1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

normal users getting blocked from mod_evasive apache module

Discussion in 'Server Configuration and Hosting' started by XxUnkn0wnxX, Mar 10, 2014.

  1. XxUnkn0wnxX

    XxUnkn0wnxX Active Member

    well i recently install mod_evasive module into Apache to help migrate and stop dos attacks but it has been causing me issues such as blocking normal users i am use a shout box that uses ajax scripting

    and i have configured my configuration to this in side my apache config file but not matter how high i set the Numbers or low doesn't resolve my issue as i am unsure how it works.

    <IfModule mod_evasive20.c>
    DOSSystemCommand "sudo /root/antidos/ban_ip.sh %s"
    DOSHashTableSize 3097
    DOSPageCount 60
    DOSSiteCount 150
    DOSPageInterval 1
    DOSSiteInterval 1
    DOSBlockingPeriod 40
    DOSEmailNotify hidden
    DOSLogDir /usr/local/apache/logs/evasive

    i am unsure with these and i have read the official documentation doesn't explain anything


    and what does Interval mean like if i say Interval 5 does this mean 5 seconds?
  2. XxUnkn0wnxX

    XxUnkn0wnxX Active Member

    beacuse at the moment this feature is acting like this

    a set limit is set to page count and site count once a user hits that limit they are blocked.

    the way it suppose to work is if a user reaches that limit within the fixed amount of time they get blocked but if that rule times out it resets for them to 0.

    EG user 1 has 30 tabs open on my site and decided to refresh them all. they are close to the limit but there is a timer of 5-6 seconds if they hit 50 or more page counts or site counts within those 5-6 seconds they are blocked for a period of time.

    if the timer expires b4 then then there limit resets to 0 thus not blocking them.

    atm it is not working as such.. so i am not sure how to configure it..

    more information about this module can be found here: http://www.helicontech.com/ape/doc/mod_evasive.htm
  3. Floren

    Floren Well-Known Member

    mod_evasive is ineffective, don't put too much hope on it as real DDoS attacks cannot be stopped. Same thing is valid for Nginx or other similar DDoS software. No matter what you do or have in place, is very hard to stop a good DDoS attack unless you have proper hardware infrastructure which costs a lot of money. I remember that CloudFlare learned a lot from the DDoS attacks performed on their infrastructure by hackers, they blogged about it and told everyone how exhausting was on resources. Therefore, don't even bother with those software gimmicks telling you they can stop an attack because they cannot. :)
    whynot likes this.
  4. XxUnkn0wnxX

    XxUnkn0wnxX Active Member

    well i want to at least make things harder for them most attacks that i get are from zombie bot net attacks and they should be simple to block i need modules which detect these attacks such as once a certain amount of concurrent connections are made from a single ip it auto gets black listed and blocked by a fire wall therefore blocking access to the attacker.

    i know about slow iris ans syn attackers i have those covered. but i need something such as mod_evasive to help detect ips that request to many connections and block them instead. yes there will be false positives. but if run on a timer then that is ok.

    i know for a fact a normal user cannot hit 50 concurrent connections within 5 seconds but i bot net attack or regular dos attack could. because from what i studied from the access logs i had multiple ip's with 50 or more connections to my site. and i found this out comparing them with the regular usage of my site. i saw the ip and the infected url the site that was attacking me.

    EG: - - [09/Mar/2014:23:03:29 +1100] "GET / HTTP/1.1" 500 33060 "-" "WordPress/3.7.1; http://www.humanperformanceclinic.com" - - [09/Mar/2014:23:03:29 +1100] "GET / HTTP/1.1" 500 33060 "-" "WordPress/3.8.1; http://runabout.eu" - - [09/Mar/2014:23:03:29 +1100] "GET / HTTP/1.1" 500 33060 "-" "WordPress/3.7.1; http://www.humanperformanceclinic.com" - - [09/Mar/2014:23:03:33 +1100] "GET / HTTP/1.1" 200 33060 "-" "WordPress/3.5; http://catsthatblog.com" - - [09/Mar/2014:23:03:30 +1100] "GET / HTTP/1.1" 200 33060 "-" "WordPress/3.2.1; http://nielsbosma.se" - - [09/Mar/2014:23:03:29 +1100] "GET / HTTP/1.1" 500 33060 "-" "WordPress/3.8.1; http://runabout.eu" - - [09/Mar/2014:23:03:33 +1100] "GET / HTTP/1.1" 200 33060 "-" "WordPress/3.2.1; http://nielsbosma.se" - - [09/Mar/2014:23:03:30 +1100] "GET / HTTP/1.1" 200 33060 "-" "WordPress/3.8.1; http://www.hakkiceylan.com" - - [09/Mar/2014:23:03:31 +1100] "GET / HTTP/1.1" 500 33060 "-" "WordPress/3.7.1; http://www.humanperformanceclinic.com" - - [09/Mar/2014:23:03:29 +1100] "GET / HTTP/1.1" 200 33060 "-" "WordPress/3.4.2; http://crayoncrisis.com" - - [09/Mar/2014:23:03:29 +1100] "GET / HTTP/1.1" 500 33060 "-" "WordPress/3.5; http://catsthatblog.com" - - [09/Mar/2014:23:03:35 +1100] "GET / HTTP/1.1" 500 547 "-" "WordPress/3.2.1; http://www.efrogthemes.com" - - [09/Mar/2014:23:03:30 +1100] "GET / HTTP/1.1" 500 33060 "-" "WordPress/3.7.1; http://www.humanperformanceclinic.com"

    these are infected url's i did a netstat scan and some of them had 50 or more connections from 1 ip.

    so my best guest is why not install a filter that will auto detect this and block such connections if the limit is reached but i need a timer for it to time out so normal members do not get banned for no reason.

    i had to manually block all the ip's i saw in the access log and then my site started to load just fine. so my software firewall works just fine.

    yes true hardware is needed for much stronger attacks but i want to at least block the most common simple basic ones
    Last edited: Mar 10, 2014

Share This Page