Installing an anti-DDoS extension module on Apache 2.4.4 (httpd 2.4.4)

Source: Internet
Author: User
Tags modsecurity

First, let's look at the annotated configuration file:
========================================================== ======================================
DOSHashTableSize 3097     size of the hash table.
DOSPageCount 5            number of requests the same client may make for the same page within the page interval; if exceeded, a 403 is returned.
DOSSiteCount 80           number of concurrent connections from the same client within the site interval (80 here); if exceeded, a 403 is returned. Set it according to the site's needs; an FTP download site or an image resource site may need a larger value.
DOSPageInterval 2         counting interval for the same page
DOSSiteInterval 2         counting interval for the whole site
DOSBlockingPeriod 600     the client is blocked for 600 seconds

DOSLogDir "/var/log/mod_evasive"   location where log files are stored.

# DOSWhitelist 127.0.0.1
# DOSWhitelist 192.168.0.*   this is the whitelist; IP addresses listed here are not restricted.
[root@102 ~]# touch /var/log/mod_evasive

The procedure is as follows:
# wget http://www.zdziarski.com/blog/wp-content/uploads/2010/02/mod_evasive_1.10.1.tar.gz
# tar zxvf mod_evasive_1.10.1.tar.gz
# cd mod_evasive
# vim mod_evasive20.c (set the log directory before installing: this module cannot change the log directory through its configuration, so set the values you actually want before compiling)
/*
#define DEFAULT_HASH_TBL_SIZE 3097ul // Default hash table size
#define DEFAULT_PAGE_COUNT 2 // Default maximum page hit count per interval
#define DEFAULT_SITE_COUNT 50 // Default maximum site hit count per interval
#define DEFAULT_PAGE_INTERVAL 1 // Default 1 second page interval
#define DEFAULT_SITE_INTERVAL 1 // Default 1 second site interval
#define DEFAULT_BLOCKING_PERIOD 10 // Default for detected IPs; blocked for 10 seconds
#define DEFAULT_LOG_DIR "/tmp" // Default temp directory
*/

#define DEFAULT_HASH_TBL_SIZE 6195ul // Default hash table size
#define DEFAULT_PAGE_COUNT 2 // Default maximum page hit count per interval
#define DEFAULT_SITE_COUNT 50 // Default maximum site hit count per interval
#define DEFAULT_PAGE_INTERVAL 1 // Default 1 second page interval
#define DEFAULT_SITE_INTERVAL 1 // Default 1 second site interval
#define DEFAULT_BLOCKING_PERIOD 500 // Default for detected IPs; blocked for 500 seconds
#define DEFAULT_LOG_DIR "/usr/local/apache2/logs" // Default log directory

Install using the apxs under your actual Apache path (/usr/local/apache2/bin/apxs -i -c mod_evasive20.c or /usr/local/apache2/bin/apxs -i -a -c ./mod_evasive20.c)

The latter is used here:
/usr/local/apache2/bin/apxs -i -a -c ./mod_evasive20.c

Unfortunately, the following error occurs:

./mod_evasive20.c: In function 'access_checker':
./mod_evasive20.c:142: error: 'conn_rec' has no member named 'remote_ip'
./mod_evasive20.c:146: error: 'conn_rec' has no member named 'remote_ip'
./mod_evasive20.c:158: error: 'conn_rec' has no member named 'remote_ip'
./mod_evasive20.c:165: error: 'conn_rec' has no member named 'remote_ip'
./mod_evasive20.c:180: error: 'conn_rec' has no member named 'remote_ip'
./mod_evasive20.c:187: error: 'conn_rec' has no member named 'remote_ip'
./mod_evasive20.c:208: error: 'conn_rec' has no member named 'remote_ip'
./mod_evasive20.c:212: warning: implicit declaration of function 'getpid'
./mod_evasive20.c:215: error: 'conn_rec' has no member named 'remote_ip'
./mod_evasive20.c:221: error: 'conn_rec' has no member named 'remote_ip'
./mod_evasive20.c:222: error: 'conn_rec' has no member named 'remote_ip'
./mod_evasive20.c:228: error: 'conn_rec' has no member named 'remote_ip'
apxs:Error: Command failed with rc=65536

I searched Baidu and Google for a long time.

Go to lines 142, 146, 158, 165, 180, 187, 208, 212, and 215 of the mod_evasive20.c file.

Change each remote_ip there to client_ip (Apache 2.4 renamed the remote_ip member of conn_rec to client_ip), then save the file and reinstall.

The following information is displayed to prove that everything is successfully installed:

Libraries have been installed in:
   /usr/local/apache2/modules

If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the '-LLIBDIR'
flag during linking and do at least one of the following:
   - add LIBDIR to the 'LD_LIBRARY_PATH' environment variable
     during execution
   - add LIBDIR to the 'LD_RUN_PATH' environment variable
     during linking
   - use the '-Wl,-rpath -Wl,LIBDIR' linker flag
   - have your system administrator add LIBDIR to '/etc/ld.so.conf'

See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
----------------------------------------------------------------------
chmod 755 /usr/local/apache2/modules/mod_evasive20.so

Note: apxs is the tool used to compile modules. If Apache came from a system package, apxs is generally in the /usr/sbin directory. If you compiled and installed Apache (httpd) yourself, specify the path yourself.
After the installation is complete, a line is added by default to the /usr/local/apache2/conf/httpd.conf file.

<IfModule mod_ssl.c>
Include conf/ssl.conf
</IfModule>

vi /usr/local/apache2/conf/httpd.conf
LoadModule evasive20_module modules/mod_evasive20.so
<IfModule mod_evasive20.c>
DOSHashTableSize 6195
DOSSiteCount 50
DOSPageCount 2
DOSPageInterval 1
DOSSiteInterval 1

DOSBlockingPeriod 10

DOSLogDir "/usr/local/apache2/logs"
# Whitelist
DOSWhitelist 127.0.0.1
DOSWhitelist 127.0.0.*
</IfModule>

Then restart Apache.

Parameter description:
DOSHashTableSize 3097: defines the size of the hash table.
DOSPageCount 2: the number of times the client is allowed to access the same page within the page interval.
DOSSiteCount 50: the maximum number of concurrent connections allowed for the client.
DOSPageInterval 1: the interval for the page access counter.
DOSSiteInterval 1: the interval for the full-site access counter.
DOSBlockingPeriod 10: how long access is denied after the client is added to the blacklist.
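
How the thresholds described above interact, as an added example that is not code from mod_evasive or from the original page: a simplified Python model of the per-page counter, the per-site counter and the blocking period, using the httpd.conf values shown earlier. The class and function names are hypothetical, the traffic is constructed, and the real module's exact counting may differ by one request; as in the module's documented behaviour, a request from a blocked client restarts its blocking period.

```python
# Simplified model of the mod_evasive thresholds (added example, not the module's C code).
from fnmatch import fnmatch

class EvasiveModel:
    def __init__(self, page_count=2, page_interval=1, site_count=50,
                 site_interval=1, blocking_period=10, whitelist=("127.0.0.*",)):
        # Defaults mirror the httpd.conf values used on this page.
        self.page = (page_count, page_interval)
        self.site = (site_count, site_interval)
        self.blocking_period = blocking_period
        self.whitelist = whitelist
        self.hits = {}      # counter key -> (time of last hit, hits in current interval)
        self.blocked = {}   # client IP -> time of its most recent denied request

    def _over_limit(self, key, now, limit, interval):
        last, count = self.hits.get(key, (now, 0))
        if now - last >= interval:      # quiet for a full interval: start counting again
            count = 0
        self.hits[key] = (now, count + 1)
        return count >= limit           # earlier hits already used up the allowance

    def check(self, ip, uri, now):
        """Return the HTTP status the model gives this request (200 or 403)."""
        if any(fnmatch(ip, pattern) for pattern in self.whitelist):
            return 200
        if ip in self.blocked and now - self.blocked[ip] < self.blocking_period:
            self.blocked[ip] = now      # each denied request restarts the timer
            return 403
        over_page = self._over_limit((ip, uri), now, *self.page)
        over_site = self._over_limit((ip, None), now, *self.site)
        if over_page or over_site:
            self.blocked[ip] = now
            return 403
        return 200

def replay(events, model=None):
    """events: iterable of (ip, uri, time_in_seconds); returns the list of statuses."""
    model = model or EvasiveModel()
    return [model.check(ip, uri, t) for ip, uri, t in events]

# Constructed sample traffic (documentation addresses, not taken from the page).
SAMPLE = [("192.0.2.10", "/index.html", 0)] * 3 + [
    ("192.0.2.10", "/index.html", 5),    # retry while blocked: timer restarts
    ("192.0.2.10", "/index.html", 14),   # 9 s after the last denial: still blocked
    ("192.0.2.10", "/index.html", 25),   # 11 s of silence: allowed again
    ("127.0.0.1", "/index.html", 25),    # whitelisted by 127.0.0.*
]

if __name__ == "__main__":
    print(replay(SAMPLE))
```

A client that keeps retrying stays blocked well past DOSBlockingPeriod, which is why a short period such as 10 seconds can still hold off a persistent flood.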
IV. Test and verify mod_evasive
You can test with the Apache ab tool or with the test.pl script in the directory unpacked from the mod_evasive archive.
ab tool: ab -n 1000 -c 50 http://www..bz/
Perl: perl test.pl

The following is a simple simulated concurrency test using the Apache built-in test tool.

/usr/local/apache2/bin/ab -n10000 -c1000 http://2**.25*.**.**/phpinfo123151.php
This is ApacheBench, Version 2.3 <$Revision: 1430300 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking 2**.25*.**.** (be patient)
Completed 1000 requests
Completed 2000 requests
Completed 3000 requests
Completed 4000 requests
Completed 5000 requests
Completed 6000 requests
Completed 7000 requests
Completed 8000 requests
Completed 9000 requests
Completed 10000 requests
Finished 10000 requests

Server Software:        Apache
Server Hostname:        2**.25*.**.**
Server Port:            80

Document Path:          /phpinfo123151.php
Document Length:        219 bytes

Concurrency Level:      1000
Time taken for tests:   3.934 seconds
Complete requests:      10000
Failed requests:        8
   (Connect: 0, Receive: 0, Length: 8, Exceptions: 0)
Write errors:           0
Non-2xx responses:      9992
Total transferred:      4273472 bytes
HTML transferred:       2633120 bytes
Requests per second:    2542.04 [#/sec] (mean)
Time per request:       393.385 [ms] (mean)
Time per request:       0.393 [ms] (mean, across all concurrent requests)
Transfer rate:          1060.87 [Kbytes/sec] received

Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:        0    9  14.9      3      83
Processing:     2  157 432.0     20    3018
Waiting:        0  151 432.8     14    3018
Total:          4  166 438.8     25    3098

Percentage of the requests served within a certain time (ms)
  50%     25
  66%     31
  75%     35
  80%     39
  90%    446
  95%   1461
  98%   1708
  99%   2382
 100%   3098 (longest request)

The following is a test on another machine:

D:\apmserv5.2.6\apache\bin>ab.exe -n10000 -c1000 http://192.168.1.104/

This is ApacheBench, Version 2.3 <$Revision: 655654 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licens

http://192.168.1.104/

The result is:
Forbidden
You don't have permission to access / on this server.
Apache/2.0.59 (Unix) PHP/5.2.6 Server at 192.168.1.104 Port 80

On this machine:
root@192.168.1.104:~ curl "http://192.168.1.104/"
...
<title>Test Page for Apache Installation</title>
...
Still normal, which indicates that the module is working.
The log folder is not found, and this is probably a permission problem, so:
chmod -R 777 /usr/local/apache2/logs/
(Mode 777 makes the log directory writable by every local user; granting write access only to the account Apache runs as is the narrower fix.)
Run the test again:
The output of tail -f /usr/local/apache/logs/error_log is as follows:
[Mon Jan 10 13:16:45 2011] [error] [client 192.168.1.94] client denied by server configuration: /usr/local/apache/htdocs/logo.png

root@192.168.1.104:~ /usr/local/apache2/logs # ls
dos-192.168.1.101
Local test:
root@192.168.1.104:~ /usr/local/apache2/bin # ./ab -n10000 -c1000 http://192.168.1.104/
Then let's look at the page:
root@192.168.1.104:~ /usr/local/apache2/bin # curl "http://192.168.1.104/"
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /
on this server.</p>
<hr>
<address>Apache/2.0.59 (Unix) PHP/5.2.6 Server at 192.168.1.104 Port 80</address>
</body></html>
Check the logs, which are in the /usr/local/apache/logs/ directory on the server.
A file like dos-192.168.1.94 is generated [the name is generally dos- followed by the IP address], as follows:
ls /usr/local/apache/logs/
dos-192.168.1.101 dos-192.168.1.104
One more log file has appeared:
dos-192.168.1.104
Let's look at the error log again:
The output of tail -f /usr/local/apache2/logs/error_log is as follows: [Note: the error log is in apache2/logs, under apache2]
bogon:/usr/local/apache/logs # tail /usr/local/apache2/logs/error_log
[Tue Aug 23 07:00:26 2011] [error] [client 192.168.1.104] client denied by server configuration: /usr/local/apache2/htdocs/
[Tue Aug 23 07:00:26 2011] [error] [client 192.168.1.104] client denied by server configuration: /usr/local/apache2/htdocs/
...
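
The log check described above, as an added example that is not part of the original page: a Python function that tallies the "client denied by server configuration" lines per client and marks which clients also have a dos-<IP> file in the log directory (file names matched case-insensitively). Apache's own host-based access control logs the same message, so the dos-<IP> file is what ties a denial to mod_evasive; the function names and the sample input are constructed for illustration.

```python
# Added example: tally denial lines per client and note which clients have a dos-<ip> file.
import re

# Error-log layout as shown on this page (Apache 2.0/2.2 style); other versions differ.
DENIED = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] "
    r"client denied by server configuration:\s*(?P<path>\S+)", re.IGNORECASE)
LOCK = re.compile(r"^dos-(?P<ip>[0-9a-f.:]+)$", re.IGNORECASE)

def summarize(log_lines, logdir_names):
    """Return {ip: summary} for every client seen in the log or in a dos-<ip> file name."""
    report = {}

    def entry(ip):
        return report.setdefault(ip, {"denied": 0, "first": None, "last": None,
                                      "paths": set(), "lock_file": False})

    for line in log_lines:
        m = DENIED.match(line.strip())
        if not m:
            continue                          # unrelated log line
        e = entry(m["ip"])
        e["denied"] += 1
        e["first"] = e["first"] or m["ts"]    # log lines are already in time order
        e["last"] = m["ts"]
        e["paths"].add(m["path"])
    for name in logdir_names:
        m = LOCK.match(name)
        if m:
            entry(m["ip"])["lock_file"] = True
    return report

# Constructed sample input, modelled on the log lines and file names shown above.
SAMPLE_LOG = [
    "[Mon Jan 10 13:16:45 2011] [error] [client 192.168.1.94] client denied by server configuration: /usr/local/apache/htdocs/logo.png",
    "[Tue Aug 23 07:00:25 2011] [notice] Apache configured -- resuming normal operations",
    "[Tue Aug 23 07:00:26 2011] [error] [client 192.168.1.104] client denied by server configuration: /usr/local/apache2/htdocs/",
    "[Tue Aug 23 07:00:27 2011] [error] [client 192.168.1.104] client denied by server configuration: /usr/local/apache2/htdocs/",
]
SAMPLE_DIR = ["access_log", "error_log", "dos-192.168.1.101", "dos-192.168.1.104"]

if __name__ == "__main__":
    for ip, s in sorted(summarize(SAMPLE_LOG, SAMPLE_DIR).items()):
        print(ip, s["denied"], s["lock_file"], s["first"], s["last"])
```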

========================================================== ======================================
The following is from another author; if the above is unclear, read it as well. The source is:

http://hi.baidu.com/suantop/blog/item/33f392a423bbbbe59152ee01.html

Installing modsecurity (mod_security can enhance Apache security, especially against SQL injection):
# tar zxvf modsecurity-apache-1.9.tar.gz
# cd modsecurity-apache-1.9/apache2/
# /apache2/bin/apxs -cia mod_security.c

Open httpd.conf and check whether it contains
LoadModule security_module modules/mod_security.so
If not, add it.

Add a configuration section for mod_security

<IfModule mod_security.c>
SecFilterEngine On
SecFilterCheckURLEncoding On
SecFilterDefaultAction "deny,log,status:500"
#SecFilterForceByteRange 32 126
#SecFilterScanPOST On
SecAuditLog logs/audit_log
###
SecFilter "\.\./"
#####
SecFilter /etc/*passwd
SecFilter /bin/*sh

# For CSS attack
SecFilter "<( |\n)*script"
SecFilter "<(.|\n)+>"
# For SQL attack
SecFilter "delete[ ]+from"
SecFilter "insert[ ]+"
SecFilter "select.+from"
SecFilter "union[ ]+from"
SecFilter "drop[ ]"
</IfModule>
