Author |
|
Mox
Joined: 14 Sep 2021 Posts: 8
|
Posted: Sun 02 Jun '24 23:24 Post subject: mod_evasive not working |
|
|
I installed mod_evasive for Apache 2.4 but it's not working properly.
I set DOSBlockingPeriod 100, and it works but I can still load page when I close the browser and do refresh.
Can someone help me? |
|
Back to top |
|
DnvrSysEngr
Joined: 15 Apr 2012 Posts: 224 Location: Denver, CO USA
|
Posted: Mon 03 Jun '24 0:41 Post subject: |
|
|
1. Make sure you have Mod_Evasive loading in your HTTPD.conf file
LoadModule evasive_module modules/mod_evasive.so
2. Make sure you have it pointing to a location for its configuration in your HTTPD.conf file. Mine is in its own .conf file
# Evasive Module configuration
<IfModule evasive_module>
Include conf/extra/httpd-evasive.conf
</IfModule>
3. Sample .conf file for Mod_Evasive
# Place this file in your Apache /conf/extra directory, modify as desired and then add to your httpd.conf
# file somewhere in the global context.
#
# Include conf/extra/httpd-evasive.conf
#
# Required modules: evasive_module
#
<IfModule evasive_module>
DOSBlockingPeriod 10
#DOSEmailNotify you@yourdomain.com
DOSEnabled true
DOSHashTableSize 3097
DOSHTTPStatus 429
DOSLogDir "C:/Program Files/Apache/logs"
DOSPageCount 2
DOSPageInterval 1
DOSSiteCount 50
DOSSiteInterval 1
#DOSSystemCommand "su - someuser -c '/sbin/... %s ...'"
DOSWhitelist 127.0.0.1
#DOSWhitelistUri whitelist.*regex
</IfModule>
#
# End of configuration file for mod_evasive
Hope this helps to get you pointed in the right direction.
--S |
|
Back to top |
|
Mox
Joined: 14 Sep 2021 Posts: 8
|
Posted: Mon 03 Jun '24 1:45 Post subject: |
|
|
mod_evasive is working, but not as I expected.
I set DOSBlockingPeriod 100, and I simulate DoS attack. I can see in error.log that evasive is blocking requests.
But I can still refresh page and load after 10 seconds.
That should not happen.
Code: | <IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 3
DOSSiteInterval 1
DOSBlockingPeriod 100
#DOSEmailNotify you@yourdomain.com
#DOSSystemCommand "su - someuser -c '/sbin/... %s ...'"
DOSLogDir "/var/log/mod_evasive"
</IfModule> |
|
|
Back to top |
|
DnvrSysEngr
Joined: 15 Apr 2012 Posts: 224 Location: Denver, CO USA
|
Posted: Wed 05 Jun '24 3:25 Post subject: |
|
|
Granted my knowledge is on the Windows side, I did manage to test in the Linux world.
I have Apache 2.4.59 on a Linux Mint machine and installed Mod_Evasive, configured it and tested it per the link at:
https://phoenixnap.com/kb/apache-mod-evasive
I received HTTP/1.1 400 Bad Request when running the test mentioned in the KB article.
Not sure if you are running different tests? Maybe 'James Blonde' can chime in and provide more assistance? |
|
Back to top |
|
DnvrSysEngr
Joined: 15 Apr 2012 Posts: 224 Location: Denver, CO USA
|
Posted: Wed 05 Jun '24 3:59 Post subject: |
|
|
Addendum:
As I mentioned above, I was getting 400 for my error code.
Looks like the problem depends on test.pl (Remember I am using the the Apache test.pl file)
Found this article that said to
rewrite the line
print $SOCKET "GET /?$_ HTTP/1.0\n\n";
as
print $SOCKET "GET /?$_ HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n";
This now yields me 403 as my error code.
https://stackoverflow.com/questions/51172923/mod-evasive-not-working-on-apache-2-4-6
That is the extent of my knowledge of Mod_Evasive. Maybe it is parameters used in test? |
|
Back to top |
|