Installation Method:
1. Download the compressed package in the attachment, decompress it, and copy mod_dosevasive22.dll to the modules directory under the Apache installation directory (another directory also works, but you then need to adjust the path yourself).
2. Modify the Apache configuration file httpd.conf.
Add the following content:
LoadModule dosevasive22_module modules/mod_dosevasive22.dll
DOSHashTableSize 3097
DOSPageCount 3
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
In this configuration:
DOSHashTableSize 3097: size of the hash table used to record the blacklist.
DOSPageCount 3: number of requests for the same page, within the page interval, that is treated as a DoS attack.
DOSSiteCount 50: number of requests for objects anywhere on the site, within the site interval, that is treated as a DoS attack.
DOSPageInterval 1: page interval, in seconds.
DOSSiteInterval 1: site interval, in seconds.
DOSBlockingPeriod 10: blocking period, in seconds.
Mod_dosevasive v1.10
What is mod_dosevasive?
Mod_dosevasive is an Apache module that provides protection against HTTP DoS/DDoS attacks and brute-force attacks. It can also be used as a network detection and management tool. With simple configuration it can work together with ipchains, firewalls, routers, and other devices. Reports are sent by email or to the system log.
Attacks are detected by building an internal dynamic hash table of IP addresses and URIs, and blocking an IP address in any of the following situations:
1. Multiple requests to the same page in the same second
2. More than 50 concurrent requests on the same child
3. Any request from an IP address that is on the blacklist
This method works well against both single-source and distributed attacks, but like other tools of this kind it only helps up to the point where network bandwidth and processor capacity are consumed. This is why we recommend that you use it together with your firewall and routers, because this will provide maximum protection.
This module has a built-in filtering mechanism and threshold settings to deal with different situations, so legitimate requests will not be blocked. Even a user who repeatedly clicks "refresh" will not be affected, unless he does it on purpose. Mod_dosevasive is configured in the Apache configuration file. It is easy to integrate with your web server and easy to use.
DOSHashTableSize
----------------
The size of the hash table determines the number of top-level nodes in each child's hash table. A larger table makes lookups faster but occupies more memory; if your server needs to handle a lot of traffic, increase it. The value you specify will automatically be tiered up to the next prime number in the primes list (see mod_dosevasive.c for a list of primes used).
DOSPageCount
------------
Specifies the threshold for the number of requests for the same page (URI) per page interval. If the threshold is exceeded, the client IP address is blacklisted.
DOSSiteCount
------------
Specifies the threshold for the number of requests for objects on the site per site interval. Once the threshold is exceeded, the client IP address is blacklisted.
DOSPageInterval
---------------
The interval used for the page count threshold. The default value is 1 second.
DOSSiteInterval
---------------
The interval used for the site count threshold. The default value is 1 second.
DOSBlockingPeriod
-----------------
The blocking period specifies how long an IP address stays blocked once it is blacklisted. During this period, the client receives a 403 (Forbidden) error for every request and the timer is reset. Because every request from a blacklisted address restarts the timer, the period does not need to be large. During a DoS attack, the timer will keep being reset.
DOSEmailNotify
--------------
If this option is set, an email notification is sent each time an IP address is blacklisted. A built-in mechanism prevents repeated notifications.
Note: Make sure that the mailer is configured correctly in mod_dosevasive.c (or mod_dosevasive20.c).
The default configuration is "/bin/mail -t %s".
%s is the destination address of the email. If you are running Linux or another operating system with a different mailer, you need to modify this.
DOSSystemCommand
----------------
If this item is set, the specified system command is executed whenever an IP address is blacklisted. It is designed so that IP filters and other tools can be invoked while under attack. A built-in mechanism avoids repeated responses to the same attack.
Use %s to denote the blacklisted IP address.
DOSLogDir
---------
Log (temporary) directory.
By default "/tmp" will be used for the locking mechanism, which opens some security issues if your system is open to shell users.
If you have non-privileged shell users, you should create a directory writable only by the user the Apache server runs as (usually root) and set it in httpd.conf.
WHITELISTING IP ADDRESSES
A trusted IP address (whitelist) mechanism is provided as of version 1.8.
IP addresses on the trusted list will never be blocked. This feature is mainly intended to protect software, scripts, local search bots, and other automated tools from being blocked when they request large amounts of resources from the server.
Do not use it to add customers or other classes of users, because this will prevent the module from working properly.
In the Apache configuration file, add entries in the following format to the trusted IP list (IP ranges are allowed):
DOSWhitelist 127.0.0.1
DOSWhitelist 127.0.0.*
Wildcards can be used for up to the last three octets of an IP address, and the DOSWhitelist directive can be repeated as many times as needed.
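The following Python sketch is an added example, not mod_dosevasive source code and not part of the original article. It models the counting rules described above for the sample directive values and shows how each request during the blocking period restarts the timer. The class and method names are hypothetical, the model assumes an address is blocked on the first request that exceeds a count, and whitelist matching with fnmatch is an approximation.

```python
from fnmatch import fnmatch

class EvasiveModel:
    """Simplified model of the page/site counters (hypothetical names)."""

    def __init__(self, page_count=3, site_count=50, page_interval=1,
                 site_interval=1, blocking_period=10, whitelist=()):
        self.page_count, self.page_interval = page_count, page_interval
        self.site_count, self.site_interval = site_count, site_interval
        self.blocking_period = blocking_period
        self.whitelist = whitelist   # DOSWhitelist patterns
        self.hits = {}      # (ip, uri) or (ip, None) -> (window_start, count)
        self.blocked = {}   # ip -> time of the most recent blocked request

    def _over(self, key, now, limit, interval):
        start, count = self.hits.get(key, (now, 0))
        if now - start >= interval:      # interval elapsed: start a new window
            start, count = now, 0
        count += 1
        self.hits[key] = (start, count)
        return count > limit             # assumption: block when count is exceeded

    def request(self, ip, uri, now):
        """Return the HTTP status the model gives a request at time `now` (s)."""
        if any(fnmatch(ip, pat) for pat in self.whitelist):
            return 200                   # whitelisted: never counted or blocked
        last = self.blocked.get(ip)
        if last is not None and now - last < self.blocking_period:
            self.blocked[ip] = now       # each hit while blocked resets the timer
            return 403
        page = self._over((ip, uri), now, self.page_count, self.page_interval)
        site = self._over((ip, None), now, self.site_count, self.site_interval)
        if page or site:
            self.blocked[ip] = now       # blacklisted from this moment
            return 403
        return 200

if __name__ == "__main__":
    m = EvasiveModel(whitelist=("127.0.0.*",))
    ip = "203.0.113.5"                   # constructed sample client address
    for t in (0, 0, 0, 0, 5, 12, 22):    # constructed request times, in seconds
        print(t, m.request(ip, "/index.html", t))
```

In the constructed run, the request at 12 seconds is still refused although the original 10-second block would have expired, because the request at 5 seconds restarted the timer.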
TWEAKING APACHE
The keep-alive settings should be reasonable enough to withstand the attack (or at least part of it). Even so, 5-10 pages may still be served before the attack is blocked.
Therefore, you must set MaxRequestsPerChild high enough, but not unlimited: it must be a non-zero number. The default value of MaxRequestsPerChild is 10000. This will let a small number of attack requests through, but if you combine it with a strong firewall, the protection will be seamless.
TESTING
Run test.pl to test whether the installation is successful. If the server is not localhost, modify the server address field. If it is successful, you will receive a 403 Forbidden reply after 25-50 requests (depending on your configuration).
From a blog
Mod_dosevasive22.dll: http://up.2cto.com/2012/0302/20120302011328695.zip