLESK_Linux -I/home/builder/buildbot/psa-8.2.1-bfc7/build/plesk/lib/dist/include/libxml2 -W -Wall -DPLESK_Linux -I/home/builder/buildbot/psa-8.2.1-bfc7/build/plesk/plesk-utils/include -DBSG_CR -DBSG_MSG -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -DHAS_RPM -DUSE_SLEEP_ON_IDLE -Wno-unused-parameter -fpic -DSHARED_MODULE -I/usr/local/psa/admin/include -c mod_evasive20.c ....
View 1 Replies
Apr 2, 2007
I have 2 questions here.
1. I have installed mod_evasive version 1.10.1 on a Cent OS 4.4 server.
I'm using the test.pl script that comes with mod_evasive to test the configuration, and when running the script from the same server mod_evasive is installed on, mod_evasive is able to detect the intrusion and block the IP of the server.
If I use the same test.pl script from an external server the requests come in and are viewable in the access log but mod_evasive doesn't block the IP of the external server. Probably it is not blocking the IP of the external server because of latency.
Is there a way to modify the test.pl script to make it more aggressive and get results when testing from an external server?
Here I'm pasting the code of the test.pl script:
Code:
#!/usr/bin/perl
# test.pl: small script to test mod_dosevasive's effectiveness
use IO::Socket;
use strict;
for(0..100) {
my($response);
my($SOCKET) = new IO::Socket::INET( Proto => "tcp",
PeerAddr=> "test.domain.tld:80");
if (! defined $SOCKET) { die $!; }
print $SOCKET "GET /?$_ HTTP/1.0\n\n";
$response = <$SOCKET>;
print $response;
close($SOCKET);
}
2. Also, I have sendmail installed and on the mod_evasive config I have email address specified on DOSEmailNotify. When testing from the internal server with the test.pl script the server is able to block the ip, put in the hash table but it never sends an email to my email address.
View 0 Replies
Mar 30, 2007
mod_evasive settings?
I can't find the setting which would ban all bad IPs and will not ban normal ones.
View 0 Replies
Apr 1, 2007
Does anyone know any good mod_evasive rules that pick up DoS, but not many false positives? Just looking to see what works for everyone out there, been having trouble.
Or if there is better apache module to combat DoS.
View 3 Replies
Mar 25, 2009
I want to install mod on my CentOS cPanel server, so I try:
cd /usr/local/src
wget mod_evasive_1.10.1.tar.gz
tar -zxf mod_evasive_1.10.1.tar.gz
cd mod_evasive
/usr/sbin/apxs -cia mod_evasive20.c
But when I run /usr/sbin/apxs -cia mod_evasive20.c I get an error:
[root@ mod_evasive]#/usr/sbin/apxs -cia mod_evasive20.c
-bash: /usr/sbin/apxs: No such file or directory
View 8 Replies
Nov 27, 2008
and is it good to install or not?[url]
View 5 Replies
Apr 10, 2007
I have 2 questions here.
1. I have installed mod_evasive version 1.10.1 on a Cent OS 4.4 server.
I'm using the test.pl script that comes with mod_evasive to test the configuration, and when running the script from the same server mod_evasive is installed on, mod_evasive is able to detect the intrusion and block the IP of the server.
If I use the same test.pl script from an external server the requests come in and are viewable in the access log but mod_evasive doesn't block the IP of the external server.
Probably it is not blocking the IP of the external server because of latency.
Is there a way to modify the test.pl script to make it more aggressive and get results when testing from an external server?
Here I'm pasting the code of the test.pl script:
Quote:
#!/usr/bin/perl
# test.pl: small script to test mod_dosevasive's effectiveness
use IO::Socket;
use strict;
for(0..100) {
my($response);
my($SOCKET) = new IO::Socket::INET( Proto => "tcp",
PeerAddr=> "test.domain.tld:80");
if (! defined $SOCKET) { die $!; }
print $SOCKET "GET /?$_ HTTP/1.0\n\n";
$response = <$SOCKET>;
print $response;
close($SOCKET);
}
2. Also, I have sendmail installed and on the mod_evasive config I have email address specified on DOSEmailNotify. When testing from the internal server with the test.pl script the server is able to block the ip, put in the hash table but it never sends an email to my email address.
View 0 Replies
Jul 30, 2007
Can I turn off mod_evasive in .htaccess or does it have to be done server wide only in httpd.conf?
Or if not, is there a way I can exclude a specific account from it?
View 1 Replies
Apr 27, 2007
I got mod_evasive installed and its working fine. Its detecting the IPs, blocking the IPs and sending me the emails.
The emails I'm getting only have the sender name "Apache" and the content shows the IP address is blocking.
How can I enhance the email report to display the following:
1) get a proper Subject header in the email
2) change the From header to include the hostname - i.e.
apache@web.domain.tld
3) have the program do a reverse lookup on the ip, and include that in the body.
Do I need to include a script using the DOSSystemCommand to do this?
View 5 Replies
Apr 11, 2007
I have 2 questions here.
1. I have installed mod_evasive version 1.10.1 on a Cent OS 4.4 server.
I'm using the test.pl script that comes with mod_evasive to test the configuration, and when running the script from the same server mod_evasive is installed on, mod_evasive is able to detect the intrusion and block the IP of the server.
If I use the same test.pl script from an external server the requests come in and are viewable in the access log but mod_evasive doesn't block the IP of the external server. Probably it is not blocking the IP of the external server because of latency.
Is there a way to modify the test.pl script to make it more aggressive and get results when testing from an external server?
Here I'm pasting the code of the test.pl script:
Quote:
#!/usr/bin/perl
# test.pl: small script to test mod_dosevasive's effectiveness
use IO::Socket;
use strict;
for(0..100) {
my($response);
my($SOCKET) = new IO::Socket::INET( Proto => "tcp",
PeerAddr=> "test.domain.tld:80");
if (! defined $SOCKET) { die $!; }
print $SOCKET "GET /?$_ HTTP/1.0\n\n";
$response = <$SOCKET>;
print $response;
close($SOCKET);
}
2. Also, I have sendmail installed and on the mod_evasive config I have email address specified on DOSEmailNotify. When testing from the internal server with the test.pl script the server is able to block the ip, put in the hash table but it never sends an email to my email address.
View 0 Replies
Oct 26, 2007
Is there a way to block ips with mod_evasive by adding the ips to the mod_evasive configuration file?
View 3 Replies