Urban Mainframe

User Comments

(for: Web Server Flood Barrier)
1 | Posted by: Gabriel Mihalache (Registered User) | ~ 1 year, 10 months ago |

I don’t see any protection from a large mass of zombie (Windows) machines consuming all your bandwidth with requests (regardless of whether they get denied or not). Never mind HTTP requests! They can just dump ICMP packets.

Your ISP can block ICMP, but it can’t filter IPs for abusive HTTP requests. If you pay your hosting based on your traffic, a single flood session can consume all your allocated bandwidth for that month.

2 | Posted by: DarkBlue (Registered User) | ~ 1 year, 10 months ago |

I don’t see any protection from a large mass of zombie (Windows) machines consuming all your bandwidth with requests (regardless of whether they get denied or not).

That’s true. I didn’t say it was perfect, Gabriel. Quoting from the article (highlighting added):

As a result of our efforts, we’ve created a web-server which, while certainly not invulnerable, is hardened against some of the more common DoS-type attacks that could befall it.

Remember, what we’re doing here is plugging holes. We might not be able to plug them all, but at least we keep some of the water out when it rains.

If there’s more that I could/should do then let me know. I’m all ears!

3 | Posted by: DarkBlue (Registered User) | ~ 1 year, 10 months ago |

Gabriel, mod_dosevasive can send IP addresses to other applications with its “DOSSystemCommand” directive. If I adjusted my mod_dosevasive configuration in my “httpd.conf” file by adding:

   DOSSystemCommand "iptables -I INPUT -s %s -j DROP"

(Where “%s” is a placeholder, mod_dosevasive will replace it with an IP address it has classified as rogue.)

Does this improve my situation at all?

Note: With the above change, mod_dosevasive passes each rogue IP to the “firewall” where it is then permanently blocked.

4 | Posted by: Noah Slater (Guest) | ~ 1 year, 10 months ago |

With regards to Gabriel’s comments, you should check out http://www.snert.com/Software/mod_throttle/ which may be what you’re looking for re HTTP flooding.

5 | Posted by: DarkBlue (Registered User) | ~ 1 year, 10 months ago |

Er… yeah… I’ve tried mod_throttle Noah. The experience wasn’t a good one. :-(

6 | Posted by: Jon Berg (Guest) | ~ 1 year, 10 months ago |

This is dealing with DoS on the technical level, but if you want it badly enough, most of today’s systems are vulnerable to attacks. But as you said, some plugging will help on the way.

7 | Posted by: Noah Slater (Guest) | ~ 1 year, 10 months ago |

“Note: With the above change, mod_dosevasive passes each rogue IP to the “firewall” where it is then permanently blocked.”

I think it is unwise to permanently block by IP due to the dynamic nature of some people’s connections and the fact that with some ISPs (i.e. AOL) many users share the same IP.

I do not have a solution to this, but if any rules are added to iptables I think they need to be temporary for this reason.

8 | Posted by: DarkBlue (Registered User) | ~ 1 year, 10 months ago |

I think it is unwise to permanently block by IP … many users share the same IP.

I agree Noah. I didn’t actually implement that step. I was just curious as to whether or not Gabriel would consider it an improvement.

I do not have a solution to this

I do!

9 | Posted by: bp (Guest) | ~ 1 year, 9 months ago |

Hi all,

I have recently started using a combination of mod_security and mod_dosevasive.

Works great for me.

“Note: With the above change, mod_dosevasive passes each rogue IP to the “firewall” where it is then permanently blocked.”

That’s not true! mod_dosevasive gives you a possibility to run a command; it’s up to you what you do with it.

My script mod_dosevasive.sh (http://xrl.us/esjt)

blocks the IP for a certain N minutes, and the block is removed automagically by a batch job submitted to at.

If you have questions just ask.

Cheers,

Badri

10 | Posted by: DarkBlue (Registered User) | ~ 1 year, 9 months ago |

Welcome to the Urban Mainframe bp.

mod_dosevasive gives you a possibility to run a command; it’s up to you what you do with it

Exactly bp. So I use that to update the firewall. Why do you think this is “not true”?

11 | Posted by: bp (Guest) | ~ 1 year, 9 months ago |

What I meant to say is, if you just pass an IP to the firewall to be blocked, then you can also unblock it, because firewall rules are not one-way traffic.

Cheers,

bp
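The temporary block that Noah asks for in comment 7 and bp describes in comment 9, written out as an added example (this is not bp’s mod_dosevasive.sh, which is only linked above, nor part of the original article): a script that the DOSSystemCommand from comment 3 could invoke with “%s”, inserting the same iptables DROP rule and queuing its removal with at. The script path, the iptables path, the block duration and the address check are assumptions.

```shell
#!/bin/sh
# Added example: temporary iptables block driven by mod_dosevasive.
# Assumed httpd.conf line (the script path is an assumption):
#   DOSSystemCommand "/usr/local/sbin/dos_block.sh %s"
# mod_dosevasive substitutes the address it classified as rogue for %s.

IPTABLES="${IPTABLES:-/sbin/iptables}"   # assumed location of iptables
BLOCK_MINUTES="${BLOCK_MINUTES:-10}"     # assumed block duration

# Accept only a plain dotted-quad IPv4 address. The value arrives as a
# command-line argument from the module, so anything else is refused
# before it is handed to iptables or at.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    _ifs="$IFS"; IFS=.
    set -- $1
    IFS="$_ifs"
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# The -D rule that exactly undoes the -I rule from comment 3; this text
# becomes the body of the at job.
unblock_rule() { echo "$IPTABLES -D INPUT -s $1 -j DROP"; }

# Insert the DROP rule now and queue its removal. The at job is what
# turns the permanent block of comment 3 into a temporary one.
block_temporarily() {
    is_ipv4 "$1" || { echo "refusing to block '$1'" >&2; return 1; }
    "$IPTABLES" -I INPUT -s "$1" -j DROP || return 1
    unblock_rule "$1" | at now + "$BLOCK_MINUTES" minutes
}

# When run by mod_dosevasive the single argument is the address; with no
# argument (e.g. when sourced for testing) nothing is changed.
if [ "$#" -eq 1 ]; then
    block_temporarily "$1"
fi
```

The at daemon must be running for the removal to happen; without it the rule stays in place just as in comment 3.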

12 | Posted by: Chris (Guest) | ~ 1 year, 8 months ago |

I would like to install mod_dosevasive on a Debian machine. The problem I’m having is getting mod_dosevasive.so. Does anyone know where I can get hold of such a file, or instructions as to how to create it?

I’ve read around everywhere for this info but no results. The way Debian’s Apache seems to work is that you need a .so file.

Chris :-(

13 | Posted by: Noah Slater (Guest) | ~ 1 year, 8 months ago |

Your first port of call should probably be its home page at http://www.nuclearelephant.com/projects/dosevasive/

From there you can download a tarball of the latest release, unpack it and follow the instructions.

You can do this from a shell like so (I have used a $ sign to indicate your shell prompt)

(Please note you may have to be root to do this):

   $ cd /usr/local/src/
   $ wget www.nuclearelephant.com/projects/dosevasive/mod_dosevasive_1.10.tar.gz
   $ tar -zvxf mod_dosevasive_1.10.tar.gz
   $ cd mod_dosevasive

The installation then varies depending on your Apache installation. If you have Apache 2 as I do, you only need two more commands (where $APACHE_ROOT is the location of your Apache 2 installation, usually “/usr/local/apache”):

   $ $APACHE_ROOT/bin/apxs -i -a -c mod_dosevasive20.c
   $ apachectl restart

The installation procedure varies depending on your environment, but either way, it behooves you to read the README file that comes with the software. You can view it like so:

   $ less README

I hope this helps.

14 | Posted by: DarkBlue (Registered User) | ~ 1 year, 8 months ago |

Hey, this is brilliant! Thank you Noah for handling all these messages in my absence (Noah - the proxy blogger).

While you’re here, perhaps you’d be so kind as to publish an article or two on my behalf (please)? :-)

Thanks again Noah, I appreciate it.

15 | Posted by: Chris (Guest) | ~ 1 year, 8 months ago |

I did actually review all the relevant documentation before posting.

I am using a Debian Apache 1.3 package, which has its own way of adding new modules. As part of this you create a .info file which contains a reference to mod_dosevasive.so, and run the apache-modconf command.

The command apxs does not exist on this machine, and anyway using it would go against the quite clear Debian package instructions.

Hence my requirement to get hold of a .so file. Unfortunately the mod_dosevasive author’s installation instructions are not helpful, and any naive gcc commands I’ve tried do not work out well.

I’ve asked for help on LinuxQuestions.org but have got no replies. The next step might be to approach the author I guess, unless you guys have a better idea.

- Chris

PS.

Whilst I’m here, I’ll just say that this command:

   echo 1 > /proc/sys/net/ipv4/tcp_syncookies

I think should go into this file:

   /etc/init.d/bootmisc.sh

on a debian machine, although I haven’t tested it with a reboot yet.

16 | Posted by: Noah Slater (Guest) | ~ 1 year, 8 months ago |

“The command apxs does not exist on this machine, and anyway using it would go against the quite clear debian package instructions.”

apxs should exist in Apache’s /bin directory. If not, you can download a copy. I do not fully understand (through ignorance) your problem with doing this. Please excuse me if I ask you what you mean when you say this goes against Debian’s package instructions? I myself am an avid user of Debian, but I was not aware of any instructions as to how I should or should not compile and install a module.

“Hence my requirement to get hold of a .so file. Unfortunately the mod_dosevasive author's installation instructions are not helpful, and any naive gcc commands I've tried do not work out well”

I am very sorry, but once again I do not understand what you mean. The README file contains clear instructions on how to compile the correct .so files.

Once again, please excuse my ignorance.


17 | Posted by: Chris (Guest) | ~ 1 year, 8 months ago |

Just do this command:

   man apache-modconf

to find out about the ‘Debian way’ of handling modules. (Debian.README, found at /usr/local/share/doc/apache, mentions this command.)

The machine doesn’t even have an Apache /bin directory on it! For instance, the Apache executable is /usr/sbin/apache.

I will take another look at the docs that come with mod-dosevasive for how to get a .so. Thanks for the tip.

18 | Posted by: Chris (Guest) | ~ 1 year, 8 months ago |

I’ve now read the README file again, and have copied it in here, but I’m afraid I still can’t find the reference to creating a .so file.

19 | Posted by: Noah Slater (Guest) | ~ 1 year, 8 months ago |

For Apache 2 when you issue the following command:

   $APACHE_ROOT/bin/apxs -i -a -c mod_dosevasive20.c

It makes the .so file for you and configures Apache to use it. Although this is not directly stated, it is implied further down where it reads:

   LoadModule dosevasive20_module modules/mod_dosevasive20.so

(This line is already added to your configuration by apxs)

I only use Apache 2 so I cannot speak authoritatively about earlier versions, but I am guessing that (as stated in the README file):

   $APACHE_ROOT/bin/apxs -iac mod_dosevasive.c

will do the same thing for Apache 1.3, including the construction of a .so file.

I hope this helps you.

20 | Posted by: Chris (Guest) | ~ 1 year, 8 months ago |

I’m not there yet!

Found: http://xrl.us/fd8m

Which has this great comment:

   # compile Apache, to create apxs

So I do this:

   apt-get source apache
   cd apache-1.3.33
   make -f debian/rules

(And it all works perfectly)

From the commands that Harry goes on to run, this should now exist:

   /downloads/apache-1.3.33/debian/apxs

but it doesn’t! (He’s got apache-1.3.26)

apache-1.3.33 matches the package I’ve installed.

I’ll keep having cracks at this as time goes by… Maybe I’ll specifically get apache-1.3.26. Not quite sure how to do this via apt-get right now, but I’m sure I’ll find out …

- Chris

PS. Setting tcp_syncookies to 1 does of course work when called from bootmisc.sh on machine startup.

21 | Posted by: Chris (Guest) | ~ 1 year, 8 months ago |

I followed Harry’s instructions and got the source for apache-1.3.26 (this is currently stable while 1.3.33 is testing). It didn’t compile right to the end, but did give me an “apxs”. Unfortunately apxs did not work too well:

   cd /downloads/apache-1.3.26/debian
   ./apxs -iac /downloads/mod_dosevasive/mod_dosevasive.c 2> temp

And temp starts off like this:

   gcc -DLINUX=22 -DEAPI -DTARGET="apache" -DNO_DBM_REWRITEMAP -DDEV_RANDOM=/dev/random -DUSE_HSREGEX -DUSE_EXPAT -I../lib/expat-lite -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -O1 -fPIC -DSHARED_MODULE -I/usr/include/apache-1.3  -c /downloads/mod_dosevasive/mod_dosevasive.c
   /downloads/mod_dosevasive/mod_dosevasive.c:36:19: httpd.h: No such file or directory
   /downloads/mod_dosevasive/mod_dosevasive.c:37:23: http_core.h: No such file or directory

Would seem like a fair bit of hassle for me to try and fix this, so my request is, can someone send me a mod_dosevasive.so file that has been compiled using the source of apache-1.3.26?

22 | Posted by: DarkBlue (Registered User) | ~ 1 year, 8 months ago |

Chris, I’m delighted that you’ve found a forum here that may help you to get mod_dosevasive running on your server - and I genuinely hope that you manage to resolve the issues you are currently suffering.

However, will you please take the time to read the formatting instructions if you are going to post session dumps, source code and documentation.

Alternatively, create text files that you can host on a server somewhere and link to them from here (as I have done with some of your longer posts above).

I ask this purely to try to keep this thread readable for future visitors (and to save me from having to waste time reformatting comments).

Thank you.

23 | Posted by: DarkBlue (Registered User) | ~ 1 year, 8 months ago |

NOTE: Comments in this thread have been edited to preserve formatting and readability.

24 | Posted by: Chris (Guest) | ~ 1 year, 8 months ago |

Those error messages that I thought might be “a bit of a hassle to fix” weren’t really a problem at all. I just copied the missing header files into the cwd and the apxs command worked.

With the .so file I then set it up according to the special Debian instructions, restarted the Apache server and ran test.pl.

As I’ve got logcheck working on this server, and I’m using the Debian Apache package, I didn’t need to separately set up any email notification, as this kind of message came through for free:

   mod_dosevasive[20469]: Blacklisting address 127.0.0.1: possible DoS attack.

I emailed the debian apache maintainer about apxs disappearing.

I am very happy with my Debian server! (In fact this is really the only glitch I’ve had, and I’ve set up loads and am not an experienced sysadmin person.)

25 | Posted by: Chris (Guest) | ~ 1 year, 8 months ago |

This is the reply I got from the package maintainer:

Maintainer wrote:

Chris Murphy said:

Was apxs pulled for a reason, or have I got something wrong…

   lucifer:~/> dpkg -S /usr/bin/apxs
   apache-dev: /usr/bin/apxs

… Maintainer

Me: Are you saying that the source package for 1.3.33 definitely comes with apxs? (Assume yes.)

I guess my confusion came from the fact that it is no longer installed at:

   /downloads/apache-1.3.33/debian/apxs

but at:

   /usr/bin/apxs

26 | Posted by: Chris (Guest) | ~ 1 year, 8 months ago |

   lucifer:~/> dpkg -S /usr/bin/apxs
   apache-dev: /usr/bin/apxs

Maintainer again, referring to the above two lines:

Erm, what was implied by my previous mail was that you should install “apache-dev” if you want a working apxs binary that matches the debian apache packages.

I think that Debian needs a web site where you enter the name of a command, and it tells you which package it is in.

Last post to this thread I promise!

27 | Posted by: DarkBlue (Registered User) | ~ 1 year, 7 months ago |

Chris, have you actually got mod_dosevasive working on your server now?

28 | Posted by: Chris (Guest) | ~ 1 year, 7 months ago |

YES. That happened at #24, where I used the apxs I had got at #21 to get an .so.

The rest was just to see what was actually going on. If I had known about apache-dev from the beginning I wouldn’t have had any troubles at all.

29 | Posted by: DarkBlue (Registered User) | ~ 1 year, 7 months ago |

Damn - I actually read your comment at #24 but it still didn’t register! I gotta lay off the caffeine. :-)

30 | Posted by: davisye (Guest) | ~ 1 year, 7 months ago |

pls help me…
