Ispconfig 3 - DDOS attack mitigation

Discussion in 'General' started by nicog, Jul 8, 2019.

  1. Jesse Norell (Well-Known Member)

    Unfortunately the "Page" count is per URL, not per URI, so requests to e.g. the same PHP file which vary by query parameters all get lumped together.

    We had one site that calls I think an export.php file repeatedly with different parameters, to get sets of some data exports every few minutes (they might have even had a compounding authentication issue, where a request was made without http authentication, got an error, then retried with authentication credentials - for every single request made).

    We've been good with 24 for DOSPageCount so far, or at least good enough, because I haven't had any complaints. For DOSSiteCount, I actually just increased from 90 to 180 last week, as we had legitimate requests (looked like a WordPress user loading the block editor on a site with many plugins) exceeding that (might have peaked at 115 / sec?). I might start looking at increasing DOSSiteInterval a bit to accommodate spikes but still catch ongoing "high" request rates. I don't know how useful mod_evasive will remain long term as req/sec continue to increase, it's almost too simplistic.
     
    Last edited: May 28, 2020
  2. nhybgtvfr (Active Member)

    hmm. everything I've seen online states that DOSPageCount is URI and not URL, e.g.:

    https://www.linode.com/docs/web-servers/apache-tips-and-tricks/modevasive-on-apache/
    https://devops.ionos.com/tutorials/...urity-and-mod_evasive-for-apache-on-centos-7/


    but yes, mod_evasive does seem to be becoming increasingly irrelevant.

    just because one site may need to allow 24 requests/sec, doesn't mean another site needs more than 2.
    shame the levels can't be set individually per site. would also be nice to have a simple setting to block IPs that keep getting 404s for those buggers trying to blindly scan sites hoping particular script(s) might exist that they can exploit.
    although I guess that could be done with fail2ban.... might have to look at that, could be a problem with testing/developing sites triggering bans though...
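
A way to check thresholds like the 24 / 180 values discussed in this thread against real traffic, as an added example that is not from any poster: it reads Apache access-log lines and reports each client's peak requests per second for the whole site and per page, keyed both by path only and by path plus query string. The sample log lines are constructed, the function names are hypothetical, and both DOS intervals are assumed to be 1 second, with fixed one-second buckets standing in for mod_evasive's own counters.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache common/combined log prefix: client IP, [timestamp], "METHOD target PROTO"
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*"')

def peak_rates(lines):
    """Per client IP, the peak requests seen in any one-second bucket:
    site = all requests, page_path = same path (query string ignored),
    page_full = same path and query string."""
    site, by_path, by_full = Counter(), Counter(), Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, target = m.groups()  # ts has one-second resolution
        site[ip, ts] += 1
        by_path[ip, ts, urlsplit(target).path] += 1
        by_full[ip, ts, target] += 1
    peaks = {}
    for name, counts in (("site", site), ("page_path", by_path), ("page_full", by_full)):
        for key, n in counts.items():
            row = peaks.setdefault(key[0], {"site": 0, "page_path": 0, "page_full": 0})
            row[name] = max(row[name], n)
    return peaks

def over_threshold(peaks, page_count=24, site_count=180, page_key="page_path"):
    """IPs whose peak reaches a threshold (assumption: a count equal to the
    threshold already triggers; defaults are the values quoted in the thread)."""
    return sorted(ip for ip, p in peaks.items()
                  if p[page_key] >= page_count or p["site"] >= site_count)

# Constructed sample: one client polling export.php with varying parameters,
# another loading several distinct URLs in the same second.
SAMPLE = (
    ['203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /export.php?set=%d HTTP/1.1" 200 512' % i
     for i in range(5)]
    + ['198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-json/a%d HTTP/1.1" 200 90' % i
       for i in range(3)]
    + ['198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "GET /wp-json/a0 HTTP/1.1" 200 90']
)

if __name__ == "__main__":
    for ip, p in sorted(peak_rates(SAMPLE).items()):
        print(ip, p)
    print("would trip at DOSPageCount=4:", over_threshold(peak_rates(SAMPLE), page_count=4))
```

Running it over a day of a busy site's access log shows how much headroom legitimate clients need before a DOSPageCount or DOSSiteCount value starts blocking them.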
     
