Since my mail server also offers webmail access, I am going to protect that as well, using fail2ban for Apache. For fail2ban to have logs to analyse, it helps to add mod_evasive to Apache.
Here is one nice explanation about what mod_evasive is for : link
And here is a good installation : link
Installation :
# yum install httpd-devel
# wget http://www.zdziarski.com/blog/wp-content/uploads/2010/02/mod_evasive_1.10.1.tar.gz
# tar xvfz mod_evasive_1.10.1.tar.gz
# cd mod_evasive
# apxs -cia mod_evasive20.c
# chmod 755 /usr/lib/httpd/modules/mod_evasive20.so
Connecting it with Apache is done in the /etc/httpd/conf/httpd.conf file :
LoadModule evasive20_module /usr/lib/httpd/modules/mod_evasive20.so
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 60
DOSEmailNotify admin-postmaster@moj.domen
DOSLogDir /var/log/httpd/mod_evasive
Check the syntax :
# service httpd configtest
Syntax OK
And restart.

How to test mod_evasive? On a convenient Linux machine, put the following script :
## test.pl: small script to test mod_dosevasive's effectiveness
use IO::Socket;
use strict;
for (0..100) {
    my ($response);
    # PeerAddr is empty in this post: set it to your own web server's host:port
    my ($SOCKET) = new IO::Socket::INET( Proto => "tcp",
                                         PeerAddr => "");
    if (! defined $SOCKET) { die $!; }
    print $SOCKET "GET /?$_ HTTP/1.0\n\n";
    $response = <$SOCKET>;    # first line of the reply, i.e. the status line
    print $response;
    close($SOCKET);
}

When this script is started, you should get something like this :
HTTP/1.1 200 OK
HTTP/1.1 200 OK or HTTP/1.1 302 Found
... and so on for quite a number of lines; once mod_evasive kicks in, you should get :
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden

The log entry for this event is in /var/log/httpd/error_log.
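To see which clients a fail2ban-style threshold would pick out of those error_log entries, here is an added example (not from the original post and not fail2ban's own code). It assumes the Apache 2.2 error_log line "client denied by server configuration" for the 403 responses; the function name, the thresholds (named after fail2ban's maxretry and findtime options) and the sample log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed Apache 2.2 error_log format for a refused (403) request.
DENIED = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[0-9A-Fa-f.:]+)\] "
    r"client denied by server configuration: "
)

# Constructed sample lines (documentation IP ranges), not taken from a real log.
SAMPLE_LOG = """\
[Mon Feb 01 10:10:00 2010] [error] [client 198.51.100.7] client denied by server configuration: /var/www/html/
[Mon Feb 01 10:15:01 2010] [error] [client 192.0.2.10] File does not exist: /var/www/html/favicon.ico
[Mon Feb 01 10:15:02 2010] [error] [client 192.0.2.10] client denied by server configuration: /var/www/html/
[Mon Feb 01 10:15:02 2010] [error] [client 192.0.2.10] client denied by server configuration: /var/www/html/
[Mon Feb 01 10:15:03 2010] [error] [client 192.0.2.10] client denied by server configuration: /var/www/html/
[Mon Feb 01 10:15:03 2010] [error] [client 192.0.2.10] client denied by server configuration: /var/www/html/
[Mon Feb 01 10:15:04 2010] [error] [client 192.0.2.10] client denied by server configuration: /var/www/html/
[Mon Feb 01 10:15:30 2010] [error] [client 198.51.100.7] client denied by server configuration: /var/www/html/
[Mon Feb 01 10:16:00 2010] [notice] caught SIGTERM, shutting down
""".splitlines()

def clients_to_ban(lines, maxretry=5, findtime=60):
    """IPs with >= maxretry denied requests inside any findtime-second window."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = []
    for line in lines:
        m = DENIED.match(line)
        if not m:
            continue              # other errors and notices are not counted
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        hits = recent[m.group("ip")]
        hits.append(ts)
        while ts - hits[0] > window:
            hits.popleft()        # forget hits older than findtime
        if len(hits) >= maxretry and m.group("ip") not in flagged:
            flagged.append(m.group("ip"))
    return flagged

if __name__ == "__main__":
    print(clients_to_ban(SAMPLE_LOG))
```

With the defaults only the client that was refused five times within a few seconds is flagged; the client with two refusals five minutes apart is not.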
