GithubHelp home page GithubHelp logo

mod_evasive's Issues

I can not install mod_evasive

Hi, I have plesk installed on your version onyx 17.5.3 but it does not have mod_evasive osea that I have to install via ssh but never install anything with just ssh and I have tried and it gives me many errors I need to install it correctly.

OS: CentOS Linux 7.3.1611 (Core)
Server version: Apache / 2.4.6 (CentOS)

Someone can help me with the correct installation.
regards

Apache 2.4 - ignoring .conf file

I'm having issues with this fork ignoring my .conf files. It continues to log to /tmp and whitelisted IPs get blocked. I'm on Ubuntu 14.04 LTS and Apache 2.4.

Relevant configs + permissions:

ryan@ip-10-0-5-164:~$ sudo cat /etc/apache2/mods-available/evasive20.conf
<IfModule mod_evasive24.so>
    DOSHashTableSize    3097
    DOSPageCount        1
    DOSSiteCount        1
    DOSPageInterval     1
    DOSSiteInterval     1
    DOSBlockingPeriod   90

    DOSWhitelist    127.0.0.1

    #DOSEmailNotify      [email protected]
    #DOSSystemCommand    "su - someuser -c '/sbin/... %s ...'"
    DOSLogDir           /var/log/apache2/mod_evasive
</IfModule>

ryan@ip-10-0-5-164:~$ sudo cat /etc/apache2/mods-available/evasive20.load
LoadModule evasive20_module   /usr/lib/apache2/modules/mod_evasive24.so

ryan@ip-10-0-5-164:~$ ls -l /usr/lib/apache2/modules/ | grep evasive
-rw-r--r-- 1 root root   58838 Feb 18 00:12 mod_evasive24.so

mod is enabled:

ryan@ip-10-0-5-164:~$ sudo a2enmod evasive20
Module evasive20 already enabled

Running the conventional Perl test script results in 403s and log files output to /tmp:

ryan@ip-10-0-5-164:~$ perl test.pl
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden

ryan@ip-10-0-5-164:~$ ls -l /tmp
total 16
-rw-r--r-- 1 www-data www-data    6 Feb 18 17:02 dos-127.0.0.1

How whitelist or disable mod_evasive for a specific domain than entire server or all websites?

Hi,

We are using mod_evasive since years and its great module protecting the server against DDoS attack but we now got a situation where we need to disable mod_evasive just for a domain on a shared hosting server than disabling it from entire server.

If there any way we can whitelist/disable mod_evasive for a specific domain on a shared hosting server where hundreds of websites are hosted?

Thank you in advance.

DOSLogDir

Debian

I tried different variants for path of the log dir
for example:
DOSLogDir "/var/log/mod_evasive"
DOSLogDir /var/log/apache2
etc.
but I don't see any log file

compilation error Apache 2.4.25

/usr/share/apr-1.0/build/libtool --mode=compile --tag=disable-static x86_64-linux-gnu-gcc -prefer-pic -pipe -g -O2 -fdebug-prefix-map=/build/apache2-2.4.25=. -fstack-protector-strong -Wformat -Werror=format-security -DBUILD_DATETIME='"2017-07-18T18:37:33"' -Wdate-time -D_FORTIFY_SOURCE=2 -DLINUX -D_REENTRANT -D_GNU_SOURCE -pthread -I/usr/include/apache2 -I/usr/include/apr-1.0 -I/usr/include/apr-1.0 -I/usr/include -c -o mod_evasive20.lo mod_evasive20.c && touch mod_evasive20.slo

libtool: compile: x86_64-linux-gnu-gcc -pipe -g -O2 -fdebug-prefix-map=/build/apache2-2.4.25=. -fstack-protector-strong -Wformat -Werror=format-security -DBUILD_DATETIME=\"2017-07-18T18:37:33\" -Wdate-time -D_FORTIFY_SOURCE=2 -DLINUX -D_REENTRANT -D_GNU_SOURCE -pthread -I/usr/include/apache2 -I/usr/include/apr-1.0 -I/usr/include/apr-1.0 -I/usr/include -c mod_evasive20.c -fPIC -DPIC -o .libs/mod_evasive20.o

mod_evasive20.c: In function ‘access_checker’:
mod_evasive20.c:142:39: error: ‘conn_rec {aka struct conn_rec}’ has no member named ‘remote_ip’; did you mean ‘remote_host’?
       if (is_whitelisted(r->connection->remote_ip))
                                       ^~
mod_evasive20.c:146:43: error: ‘conn_rec {aka struct conn_rec}’ has no member named ‘remote_ip’; did you mean ‘remote_host’?
       n = ntt_find(hit_list, r->connection->remote_ip);
                                           ^~
mod_evasive20.c:158:56: error: ‘conn_rec {aka struct conn_rec}’ has no member named ‘remote_ip’; did you mean ‘remote_host’?
         snprintf(hash_key, 2048, "%s_%s", r->connection->remote_ip, r->uri);
                                                        ^~
mod_evasive20.c:165:47: error: ‘conn_rec {aka struct conn_rec}’ has no member named ‘remote_ip’; did you mean ‘remote_host’?
             ntt_insert(hit_list, r->connection->remote_ip, time(NULL));
                                               ^~
mod_evasive20.c:180:58: error: ‘conn_rec {aka struct conn_rec}’ has no member named ‘remote_ip’; did you mean ‘remote_host’?
         snprintf(hash_key, 2048, "%s_SITE", r->connection->remote_ip);
                                                          ^~
mod_evasive20.c:187:47: error: ‘conn_rec {aka struct conn_rec}’ has no member named ‘remote_ip’; did you mean ‘remote_host’?
             ntt_insert(hit_list, r->connection->remote_ip, time(NULL));
                                               ^~
mod_evasive20.c:208:117: error: ‘conn_rec {aka struct conn_rec}’ has no member named ‘remote_ip’; did you mean ‘remote_host’?
         snprintf(filename, sizeof(filename), "%s/dos-%s", log_dir != NULL ? log_dir : DEFAULT_LOG_DIR, r->connection->remote_ip);
                                                                                                                     ^~
mod_evasive20.c:212:36: warning: implicit declaration of function ‘getpid’ [-Wimplicit-function-declaration]
             fprintf(file, "%ld\n", getpid());
                                    ^~~~~~
mod_evasive20.c:212:30: warning: format ‘%ld’ expects argument of type ‘long int’, but argument 3 has type ‘int’ [-Wformat=]
             fprintf(file, "%ld\n", getpid());
                              ^
mod_evasive20.c:215:90: error: ‘conn_rec {aka struct conn_rec}’ has no member named ‘remote_ip’; did you mean ‘remote_host’?
             LOG(LOG_ALERT, "Blacklisting address %s: possible DoS attack.", r->connection->remote_ip);
                                                                                          ^
mod_evasive20.c:46:82: note: in definition of macro ‘LOG’
 #define  LOG( A, ... ) { openlog("mod_evasive", LOG_PID, LOG_DAEMON); syslog( A, __VA_ARGS__ ); closelog(); }
                                                                                  ^~~~~~~~~~~
mod_evasive20.c:221:78: error: ‘conn_rec {aka struct conn_rec}’ has no member named ‘remote_ip’; did you mean ‘remote_host’?
                 fprintf(file, "Subject: HTTP BLACKLIST %s\n\n", r->connection->remote_ip);
                                                                              ^~
mod_evasive20.c:222:81: error: ‘conn_rec {aka struct conn_rec}’ has no member named ‘remote_ip’; did you mean ‘remote_host’?
                 fprintf(file, "mod_evasive HTTP Blacklisted %s\n", r->connection->remote_ip);
                                                                                 ^~
mod_evasive20.c:228:81: error: ‘conn_rec {aka struct conn_rec}’ has no member named ‘remote_ip’; did you mean ‘remote_host’?
               snprintf(filename, sizeof(filename), system_command, r->connection->remote_ip);
                                                                                 ^~
mod_evasive20.c:229:15: warning: ignoring return value of ‘system’, declared with attribute warn_unused_result [-Wunused-result]
               system(filename);
               ^~~~~~~~~~~~~~~~
apxs:Error: Command failed with rc=65536

DOSLogDir is an abuse vector itself

Being that each attack source is written to an individual file in DOSLogDir, this leaves the machine open to inode abuse due to the sheer volume of files that can/will be created and apparently never cleaned up.

DOSLogdir
Directory where lock files will be created to prevent continuous emails from being sent or system commands from getting executed

However, even if DOSEmailNotify or DOSSystemCommand are commented out, these files are still created.

It would be great to simply let the module use syslog in this case.

Edit: Perhaps adding a cleanup routine to the module to remove the related DOSLogDir files when the associated hash table entry expires would be prudent here as well.

Apache 2.4.6 (CentOS7) - undefined symbol: evasive24_module

Hi,

I keep getting the following error once installed mod_evasive24 on Apache 2.4.6 (CentOs7):

httpd: Syntax error on line 56 of /etc/httpd/conf/httpd.conf: Syntax error on line 78 of /etc/httpd/conf.modules.d/00-base.conf: Can't locate API module structure `evasive24_module' in file /usr/lib64/httpd/modules/mod_evasive24.so: /usr/lib64/httpd/modules/mod_evasive24.so: undefined symbol: evasive24_module

Is there anything that needs to be tweaked? Or is it not compatible with 2.4.6?

Thx for your help.

mod_Evasive block google bot

mod_evasive is great apache module to block site attack.
But Googlebot is giving us much requests every seconds and in most of cases and it is the heaviest http requester.
We can make mod_evasive not to judge Googlebot as dos attacker using whitelist funciton of mod_evasive but you can define it only by IP address.
If googlebot access to your site with unexpected IP, your server will return 403(forbidden) to googlebot and your site's rank in google will also drop.
please help

Whitelist files/URLs on mod_evasive

Hello,

As soon as I enabled this module, I noticed that a number of IPs were blocked straight away, and all of those users use Safari on iOS.

After a quick investigation, I saw that those users were requesting "serviceworker.js" several times. This is a bug and this file should only be fetched once.

I reported that bug to Apple, but unfortunately the mess is already done and many users will continue to fetch this file several times -- https://bugs.webkit.org/show_bug.cgi?id=187435

mod_evasive allows me to whitelist IPs, but is there any way I can also whitelist files, folders or subdomains so that those will not count towards DOSPageCount or DOSSiteCount?

I'm only getting alerts and blocks for those who are fetching "serviceworker.js" so much.

Thank you very much,
Nuno

Query : on blocking

what if 20 users use simultaneously from specific organization (which will be single ip ), will it check user agent before blocking ?

Needed to tweak

To run on our CentOS machine we needed to alter the print $SOCKET line. Thus,

#!/usr/bin/perl

test.pl: small script to test mod_dosevasive's effectiveness

use IO::Socket;
use strict;

for(0..100) {
my($response);
my($SOCKET) = new IO::Socket::INET( Proto => "tcp",
PeerAddr=> "127.0.0.1:80");
if (! defined $SOCKET) { die $!; }
print $SOCKET "GET /?$_ HTTP/1.0\r\n\r\n";
$response = <$SOCKET>;
print $response;
close($SOCKET);
}

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.