Mod_dosevasive

Hello,

Some friends told me that mod_dosevasive is a very great and powerful mod for Apache that provides evasive action in the event of an HTTP DoS or DDoS attack or brute force attack.

http://www.nuclearelephant.com/projects/dosevasive/

Do some of you know it?
Do you know if it can give iptables some parameters to drop packets?

I don’t think there will be problems installing it on an interworx box, but I prefer to ask before.

All your feedback and advice are welcome.

Pascal

It works fine in all iworx-cp boxes and there’s actually an EXPERIMENTAL SRPM here if you’d like to install it. We have it running smoothly on all of our shared servers:

http://updates.interworx.info/iworx/SRPMS/nexcess/mod_dosevasive-1.9-1.iworx.src.rpm

rpmbuild --rebuild --with <your arch> URL

As for the iptables link Pascal I’m not sure. We don’t use it in conjunction with iptables but rather just with the default 403 blocking for heavy hitting IPs.

Chris

héhé, so cool, I didn’t see it in your experimental SRPM, is it new?

cool, so I’ll install it asap :)

Thanks Chris

Pascal

Chris,

Do you have an example for the dosevasive.conf file? Are the default values ok?

I find them very high, that’s why I ask you :)

DOSPageCount 20
DOSSiteCount 20
DOSPageInterval 1
DOSSiteInterval 1

I’d easily give these parameters:

DOSPageCount 5 ??
DOSSiteCount 50 or 100 ??

What do you think?

And for your information, I found a way to talk to iptables and have more logs: check this php/mysql script: http://www.linuxforum.com/linux_tutorials/66/3.php

There is also another tool I’ll try, it’s apachetop: http://clueful.shagged.org/apachetop/

So if interworx has the source rpm it will be welcome :-p

Thanks
Pascal

I’m pretty liberal with the settings Pascal and the defaults seem to work fine. I even notice 403s sometimes when I’m debugging and I hit the limits.

Regarding apachetop I actually grabbed the bin (and source rpm) from DAG and it works well: http://dag.wieers.com/home-made/apt/

Chris

Well, I found that it is a very high value!!! 20 pages per second for only one client? Is it possible?
Well, I think I have to do some tweaks and change the value according to the results. I’ve set it up to:

DOSPageCount 4
DOSSiteCount 20

I’ll see. If I receive a ton of mail, I’ll set it up.

I’ve also grabbed the bin for EL3 but for me it doesn’t work.

I had a first message:
cannot connect to fam: Connection refused

I’ve started portmapper, checked fam in xinetd, then retried but I had another message:
cannot connect to fam: Address already in use

If I do an rpcinfo -p it works:
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper

I can’t figure out what is going bad.

I’ve retried by compiling the source but it’s the same.

Maybe you have an idea?
Do you know what process / daemon has to be started to have apachetop running?

Thanks
Pascal

Ok I found a solution to have the apachetop working.

So I start the portmap, then I absolutely have to launch fam manually so I do:
fam -f

Then with another session I start apachetop

Maybe my xinetd sgi_fam is not good:

service sgi_fam
{
        type            = RPC UNLISTED
        socket_type     = stream
        user            = root
        group           = root
        server          = /usr/bin/fam
        wait            = yes
        protocol        = tcp
        rpc_version     = 2
        rpc_number      = 391002
        bind            = 127.0.0.1
}

as every time I launch apachetop without having launched fam before I have an error (cannot connect to fam: Connection refused)

Pascal

Ok, a last thing.

access_log is not defined per vhost but in the general httpd.conf file, right?
So it only shows access_log for default localhost access (http://127.0.0.1/), right?

If I create a customlog /home/account/var/domaine.tld/logs/access_log combined for a vhost, I’ll have all accesses for this vhost, right?

Ok so, how to create an access_log file that shows ALL accesses for ALL vhosts?
(not sure it is recommended as it will be a very large file?)

Well, apachetop may be fine, but not sure it is so good to define this big access log file only to see which file is accessed by whom and when :-p

iftop helps me more to find who is attacking my box :)

Pascal

20 hits is actually pretty easy to get. One hit for the HTML page, one hit for every frame if there are frames, one hit for every image, external script, style sheet, etc…

No.

DOSPageCount is the number of pages allowed to be loaded for the DOSPageInterval setting.

DOSSiteCount is the number of objects (i.e. images, style sheets, javascripts, SSI, etc) allowed to be accessed in the DOSSiteInterval second.

So, in my case, for my setting, I allow 4 pages to be loaded per second for 1 IP and allow 50 images/style sheets, javascripts, etc per second for 1 IP.

Pascal

I suppose it depends on how it keeps track of things and who is doing the connecting. Re-reading the README, it seems you’re right. It appears it keeps track of full URIs. If not, there would be problems like I mentioned. Though if it does keep track of URIs it would be pretty easy to get around by adding extra junk parameters.

Some software (mine for example) will serve much more than just HTML out of the same file. If it was only keeping track of the objects being served, and not the URIs used to access them, then there would be a problem.

If apachetop takes logs on the command line you could do:

apachetop /home//var//logs/transfer.log

Chris

You’re right, but what I understand is:
DOSPageCount keeps track of the URI
DOSSiteCount keeps track of all accessed objects

It’s why, after a lot of tuning, I did set DOSPageCount low (4) and DOSSiteCount high (75).

With this setup it seems to work fine.

Thanks for your comments :)

Pascal
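As an added example (not from this thread and not the mod_dosevasive project’s own code), here is a small Python replay of the two counters as Pascal and Chris describe them, run over constructed access-log lines: DOSPageCount is keyed on client IP plus the full URI, DOSSiteCount on the IP alone. It assumes the thresholds settled on above (4 and 75) with the one-second default intervals, and uses a simple sliding window rather than the module’s real hash-table reset logic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Thresholds as tuned in the thread; the intervals are the module defaults (1 second).
DOS_PAGE_COUNT = 4      # hits on the same URI from one IP within DOS_PAGE_INTERVAL
DOS_SITE_COUNT = 75     # hits on any object from one IP within DOS_SITE_INTERVAL
DOS_PAGE_INTERVAL = DOS_SITE_INTERVAL = 1

# Apache common/combined log line: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, uri, epoch_seconds), or None if the line is not a request record."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), m.group("uri"), ts.timestamp()

def _count_in_window(window, t, interval):
    """Drop timestamps older than `interval` seconds, record `t`, return the window size."""
    while window and t - window[0] > interval:
        window.popleft()
    window.append(t)
    return len(window)

def replay(lines, page_count=DOS_PAGE_COUNT, site_count=DOS_SITE_COUNT,
           page_interval=DOS_PAGE_INTERVAL, site_interval=DOS_SITE_INTERVAL):
    """Replay log lines in order; return {ip: [(uri, counter), ...]} for hits that cross a limit."""
    page_hits = defaultdict(deque)   # (ip, uri) -> recent hit timestamps (DOSPageCount)
    site_hits = defaultdict(deque)   # ip -> recent hits on any object (DOSSiteCount)
    flagged = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, uri, t = rec
        page_n = _count_in_window(page_hits[(ip, uri)], t, page_interval)
        site_n = _count_in_window(site_hits[ip], t, site_interval)
        if page_n > page_count:           # same page hammered: the (N+1)th hit is denied
            flagged[ip].append((uri, "DOSPageCount"))
        elif site_n > site_count:         # too many objects of any kind from one IP
            flagged[ip].append((uri, "DOSSiteCount"))
    return dict(flagged)

# Constructed sample: a normal page view (HTML + 5 assets, same second) from 198.51.100.7, then six hits on one URI in one second from 203.0.113.9.
SAMPLE_LOG = ['198.51.100.7 - - [10/Mar/2005:10:00:00 +0100] "GET /%s HTTP/1.1" 200 512' % f
              for f in ("index.html", "style.css", "logo.gif", "a.js", "b.png", "c.png")]
SAMPLE_LOG += ['203.0.113.9 - - [10/Mar/2005:10:00:01 +0100] "GET /index.html HTTP/1.1" 200 512'] * 6
```

Running `replay(SAMPLE_LOG)` flags only 203.0.113.9 (its 5th and 6th hit on /index.html), while the normal visitor’s six objects stay well under DOSSiteCount; lowering `site_count` shows the second counter catching the asset burst instead.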

Well it doesn’t work, in fact apachetop starts well but when I’m accessing a web site it doesn’t show any request; but if I launch it with something like
apachetop -f /home/account/var/domaine.tld/logs/transfer.log it works fine.

apachetop seems to use fam to analyse the logs and I’m not sure fam understands multiple log reading by using /*/

Anyway, thanks Chris

Pascal

Hello,

Does this work with version 3 of iworx?

Is there any solution for DoS attacks for the version of interworx?