
View Full Version : Installing Guide of MOD_DOSEVASIVE for DA server


hkivan
09-01-2004, 09:44 AM
Moderator's Note:

This thread has been closed, and replaced with a new thread for mod-evasive, found here (http://www.directadmin.com/forum/showthread.php?s=&threadid=10957).

1. Download the file MOD_DOSEVASIVE Stable [ Version 1.8 ] first - http://www.nuclearelephant.com/projects/dosevasive/mod_dosevasive.1.8.tar.gz

2. Extract and copy the file to /usr/local/directadmin/customapache/src/modules/dosevasive/mod_dosevasive.c

3. Back up your current httpd.conf file

4. Run ./configure --add-module=src/modules/dosevasive/mod_dosevasive.c

5. make, install

6. Restart Apache

7. Edit your httpd.conf file and add

<IfModule mod_security.c>
SecFilterEngine On
SecFilterDefaultAction "deny,log,status:403"
SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckCookieFormat On
SecFilterCheckUnicodeEncoding Off
SecFilterForceByteRange 1 255
SecAuditEngine RelevantOnly
SecAuditLog logs/modsec_audit_log
SecFilterDebugLevel 0
SecFilterDebugLog logs/modsec_debug_log
SecFilterSelective REQUEST_METHOD "!^GET$" chain
SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)"
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
SecFilterSelective HTTP_Transfer-Encoding "!^$"
SecUploadDir /tmp
SecUploadKeepFiles Off
SecFilter "\.\./"
SecFilter /etc/passwd
SecFilter /etc/group
SecFilter /etc/shadow
SecFilter /bin/ls
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "update[[:space:]]+set"
SecFilter "select.+from"
SecFilterSelective OUTPUT "Fatal error:" deny,status:500
</IfModule>



Does anyone have any opinion on it? :D

It is my first time writing an installation guide, hope it can help some of you :p

resolveit
09-07-2004, 04:44 AM
Good work :), however I believe that you have to restart apache at the end for the changes in httpd.conf to take effect (or at least reload the config file in the DA).

Kind Regards,

Onno Vrijburg

sander815
09-07-2004, 01:33 PM
hmm, that's nice
this is anti-DDoS for Apache, no?

wahaha
09-11-2004, 02:48 AM
Has anyone been able to do it successfully?

TheLinuxGuy
10-03-2004, 04:07 PM
Looks like you added the wrong rule set. That ruleset is for mod_security.

Curtis
11-29-2004, 04:51 AM
I followed the installation procedure above (except the "mod_security" code) and added the following code into /etc/httpd/conf/httpd.conf

<IfModule mod_dosevasive.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
</IfModule>

AddModule mod_dosevasive.c

but when I restart httpd, it shows the error:

Syntax error on line 122 of /etc/httpd/conf/httpd.conf:
Cannot add module via name 'mod_dosevasive.c': not in list of loaded modules


Any idea to fix that? Thanks. :)

TheLinuxGuy
12-26-2004, 10:23 AM
wget -c http://www.nuclearelephant.com/projects/dosevasive/mod_dosevasive.1.9.tar.gz
tar -zxf mod_dosevasive.1.9.tar.gz
cd mod_dosevasive
/usr/local/apache/bin/apxs -iac mod_dosevasive.c

BigWil
01-25-2005, 06:04 PM
Sorry for the cross post but I think this is a much better place to keep these issues.

Any idea why the EmailNotify and DOSSystemCommand parameters will not work? I have tried everything. The DOSSystemCommand I am using runs fine at the command prompt using an IP in substitution of %s but it won't run from apache.

<IfModule mod_dosevasive.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
DOSSystemCommand '/usr/local/bin/php /usr/local/etc/blacklist.php %s'
</IfModule>

Thanks for any insight. This could be a really good addition and if I can get it to run that command it would be sweet since it will automatically add the IP of the offender to the IPF rules for any designated period of time.

BigWil

TheLinuxGuy
01-30-2005, 12:51 PM
You may have to have it su to root.

BigWil
01-30-2005, 01:43 PM
I tried that too but unfortunately it didn't work either. Tried both:

DOSSystemCommand '/usr/local/bin/php /usr/local/etc/blacklist.php %s'

DOSSystemCommand "su - root -c '/usr/local/bin/php /usr/local/etc/blacklist.php %s'"

Unless you see something in these that wouldn't work?

Could the DA Jailing techniques keep this from running from within Apache? Unfortunately I don't know what alterations the jail build makes to suexec.c but I do notice during compile that it does do something. But I am just guessing at this point.

Maybe John can enlighten us with his DA_Vine presence.

Big Wil

@how@
11-25-2005, 03:46 AM
now mod_evasive , any update?

BigWil
11-25-2005, 10:41 AM
Not much. Just change the instances of mod_dosevasive to mod_evasive.


Big Wil

SupermanInNY
12-08-2005, 11:33 AM
I think there are a few missing steps for the stupid user (me) to make this work.
Please update this How-To with a few changes:

1) Go to: http://www.nuclearelephant.com/projects/mod_evasive/
Download the current file:

As of December 8th, 2005:
Stable [ Version 1.10.1 ] mod_evasive for Apache v1.3 and 2.0, and NSAPI (SunONE)


cd /usr/local/directadmin/customapache/
mkdir src
cd src
mkdir modules
cd modules
wget http://www.nuclearelephant.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz




2) Once the file has downloaded, run the following commands:


gunzip mod_evasive_1.10.1.tar.gz

then run:



tar -xvf mod_evasive_1.10.1.tar

This will create a new directory called mod_evasive and will contain the files in it.


3) backup your current httpd.conf file:

cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.B4.mod_evasive


STOP!

4) Run ./configure --add-module=src/modules/dosevasive/mod_dosevasive.c


NOW WHERE ON EARTH IS THAT CONFIGURE FILE?
From where should this command be run? From which directory?
I don't have a configure file on its own.

/usr/local/directadmin/customapache # ./configure
-bash: ./configure: No such file or directory


and then comes the rest.....


5. make, install

6 . Restart Apache

7 . edit your httpd.conf file and add
.....

Please attempt to clean up this entire post and use the current values of the version to install as well as the step-by-step I've added (well, you could modify them as needed of course).
And complete the missing link. I don't know how to continue the steps, I'm stuck in the midst of this install.

-Alon.

CiscoMike
12-08-2005, 01:28 PM
I'm with SupermaninNY, do we use the directadmin build and configure or...?

@how@
12-08-2005, 07:54 PM
http://www.directadmin.com/forum/showthread.php?s=&threadid=10957

SupermanInNY
12-09-2005, 04:45 AM
Is there no Compile involved with the mod_evasive?
I thought there is a need to run make etc.
I'm confused.

@how@
12-09-2005, 04:54 AM
Before: mod_dosevasive
New: mod_evasive
Here is the main site:
http://www.nuclearelephant.com

SupermanInNY
12-09-2005, 05:24 AM
Originally posted by @how@
Before: mod_dosevasive
New: mod_evasive
Here is the main site:
http://www.nuclearelephant.com

Sorry for still hammering this.

In the How-To you described, there is no compile. You only add a file that acts as a module and include it in the httpd.conf.

In the beginning of this thread, there is a step that has a

./configure
make
make install

which are part of a compile.

So, I'm confused.

Does mod_evasive need a compile or is it just a httpd.conf setting and placing a file for it to pick up?

Do you not need to compile anything?

Thanks,

-Alon.

@how@
12-09-2005, 05:52 AM
just
/usr/sbin/apxs -c ./mod_evasive.c
;)

SupermanInNY
12-09-2005, 06:19 AM
Great!!

I followed your instructions and they were very clear!

I'd add just a small change:

In the section of modifying your httpd.conf.


Add this to the instructions:



now add this in httpd.conf

Edit (use vi or pico)
/etc/httpd/conf/httpd.conf

Search (using / or otherwise) for

#Start DirectAdmin Settings
(I use /DirectAdmin)

Just above that, you will see:

###</IfDefine>

I would recommend to Paste the following code just above the

###</IfDefine>

So that it will look 'cleaner'.

##### Mod Evasive Module######
<IfModule mod_evasive.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
DOSEmailNotify your-email@your-domain.tld
</IfModule>




1. The stupid me doesn't need to figure out where the httpd.conf file is. So why not add the edit location.

2. For a cleaner look for the stupid me, it helps if I know where to paste the code so that it doesn't end up inside of another module.

Other than that, this is great!
Now, someone needs to delete this thread as it is confusing.

-Alon.
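
Added example (not part of any post in this thread, and not mod_evasive's own code): a small Python replay of the DOS* thresholds from the block above against request timestamps, to see which clients a given setting would deny before enabling it. The counting model is a simplified assumption based on what the directives mean, SAMPLE is constructed traffic, and the request on which the real module trips may differ by one.

```python
from collections import defaultdict

# Thresholds copied from the <IfModule mod_evasive.c> block posted in this thread.
CONFIG = {"DOSPageCount": 2, "DOSPageInterval": 1, "DOSSiteCount": 50,
          "DOSSiteInterval": 1, "DOSBlockingPeriod": 10}

# Constructed sample traffic: (epoch second, client IP, URI). Documentation IPs only.
SAMPLE = [
    (100, "198.51.100.7", "/index.html"), (100, "198.51.100.7", "/style.css"),
    (100, "198.51.100.7", "/logo.png"), (103, "198.51.100.7", "/index.html"),
    (100, "203.0.113.5", "/login.php"), (100, "203.0.113.5", "/login.php"),
    (100, "203.0.113.5", "/login.php"), (100, "203.0.113.5", "/login.php"),
    (105, "203.0.113.5", "/login.php"), (112, "203.0.113.5", "/login.php"),
    (130, "203.0.113.5", "/login.php"),
]

def replay(requests, cfg=CONFIG):
    """Return {ip: requests that would be answered 403} under a simplified model.

    Assumed model (not the module's source): one counter per (ip, uri) and one
    per ip; a counter restarts once its interval has passed since the last hit;
    reaching a limit blocks the client for DOSBlockingPeriod seconds, and each
    request made while blocked restarts that period.
    """
    hits = {}            # counter key -> (time of last hit, hits in window)
    blocked_until = {}   # ip -> epoch second at which the block lapses
    denied = defaultdict(int)

    def over_limit(key, now, interval, limit):
        last, count = hits.get(key, (now, 0))
        if now - last >= interval:
            count = 0    # window expired, start counting again
        hits[key] = (now, count + 1)
        return count >= limit

    for now, ip, uri in sorted(requests):
        if blocked_until.get(ip, 0) > now:
            tripped = True   # still blocked: denied, and the block is extended
        else:
            page = over_limit((ip, uri), now, cfg["DOSPageInterval"], cfg["DOSPageCount"])
            site = over_limit((ip, None), now, cfg["DOSSiteInterval"], cfg["DOSSiteCount"])
            tripped = page or site
        if tripped:
            blocked_until[ip] = now + cfg["DOSBlockingPeriod"]
            denied[ip] += 1
    return dict(denied)

if __name__ == "__main__":
    for ip, count in replay(SAMPLE).items():
        print(f"{ip}: {count} request(s) would receive 403")
```

In this model the third request for the same URI inside one second starts a 10-second block that keeps extending while the client retries, so it is worth replaying real access-log timestamps through it before settling on DOSPageCount 2.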

@how@
12-09-2005, 06:28 AM
Yes, this is an old post; now the new mod is mod_evasive.c

jlasman
12-11-2005, 09:56 PM
If there's a new updated thread the original author of this one can delete it.

Or point me to the new one and I'll delete the old one.

Jeff

@how@
12-12-2005, 01:00 AM
This post is new, with a how-to:
http://www.directadmin.com/forum/showthread.php?s=&threadid=10957

****
mod_dosevasive is the old one; the new one is mod_evasive

Chrysalis
12-12-2005, 02:56 AM
anyone managed to find a changelog for the new version?

jlasman
12-12-2005, 08:47 PM
Chrysalis,

I can't delete this thread if you post to it :) .

Can you post to the new thread?

Or do you need this thread?

Perhaps I should just close this thread for a while first, and edit the first post to point to the new one?

Anyone?

Jeff

@how@
12-13-2005, 12:50 AM
Just close thread.
I'll post (how to) change to the new version mod_evasive soon


Wael

Chrysalis
12-13-2005, 03:08 AM
Umm, by changelog I meant what's new in the new version of the module.

SupermanInNY
12-13-2005, 05:51 AM
Originally posted by jlasman
Chrysalis,

I can't delete this thread if you post to it :) .

Can you post to the new thread?

Or do you need this thread?

Perhaps I should just close this thread for a while first, and edit the first post to point to the new one?

Anyone?

Jeff

Hi Jeff,
Please close this thread and edit it as you suggested.
The new thread is current and works and has less clutter in it.
My thanks to the original poster of this thread and of course to the second thread creator.
Now it is time to close this thread.

-Alon.