Difference between revisions of "Mod evasive"

From SME Server
Jump to navigationJump to search
 
(3 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 +
{{Languages|AddExtraHardDisk}}
 +
{{Level|Advanced}}
 +
{{usefulnote}}
 
How to install and configure mod_evasive on SME8
 
How to install and configure mod_evasive on SME8
  
first add EPEL repo
+
=== About ===
 +
What is mod_evasive?
 +
mod_evasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and etcetera. mod_evasive presently reports abuses via email and syslog facilities.
 +
=== Installation===
 +
first add the '''[[epel]]''' reposiotry.
  
 
then
 
then
Line 11: Line 18:
  
 
then edit the file in /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/ with your favorite editor mcedit, nano, pico, vi, vim ...
 
then edit the file in /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/ with your favorite editor mcedit, nano, pico, vi, vim ...
  vim etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/20mod_evasive
+
  vim /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/20mod_evasive
  
 
Then change according to your need the followings
 
Then change according to your need the followings
Line 30: Line 37:
  
 
then create the directory
 
then create the directory
  mkdir /var/log/mod_evasiv
+
  mkdir /var/log/mod_evasive
  chown www:www /var/log/mod_evasiv
+
  chown www:www /var/log/mod_evasive
  
 
  You could then easily set a jail with fail2ban that is checking theses logs...
 
  You could then easily set a jail with fail2ban that is checking theses logs...
  
expand template and restart apache
+
expand template and restart apache
 
  expand-template /etc/httpd/conf/httpd.conf
 
  expand-template /etc/httpd/conf/httpd.conf
 
  /etc/init.d/httpd-e-smith restart
 
  /etc/init.d/httpd-e-smith restart
Line 45: Line 52:
 
source
 
source
 
http://www.aru2l.org/index.php/forum/les-howtos/5958-mod_evasive-sur-sme8
 
http://www.aru2l.org/index.php/forum/les-howtos/5958-mod_evasive-sur-sme8
 +
 +
=== Resources ===
 +
http://www.zdziarski.com/blog/?page_id=442
 +
 +
[[Category:Howto]]
 +
[[Category:Administration]]

Latest revision as of 05:48, 20 December 2016


PythonIcon.png Skill level: Advanced
The instructions on this page may require deviations from standard procedures. A good understanding of linux and Koozali SME Server is recommended.


Is this article helpful to you?
Please consider donating or volunteering
Thank you!

How to install and configure mod_evasive on SME8

About

What is mod_evasive? mod_evasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and etcetera. mod_evasive presently reports abuses via email and syslog facilities.

Installation

first add the epel reposiotry.

then

yum install mod_evasive --enablerepo=epel -y

prepare a tempalte custom

mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/
cp /etc/httpd/conf.d/mod_evasive.conf /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/20mod_evasive

then edit the file in /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/ with your favorite editor mcedit, nano, pico, vi, vim ...

vim /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/20mod_evasive

Then change according to your need the followings


  1. DOSHashTableSize 3097 : The hash table size defines the number of top-level nodes for each child's hash table.
  2. DOSPageCount 2 : This is the threshhold for the number of requests for the same page (or URI) per page interval
  3. DOSSiteCount 150 : This is the threshhold for the total number of requests for any object by the same client on the same listener per site interval. Once thethreshhold for that interval has been exceeded, the IP address of theclient will be added to the blocking list.
  4. DOSPageInterval 1 : The interval for the page count threshhold; defaults to 1 second intervals.
  5. DOSSiteInterval 1 : The interval for the site count threshhold; defaults to 1 second intervals.
  6. DOSBlockingPeriod 10 : The blocking period is the amount of time (in seconds) that a client will be blocked for if they are added to the blocking list
  7. DOSEmailNotify : If this value is set, an email will be sent to the address specified whenever an IP address becomes blacklisted.
  8. DOSSystemCommand : the system command specified will be executed whenever an IP address becomes blacklisted. This is designed to enable system calls to ip filter or other tools. prevents continuous system calls. Use %s to denote the IP address of the blacklisted IP.
  9. DOSLogDir : Choose an alternative temp directory By default "/tmp" will be used for locking mechanism, which opens some security issues if your system is open to shell users.
  10. DOSWhitelist : You can use whitelists to disable the module for certain ranges of IPs.

I suggest to set at least DOSEmailNotify and DOSLogDir "/var/log/mod_evasive"

then create the directory

mkdir /var/log/mod_evasive
chown www:www /var/log/mod_evasive
You could then easily set a jail with fail2ban that is checking theses logs...
expand template and restart apache
expand-template /etc/httpd/conf/httpd.conf
/etc/init.d/httpd-e-smith restart

check that the module was loaded:

apachectl -t -D DUMP_MODULES


source http://www.aru2l.org/index.php/forum/les-howtos/5958-mod_evasive-sur-sme8

Resources

http://www.zdziarski.com/blog/?page_id=442