Can't connect on port 80 and other problems.

Gus (Verified User; joined Jan 28, 2007; 10 messages)
My server is currently running apache-2.0.59 on FreeBSD. I upgraded to 2.0.59 this morning and everything went fine, no errors. I could access the sites on port 80. However, we have been experiencing what seems to be a DOS attack, so I installed mod_evasive and modsecurity.
Problem #1:
Can't access any sites on port 80, but ports 443 (SSL), 22 (SSH) and 21 (FTP) all respond normally.
Problem #2: When I try to test mod_evasive by running the test script, I get an "Operation timed out at test.pl line 12" error, which I assume is because it can't connect either.

My httpd.error logs show the DOS attack previous to installing mod_evasive and modsecurity on apache-1.3.36 (before I upgraded) but not after.

I'm guessing that something in either my mod_evasive or modsecurity is keeping me out, but I'm at a loss as to what it could be. My httpd.conf file looks like this:

ServerRoot "/etc/httpd"

PidFile /var/run/httpd.pid

Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15


##
## Server-Pool Size Regulation (MPM specific)
##

# prefork MPM
# StartServers: number of server processes to start
# MinSpareServers: minimum number of server processes which are kept spare
# MaxSpareServers: maximum number of server processes which are kept spare
# MaxClients: maximum number of server processes allowed to start
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule prefork.c>
StartServers 5
MinSpareServers 5
MaxSpareServers 10
MaxClients 150
MaxRequestsPerChild 0
</IfModule>



# worker MPM
# StartServers: initial number of server processes to start
# MaxClients: maximum number of simultaneous client connections
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule worker.c>
StartServers 2
MaxClients 150
MinSpareThreads 25
MaxSpareThreads 75
ThreadsPerChild 25
MaxRequestsPerChild 0
</IfModule>

# perchild MPM
# NumServers: constant number of server processes
# StartThreads: initial number of worker threads in each server process
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# MaxThreadsPerChild: maximum number of worker threads in each server process
# MaxRequestsPerChild: maximum number of connections per server process
<IfModule perchild.c>
NumServers 5
StartThreads 5
MinSpareThreads 5
MaxSpareThreads 10
MaxThreadsPerChild 20
MaxRequestsPerChild 0
</IfModule>

Listen 0.0.0.0:80

#
# Dynamic Shared Object (DSO) Support
#
LoadModule php4_module /usr/lib/apache/libphp4.so
LoadModule frontpage_module /usr/lib/apache/mod_frontpage.so
LoadModule perl_module /usr/lib/apache/mod_perl.so
LoadModule security_module /usr/lib/apache/mod_security.so
LoadModule evasive20_module /usr/lib/apache/mod_evasive20.so


User apache
Group apache

ServerAdmin admin@localhost
UseCanonicalName Off
DocumentRoot "/var/www/html"

<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>

<Directory "/var/www/html">
Options -Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>

#this is setup, but via alternate means
UserDir disabled

AddHandler cgi-script .cgi .pl
<Directory /home/*>
AllowOverride All
Options -MultiViews -Indexes FollowSymlinks IncludesNoExec +Includes
<Limit GET POST OPTIONS PROPFIND>
Order allow,deny
Allow from all
</Limit>
<LimitExcept GET POST OPTIONS PROPFIND>
Order deny,allow
Deny from all
</LimitExcept>
</Directory>

DirectoryIndex index.html index.html.var index.htm index.shtml index.php index.php4 index.php3 index.phtml index.cgi

AccessFileName .htaccess
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>

TypesConfig /etc/mime.types

DefaultType text/plain

<IfModule mod_mime_magic.c>
MIMEMagicFile conf/magic
</IfModule>




#begin dos_evasive
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 5
DOSSiteCount 100
DOSPageInterval 2
DOSSiteInterval 2
# DOSBlockingPeriod was given twice; the later value (600) is the one in effect
#DOSBlockingPeriod 10
DOSBlockingPeriod 600
</IfModule>
#end dos_evasive






#begin modsecurity
<IfModule mod_security.c>
# Only inspect dynamic requests
# (YOU MUST TEST TO MAKE SURE IT WORKS AS EXPECTED)
#SecFilterEngine DynamicOnly

SecFilterEngine On

# Reject requests with status 500
SecFilterDefaultAction "deny,log,status:500"

# Some sane defaults
SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckCookieFormat On
SecFilterCheckUnicodeEncoding Off
SecFilterNormalizeCookies On
# enable version 1 (RFC 2965) cookies
SecFilterCookieFormat 1

#SecServerResponseToken Off

#If you want to scan the output, uncomment these
#SecFilterScanOutput On
#SecFilterOutputMimeTypes "(null) text/html text/plain"

# Accept almost all byte values
SecFilterForceByteRange 1 255

# Server masking is optional
#fake server banner - NOYB used - no one needs to know what we are using
SecServerSignature "Microsoft-IIS/5.0"

#SecUploadDir /tmp
#SecUploadKeepFiles Off

# Only record the interesting stuff
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log

# You normally won't need debug logging
#SecFilterDebugLevel 0
SecFilterDebugLog logs/modsec_debug_log

# Additional rules for Apache 2.x ONLY! Do not add this line if you use Apache 1.x
#Include /etc/modsecurity/modsecurity_crs_20_protocol_violations.conf
# Mini Rules
Include /etc/modsecurity/mini.conf
#Custom Rules
Include /etc/modsecurity/custom.conf
</IfModule>
#end modsecurity





HostnameLookups Off

EnableMMAP on
EnableSendfile on

ErrorLog /var/log/httpd/error_log
LogLevel warn

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
LogFormat "%b" bytes

CustomLog /var/log/httpd/access_log combined

# Set to one of: Full | OS | Minor | Minimal | Major | Prod
ServerTokens Full
ServerSignature On

Alias /icons/ "/var/www/icons/"
<Directory "/var/www/icons">
Options Indexes MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>

<Directory "/var/www/cgi-bin">
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>


IndexOptions FancyIndexing VersionSort

#
# AddIcon* directives tell the server which icon to show for different
# files or filename extensions. These are only displayed for
# FancyIndexed directories.
#
AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip

AddIconByType (TXT,/icons/text.gif) text/*
AddIconByType (IMG,/icons/image2.gif) image/*
AddIconByType (SND,/icons/sound2.gif) audio/*
AddIconByType (VID,/icons/movie.gif) video/*

AddIcon /icons/binary.gif .bin .exe
AddIcon /icons/binhex.gif .hqx
AddIcon /icons/tar.gif .tar
AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
AddIcon /icons/a.gif .ps .ai .eps
AddIcon /icons/layout.gif .html .shtml .htm .pdf
AddIcon /icons/text.gif .txt
AddIcon /icons/c.gif .c
AddIcon /icons/p.gif .pl .py
AddIcon /icons/f.gif .for
AddIcon /icons/dvi.gif .dvi
AddIcon /icons/uuencoded.gif .uu
AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
AddIcon /icons/tex.gif .tex
AddIcon /icons/bomb.gif core

AddIcon /icons/back.gif ..
AddIcon /icons/hand.right.gif README
AddIcon /icons/folder.gif ^^DIRECTORY^^
AddIcon /icons/blank.gif ^^BLANKICON^^

#
# DefaultIcon is which icon to show for files which do not have an icon
# explicitly set.
#
DefaultIcon /icons/unknown.gif

ReadmeName README.html
HeaderName HEADER.html

IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t

# DefaultLanguage en

AddLanguage ca .ca
AddLanguage cs .cz .cs
AddLanguage da .dk
AddLanguage de .de
AddLanguage el .el
AddLanguage en .en
AddLanguage eo .eo
AddLanguage es .es
AddLanguage et .et
AddLanguage fr .fr
AddLanguage he .he
AddLanguage hr .hr
AddLanguage it .it
AddLanguage ja .ja
AddLanguage ko .ko
AddLanguage ltz .ltz
AddLanguage nl .nl
AddLanguage nn .nn
AddLanguage no .no
AddLanguage pl .po
AddLanguage pt .pt
AddLanguage pt-BR .pt-br
AddLanguage ru .ru
AddLanguage sv .sv
AddLanguage zh-CN .zh-cn
AddLanguage zh-TW .zh-tw

LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv zh-CN zh-TW
ForceLanguagePriority Prefer Fallback
#AddDefaultCharset ISO-8859-1 #was causing issues for some clients, thus removed

AddCharset ISO-8859-1 .iso8859-1 .latin1
AddCharset ISO-8859-2 .iso8859-2 .latin2 .cen
AddCharset ISO-8859-3 .iso8859-3 .latin3
AddCharset ISO-8859-4 .iso8859-4 .latin4
AddCharset ISO-8859-5 .iso8859-5 .latin5 .cyr .iso-ru
AddCharset ISO-8859-6 .iso8859-6 .latin6 .arb
AddCharset ISO-8859-7 .iso8859-7 .latin7 .grk
AddCharset ISO-8859-8 .iso8859-8 .latin8 .heb
AddCharset ISO-8859-9 .iso8859-9 .latin9 .trk
AddCharset ISO-2022-JP .iso2022-jp .jis
AddCharset ISO-2022-KR .iso2022-kr .kis
AddCharset ISO-2022-CN .iso2022-cn .cis
AddCharset Big5 .Big5 .big5
# For russian, more than one charset is used (depends on client, mostly):
AddCharset WINDOWS-1251 .cp-1251 .win-1251
AddCharset CP866 .cp866
AddCharset KOI8-r .koi8-r .koi8-ru
AddCharset KOI8-ru .koi8-uk .ua
AddCharset ISO-10646-UCS-2 .ucs2
AddCharset ISO-10646-UCS-4 .ucs4
AddCharset UTF-8 .utf8
# See http://www.iana.org/assignments/character-sets
AddCharset GB2312 .gb2312 .gb
AddCharset utf-7 .utf7
AddCharset utf-8 .utf8
AddCharset big5 .big5 .b5
AddCharset EUC-TW .euc-tw
AddCharset EUC-JP .euc-jp
AddCharset EUC-KR .euc-kr
AddCharset shift_jis .sjis

AddType application/x-tar .tgz
AddType application/x-httpd-php .inc .php .php4 .php3 .phtml
AddType application/x-httpd-php-source .phps



#
# AddEncoding allows you to have certain browsers uncompress
# information on the fly. Note: Not all browsers support this.
# Despite the name similarity, the following Add* directives have nothing
# to do with the FancyIndexing customization directives above.
#
#AddEncoding x-compress .Z
#AddEncoding x-gzip .gz .tgz
#
# If the AddEncoding directives above are commented-out, then you
# probably should define those extensions to indicate media types:
#
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
AddHandler cgi-script .cgi
AddHandler imap-file map
AddHandler type-map var
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml

BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
BrowserMatch "^gnome-vfs" redirect-carefully

#<Location /server-status>
# SetHandler server-status
# Order deny,allow
# Deny from all
# Allow from .example.com
#</Location>

#<Location /server-info>
# SetHandler server-info
# Order deny,allow
# Deny from all
# Allow from .example.com
#</Location>

<IfModule mod_ssl.c>
Include conf/ssl.conf
</IfModule>


#Start DirectAdmin Settings
Alias /config /var/www/html/redirect.php
Alias /phpMyAdmin /var/www/html/phpMyAdmin/
Alias /phpmyadmin /var/www/html/phpMyAdmin/
Alias /webmail /var/www/html/webmail/
Alias /squirrelmail /var/www/html/squirrelmail/

ErrorDocument 400 /400.shtml
ErrorDocument 401 /401.shtml
ErrorDocument 403 /403.shtml
ErrorDocument 404 /404.shtml
ErrorDocument 500 /500.shtml

#All NameVirtualHost lines are in this file
#Don't remove this line or apache will generate errors.
Include /etc/httpd/conf/ips.conf

LogFormat "%b \"%r\"" homedir
#The default site for the server.
<VirtualHost 223.72.56.202:80>
ServerAdmin webmaster@localhost
AliasMatch ^/~([^/]+)(/.*)* /home/$1/public_html$2
DocumentRoot /var/www/html
ServerName localhost
ScriptAlias /cgi-bin/ /var/www/cgi-bin/

CustomLog /var/log/httpd/homedir.log homedir
</VirtualHost>

<VirtualHost 223.72.56.202:443>
ServerName localhost
ServerAdmin webmaster@localhost
AliasMatch ^/~([^/]+)(/.*)* /home/$1/public_html$2
DocumentRoot /var/www/html
ScriptAlias /cgi-bin/ /var/www/cgi-bin/

SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key

CustomLog /var/log/httpd/homedir.log homedir
</VirtualHost>

Include /usr/local/directadmin/data/users/tshostru/httpd.conf
Include /usr/local/directadmin/data/users/talk2w/httpd.conf
Include /usr/local/directadmin/data/users/ruud/httpd.conf
Include /usr/local/directadmin/data/users/igniteds/httpd.conf
Include /usr/local/directadmin/data/users/sam/httpd.conf
Include /usr/local/directadmin/data/users/idocon/httpd.conf
Include /usr/local/directadmin/data/users/irad/httpd.conf
Include /usr/local/directadmin/data/users/bluemic/httpd.conf
Include /usr/local/directadmin/data/users/scilab/httpd.conf
Include /usr/local/directadmin/data/users/dls/httpd.conf
Include /usr/local/directadmin/data/users/realiteit/httpd.conf
Include /usr/local/directadmin/data/users/oziriz/httpd.conf
Include /usr/local/directadmin/data/users/ethicalh/httpd.conf
 
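As an added illustration (not part of the original thread or of mod_evasive itself), the following Python model uses the thresholds from the posted httpd.conf to show what those numbers do: requests to one URI from one address trip DOSPageCount on the sixth hit inside the 2-second window, a loop that changes the query string on every request (as mod_evasive's bundled test.pl does) trips DOSSiteCount only on the 101st hit, and, as in mod_evasive, every request from a blocked address during the block extends it, so with DOSBlockingPeriod 600 an address that keeps retrying stays blocked. The client addresses are constructed; the model is a simplification, not the module's code.

```python
from typing import Dict, List, Tuple

# Thresholds copied from the mod_evasive section of the posted httpd.conf.
# That file sets DOSBlockingPeriod twice; the later value (600) is the one
# mod_evasive ends up using, so it is the one modelled here.
DOS_PAGE_COUNT = 5         # hits on one URI from one IP ...
DOS_PAGE_INTERVAL = 2      # ... within this many seconds
DOS_SITE_COUNT = 100       # hits on any URI from one IP ...
DOS_SITE_INTERVAL = 2      # ... within this many seconds
DOS_BLOCKING_PERIOD = 600  # seconds an IP stays blocked after tripping a limit


class EvasiveModel:
    """Simplified model of mod_evasive's per-IP counters (not the module's code)."""

    def __init__(self) -> None:
        self.page: Dict[Tuple[str, str], Tuple[float, int]] = {}  # (ip, uri) -> (window start, hits)
        self.site: Dict[str, Tuple[float, int]] = {}              # ip -> (window start, hits)
        self.blocked: Dict[str, float] = {}                       # ip -> time of last blocked request

    @staticmethod
    def _bump(table: dict, key, now: float, interval: float, limit: int) -> bool:
        """Count one hit in a fixed window; return True once the limit is exceeded."""
        start, hits = table.get(key, (now, 0))
        if now - start >= interval:  # window expired: start a fresh one
            start, hits = now, 0
        hits += 1
        table[key] = (start, hits)
        return hits > limit

    def request(self, ip: str, uri: str, now: float) -> int:
        """Return the HTTP status (200 or 403) for one request made at time `now` (seconds)."""
        last = self.blocked.get(ip)
        if last is not None and now - last < DOS_BLOCKING_PERIOD:
            self.blocked[ip] = now  # as in mod_evasive, a hit while blocked extends the block
            return 403
        page_hot = self._bump(self.page, (ip, uri), now, DOS_PAGE_INTERVAL, DOS_PAGE_COUNT)
        site_hot = self._bump(self.site, ip, now, DOS_SITE_INTERVAL, DOS_SITE_COUNT)
        if page_hot or site_hot:
            self.blocked[ip] = now
            return 403
        return 200


def replay(model: EvasiveModel, ip: str, n: int, same_page: bool = True, gap: float = 0.01) -> List[int]:
    """Replay n rapid requests; same_page=False changes the query string each time, like test.pl."""
    return [model.request(ip, "/" if same_page else f"/?{i}", i * gap) for i in range(n)]


if __name__ == "__main__":
    codes = replay(EvasiveModel(), "10.0.0.1", 101, same_page=False)  # constructed client address
    print(f"{codes.count(200)} allowed, {codes.count(403)} blocked")
```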
First thing was to redirect the DOS attack so I could see if that was my biggest issue or if one of the .confs was causing the issue. It was a domain name attack, so I redirected the DNS pointers for the server, which sent the attack elsewhere. However, I still couldn't connect; although it wasn't timing out, I was receiving a 500 internal server error. One problem down. So, I evaluated the mod_security rules, made 2 changes to the .conf that I had set up, got ipfw installed and configured correctly, and was able to connect on all ports. Then I was able to run test.pl successfully for mod_evasive. Next, the DNS pointers were set back the way they were. The site was up, despite the ongoing attack, and I was able to connect (although more slowly than usual, which I attribute to the DOS attack) on all ports. Still working on editing the modsecurity rules, as I keep getting 403'ed on some pages, but at least we're up and running. ;)
 