Some friends told me that mod_dosevasive was a very great and powerful mod for Apache that provides evasive action in the event of an HTTP DoS or DDoS attack or brute force attack.
It works fine in all iworx-cp boxes and there’s actually an EXPERIMENTAL SRPM here if you’d like to install it. We have it running smoothly on all of our shared servers.
As for the iptables link, Pascal, I’m not sure. We don’t use it in conjunction with iptables but rather just with the default 403 blocking for heavy-hitting IPs.
Well, I found that it is a very high value!!! 20 pages per second for only one client? Is it possible?
Well, I think I have to do some tweaks and change the value according to the results. I’ve set it up to:
DOSPageCount 4
DOSSiteCount 20
I’ll see. If I receive a ton of mail, I’ll set it up.
access_log is not defined per vhost but in the general httpd.conf file, right?
So it only shows the access_log for default localhost access (http://127.0.0.1/), right?
If I create a customlog /home/account/var/domaine.tld/logs/access_log combined for a vhost, I’ll have all accesses for this vhost, right?
Ok so, how to create an access_log file that shows ALL accesses for ALL vhosts?
(not sure it is recommended, as it will be a very large file?)
Well, apachetop may be fine, but I’m not sure it is so good to define this big access log file only to see which file is being accessed by whom and when :-p
iftop helps me more to find who is attacking my box.
20 hits is actually pretty easy to get. One hit for the HTML page, one hit for every frame if there are frames, one hit for every image, external script, style sheet, etc…
DOSPageCount is the number of pages allowed to be loaded for the DOSPageInterval setting.
DOSSiteCount is the number of objects (i.e. images, style sheets, JavaScripts, SSI, etc.) allowed to be accessed within DOSSiteInterval seconds.
So, in my case, for my setting, I allow 4 pages to be loaded per second for 1 IP and allow 50 images, style sheets, JavaScripts, etc. per second for 1 IP.
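As an added illustration of the two counters described above (not code from mod_dosevasive itself), the following Python replays constructed Apache combined log lines through a simplified model of the page rule and the site rule, using the thread’s values DOSPageCount 4 and DOSSiteCount 20 with the 1 second default intervals. The blocking period and the mailer are not modelled, and the reset-on-gap behaviour is an assumption about how the module counts.

```python
import re
from datetime import datetime

# Thresholds as set in the thread; the intervals are mod_dosevasive's 1 second defaults.
DOS_PAGE_COUNT = 4        # same URI from the same IP within DOS_PAGE_INTERVAL
DOS_SITE_COUNT = 20       # any object from the same IP within DOS_SITE_INTERVAL
DOS_PAGE_INTERVAL = 1.0   # seconds
DOS_SITE_INTERVAL = 1.0   # seconds

# Apache "combined" format: client IP, timestamp and request URI are all we need.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*"')

class HitCounter:
    """Hits keyed by IP (site rule) or IP_URI (page rule). Assumed model, not the
    module's code: the count restarts once the previous hit is at least `interval`
    old, and a request is refused when `limit` hits already precede it."""
    def __init__(self):
        self.last_seen = {}   # key -> (timestamp of last hit, hits so far)
    def hit(self, key, now, interval, limit):
        last, count = self.last_seen.get(key, (now, 0))
        if now - last >= interval:
            count = 0         # quiet for a whole interval: start over
        blocked = count >= limit
        self.last_seen[key] = (now, count + 1)
        return blocked

def replay(lines):
    """Return (ip, uri, status) per log line; 403 marks where the module would block."""
    pages, site = HitCounter(), HitCounter()
    decisions = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue          # not a combined-format line, skip it
        ip, stamp, uri = m.groups()
        now = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").timestamp()
        page_flood = pages.hit(f"{ip}_{uri}", now, DOS_PAGE_INTERVAL, DOS_PAGE_COUNT)
        site_flood = site.hit(ip, now, DOS_SITE_INTERVAL, DOS_SITE_COUNT)
        decisions.append((ip, uri, 403 if page_flood or site_flood else 200))
    return decisions

def combined_line(ip, uri, second):
    """Constructed sample log line in Apache combined format."""
    return (f'{ip} - - [10/Oct/2023:13:55:{second:02d} +0000] '
            f'"GET {uri} HTTP/1.1" 200 512 "-" "Mozilla/5.0"')

# Constructed traffic: 6 reloads of one page in a second, 22 distinct images in a second,
# then the first client returns 2 seconds later (its counters have reset by then).
SAMPLE_LOG = ([combined_line("10.0.0.1", "/index.html", 36) for _ in range(6)]
              + [combined_line("10.0.0.2", f"/img/{i}.png", 36) for i in range(22)]
              + [combined_line("10.0.0.1", "/index.html", 38)])
```

With these thresholds the 5th and 6th reloads of /index.html and the 21st and 22nd image requests come back as 403, while the later single request is served normally.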
I suppose it depends on how it keeps track of things and who is doing the connecting. Re-reading the README, it seems you’re right. It appears it keeps track of full URIs. If not, there would be problems like I mentioned. Though if it does keep track of URIs it would be pretty easy to get around by adding extra junk parameters.
Some software (mine for example) will serve much more than just HTML out of the same file. If it was only keeping track of the objects being served, and not the URIs used to access them, then there would be a problem.
Well, it doesn’t work; in fact apachetop starts fine, but when I’m accessing a website it doesn’t show any request. But if I launch it with something like
apachetop -f /home/account/var/domaine.tld/logs/transfer.log it works fine.
apachetop seems to use fam to analyse the logs, and I’m not sure fam understands reading multiple logs using /*/.