How To Block Spammers/Hackers With mod_defensible On Apache2 (Debian Etch)

Submitted by falko (Contact Author) (Forums) on Sun, 2008-07-06 16:19. :: Debian | Apache | Security

Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 06/13/2008

mod_defensible is an Apache 2.x module intended to block spammers, hackers and script kiddies with the help of DNSBL servers. It takes the client IP, looks it up in one or several DNSBL servers and, if the IP is listed there, returns a 403 Forbidden page to the client. This guide shows how to install and use it with Apache 2 on a Debian Etch server.

I do not issue any guarantee that this will work for you!

 

1 Installing Apache2 And mod_defensible

Unfortunately libapache2-mod-defensible is available as a Debian package only for Debian Lenny (testing) and Sid (unstable), but not for Etch. Therefore we will install the libapache2-mod-defensible package from Lenny. To do this, open /etc/apt/sources.list and add the line deb http://ftp2.de.debian.org/debian/ lenny main; your /etc/apt/sources.list could then look like this:

vi /etc/apt/sources.list

deb http://ftp2.de.debian.org/debian/ etch main
deb-src http://ftp2.de.debian.org/debian/ etch main

deb http://ftp2.de.debian.org/debian/ lenny main

deb http://security.debian.org/ etch/updates main contrib
deb-src http://security.debian.org/ etch/updates main contrib

Of course (in order not to mess up our system), we want to install packages from Lenny only if there is no appropriate package from Etch: if a package exists in both Etch and Lenny, we want the one from Etch. To do this, we give packages from Etch a higher priority in /etc/apt/preferences:

vi /etc/apt/preferences

Package: *
Pin: release a=etch
Pin-Priority: 700

Package: *
Pin: release a=lenny
Pin-Priority: 650

(The terms etch and lenny must match the release names used in /etc/apt/sources.list; if you use stable and testing there, you must also use stable and testing instead of etch and lenny in /etc/apt/preferences.)

Afterwards, we update our packages database:

apt-get update

If you're getting an error like this:

Segmentation faultsts... 96%

or this one:

E: Dynamic MMap ran out of room

open /etc/apt/apt.conf and add an APT::Cache-Limit line with a very high value, e.g. like this:

vi /etc/apt/apt.conf

APT::Cache-Limit "100000000";

Then run

apt-get update

again and upgrade the installed packages:

apt-get upgrade

(If you see any questions, you can accept the default values.)

To install Apache2 with mod_defensible, we run:

apt-get install apache2 libapache2-mod-defensible libudns0

Afterwards, enable mod_defensible:

a2enmod defensible

Reload Apache:

/etc/init.d/apache2 force-reload

 

2 Configuring mod_defensible

Open /etc/apache2/apache2.conf and go to the end where the virtual hosts are configured, and put the mod_defensible configuration right before the virtual hosts:

vi /etc/apache2/apache2.conf

[...]
# Include generic snippets of statements
Include /etc/apache2/conf.d/

DnsblUse On
DnsblServers httpbl.abuse.ch sbl-xbl.spamhaus.org
DnsblNameserver 145.253.2.75

# Include the virtual host configurations:
Include /etc/apache2/sites-enabled/

DnsblUse On enables mod_defensible. The DnsblServers line lists the blacklists you want to use (here httpbl.abuse.ch and sbl-xbl.spamhaus.org). The DnsblNameserver line defines the DNS server that mod_defensible uses for its lookups; I found that Apache takes forever to serve pages if the DnsblNameserver line is missing, so do not leave it out.

Restart Apache afterwards:

/etc/init.d/apache2 restart

That's it. If a blacklisted IP address tries to access your web server, it will receive an HTTP 403 error.
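To see what the module is actually doing, and to check a DnsblServers choice by hand before putting it in front of a production site, here is a small POSIX shell script. It is an added example, not code from this howto or from mod_defensible itself: it builds the reversed-octet query name that a DNSBL lookup uses and, when run with the --live flag, resolves it with dig (from Debian's dnsutils package) against the same nameserver as in the configuration above. A DNSBL answers a listed address with an A record in 127.0.0.0/8 and with NXDOMAIN for an unlisted one. The assumption that 127.0.0.2 is always kept listed as a test entry follows the convention most DNSBLs use; the function names, the --live flag and the use of dig are this example's own choices.

```shell
#!/bin/sh
# Added example (not part of the original howto): reproduce the lookup that
# mod_defensible performs for a client IP, so that a DnsblServers entry can be
# tested by hand. The name construction needs no network; only dnsbl_check
# does a real DNS query and assumes `dig` from dnsutils is installed.

# Reverse the four octets of an IPv4 address and append the DNSBL zone.
# dnsbl_query_name 192.0.2.1 sbl-xbl.spamhaus.org -> 1.2.0.192.sbl-xbl.spamhaus.org
# Returns 1 (and prints nothing) when the address is not a valid dotted quad.
dnsbl_query_name() {
    ip=$1
    zone=$2
    # Reject anything that is not digits and dots, or has empty octets.
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $ip
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do
        [ "$o" -le 255 ] || return 1
    done
    printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$zone"
}

# Query one DNSBL for one IP, optionally through a specific nameserver
# (third argument, the same role DnsblNameserver plays in apache2.conf).
# Prints the 127.x.y.z answer and returns 0 when the IP is listed,
# 1 when it is not listed, 2 when the IP is malformed.
dnsbl_check() {
    name=$(dnsbl_query_name "$1" "$2") || return 2
    server=${3:+@$3}
    # Short timeout: a slow DNSBL here is exactly the delay Apache would see.
    answer=$(dig +short +time=3 +tries=1 $server "$name" A 2>/dev/null)
    case "$answer" in
        127.*) printf '%s listed in %s: %s\n' "$1" "$2" "$answer"; return 0 ;;
        *)     printf '%s not listed in %s\n' "$1" "$2"; return 1 ;;
    esac
}

# Live usage (needs network): check the conventional test entry 127.0.0.2
# against the two zones and the nameserver used in the howto's configuration.
if [ "${1:-}" = "--live" ]; then
    for zone in httpbl.abuse.ch sbl-xbl.spamhaus.org; do
        dnsbl_check 127.0.0.2 "$zone" 145.253.2.75
    done
fi
```

Save it as dnsbl_check.sh and run sh dnsbl_check.sh --live. Each zone should answer within a second; if one takes several seconds or times out, that is the delay mod_defensible adds to every request, and it is a reason to drop that zone from DnsblServers or to point DnsblNameserver at a faster resolver.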

 

3 Links


Submitted by Anonymous (not registered) on Fri, 2011-01-21 10:18.

Comment: I am not asking for help:

Invalid command 'DnsblNameserver', perhaps misspelled or defined by a module not included in the server configuration
Action 'configtest' failed.

 

I removed DnsblNameserver and configtest ran OK.

Submitted by planet_fox (registered user) on Sun, 2009-05-24 14:22.

I have used this tutorial on a Lenny server. All looks ok. I have some problems with the DnsblServers.

I have changed the line to this

DnsblServers httpbl.abuse.ch

then run it

Submitted by Aurora (registered user) on Fri, 2008-12-19 19:36.

The last link for mod_defensible has been updated since this article was posted.  The corrected link is:

mod_defensible: http://julien.danjou.info/mod_defensible/

Submitted by burnclouds (registered user) on Mon, 2008-08-18 16:59.

Ok, now I am using Debian Lenny in a production environment. (No lectures about this please.) But I installed mod_defensible using apt-get. Then I followed this howto for the configuration stuff. But it slowed down web access to a crawl, so slow it was totally unusable. I saw the references on this howto and tried http://julien.danjou.info/mod_defensible.html and used his config, same story; too slow. Then I tried the sid mod_defensible package with both configs. Twice I got the same results. No response from the server. I tried again with wireshark. The server receives the HTTP requests but never responds. The machine the web server is on is a 1.8GHz P4 HT w/ 1.5GB RAM and a Raptor SATA drive with 16MB cache. Running Debian Lenny with a custom 2.6.26-1 kernel. Any ideas on fixing the slow down? Are the lenny/sid packages broken?

Submitted by hex63 (registered user) on Fri, 2008-08-01 17:20.

Nice howto Falco!

I notice a little delay when I access my web server from the local LAN. I shall try later from work to see if there is too much or if it's acceptable accessing from the WAN.

Thanks for sharing! :)

Submitted by tfunky (registered user) on Sun, 2008-07-06 19:38.

Hey Falko!

Great info as always!

Are you using this setup in production?

Looking over it, I'm wondering what kind of slow down you're seeing on user response times because of the lookups.

Have you noticed a slow down?  Or is it more a matter of a tradeoff between response time and security?

 

Submitted by spauldingsmails (registered user) on Wed, 2008-07-09 08:57.

I agree with tfunky, great article, it's always better to tackle security issues at the source rather than dealing with them after the fact.

I also agree that there are probably issues with security vs performance and wonder if there are major performance drawbacks using this technique. If so, are there options such as caching the blacklist locally?

Again, a great and useful article.