TechTutorials - Free Computer Tutorials  

Introduction to Apache Mod-evasive

Added: 07/29/2008
I had never heard of mod_evasive for Apache before and it would have stayed that way if not for a strange problem that took weeks to solve. It happened like this. Out of the blue, I began having problems approving links in the admin panel of a PHP web app that we run. At first some of the images wouldn't show on the page (but usually some of them would) and the CSS file clearly wasn't being loaded because the page formatting was all wrong. The front end of the software had similar problems.

At first, I thought it was this particular piece of software. The problem seemed completely random and I could never duplicate it. After about a week, we began having problems with our advertisements randomly not displaying on all of our sites. Sometimes, the images were just gone, sometimes they appeared as broken images, and sometimes they were replaced with the bold FORBIDDEN error message. Sometimes it was a mixture of these things on the same page. You can take a look at a screenshot of one of our sites here. For comparison purposes, that particular page should look like this.

If I refreshed the page, often the entire page would come back with the 403 FORBIDDEN error message. It only seemed to affect dynamic pages so I thought it was a MySQL issue. Of course, I was forbidden from accessing the databases when the problem occurred. The only temporary solution I found was to simply wait awhile and then it would eventually start working again (or restart the server).

After many days of research and investigating, I discovered "client denied by server configuration" errors in our error logs which led me to the problem. I read up on an Apache module that is designed to perform "evasive" maneuvers in the event of a DOS or brute force attack. It does this by looking for a certain number of connections within a certain time frame from a particular IP. If the set rules are violated, the IP is banned for a set period of time. Every connection attempt that occurs while the IP is in a banned state results in additional time added to the ban.

The problem is that each image generated by a PHP application counts as a single page, as do included external pages like CSS files (and possibly SSI includes, but I'm not sure on that one). So, with the main page of the site, 8 advertisements, a CSS file, and 2 SSI include files, it is easy to see how you could get banned without doing anything wrong, especially if you were to quickly refresh the page.

Fortunately, the module is configurable. If you look in your Apache httpd.conf file, you should see the following settings:

Code :

DOSHashTableSize 3097
DOSPageCount 5
DOSSiteCount 50
DOSPageInterval 2
DOSSiteInterval 2
DOSBlockingPeriod 10

Below is an explanation of the settings:

  • DOSHashTableSize - This defines the number of top-level nodes for each child process' hash table. Increasing this number will provide faster performance by decreasing the number of iterations required to get to the record, but consume more memory for table space. You should increase this on a busy web server. Default value is 3097.

  • DOSPageCount - This is the limit for the number of requests for a single URL.

  • DOSPageInterval - This defines the time limit for the request defined by DOSPageCount.

  • DOSSiteCount - This is the limit for total allowed requests (not just a single URL).

  • DOSSiteInterval - This is the time limit for the total requests defined by DOSSiteCount.

  • DOSBlockingPeriod - When an IP is determined to be malicious, it is banned for this period of time. Each infraction that occurs while blacklisted adds an additional interval of this amount.

So as an example, the settings listed above would do the following: Blacklist an IP for 10 seconds if it attempted to connect to a URL 5 times within 2 seconds OR if it tried to access 50 total pages within 2 seconds. As we did, you may need to tweak the settings if you are getting broken images, CSS pages not loading, and 403 errors.

An older version of this module was known as mod_dosevasive. The current version can be downloaded from here.
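The false-positive scenario described above, replayed against the example settings as an added illustration (not code from this article or from mod_evasive). It is a simplified sliding-window model of the behaviour the article describes; the client address, URLs and timings are constructed, and it assumes all eight ads come from one script path that is counted as a single URL.

```python
from collections import defaultdict, deque

def simulate(requests, page_count=5, page_interval=2, site_count=50,
             site_interval=2, blocking_period=10):
    """Replay (time, ip, uri) tuples and return one HTTP status per request."""
    page_hits = defaultdict(deque)   # (ip, uri) -> timestamps inside the page window
    site_hits = defaultdict(deque)   # ip -> timestamps inside the site window
    banned_until = {}                # ip -> time at which the ban ends
    statuses = []
    for t, ip, uri in sorted(requests, key=lambda r: r[0]):
        if banned_until.get(ip, 0) > t:
            # A request made while banned adds another blocking period.
            banned_until[ip] += blocking_period
            statuses.append(403)
            continue
        tripped = False
        for hits, limit, interval in (
            (page_hits[(ip, uri)], page_count, page_interval),
            (site_hits[ip], site_count, site_interval),
        ):
            hits.append(t)
            while t - hits[0] >= interval:   # drop hits that left the window
                hits.popleft()
            tripped = tripped or len(hits) >= limit
        if tripped:
            banned_until[ip] = t + blocking_period
            statuses.append(403)
        else:
            statuses.append(200)
    return statuses

def page_view(ip, start):
    """Constructed sample: one page, its stylesheet and 8 ads from one script."""
    reqs = [(start, ip, "/index.php"), (start + 0.05, ip, "/style.css")]
    reqs += [(start + 0.1 + 0.05 * i, ip, "/ads/show.php") for i in range(8)]
    return reqs

def smallest_safe_page_count(requests, **settings):
    """Lowest DOSPageCount at which this traffic gets no 403 (None if the site limit trips)."""
    for n in range(1, len(requests) + 2):
        if 403 not in simulate(requests, page_count=n, **settings):
            return n
    return None

if __name__ == "__main__":
    visitor = "203.0.113.7"  # documentation address, constructed
    one_view = page_view(visitor, 0.0)
    refresh = one_view + page_view(visitor, 1.0)
    print("one view, example settings:", simulate(one_view))
    print("DOSPageCount needed for one view:", smallest_safe_page_count(one_view))
    print("DOSPageCount needed with a quick refresh:", smallest_safe_page_count(refresh))
```

Feeding it (time, ip, uri) tuples taken from your own access log instead of the constructed page view shows which legitimate clients a candidate setting would lock out before you deploy it.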
