Last updated: 2015-09-08
Features
* HTTP DoS
* DDoS attack
- Requesting the same page more than a few times per second
- Making more than 50 concurrent requests on the same child per second
- Making any requests while temporarily blacklisted
If any of the above conditions are met, a 403 response is sent and the IP address is logged.
Optionally, an email notification can be sent to the server owner or a system command can be run to block the IP address.
* reports abuse via email and syslog facilities
evasive = evading, avoiding
*** After testing, its 403 behaviour is a bit odd ***
Install
# From EPEL (CentOS 6)
yum install mod_evasive
# Compile by hand (CentOS 6)
yum install httpd-devel
cd /usr/src
wget http://www.zdziarski.com/blog/wp-content/uploads/2010/02/mod_evasive_1.1...
tar xzf mod_evasive_1.10.1.tar.gz
cd mod_evasive
apxs2 -cia mod_evasive20.c
Configuration
/etc/httpd/conf.d/mod_evasive.conf
LoadModule evasive20_module /usr/lib/httpd/modules/mod_evasive20.so
# Create the log folder
mkdir /var/log/mod_evasive
chown -R apache:apache /var/log/mod_evasive
/etc/httpd/conf.d/mod_evasive.conf
<IfModule mod_evasive20.c>
    DOSHashTableSize 3097
    # number of top-level nodes for each child's hash table
    DOSPageCount 3
    DOSPageInterval 1
    DOSSiteCount 60
    DOSSiteInterval 1
    # total number of requests for the same website per IP
    DOSBlockingPeriod 300
    # the user is put on the blocklist for this period and gets a "403"
    DOSEmailNotify <[email protected]>
    # yum install mailx
    # mail is sent with "/bin/mail -t %s" where %s is the address, so there is no subject
    DOSLogDir "/var/log/mod_evasive"
    # default "/tmp"
</IfModule>
Whitelist
DOSWhitelist 127.0.0.1
DOSWhitelist 192.168.88.*
Run CMD
%s denotes the blacklisted IP address.
DOSSystemCommand "/usr/bin/sudo /usr/sbin/csf -td %s 3600"
visudo
Add the following to the file:
User_Alias APACHE = apache
Cmnd_Alias FIREWALL = /sbin/iptables, /usr/sbin/csf, /sbin/ifconfig, /sbin/route
APACHE ALL = (ALL) NOPASSWD: FIREWALL
syslog reporting
/etc/rsyslog.conf
# mod_evasive
daemon.alert /var/log/mod_evasive.log
service rsyslog reload
Sep 8 12:24:15 ns3 mod_evasive[8697]: Blacklisting address 192.168.88.150: possible DoS attack.
The entry is only logged again after "/var/log/mod_evasive/dos-IP" has been deleted.
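To make the DOSPageCount/DOSPageInterval/DOSSiteCount thresholds and the dos-IP behaviour above concrete, here is an added Python model of how mod_evasive counts hits; it is written for this page, not the module's own code, and is assumed to follow the structure of the module's access check: the interval is measured from the previous hit, every refused request restarts the blocking period, and the dos-<ip> marker file lets the syslog/mail/command notification fire only once until it is removed. The EvasiveModel class name, IPs and timestamps are constructed.

```python
import fnmatch

class EvasiveModel:
    """Illustrative model of mod_evasive's counting rules (added here, not the module's code)."""

    def __init__(self, page_count=3, page_interval=1, site_count=60,
                 site_interval=1, blocking_period=300, whitelist=()):
        self.page_count, self.page_interval = page_count, page_interval
        self.site_count, self.site_interval = site_count, site_interval
        self.blocking_period = blocking_period
        self.whitelist = list(whitelist)   # DOSWhitelist entries such as "192.168.88.*"
        self.blacklist = {}                # ip -> time of the last request refused while blocked
        self.hits = {}                     # (ip, uri) or (ip, "SITE") -> [last_hit_time, count]
        self.dos_files = set()             # IPs that have a dos-<ip> marker file in DOSLogDir
        self.alerts = []                   # one entry per syslog/email/DOSSystemCommand firing

    def _over_threshold(self, key, now, limit, interval):
        entry = self.hits.get(key)
        if entry is None:
            self.hits[key] = [now, 0]      # a fresh node starts at count 0
            return False
        last, count = entry
        # The interval is measured from the previous hit, not from a fixed wall-clock window.
        over = (now - last < interval) and count >= limit
        if not over and now - last >= interval:
            count = 0                      # the counter resets only when the gap reaches the interval
        entry[0], entry[1] = now, count + 1
        return over

    def _refuse(self, ip, now):
        self.blacklist[ip] = now           # every refused request (re)starts the blocking period
        if ip not in self.dos_files:       # the dos-<ip> marker suppresses further alerts
            self.dos_files.add(ip)
            self.alerts.append(ip)
        return 403

    def request(self, ip, uri, now):
        """Return 403 if this request is refused, else 200 (now = integer seconds)."""
        if any(fnmatch.fnmatchcase(ip, pat) for pat in self.whitelist):
            return 200
        if ip in self.blacklist and now - self.blacklist[ip] < self.blocking_period:
            return self._refuse(ip, now)
        page_over = self._over_threshold((ip, uri), now, self.page_count, self.page_interval)
        site_over = self._over_threshold((ip, "SITE"), now, self.site_count, self.site_interval)
        return self._refuse(ip, now) if page_over or site_over else 200

    def clear_dos_file(self, ip):
        """Mimic deleting dos-<ip> from DOSLogDir so the next block is reported again."""
        self.dos_files.discard(ip)
```

With the page's values (DOSPageCount 3, DOSPageInterval 1) the fifth hit on the same URI within one second is the first to be refused, and the block keeps being extended for as long as the client keeps retrying.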
ErrorLog
[Tue Sep 08 12:31:59 2015] [error] [client 192.168.88.150] client denied by server configuration: /home/virtualhosts/is2/public_html/index.php
DOC
/usr/share/doc/mod_evasive-1.10.1/README
Test
/usr/share/doc/mod_evasive-1.10.1/test.pl
Notes
TWEAKING APACHE
The keep-alive settings for your children should be reasonable enough to
keep each child up long enough to resist a DOS attack (or at least part of
one). Remember, it is the child processes that maintain their own internal
IP address tables, and so when one exits, so does all of the IP information it
had. For every child that exits, another 5-10 copies of the page may get
through before putting the attacker back into '403 Land'. With this said,
you should have a very high MaxRequestsPerChild, but not unlimited as this
will prevent cleanup.
You'll want to have a MaxRequestsPerChild set to a non-zero value, as
DosEvasive cleans up its internal hashes only on exit. The default
MaxRequestsPerChild is usually 10000. This should suffice in only allowing
a few requests per 10000 per child through in the event of an attack (although
if you use DOSSystemCommand to firewall the IP address, a hole will no
longer be open in between child cycles).