mod_evasive is a nice Apache module that helps to protect your server against DoS attacks.
However, when a client is blocked, it will keep on using resources on your server. Even if the request will result in a 403 error, it’s still a connection that needs to be handled. In some cases, it might require spawning a new process for no good reason.
It’s quite easy to configure mod_evasive so that the evil IPs are blocked via the machine firewall, though:
# ...your other settings...
DOSSystemCommand "sudo /root/scripts/ban_ip.sh %s"
</IfModule>
You could put an iptables command there, but I prefer to use a small script because it’s easier to maintain. Also I don’t want to block the IP until the end of time 🙂 So, I use this:
IP=$1
IPTABLES=/sbin/iptables
$IPTABLES -A banned -s $IP -p TCP --dport 80 -j DROP
echo "$IPTABLES -D banned -s $IP -p TCP --dport 80 -j DROP" | at now + 2 hours
Don’t forget to grant the permission to run the script to the account used by apache. My sudoers config contains:
And here’s the result, on a busy server victim of some abuse:
Red means “system time”, blue is “user time”. The green arrow marks the time when I configured it to use iptables.
Hello , can you make it more simple to install this script for centos 5.8 for an not so advanced user ?
Thanks in advance really great post 🙂 !
http://library.linode.com/web-servers/apache/mod-evasive?format=source contains the isntructions to install mod_evasive on CentOS.
Once that is done, it’s just a matter of editing a few files, I’m not sure how I could make it simpler…
Sorry i didn’t make my self clear, i’ve already installed it , i know how to do it..
i am stuck here :
#!/bin/sh
IP=$1
IPTABLES=/sbin/iptables
$IPTABLES -A banned -s $IP -p TCP –dport 80 -j DROP
echo “$IPTABLES -D banned -s $IP -p TCP –dport 80 -j DROP” | at now + 2 hours ” >>>>
i create this script and name it as “/root/scripts/ban_ip.sh” OK ?
Then i am stuck here :
Don’t forget to grant the permission to run the script to the account used by apache. My sudoers config contains:
www-data ALL=(ALL) NOPASSWD: /root/scripts/ban_ip.sh”
I rerally need some help on that.. I mean do what ? chown that file as apache ?
please explain the steps to do that…
Thanks for helping me Simone 🙂
sdj
you can use the visudo command to edit the sudoers file (where you need to add that line, or a similar line if apache runs using a different user on your system). Check http://wiki.centos.org/TipsAndTricks/BecomingRoot
Also, note that the iptables commands are using a “banned” chain that doesn’t usually exist. I set it up using something along the lines of:
iptables -N banned
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -j banned
before every other rule (it should be one of the first rules in your INPUT chain). Anyway, if you’re not familiar with firewall rules, you should look for some tutorials and documentation to study a bit.
Dude isn’t it big security risk to add www-data to sudoers group?
Well, it’s limited to a specific script. It seems to me that even if www-data gets compromised, the only privileged operation an attacker could do is to add some extra IP’s to the blacklist.
In that unwelcome case, the attacker could probably do more harm with what he can already access (think of db credentials used by web apps…)
I just can’t get this working. DOSSystemCommand doesn’t run it seems. It won’t even output to a text file or set the iptables rule directly.
Strange.
perhaps the user which your apache uses cannot access the command. You can try su’ing as that user and trying the command by hand, to see if you spot the error.