Topic: mod_dosevasive for apache 2.2

cefilos
Joined: 14 Oct 2006
Posts: 2

Posted: Sat 14 Oct '06 10:40    Post subject: mod_dosevasive for apache 2.2

I tried to compile the mod to work on Apache 2.2 win32.

I just changed the code a little, disabled some functions, and it seems to work (I guess).

http://download.yousendit.com/E00F9DA06BD8BC44 (only available for 7 days from now)

http://www.zdziarski.com/projects/mod_evasive/ (original)

* Things I disabled:
- Email Notify
- No Dos Evasive Log (but it writes to the Apache error log)
- maybe something I did not disable that might not work on win32

* I compiled on Windows XP, VC++ 8, Apache 2.2.3 (but set the environment to Windows 2003 SP1)

Please, if someone can change it and make it work perfectly on Windows, or just compile it under better conditions.


CONFIGURATION

mod_evasive has default options configured, but you may also add the
following block to your httpd.conf:

LoadModule dosevasive22_module modules/mod_dosevasive22.dll

<IfModule dosevasive22_module>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
</IfModule>


DOSHashTableSize
----------------

The hash table size defines the number of top-level nodes for each child's
hash table. Increasing this number will provide faster performance by
decreasing the number of iterations required to get to the record, but
consume more memory for table space. You should increase this if you have
a busy web server. The value you specify will automatically be tiered up to
the next prime number in the primes list (see mod_evasive.c for a list
of primes used).

DOSPageCount
------------

This is the threshold for the number of requests for the same page (or URI)
per page interval. Once the threshold for that interval has been exceeded,
the IP address of the client will be added to the blocking list.

DOSSiteCount
------------

This is the threshold for the total number of requests for any object by
the same client on the same listener per site interval. Once the threshold
for that interval has been exceeded, the IP address of the client will be added
to the blocking list.

DOSPageInterval
---------------

The interval for the page count threshold; defaults to 1 second intervals.

DOSSiteInterval
---------------

The interval for the site count threshold; defaults to 1 second intervals.

DOSBlockingPeriod
-----------------

The blocking period is the amount of time (in seconds) that a client will be
blocked for if they are added to the blocking list. During this time, all
subsequent requests from the client will result in a 403 (Forbidden) and
the timer being reset (e.g. another 10 seconds). Since the timer is reset
for every subsequent request, it is not necessary to have a long blocking
period; in the event of a DoS attack, this timer will keep getting reset.


WHITELISTING IP ADDRESSES

IP addresses of trusted clients can be whitelisted to ensure they are never
denied. The purpose of whitelisting is to protect software, scripts, local
searchbots, or other automated tools from being denied for requesting large
amounts of data from the server. Whitelisting should *not* be used to add
customer lists or anything of the sort, as this will open the server to abuse.
This module is very difficult to trigger without performing some type of
malicious attack, and for that reason it is more appropriate to allow the
module to decide on its own whether or not an individual customer should be
blocked.

To whitelist an address (or range) add an entry to the Apache configuration
in the following fashion:

DOSWhitelist 127.0.0.1
DOSWhitelist 127.0.0.*

Wildcards can be used on up to the last 3 octets if necessary. Multiple
DOSWhitelist commands may be used in the configuration.
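
The counting, blocking and whitelisting rules described in the README text above, as an added example that is not part of the original post and is not mod_evasive's source. It is a simplified Python model replayed over constructed traffic; the class and function names are hypothetical, and the exact request at which the real module treats a threshold as exceeded may differ.

```python
from dataclasses import dataclass, field

@dataclass
class EvasiveModel:
    """Simplified model of the README's rules; not mod_evasive's source."""
    page_count: int = 2          # DOSPageCount
    site_count: int = 50         # DOSSiteCount
    page_interval: float = 1     # DOSPageInterval, seconds
    site_interval: float = 1     # DOSSiteInterval, seconds
    blocking_period: float = 10  # DOSBlockingPeriod, seconds
    whitelist: tuple = ()        # DOSWhitelist patterns such as "127.0.0.*"
    hits: dict = field(default_factory=dict)     # key -> (window start, count)
    blocked: dict = field(default_factory=dict)  # ip -> time of last denied request

    def whitelisted(self, ip):
        # IPv4 only: a "*" octet in a pattern matches any value in that position.
        return any(all(p in ("*", o) for p, o in zip(pat.split("."), ip.split(".")))
                   for pat in self.whitelist)

    def _exceeded(self, key, now, interval, limit):
        start, count = self.hits.get(key, (now, 0))
        if now - start >= interval:   # interval elapsed: open a new window
            start, count = now, 0
        self.hits[key] = (start, count + 1)
        return count + 1 > limit

    def request(self, ip, uri, now):
        """Return the status this model gives a request arriving at time `now`."""
        if self.whitelisted(ip):
            return 200
        last = self.blocked.get(ip)
        if last is not None and now - last < self.blocking_period:
            self.blocked[ip] = now    # each denied request restarts the timer
            return 403
        over_page = self._exceeded((ip, uri), now, self.page_interval, self.page_count)
        over_site = self._exceeded((ip, None), now, self.site_interval, self.site_count)
        if over_page or over_site:
            self.blocked[ip] = now
            return 403
        return 200

def replay(model, events):
    return [model.request(ip, uri, t) for t, ip, uri in events]

# Constructed traffic: (seconds, client IP, URI). The block set at t=0.4 would
# lapse at t=10.4, but the denied requests at 5.0 and 14.0 keep extending it.
SAMPLE = [(0.0, "203.0.113.9", "/a"), (0.2, "203.0.113.9", "/a"),
          (0.4, "203.0.113.9", "/a"), (5.0, "203.0.113.9", "/b"),
          (14.0, "203.0.113.9", "/b"), (24.5, "203.0.113.9", "/b")]
```

Calling `replay(EvasiveModel(), SAMPLE)` shows the client staying blocked until it has been quiet for a full blocking period, which is why the README says a short DOSBlockingPeriod is sufficient.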

Demoric
Joined: 23 Nov 2005
Posts: 9
Location: S.E. Kansas

Posted: Tue 17 Oct '06 4:05

Just wanted to say thanks for posting this. I have wanted to use this since I changed from apache 2.0.53, now I'm using it on 2.2.3

Everything seems to be working well.

DrWeb
Joined: 30 Oct 2006
Posts: 2
Location: Ukraine

Posted: Tue 31 Oct '06 10:27    Post subject: File is unavailable: file associated with link has expired :(

Please, help help help....
Can anybody post this module in rapidshare.com?

Steffen
Moderator
Joined: 15 Oct 2005
Posts: 3091
Location: Hilversum, NL, EU

Posted: Tue 31 Oct '06 12:26

I have still a copy on my box at Removed
Steffen

DrWeb
Joined: 30 Oct 2006
Posts: 2
Location: Ukraine

Posted: Tue 31 Oct '06 13:05    Post subject: Thank's a lot!

Thanks :D

sljiang
Joined: 09 Nov 2006
Posts: 2

Posted: Thu 09 Nov '06 10:35    Post subject: Re: Thank's a lot!

Can anybody provide a compiled version for apache2.0? Very thankful!

sljiang
Joined: 09 Nov 2006
Posts: 2

Posted: Fri 10 Nov '06 5:29    Post subject: Re: Thank's a lot!

OR explain how to compile it on windows platform. Thanks!

DADE
Joined: 23 Dec 2006
Posts: 5

Posted: Sun 24 Dec '06 16:36

I would like to use that module on Apache 2.0 too, please.

Cheers :D

Panda
Joined: 16 Dec 2006
Posts: 16

Posted: Tue 02 Jan '07 5:05

http://www.nuclearelephant.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz

Panda
Joined: 16 Dec 2006
Posts: 16

Posted: Tue 02 Jan '07 5:09

One way to stop one of the more basic attacks on a server is mod_evasive. This how-to will walk through the process of installing and configuring mod_evasive. This Apache module will help protect against people sending too many requests to the webserver in an attempt to flood it. If it detects too many connections the offending IP will be blocked from accessing Apache for This is especially useful when the server is continuously getting attacked. With this default configuration it will block the offending IP for 10 minutes. If it continues to try and flood, mod_evasive will automatically add more time to this.

*Update* Feb 1 2005 - Now links to the latest version of mod_evasive from the old name of mod_dosevasive.

**NOTE** This module has been known to cause problems with FrontPage server extensions. If you use them you should not install this module, or just be aware of the fact it might break them.

Follow this section for Apache 1.3.x.

-----command-----
cd /usr/local/src
wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
tar -zxf mod_evasive_1.10.1.tar.gz
cd mod_evasive
/usr/local/apache/bin/apxs -cia mod_evasive.c
-----command-----



Follow this section for Apache 2.0.x.
-----command-----
up2date -i httpd-devel
cd /usr/local/src
wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
tar -zxf mod_evasive_1.10.1.tar.gz
cd mod_evasive
/usr/sbin/apxs -cia mod_evasive20.c
-----command-----

If you are adding this module to Apache 1.3.x, the following lines need to be added to the httpd.conf below the AddModule section.

<IfModule mod_evasive.c>
DOSHashTableSize 3097
DOSPageCount 5
DOSSiteCount 100
DOSPageInterval 2
DOSSiteInterval 2
DOSBlockingPeriod 600
</IfModule>



If you are using Apache 2.0.x you need to scroll to below the LoadModule section in the httpd.conf and add the following:

<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 5
DOSSiteCount 100
DOSPageInterval 2
DOSSiteInterval 2
DOSBlockingPeriod 600
</IfModule>

Exit and save out of the httpd.conf

Now it should be ready to go. Exit out of pico and restart apache.
-----command-----
service httpd restart
-----command-----

For now I have removed the mailing feature from my configuration. If you would like it you need to add "DOSEmailNotify root" in the IfModule section of your httpd.conf. If you are having trouble with mod_evasive emailing you then you probably need to make sure that the mail configuration is correct. By default it is set to /bin/mail, which you may have to symlink to the correct mail binary. You can also edit the line containing the following: #define MAILER "/bin/mail -t %s" in the source code to change what it points to.


If you have problems, use this config:
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
</IfModule>

fulldump
Joined: 15 Jan 2007
Posts: 1

Posted: Mon 15 Jan '07 1:45

I tried to use this modded evasive under FreeBSD (I know it's a Windows forum, but I can't find anything related on other pages) and removed winsock.dll from the source, but I got an error when I start Apache 2.2.4:

Cannot load /usr/local/libexec/apache22/mod_dosevasive22.so into server: /usr/local/libexec/apache22/mod_dosevasive22.so: Undefined symbol "_snprintf"

Please help!

Rodrigo
Joined: 12 Feb 2007
Posts: 1

Posted: Mon 12 Feb '07 15:24    Post subject: Apply dosevasive22 module depending on request url

Hi, first of all sorry for my English.

Great job compiling this dosevasive22 module for Windows. I was wondering if there is a way to apply the dosevasive22 module depending on the requested URL. Maybe it sounds a little strange, but I want to reject requests for some PHP files (i.e. the ones that access the database and take a lot of execution time) and not all my web docs. I think that the solution could be using the SetEnvIf directive in httpd.conf, but I can't figure out how to "disable" the module depending on Request_URI, for example.

Thanks a lot for your answers.

Rodrigo.

erict
Joined: 22 Jan 2006
Posts: 11
Location: UK

Posted: Mon 19 Mar '07 16:58

Hi, I've got a Win98 laptop with Apache 2.0.55 for test purposes. When I test the config with dosevasive 1.8 for apache 2.0 it cannot load as unspecified library files are missing. Does that mean a missing runtime library?

It loads on my Vista machine running Apache 2.0.55.

(don't want to upgrade Apache yet as I haven't got my head round changing from mod_security 1 to 2).

Any help appreciated.
With good wishes,
EricT.

James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7364
Location: Germany, Next to Hamburg

Posted: Mon 19 Mar '07 17:06

You cannot use an Apache 2.2.x module with Apache 2.0.x ;)

erict
Joined: 22 Jan 2006
Posts: 11
Location: UK

Posted: Mon 19 Mar '07 17:23

James Blond wrote:
You cannot use an Apache 2.2.x module with Apache 2.0.x ;)


Ah, sorry: my mistake. The .c file read "version 1.8 for Apache 2.0", though the included dll was mod_dosevasive22.dll.

Does anyone have an Apache 2.0 dll, then, please?

Many thanks,

EricT.

boterkoek
Joined: 03 May 2007
Posts: 3

Posted: Thu 03 May '07 12:48

Hi all

My server is attacked multiple times with something called 'website nuker'.
Though I'm not sure what that tool does exactly, it leaves my Apache 2.2.4 server crippled. Apache is still running, and port 80 remains open. Yet my server doesn't send any HTML/PHP pages anymore.

I tried to install mod_evasive for Apache on Windows, but when I launch my 2.2.4 server it says something like 'wrong API'.

Does anyone know how I can get mod_evasive for 2.2.4, or how I could stop these DoS attacks on my server?

vultr
Joined: 04 May 2007
Posts: 1

Posted: Fri 04 May '07 16:08

I'm running a Windows 2003 Web Edition server with Apache 2.2.4 installed and mod_dosEvasive; my server is vulnerable to some sort of single-machine DoS attack. Not only my own server is vulnerable but basically ANY Apache 2.2.4 win32 server, even without PHP installed (I checked by installing Apache 2 on 4 machines).

I have installed this module (dosEvasive) by placing the c and dll files in the /module directory, and added the configuration lines in the httpd.conf file.

The DOSPageCount seems to work, as I reloaded the same HTML page a couple of times and the server responded with: FORBIDDEN.

However, when attacked by the specific SYN flood attack, Apache 2 becomes useless and doesn't send any pages out anymore. When the attacker stops sending his SYN flood the server starts responding again. I have tried to change the DOSSiteCount value but it didn't help.

Did I do something wrong, or maybe this build doesn't work for Apache 2.2.4?

tdonovan
Moderator
Joined: 17 Dec 2005
Posts: 611
Location: Milford, MA, USA

Posted: Mon 07 May '07 3:14

re: "...or maybe this build doesnt work for apache 2.2.4"

Steffen's mod_dosevasive build works fine for me on Apache 2.2.4 (from Apache Lounge) on Win2k, Win2003, and XP.
The fact that the response switches to FORBIDDEN sounds like it is working correctly on your system.

If this is actually a SYN attack, this gets handled entirely by the operating system.
SYN packets never get to Apache - only completed connections - so dos_evasive (or any other Apache technique) isn't going to help for this kind of attack.

How did you check that it was a SYN attack? Did you use a network monitor? netstat?
There's nothing in your Apache error.log or access.log for this attack, right?

If you are sure this is a SYN packet attack, you might want to check out the SynAttackProtect Windows registry setting.
This is a long-shot. Windows 2003 should be resistant to SYN attacks without the need for any tinkering.

-tom-
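
One way to answer the netstat question raised in the reply above, as an added example that is not part of the original post: a Python function that counts half-open connections (the ones that never reach Apache or its logs) on the web port in Windows-style `netstat -an` text. The function name, the `min_half_open` threshold and the sample rows are assumptions constructed for illustration.

```python
from collections import Counter

# Windows netstat prints SYN_RECEIVED for a half-open connection; Linux prints SYN_RECV.
HALF_OPEN = {"SYN_RECEIVED", "SYN_RECV"}

def summarize(netstat_text, port=80, min_half_open=3):
    """Summarize TCP states on local `port` from Windows-style `netstat -an` text."""
    states, sources = Counter(), Counter()
    for line in netstat_text.splitlines():
        f = line.split()
        # Expected row: TCP  <local addr:port>  <foreign addr:port>  <STATE>
        if len(f) < 4 or f[0].upper() != "TCP":
            continue
        local, remote, state = f[1], f[2], f[3].upper()
        if local.rsplit(":", 1)[-1] != str(port):
            continue
        states[state] += 1
        if state in HALF_OPEN:
            sources[remote.rsplit(":", 1)[0]] += 1
    half_open = sum(states[s] for s in HALF_OPEN)
    return {
        "half_open": half_open,
        "established": states["ESTABLISHED"],
        "half_open_sources": len(sources),
        # Heuristic only; min_half_open is an arbitrary value chosen for the sample.
        "suspect_syn_flood": half_open >= min_half_open
                             and half_open > states["ESTABLISHED"],
    }

# Constructed sample in the layout of `netstat -an -p tcp` (documentation addresses).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80          198.51.100.23:51514    SYN_RECEIVED
  TCP    192.0.2.10:80          198.51.100.87:1044     SYN_RECEIVED
  TCP    192.0.2.10:80          203.0.113.5:40211      SYN_RECEIVED
  TCP    192.0.2.10:80          203.0.113.77:3312      SYN_RECEIVED
  TCP    192.0.2.10:80          198.51.100.4:50122     ESTABLISHED
  TCP    192.0.2.10:3389        198.51.100.4:50200     ESTABLISHED
"""
```

A high half-open count next to an empty access.log for the same period points at the TCP stack rather than at Apache or the module's thresholds.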

trolleycrash
Joined: 28 Apr 2008
Posts: 1

Posted: Mon 28 Apr '08 21:34

http://rapidshare.com/files/111108411/dosevasive.zip.html

Here's the original file, posted to Rapidshare as requested

xblue
Joined: 19 Feb 2006
Posts: 1

Posted: Tue 13 May '08 14:09    Post subject: I need this module too - can anyone share it?

All old links don't work anymore - is there a new location????