HOW TO: mod_evasive

sspt

Verified User
Joined
Oct 27, 2005
Messages
63
Very nice How to @How@ :) Tks

Just one thing that I should post:

Apache 2.0.xx
cp mod_evasive20.c /usr/local/directadmin/customapache/
Apache 1.3.xx
cp mod_evasive.c /usr/local/directadmin/customapache/

Apache 2.0.xx
/usr/sbin/apxs -cia ./mod_evasive20.c
Apache 1.3.xx
/usr/sbin/apxs -cia ./mod_evasive.c
 

MartijnHOS

Verified User
Joined
Jun 18, 2005
Messages
58
Location
Netherlands
Hello,

I want to install mod_evasive. I have already installed APF and BFD. Does BFD conflict with mod_evasive? Or do I have to uninstall BFD as it is not necessary anymore?

Kind regards,

Martijn
 

@how@

Verified User
Joined
Mar 2, 2005
Messages
962
Location
Kingdom of Bahrain
MartijnHOS said:
Hello,

I want to install mod_evasive. I have already installed APF and BFD. Does BFD conflict with mod_evasive? Or do I have to uninstall BFD as it is not necessary anymore?

Kind regards,

Martijn
APF & BFD & mod_evasive work fine; no need to uninstall BFD.


Wael
 

@how@

Verified User
Joined
Mar 2, 2005
Messages
962
Location
Kingdom of Bahrain
test
Code:
[root@server1 customapache]# cd /root/mod_evasive
[root@server1 mod_evasive]# chmod 755 test.pl
[root@server1 mod_evasive]# ./test.pl
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 200 OK
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 200 OK
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
:)


Wael
 

snaaps

Verified User
Joined
Jan 29, 2005
Messages
230
Location
Netherlands
I have installed this module.
People attack my server by HTTP DoS
(see also http://www.directadmin.com/forum/showthread.php?s=&threadid=11316&highlight=reading)

The module blocks nothing and I will not receive a mail.
700 httpd requests in 1 second!

I placed the code above:

<IfModule mod_evasive.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
DOSEmailNotify info@myexdomain.nl
</IfModule>

ClearModuleList
#AddModule mod_mmap_static.c
blablablabla.........
 

@how@

Verified User
Joined
Mar 2, 2005
Messages
962
Location
Kingdom of Bahrain
After install you need to run the test
./test.pl
and if you see all HTTP/1.1 200 OK it means you need to fix it; if it looks like this, it means the install is OK:
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 200 OK
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 200 OK
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden


This mod helps you, but you need to run anti-dos and mod_security to keep your box 80% safe;
there is no 100%.



Wael
 

yoavz

Verified User
Joined
Jul 26, 2005
Messages
10
I can't get it working.

Tried for like 5 times.

I'm always getting "200 OK".

What's the problem?
 

@how@

Verified User
Joined
Mar 2, 2005
Messages
962
Location
Kingdom of Bahrain
1- Search in /etc/httpd/conf/httpd.conf:
did you find this file, mod_evasive.so?
2- Search your server for mod_evasive.so.

If you find this file on the server and you did not find it in httpd.conf, you need to install it again or follow this tip:
upload mod_evasive.so to
Code:
/usr/lib/apache/
and
Code:
/usr/local/directadmin/customapache/
upload mod_evasive.o and mod_evasive.c to
Code:
/usr/local/directadmin/customapache/
then edit httpd.conf
Code:
nano -w /etc/httpd/conf/httpd.conf
after this
Code:
LoadModule perl_module        /usr/lib/apache/libperl.so
add
Code:
LoadModule evasive_module     /usr/lib/apache/mod_evasive.so
after this
Code:
<IfDefine HAVE_PYTHON>
AddModule mod_python.c
</IfDefine>
add
Code:
AddModule mod_evasive.c
after this
Code:
ExtendedStatus On
add
Code:
<IfModule mod_evasive.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
</IfModule>
save and restart httpd
Code:
Run TEST
:) :)


Wael
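
One way to automate the httpd.conf checks from the steps above, as an added Python example that is not from this thread or from the mod_evasive project. It assumes that `<IfModule>` names the module's source file and that, on Apache 1.3, `ClearModuleList` deactivates a module until its `AddModule` line; the function name and both config fragments are constructed.

```python
import re

# Constructed httpd.conf fragments (paths and layout are sample values).
CONF_OK = """\
LoadModule evasive_module     /usr/lib/apache/mod_evasive.so
ClearModuleList
AddModule mod_evasive.c
<IfModule mod_evasive.c>
DOSPageCount 2
DOSSiteCount 50
</IfModule>
"""
# Apache 2.0 build loaded, but the block still names the 1.3 source file.
CONF_MISMATCH = """\
LoadModule evasive20_module   /usr/lib/apache/mod_evasive20.so
<IfModule mod_evasive.c>
DOSPageCount 2
</IfModule>
"""

def audit_evasive(conf_text):
    """Return (settings, problems) for the mod_evasive lines of an httpd.conf."""
    loaded = active = None   # module base name, e.g. "mod_evasive20"
    inside = None            # True/False inside an evasive <IfModule>, else None
    settings, problems = {}, []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()   # lines starting with "#" match none of the patterns
        if m := re.match(r"LoadModule\s+\S+\s+\S*?(mod_evasive\d*)\.so$", line, re.I):
            loaded = active = m.group(1)
        elif re.match(r"ClearModuleList$", line, re.I):
            active = None    # Apache 1.3: module is inactive until AddModule
        elif m := re.match(r"AddModule\s+(mod_evasive\d*)\.c$", line, re.I):
            active = m.group(1)
        elif m := re.match(r"<IfModule\s+(mod_evasive\d*)\.c>$", line, re.I):
            inside = m.group(1) == active
            if not inside:   # Apache skips the whole block, so its DOS* lines never apply
                problems.append(f"line {n}: <IfModule {m.group(1)}.c> skipped (active: {active})")
        elif re.match(r"</IfModule>$", line, re.I):
            inside = None
        elif (m := re.match(r"(DOS\w+)\s+(\S+)$", line)) and inside is not False:
            settings.setdefault(m.group(1), []).append(m.group(2))
    if loaded is None:
        problems.append("no LoadModule line references mod_evasive*.so")
    return settings, problems

if __name__ == "__main__":
    for name, conf in (("ok", CONF_OK), ("mismatch", CONF_MISMATCH)):
        print(name, audit_evasive(conf))
```

A skipped block only means the DOS* values inside it are not read; run the audit against the live httpd.conf text before re-running test.pl.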
 

telecart

Verified User
Joined
Apr 13, 2005
Messages
15
Location
Israel
Is there any site where I can learn about the parameters?

(DOSHashTableSize,DOSPageCount,DOSSiteCount, etc.)

Daniel.
 

telecart

Verified User
Joined
Apr 13, 2005
Messages
15
Location
Israel
Never mind,
Google is sure helpful :)

DOSHashTableSize
Size of the hash table. The greater this setting, the more memory is required for the look up table, but also the faster the look ups are processed. This option will automatically round up to the nearest prime number.

DOSPageCount
Number of requests for the same page within the 'DOSPageInterval' interval that will get an IP address added to the blocking list.

DOSSiteCount
Same as 'DOSPageCount', but corresponds to the number of requests for a given site, and uses the 'DOSSiteInterval' interval.

DOSPageInterval
Interval for the 'DOSPageCount' threshold in second intervals.

DOSSiteInterval
Interval for the 'DOSSiteCount' threshold in second intervals.

DOSBlockingPeriod
Blocking period in seconds if any of the thresholds are met. The user will receive a 403 (Forbidden) when blocked, and the timer will be reset each time the site gets hit when the user is still blocked.
 

servertweak

Verified User
Joined
Feb 3, 2005
Messages
294
Hello,
mod_evasive HTTP Blacklisted 127.0.0.1

How can I fix this to allow and not block the local address?
 

rocketcity

Verified User
Joined
Aug 18, 2005
Messages
162
This information came from the README file for mod_evasive.
-----------------------------------------------------------------------
WHITELISTING IP ADDRESSES

IP addresses of trusted clients can be whitelisted to insure they are never
denied. The purpose of whitelisting is to protect software, scripts, local
searchbots, or other automated tools from being denied for requesting large
amounts of data from the server. Whitelisting should *not* be used to add
customer lists or anything of the sort, as this will open the server to abuse.
This module is very difficult to trigger without performing some type of
malicious attack, and for that reason it is more appropriate to allow the
module to decide on its own whether or not an individual customer should be
blocked.

To whitelist an address (or range) add an entry to the Apache configuration
in the following fashion:

DOSWhitelist 127.0.0.1
DOSWhitelist 127.0.0.*

Wildcards can be used on up to the last 3 octets if necessary. Multiple
DOSWhitelist commands may be used in the configuration.
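
The threshold parameters and the whitelist described in the posts above, as an added Python sketch that is not part of this thread or of mod_evasive. It models only the documented behaviour; the class and function names and the sample traffic are constructed, and blocking on the request that reaches the count is a modelling choice.

```python
from collections import defaultdict, deque

class EvasiveModel:
    """Simplified model of the documented thresholds; not mod_evasive's own code."""

    def __init__(self, page_count=2, site_count=50, page_interval=1,
                 site_interval=1, blocking_period=10, whitelist=()):
        self.page = (page_count, page_interval)
        self.site = (site_count, site_interval)
        self.blocking_period = blocking_period
        self.whitelist = whitelist
        self.hits = defaultdict(deque)   # (ip, uri) or (ip, None) -> hit times
        self.blocked_until = {}          # ip -> time the block expires

    def whitelisted(self, ip):
        # DOSWhitelist pattern: compare octet by octet, "*" matches any octet.
        return any(all(p in ("*", o) for p, o in zip(w.split("."), ip.split(".")))
                   for w in self.whitelist)

    def request(self, t, ip, uri):
        """Return the status (200 or 403) for a request from ip at time t (seconds)."""
        if self.whitelisted(ip):
            return 200
        if self.blocked_until.get(ip, 0) > t:
            self.blocked_until[ip] = t + self.blocking_period  # timer is reset
            return 403
        status = 200
        for key, (limit, window) in (((ip, uri), self.page), ((ip, None), self.site)):
            q = self.hits[key]
            q.append(t)
            while q and t - q[0] >= window:   # forget hits older than the interval
                q.popleft()
            if len(q) >= limit:               # modelling choice: block when count is reached
                self.blocked_until[ip] = t + self.blocking_period
                status = 403
        return status

def replay(model, events):
    return [model.request(t, ip, uri) for t, ip, uri in events]

# Constructed traffic from one documentation-range address.
BURST = [(t, "192.0.2.7", "/index.html") for t in (0.0, 0.2, 0.4, 5.0, 12.0, 30.0)]

if __name__ == "__main__":
    print(replay(EvasiveModel(), BURST))
```

The request at 12.0 s is still refused because the hit at 5.0 s reset the 10-second timer, which is the behaviour described under DOSBlockingPeriod.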
 