Hi, I have a web server which has the CentOS Linux 2.6.18-028stab059.6-ent kernel and Apache 1.3.37 running on it.
2 days back I got a script to test a DoS attack on a website. It is called slowloris.pl, from http://ha.ckers.org/slowloris/
I ran that script against my server and it worked. It stopped my website for some time. During that time all other services like SSH were working fine.
Can anybody suggest any configuration changes at the Apache and OS/kernel level to prevent this type of attack?
Currently I am using the following settings:

    Timeout 300
    KeepAlive On
    MaxKeepAliveRequests 100
    KeepAliveTimeout 5
    MinSpareServers 5
    MaxSpareServers 10
    StartServers 5
    MaxClients 150
    MaxRequestsPerChild 0

Then the kernel settings are:

    tcp_keepalive_time 7200
    tcp_keepalive_time 9
    tcp_keepalive_intvl 75
    tcp_syn_retries 5
    tcp_synack_retries 5
    tcp_fin_timeout 60

On Tue, 23 Jun 2009 16:42:44 +0530, Neelesh Gurjar neel.hjs@gmail.com wrote:
> Hi, I have a web server which has the CentOS Linux 2.6.18-028stab059.6-ent kernel and Apache 1.3.37 running on it.
> 2 days back I got a script to test a DoS attack on a website. It is called slowloris.pl, from http://ha.ckers.org/slowloris/
> I ran that script against my server and it worked. It stopped my website for some time. During that time all other services like SSH were working fine.
> Can anybody suggest any configuration changes at the Apache and OS/kernel level to prevent this type of attack?
> Currently I am using the following settings:
>
>     Timeout 300
>     KeepAlive On
>     MaxKeepAliveRequests 100
>     KeepAliveTimeout 5
>     MinSpareServers 5
>     MaxSpareServers 10
>     StartServers 5
>     MaxClients 150
>     MaxRequestsPerChild 0
>
> Then the kernel settings are:
>
>     tcp_keepalive_time 7200
>     tcp_keepalive_time 9
>     tcp_keepalive_intvl 75
>     tcp_syn_retries 5
>     tcp_synack_retries 5
>     tcp_fin_timeout 60
>
> --
> Regards
> NeeleshG

mod_evasive, formerly known as mod_dosevasive, is an Apache module that provides evasive action in the event of an HTTP DoS or DDoS (Denial of Service) attack or brute force attack at the web server. When possible attacks are detected, mod_evasive will block the traffic from the source for a specific duration of time, while reporting abuses via email and syslog facilities. Or administrators can configure mod_evasive to talk to iptables, ipchains, firewalls, routers, etc. to build a comprehensive DDoS prevention system for a high traffic, busy web server.
Although mod_evasive is not a foolproof and complete DoS prevention system, installing the mod_evasive module for Apache is likely to reduce and stop certain DDoS attacks, minimizing the risk of web hosts and web sites being completely brought down and made inaccessible by malicious denial of service attack attempts.
How to Install mod_evasive
1. Log in to the web server via SSH.
2. For Apache 2.0.x, execute the following command:

    up2date -i httpd-devel

3. Continue with the following commands one by one for all versions of Apache HTTPD server. The wget command will download the current stable version 1.10.1 source tarball.

    cd /usr/local/src
    wget http://www.nuclearelephant.com/projects/mod_evasive/mod_evasive_1.10.1.tar.g...
    tar -zxvf mod_evasive_1.10.1.tar.gz
    cd mod_evasive

4. For Apache 2.0.x, execute the following command:

    /usr/sbin/apxs -cia mod_evasive20.c

   Else, for Apache 1.3.x,

    /usr/local/apache/bin/apxs -cia mod_evasive.c

   The above commands will compile mod_evasive to a .so and subsequently add the corresponding AddModule and LoadModule lines to httpd.conf.
5. mod_evasive comes with default configuration values preset. However, if webmasters want to configure and set the values themselves, the following parameters have to be added to the httpd.conf Apache configuration file below the AddModule section.

   For Apache 2.0.x, add the following text to httpd.conf below the AddModule section:

    <IfModule mod_evasive20.c>
        DOSHashTableSize 3097
        DOSPageCount 5
        DOSSiteCount 100
        DOSPageInterval 1
        DOSSiteInterval 1
        DOSBlockingPeriod 600
    </IfModule>

   For Apache 1.3.x, add the following text to httpd.conf below the AddModule section:

    <IfModule mod_evasive.c>
        DOSHashTableSize 3097
        DOSPageCount 5
        DOSSiteCount 100
        DOSPageInterval 1
        DOSSiteInterval 1
        DOSBlockingPeriod 600
    </IfModule>

   Save and exit the httpd.conf Apache configuration file.
6. Restart the Apache server with the following command:

    /etc/init.d/httpd restart

Installation is completed. Note that mod_evasive has known issues with FrontPage Server Extensions. The administrator can configure the variables, such as enlarging the DOSHashTableSize, especially for a busy server. But note that whenever a source of attack is blocked, the blocking duration is automatically extended whenever the source attempts to connect again, thus the DOSBlockingPeriod need not be too long. Besides, the blocking is based on each session of an Apache child process, thus the blocking has the lifespan of that particular session only. If the webmaster sets the maximum clients per process to a very low value, the blocking may not be very effective. All definitions of the mod_evasive directives can be found in the README file that comes with the source code.
Other than above common configuration parameters, mod_evasive also supports the following three advanced directives:

    DOSEmailNotify users@example.com
    DOSSystemCommand "su - someuser -c '/sbin/… %s …'"
    DOSLogDir "/var/lock/mod_evasive"

DOSEmailNotify is particularly useful, as you can set mod_evasive to send a notification email whenever a possible DoS attack is detected and blocked. For example, “DOSEmailNotify root” will send the email to the root user. But note that the mailer configuration (by default “/bin/mail -t %s”) in mod_evasive.c or mod_evasive20.c is correct. You can create a symbolic link if needed, or modify the source code file.
http://www.mydigitallife.info/2007/08/15/install-mod_evasive-for-apache-to-p...
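
A simplified model of the thresholds in the configuration quoted in the reply above, added here as an example; it is not mod_evasive's source and not part of either message. It counts requests per address and page the way the directives describe, extends a block on every retry, and keeps a separate table per child process as the reply notes. The `ChildTable` class, the `replay` helper, the round-robin dispatch across children and the 192.0.2.10 requests are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Thresholds from the httpd.conf block on this page.
PAGE_COUNT, PAGE_INTERVAL = 5, 1      # DOSPageCount, DOSPageInterval (s)
SITE_COUNT, SITE_INTERVAL = 100, 1    # DOSSiteCount, DOSSiteInterval (s)
BLOCKING_PERIOD = 600                 # DOSBlockingPeriod (s)

@dataclass
class ChildTable:
    """Hypothetical stand-in for the state one Apache child process keeps."""
    hits: dict = field(default_factory=dict)     # key -> (window start, count)
    blocked: dict = field(default_factory=dict)  # ip -> time of last denied hit

    def _over(self, key, now, limit, interval):
        start, count = self.hits.get(key, (now, 0))
        if now - start >= interval:              # window expired, start a new one
            start, count = now, 0
        self.hits[key] = (start, count + 1)
        return count + 1 > limit

    def request(self, ip, uri, now):
        """Return 403 if this model denies the request, else 200."""
        last = self.blocked.get(ip)
        if last is not None and now - last < BLOCKING_PERIOD:
            self.blocked[ip] = now               # retry while blocked extends the block
            return 403
        page = self._over((ip, uri), now, PAGE_COUNT, PAGE_INTERVAL)
        site = self._over((ip, None), now, SITE_COUNT, SITE_INTERVAL)
        if page or site:
            self.blocked[ip] = now
            return 403
        return 200

def replay(events, children=1):
    """Replay (time, ip, uri) events, dealt round-robin to `children` tables."""
    tables = [ChildTable() for _ in range(children)]
    return [tables[i % children].request(ip, uri, t)
            for i, (t, ip, uri) in enumerate(events)]

if __name__ == "__main__":
    # Constructed sample: 8 requests for one page within 0.7 s from one address.
    burst = [(i / 10, "192.0.2.10", "/index.html") for i in range(8)]
    print("1 child:   ", replay(burst))
    print("2 children:", replay(burst, children=2))
    # Retries spaced under 600 s keep the block alive; 601 s of silence ends it.
    later = [(t, "192.0.2.10", "/index.html") for t in (500, 1000, 1500, 2101)]
    print("retries:   ", replay(burst + later)[-4:])
```

With one table the sixth request in the burst is denied; split across two tables the same burst stays under DOSPageCount in each, which is the per-child limitation the reply mentions.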