DirectAdmin Forums

  #1  
Old 12-08-2005, 06:53 PM
@how@
Verified User
 
Join Date: Mar 2005
Location: Kingdom of Bahrain
Posts: 860
HOW TO: mod_evasive

Post move here
__________________


Web for host serving the web since 2004


((( update.script ))) help you to upgrade

OpenSSL / Exim / OpenSSH / ProFTP / phpMyAdmin / MySQL / SquirrelMail
AVG Anti-Virus / Clam Anti-Virus / MODclamAV / MRTG / SpamAssassin / IMAP
SquirrelMail / MODsecurity / MODsecurity Rules / MODevasive / MailScanner
KISS My Firewall / eAccelerator / Freetype / Control panel Webmin


Last edited by @how@; 08-26-2009 at 04:59 AM.
  #2  
Old 12-09-2005, 01:46 PM
sspt
Verified User
 
Join Date: Oct 2005
Posts: 63
Very nice How to @How@ Tks

Just one thing that I should post:

Apache 2.0.xx
cp mod_evasive20.c /usr/local/directadmin/customapache/
Apache 1.3.xx
cp mod_evasive.c /usr/local/directadmin/customapache/

Apache 2.0.xx
/usr/sbin/apxs -cia ./mod_evasive20.c
Apache 1.3.xx
/usr/sbin/apxs -cia ./mod_evasive.c
  #3  
Old 12-09-2005, 06:37 PM
@how@
Verified User
 
Join Date: Mar 2005
Location: Kingdom of Bahrain
Posts: 860
Welcome sspt & thanks for adding Apache 2.0.xx, Apache 1.3.xx
  #4  
Old 12-20-2005, 04:17 AM
MartijnHOS
Verified User
 
Join Date: Jun 2005
Location: Netherlands
Posts: 58
Hello,

I want to install mod_evasive. I have already installed APF and BFD. Does BFD give conflicts with mod_evasive? Or do I have to uninstall BFD, as it is not necessary anymore?

Kind regards,

Martijn
  #5  
Old 12-20-2005, 04:23 AM
@how@
Verified User
 
Join Date: Mar 2005
Location: Kingdom of Bahrain
Posts: 860
Quote:
Originally posted by MartijnHOS
Hello,

I want to install mod_evasive. I have already installed APF and BFD. Does BFD give conflicts with mod_evasive? Or do I have to uninstall BFD, as it is not necessary anymore?

Kind regards,

Martijn
APF & BFD & mod_evasive work fine, no need to uninstall BFD.


Wael
  #6  
Old 12-20-2005, 04:25 AM
MartijnHOS
Verified User
 
Join Date: Jun 2005
Location: Netherlands
Posts: 58
OK, thanks for your reply
  #7  
Old 12-23-2005, 05:48 AM
hehachris
Verified User
 
Join Date: Nov 2004
Location: Hong Kong
Posts: 593
One thing I'm concerned about is whether this module will add extra load to the CPU?
  #8  
Old 12-23-2005, 07:09 AM
@how@
Verified User
 
Join Date: Mar 2005
Location: Kingdom of Bahrain
Posts: 860
Quote:
Originally posted by hehachris
One thing I'm concerned about is whether this module will add extra load to the CPU?
No
  #9  
Old 01-17-2006, 02:19 AM
@how@
Verified User
 
Join Date: Mar 2005
Location: Kingdom of Bahrain
Posts: 860
test
Code:
[root@server1 customapache]# cd /root/mod_evasive
[root@server1 mod_evasive]# chmod 755 test.pl
[root@server1 mod_evasive]# ./test.pl
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 200 OK
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 200 OK
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden



Wael
  #10  
Old 01-26-2006, 07:13 AM
snaaps
Verified User
 
Join Date: Jan 2005
Location: Netherlands
Posts: 221
I have installed this module.
People attack my server by HTTP DoS
(see also http://www.directadmin.com/forum/sho...hlight=reading)

The module blocks nothing and I will not receive a mail.
700 httpd requests in 1 second!

I placed the code above:

<IfModule mod_evasive.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
DOSEmailNotify info@myexdomain.nl
</IfModule>

ClearModuleList
#AddModule mod_mmap_static.c
blablablabla.........
  #11  
Old 01-26-2006, 11:24 AM
@how@
Verified User
 
Join Date: Mar 2005
Location: Kingdom of Bahrain
Posts: 860
After install you need to run the test:
./test.pl
If you see all HTTP/1.1 200 OK, it means you need to fix it; if it looks like this, it means the install is OK:
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 200 OK
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 200 OK
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden


This mod helps you, but you need to run anti-dos and mod_security to keep your box safe 80%;
there is no 100%.



Wael
  #12  
Old 02-09-2006, 03:22 PM
yoavz
Verified User
 
Join Date: Jul 2005
Posts: 10
I can't get it working.

Tried like 5 times.

I'm always getting "200 OK".

What's the problem?
  #13  
Old 02-09-2006, 07:04 PM
@how@
Verified User
 
Join Date: Mar 2005
Location: Kingdom of Bahrain
Posts: 860
1- Search in /etc/httpd/conf/httpd.conf:
did you find this file, mod_evasive.so?
2- Search your server for mod_evasive.so.

If you find this file on the server but did not find it in httpd.conf, you need to install it again or follow this tip:
upload mod_evasive.so to
Code:
/usr/lib/apache/
and
Code:
/usr/local/directadmin/customapache/
upload mod_evasive.o and mod_evasive.c to
Code:
/usr/local/directadmin/customapache/
then edit httpd.conf
Code:
nano -w /etc/httpd/conf/httpd.conf
after this
Code:
LoadModule perl_module        /usr/lib/apache/libperl.so
add
Code:
LoadModule evasive_module     /usr/lib/apache/mod_evasive.so
after this
Code:
<IfDefine HAVE_PYTHON>
AddModule mod_python.c
</IfDefine>
add
Code:
AddModule mod_evasive.c
after this
Code:
ExtendedStatus On
add
Code:
<IfModule mod_evasive.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
</IfModule>
save and restart httpd
Code:
Run TEST



Wael
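
The layout post #13 arrives at (LoadModule, then AddModule, then the `<IfModule>` block) can be checked mechanically when `./test.pl` keeps returning only 200. This is an added example, not code from the thread or from mod_evasive: `check_evasive_config`, both sample configs, and the simplified Apache 1.3 activation model (LoadModule activates, ClearModuleList deactivates, AddModule re-activates) are assumptions of the example.

```python
import re

def check_evasive_config(conf_text, module_file="mod_evasive.c"):
    """Return a list of problems in an Apache 1.3 style httpd.conf (empty = OK)."""
    loaded = active = in_block = False
    block_state = None        # None: no block seen; else module state when it was read
    dos_lines = 0
    open_tag = re.compile(r"<ifmodule\s+%s\s*>$" % re.escape(module_file), re.I)
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.lower().split()
        if words[0] == "loadmodule" and any("evasive" in w for w in words[1:]):
            loaded = active = True      # assumption: LoadModule also activates
        elif words[0] == "clearmodulelist":
            active = False              # every module is deactivated here
        elif words[0] == "addmodule" and module_file.lower() in words[1:]:
            active = True
        elif open_tag.match(line):
            in_block, block_state = True, active
        elif words[0].startswith("</ifmodule"):
            in_block = False
        elif in_block and words[0].startswith("dos"):
            dos_lines += 1
    problems = []
    if not loaded:
        problems.append("no LoadModule line for mod_evasive")
    elif not active:
        problems.append("module inactive at end: add AddModule " + module_file)
    if block_state is None:
        problems.append("no <IfModule %s> block" % module_file)
    elif not block_state:
        problems.append("<IfModule> block read while module inactive")
    elif dos_lines == 0:
        problems.append("<IfModule> block has no DOS* directives")
    return problems

# Constructed samples: GOOD follows the layout of the post above, BAD does not.
GOOD = """LoadModule evasive_module /usr/lib/apache/mod_evasive.so
ClearModuleList
AddModule mod_evasive.c
<IfModule mod_evasive.c>
DOSPageCount 2
</IfModule>"""
BAD = """LoadModule evasive_module /usr/lib/apache/mod_evasive.so
ClearModuleList
<IfModule mod_evasive.c>
DOSPageCount 2
</IfModule>"""
```

`check_evasive_config(GOOD)` returns an empty list; `check_evasive_config(BAD)` reports both the missing AddModule and the skipped block.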
  #14  
Old 02-09-2006, 07:09 PM
@how@
Verified User
 
Join Date: Mar 2005
Location: Kingdom of Bahrain
Posts: 860
mod_evasive.so & mod_evasive.o & mod_evasive.c in Zip file (Attach)

Last edited by @how@; 01-09-2008 at 01:53 AM.
  #15  
Old 02-09-2006, 10:17 PM
yoavz
Verified User
 
Join Date: Jul 2005
Posts: 10
It's working now!

Thanks a lot!!
  #16  
Old 02-09-2006, 10:47 PM
@how@
Verified User
 
Join Date: Mar 2005
Location: Kingdom of Bahrain
Posts: 860

U R welcome


Wael
  #17  
Old 02-10-2006, 01:43 AM
telecart
Verified User
 
Join Date: Apr 2005
Location: Israel
Posts: 15
Is there any site where I can learn about the parameters?

(DOSHashTableSize,DOSPageCount,DOSSiteCount, etc.)

Daniel.
  #18  
Old 02-10-2006, 01:52 AM
telecart
Verified User
 
Join Date: Apr 2005
Location: Israel
Posts: 15
Never mind,
Google is sure helpful

DOSHashTableSize
Size of the hash table. The greater this setting, the more memory is required for the look up table, but also the faster the look ups are processed. This option will automatically round up to the nearest prime number.

DOSPageCount
Number of requests for the same page within the 'DOSPageInterval' interval that will get an IP address added to the blocking list.

DOSSiteCount
Same as 'DOSPageCount', but corresponds to the number of requests for a given site, and uses the 'DOSSiteInterval' interval.

DOSPageInterval
Interval for the 'DOSPageCount' threshold in second intervals.

DOSSiteInterval
Interval for the 'DOSSiteCount' threshold in second intervals.

DOSBlockingPeriod
Blocking period in seconds if any of the thresholds are met. The user will receive a 403 (Forbidden) when blocked, and the timer will be reset each time the site gets hit when the user is still blocked.
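
How the parameters quoted above interact, shown as a small simulation. This is an added example, not mod_evasive's code: `EvasiveModel` is a hypothetical fixed-window model built only from those descriptions, it assumes a threshold trips once the count is exceeded, and the client addresses and request times are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class EvasiveModel:
    # Defaults are the values used in the configuration posted in this thread.
    page_count: int = 2
    site_count: int = 50
    page_interval: float = 1
    site_interval: float = 1
    blocking_period: float = 10
    windows: dict = field(default_factory=dict)   # key -> (window_start, hits)
    blocked: dict = field(default_factory=dict)   # ip -> time of last blocked hit

    def _over(self, key, now, interval, limit):
        start, hits = self.windows.get(key, (now, 0))
        if now - start >= interval:               # window expired: start a new one
            start, hits = now, 0
        hits += 1
        self.windows[key] = (start, hits)
        return hits > limit                       # assumption: trips when exceeded

    def request(self, ip, uri, now):
        """Return the HTTP status this model gives a request at time `now` (seconds)."""
        last = self.blocked.get(ip)
        if last is not None and now - last < self.blocking_period:
            self.blocked[ip] = now                # a hit while blocked resets the timer
            return 403
        over_page = self._over((ip, uri), now, self.page_interval, self.page_count)
        over_site = self._over((ip, None), now, self.site_interval, self.site_count)
        if over_page or over_site:
            self.blocked[ip] = now
            return 403
        return 200

def replay(model, ip, uri, times):
    """Send one request per timestamp and collect the status codes."""
    return [model.request(ip, uri, t) for t in times]

if __name__ == "__main__":
    m = EvasiveModel()
    # Burst on one page: the third request in the same second is refused.
    print(replay(m, "192.0.2.10", "/index.html", [0, 0.25, 0.5, 0.75]))
    # Retrying every 5 s keeps resetting the 10 s timer, so the block never lifts.
    print(replay(m, "192.0.2.10", "/index.html", [5.75, 10.75, 15.75]))
    # Staying quiet for longer than DOSBlockingPeriod clears it.
    print(m.request("192.0.2.10", "/index.html", 26))
```

The second run is the practical consequence of the timer reset: a client that keeps retrying more often than DOSBlockingPeriod stays on 403 until it goes quiet.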
  #19  
Old 02-10-2006, 07:32 PM
servertweak
Verified User
 
Join Date: Feb 2005
Posts: 293
Hello,
mod_evasive HTTP Blacklisted 127.0.0.1

How can I fix this to allow and not block the local address?
__________________
ServerTweak Networks, LLC ServerTweak.com
ServerTweak.com: Premium Services, Powered by Customers.
Fremont & Los Angeles Locations | RAID 10 Dedicated Servers | Colocation | IP Transit | 1/4 - Full Cab & Cages sales
  #20  
Old 02-16-2006, 08:54 AM
rocketcity
Verified User
 
Join Date: Aug 2005
Posts: 159
This information came from the README file for mod_evasive.
-----------------------------------------------------------------------
WHITELISTING IP ADDRESSES

IP addresses of trusted clients can be whitelisted to insure they are never
denied. The purpose of whitelisting is to protect software, scripts, local
searchbots, or other automated tools from being denied for requesting large
amounts of data from the server. Whitelisting should *not* be used to add
customer lists or anything of the sort, as this will open the server to abuse.
This module is very difficult to trigger without performing some type of
malicious attack, and for that reason it is more appropriate to allow the
module to decide on its own whether or not an individual customer should be
blocked.

To whitelist an address (or range) add an entry to the Apache configuration
in the following fashion:

DOSWhitelist 127.0.0.1
DOSWhitelist 127.0.0.*

Wildcards can be used on up to the last 3 octets if necessary. Multiple
DOSWhitelist commands may be used in the configuration.
__________________
=GB=
Rocket City Hosting
www.rocketcityhosting.com
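
The README's whitelist rule, as an audit that reports how many addresses each DOSWhitelist line exempts from blocking. This is an added example, not code from the thread or from mod_evasive: the function names and the sample config are constructed, and it assumes wildcards are only valid as trailing octets, as in the README's `127.0.0.*`.

```python
def parse_whitelist(conf_text):
    """Return the patterns of all DOSWhitelist lines in an Apache config text."""
    patterns = []
    for raw in conf_text.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) == 2 and words[0].lower() == "doswhitelist":
            patterns.append(words[1])
    return patterns

def coverage(pattern):
    """Addresses covered by one pattern; ValueError if the entry is malformed."""
    octets = pattern.split(".")
    if len(octets) != 4:
        raise ValueError("expected four octets: " + pattern)
    seen_wildcard = False
    for position, octet in enumerate(octets):
        if octet == "*":
            if position == 0:      # README: wildcards on the last 3 octets only
                raise ValueError("first octet must be a number: " + pattern)
            seen_wildcard = True
        elif seen_wildcard or not octet.isdigit() or int(octet) > 255:
            raise ValueError("bad octet %r in %s" % (octet, pattern))
    return 256 ** octets.count("*")

def is_whitelisted(ip, patterns):
    """True if `ip` matches any well-formed pattern, octet by octet."""
    for pattern in patterns:
        try:
            coverage(pattern)
        except ValueError:
            continue               # malformed entries protect nothing
        if all(p in ("*", a) for p, a in zip(pattern.split("."), ip.split("."))):
            return True
    return False

def audit(conf_text):
    """Map each DOSWhitelist pattern to its address count or an error string."""
    report = {}
    for pattern in parse_whitelist(conf_text):
        try:
            report[pattern] = coverage(pattern)
        except ValueError as err:
            report[pattern] = "invalid: %s" % err
    return report

SAMPLE = """DOSWhitelist 127.0.0.1
DOSWhitelist 127.0.0.*
DOSWhitelist 10.*.*.*      # constructed: exempts 16,777,216 addresses
DOSWhitelist *.0.0.1       # constructed: malformed entry"""
```

A large count in the `audit(SAMPLE)` report is the case the README warns about: every address covered by that line is exempt from blocking.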
All times are GMT -7. The time now is 07:48 AM.