Modevasive Howto

From SHellium Wiki


This Feature Is Prohibited

If you attempt to use this on SHellium you will be banned.

DOS Mod Evasive Howto - Modevasive Howto - libapache-mod-evasive Debian Etch


Install dependencies

  • This cannot be run on a SHellium shell.

Install apache2 prefork dev package

apt-get install apache2-prefork-dev

Download the module from Debian

wget http://ftp.de.debian.org/debian/pool/main/liba/libapache-mod-evasive/libapache-mod-evasive_1.10.1.orig.tar.gz
tar zxvf libapache-mod-evasive_1.10.1.orig.tar.gz
cd mod_evasive

Fix Vulnerability

There is a vulnerability in the module: it writes its per-client files into /tmp, a directory every local user can write to, so the files it creates there can be redirected through symlinks planted in advance. If other users have access to the system this could mean big trouble. We will edit the source so it writes its files somewhere else that only the www-data user can read and write.

vi mod_evasive20.c

Find this line in mod_evasive20.c (or mod_evasive.c for Apache 1); it should be line 54:

#define DEFAULT_LOG_DIR         "/tmp"  // Default temp directory

Change it to this

#define DEFAULT_LOG_DIR         "/var/tmp/doslog"  // Default temp directory

Next we will create the /var/tmp/doslog directory and set its ownership and permissions so that www-data is the owner and the only user that can read, write and execute in it:

mkdir /var/tmp/doslog
chown www-data.www-data /var/tmp/doslog
chmod 700 /var/tmp/doslog
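The three commands above are the whole fix, so it is worth being able to verify later that nothing has undone it (a package upgrade recreating the directory, a cleanup job, or a symlink left behind in it). The following audit script is an added example, not part of this howto or of mod_evasive; it checks the directory named by the patched DEFAULT_LOG_DIR for the properties the fix depends on: it is a real directory rather than a symlink, it is owned by the expected user, its mode is 0700, and none of the entries inside it (where mod_evasive writes its dos-<ip> files) is a symlink. The path and owner are parameters; the defaults assume the values used on this page.

```python
"""Audit the private mod_evasive log directory.

Added example (not part of the original howto or of mod_evasive itself).
It checks the properties the /var/tmp/doslog fix relies on: the directory
is a real directory (not a symlink), owned by the expected user, mode
0700, and contains no symlinks where mod_evasive would write dos-<ip>
files. Unix-only (uses the pwd module).
"""
import os
import pwd
import stat


def audit_doslog_dir(path, expected_owner):
    """Return a list of findings; an empty list means the directory is safe."""
    findings = []
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink at the top level
    except FileNotFoundError:
        return [f"{path} does not exist"]

    if stat.S_ISLNK(st.st_mode):
        return [f"{path} is a symlink (would redirect mod_evasive writes)"]
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path} is not a directory"]

    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = str(st.st_uid)
    if owner != expected_owner:
        findings.append(f"owner is {owner}, expected {expected_owner}")

    perm = stat.S_IMODE(st.st_mode)
    if perm != 0o700:
        findings.append(f"mode is {perm:04o}, expected 0700")

    # mod_evasive writes one file per blocked client, named dos-<ip>;
    # a symlink planted under that name would redirect the write.
    for name in sorted(os.listdir(path)):
        entry = os.path.join(path, name)
        if os.path.islink(entry):
            findings.append(f"{name} is a symlink -> {os.readlink(entry)}")
    return findings


if __name__ == "__main__":
    # Defaults match the DEFAULT_LOG_DIR and owner set up in this howto.
    problems = audit_doslog_dir("/var/tmp/doslog", "www-data")
    print("OK" if not problems else "\n".join(problems))
```

Run it as root (or as www-data) after the chmod step and again whenever the server is upgraded; any non-empty output means the directory no longer provides the isolation the source change assumes.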

Build the module

apxs2  -i -a -c mod_evasive20.c

Apache 1 users should do this instead:

apxs  -i -a -c mod_evasive.c

Error during build

If you get an error like the one below, it is because your /etc/apache2/httpd.conf has no LoadModule statements in it:

chmod 644 /usr/lib/apache2/modules/mod_evasive20.so
apxs:Error: Activation failed for custom /etc/apache2/httpd.conf file..
apxs:Error: At least one `LoadModule' directive already has to exist..

Add this to your /etc/apache2/httpd.conf and the module will build correctly.

# Placeholder for future module installations or else modules will fail to build
#LoadModule dummy_module /usr/lib/apache2/modules/mod_dummy.so

After it builds your /etc/apache2/httpd.conf will look like this

# Placeholder for future module installations or else modules will fail to build
#LoadModule dummy_module /usr/lib/apache2/modules/mod_dummy.so
LoadModule evasive20_module   /usr/lib/apache2/modules/mod_evasive20.so

Configuration

Apache2

We want the module to be modular, so we will create the appropriate files for apache2 so that you can enable and disable the module with a2enmod and a2dismod.

Remove the line from the httpd.conf file

vi /etc/apache2/httpd.conf

Remove this

LoadModule evasive20_module   /usr/lib/apache2/modules/mod_evasive20.so

Create the necessary module files

touch /etc/apache2/mods-available/evasive.load
touch /etc/apache2/mods-available/evasive.conf
vi /etc/apache2/mods-available/evasive.load

Put this line in the evasive.load file

LoadModule evasive20_module   /usr/lib/apache2/modules/mod_evasive20.so

Then edit the evasive.conf file

vi /etc/apache2/mods-available/evasive.conf

The evasive.conf file should look like the one below. The IfModule test must name the source file the module was compiled from (mod_evasive20.c, as in the apxs2 command above), otherwise Apache silently skips every directive in the block and the module runs with its built-in defaults.

<IfModule mod_evasive20.c>
       DOSHashTableSize    3097
       DOSPageCount        1
       DOSSiteCount        50
       DOSPageInterval     1
       DOSSiteInterval     1
       DOSBlockingPeriod   10
       DOSEmailNotify      root
#      DOSSystemCommand    "su - someuser -c '/sbin/... %s ...'"
#      DOSLogDir           "/var/tmp/doslog"
#Leave this commented while testing, then uncomment once you are sure the module works
#      DOSWhitelist    127.0.0.1
</IfModule>

Now you can load the module like this:

a2enmod evasive

Run with no argument, a2enmod lists the available modules; a2dismod evasive disables the module again.

Apache1

Add these lines to your /etc/apache/httpd.conf

The block below is written for Apache 2 (matching the source file name mod_evasive20.c); Apache 1 users should replace <IfModule mod_evasive20.c> with <IfModule mod_evasive.c>.

<IfModule mod_evasive20.c>
       DOSHashTableSize    3097
       DOSPageCount        1
       DOSSiteCount        50
       DOSPageInterval     1
       DOSSiteInterval     1
       DOSBlockingPeriod   10
       DOSEmailNotify      root
#      DOSSystemCommand    "su - someuser -c '/sbin/... %s ...'"
       DOSLogDir           "/var/tmp/doslog"
#Leave this commented while testing, then uncomment once you are sure the module works
#      DOSWhitelist    127.0.0.1
</IfModule>

Table

Below is a table explaining what each directive means.

  • DOSHashTableSize: The hash table size defines the number of top-level nodes for each child's hash table. Increasing this number will provide faster performance by decreasing the number of iterations required to get to the record, but consumes more memory for table space.
  • DOSPageCount: This is the threshold for the number of requests for the same page (or URI) per page interval. Once the threshold for that interval has been exceeded, the IP address of the client will be added to the blocking list.
  • DOSSiteCount: This is the threshold for the total number of requests for any object by the same client on the same listener per site interval.
  • DOSPageInterval: The interval for the page count threshold; defaults to 1 second intervals.
  • DOSSiteInterval: The interval for the site count threshold; defaults to 1 second intervals.
  • DOSBlockingPeriod: The blocking period is the amount of time (in seconds) that a client will be blocked for if they are added to the blocking list. During this time, all subsequent requests from the client will result in a 403 (Forbidden) and the timer being reset (e.g. another 10 seconds).
  • DOSEmailNotify: If this value is set, an email will be sent to the address specified whenever an IP address becomes blacklisted. A lock file in the log directory (/tmp by default, /var/tmp/doslog after the change above) prevents continuous emails from being sent.
  • DOSSystemCommand: If this value is set, the system command specified will be executed whenever an IP address becomes blacklisted. This is designed to enable system calls to ip filter or other tools.
  • DOSLogDir: Choose an alternative temp directory; the default is /tmp.
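The interaction between the counters and the blocking period is easier to see by replaying a burst of requests against a model of the rules in the table. The model below is an added example written for this page; it is not mod_evasive's C code, and its bookkeeping is deliberately simpler (each counter runs in a fixed window measured from the first hit, whereas the module keeps its own per-record timestamps), so treat the numbers as illustrative rather than as a test of the real module. The parameters carry the directive names from evasive.conf; run_scenario() uses the values configured on this page (DOSPageCount 1, DOSBlockingPeriod 10) against a constructed request timeline for one client address.

```python
"""Model of the mod_evasive thresholds described in the table above.

Added example for this page, not the module's own code: an in-memory
model of the per-page and per-site counters and the blocking list, with
evasive.conf directive names as parameters. Times are seconds (float).
"""


class EvasiveModel:
    def __init__(self, page_count=2, site_count=50, page_interval=1,
                 site_interval=1, blocking_period=10, whitelist=()):
        self.page_count = page_count          # DOSPageCount
        self.site_count = site_count          # DOSSiteCount
        self.page_interval = page_interval    # DOSPageInterval
        self.site_interval = site_interval    # DOSSiteInterval
        self.blocking_period = blocking_period  # DOSBlockingPeriod
        self.whitelist = set(whitelist)       # DOSWhitelist
        self.blocked = {}     # ip -> time of the last request while blocked
        self.page_hits = {}   # (ip, uri) -> (count, window_start)
        self.site_hits = {}   # ip -> (count, window_start)

    def _bump(self, table, key, now, interval, limit):
        """Count one hit in a fixed window; True once the limit is exceeded."""
        count, start = table.get(key, (0, now))
        if now - start >= interval:       # window expired: start a new one
            count, start = 0, now
        count += 1
        table[key] = (count, start)
        return count > limit

    def request(self, ip, uri, now):
        """Return the status the model would answer with: 200 or 403."""
        if ip in self.whitelist:          # whitelisted clients are never counted
            return 200
        last = self.blocked.get(ip)
        if last is not None:
            if now - last < self.blocking_period:
                self.blocked[ip] = now    # every hit while blocked resets the timer
                return 403
            del self.blocked[ip]          # blocking period has elapsed
        over_page = self._bump(self.page_hits, (ip, uri), now,
                               self.page_interval, self.page_count)
        over_site = self._bump(self.site_hits, ip, now,
                               self.site_interval, self.site_count)
        if over_page or over_site:
            self.blocked[ip] = now        # add to the blocking list
            return 403
        return 200


def run_scenario():
    """Replay this page's evasive.conf values against a constructed burst."""
    m = EvasiveModel(page_count=1, site_count=50, page_interval=1,
                     site_interval=1, blocking_period=10)
    # Constructed timeline: one client hammering "/" then retrying later.
    events = [(0.0, "/"), (0.2, "/"), (0.4, "/"),
              (5.0, "/"), (14.9, "/"), (25.0, "/")]
    return [m.request("10.0.0.5", uri, t) for t, uri in events]


if __name__ == "__main__":
    print(run_scenario())   # [200, 403, 403, 403, 403, 200]
```

The request at 14.9 s is instructive: it arrives more than 10 s after the client was first blocked, yet it is still refused, because the request at 5.0 s restarted the blocking timer. A client that keeps retrying therefore stays blocked indefinitely, which is the intended behaviour of DOSBlockingPeriod and the reason the test script below ends in a run of 403s.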

Testing modevasive

Your mod_evasive module is now installed and configured. Restart Apache:

/etc/init.d/apache2 restart

Now you can test the module by running the test.pl script included in the mod_evasive folder:

perl test.pl

The reply should look like this

perl test.pl
HTTP/1.1 200 OK 
HTTP/1.1 200 OK 
HTTP/1.1 200 OK 
HTTP/1.1 200 OK 
HTTP/1.1 403 Forbidden 
HTTP/1.1 403 Forbidden

A file named after the blocked IP address will be written in /var/tmp/doslog, and there will be a log message in your /var/log/syslog file:

XXX XX XX:XX:XX localhost mod_evasive[26344]: Blacklisting address 127.0.0.1: possible DoS attack.

ls /var/tmp/doslog
dos-127.0.0.1
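The syslog line above is the one record of a block that survives after the dos-<ip> file is cleaned up, so it is the natural thing to watch. The script below is an added example, not part of this page or of mod_evasive: it parses "Blacklisting address" lines in the syslog format shown above, aggregates them per client address, and flags any entry for an address you expect to be whitelisted (127.0.0.1 here), since a block logged for such an address means the DOSWhitelist line is still commented out or is not taking effect. The sample log lines are constructed for the example; the dates, hostnames and addresses in them are made up.

```python
"""Summarise mod_evasive blacklisting events from syslog.

Added example, not part of the original page: parses the
"Blacklisting address" line mod_evasive writes to syslog and
aggregates it per source IP.
"""
import re

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"mod_evasive\[(?P<pid>\d+)\]: Blacklisting address "
    r"(?P<ip>[0-9A-Fa-f.:]+): possible DoS attack\.$"
)

# Constructed sample lines in the syslog format shown above (made-up dates,
# hosts and addresses); the sshd line is noise the parser must ignore.
SAMPLE_SYSLOG = """\
Mar 14 10:02:11 localhost mod_evasive[26344]: Blacklisting address 127.0.0.1: possible DoS attack.
Mar 14 10:02:12 localhost sshd[1023]: Accepted publickey for admin from 10.0.0.9 port 51514 ssh2
Mar 14 10:02:13 localhost mod_evasive[26344]: Blacklisting address 203.0.113.7: possible DoS attack.
Mar 14 10:02:25 localhost mod_evasive[26344]: Blacklisting address 203.0.113.7: possible DoS attack.
Mar 14 10:03:40 localhost mod_evasive[26345]: Blacklisting address 203.0.113.7: possible DoS attack.
Mar 14 10:03:41 localhost mod_evasive[26345]: Blacklisting address 198.51.100.2: possible DoS attack.
"""


def parse_blacklist_events(text):
    """Yield (timestamp, ip) for every mod_evasive blacklisting line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("ip")


def summarise(text, whitelist=("127.0.0.1",)):
    """Return {ip: {"count", "first", "last", "whitelisted"}} per blocked client.

    "whitelisted" is True when the address should never have been blocked,
    i.e. the DOSWhitelist entry for it is missing or not in effect.
    """
    out = {}
    for ts, ip in parse_blacklist_events(text):
        rec = out.setdefault(ip, {"count": 0, "first": ts, "last": ts,
                                  "whitelisted": ip in whitelist})
        rec["count"] += 1
        rec["last"] = ts      # lines are in log order, so the last seen wins
    return out


if __name__ == "__main__":
    for ip, rec in summarise(SAMPLE_SYSLOG).items():
        flag = "  <- whitelisted address was blocked" if rec["whitelisted"] else ""
        print(f"{ip:16} {rec['count']:3} blocks {rec['first']} .. {rec['last']}{flag}")
```

To use it on a real server, feed it the contents of /var/log/syslog (for example `summarise(open("/var/log/syslog").read())`) and extend the whitelist tuple with whatever addresses you put in DOSWhitelist once testing is finished.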

If you need more information read the files inside the mod_evasive directory. They are very thorough and helpful.
