mod_evasive & SYN attacks/flood

Discussion in 'General' started by ISPConfigFan, May 24, 2007.

  1. ISPConfigFan

    ISPConfigFan New Member

    Good day,

    Since a few days we experience SYN-attacks on our servers. Look like:
    Code:
    tcp        0      0 ***:80            ***:1466         SYN_RECV    
    tcp        0      0 ***:80            ***:1460         SYN_RECV    
    tcp        0      0 ***:80            ***:1468         SYN_RECV    
    ...
    
    We have tried to install mod_evasive and succeeded, but it is not functioning...

    test.pl only gives 403 codes, but no 200 at the start...

    apache conf:
    Code:
    ####################################
    # MOD EVASIVE
    ####################################
    
    <IfModule mod_evasive20.c>
    DOSHashTableSize    4000
    DOSPageCount        2
    DOSSiteCount        30
    DOSPageInterval     1
    DOSSiteInterval     1
    DOSBlockingPeriod   10
    DOSEmailNotify ***
    #DOSSystemCommand
    #DOSLogDir "/var/log/mod_evasive"
    DOSWhitelist 127.0.0.*
    DOSWhitelist ***
    DOSWhitelist ***
    DOSWhitelist ***
    DOSWhitelist ***
    </IfModule>
    
    #AddModule mod_evasive.c
    
    Now the mod_evasive module is commented out, because if it is not, apache wont start because:
    Code:
     Apache 1.3 configuration directives found
     please read /usr/share/doc/httpd-2.2.4/migration.html
                                                               [FAILED]
    
    Can't find any useful (to me) information in that file though.

    IP is manually dropped by iptables now, but that's clearly not the best solution.

    Any advice on how to fix this and protect against syn-flood?
     
  2. ISPConfigFan

    ISPConfigFan New Member

    Got it working. Just for others curious:

    Put this:
    Code:
    <IfModule mod_evasive20.c>
    DOSHashTableSize    4000
    DOSPageCount        2
    DOSSiteCount        30
    DOSPageInterval     1
    DOSSiteInterval     1
    DOSBlockingPeriod   10
    DOSEmailNotify xxx@xxx.com
    #DOSSystemCommand
    #DOSLogDir "/var/log/mod_evasive"
    DOSWhitelist 127.0.0.*
    DOSWhitelist ......
    </IfModule>
    
    BELOW the line:
    Code:
    LoadModule evasive20_module   /usr/lib/httpd/modules/mod_evasive20.so
    in your httpd.conf. The addmodule command is not te be used.


    Installation:
    Code:
    yum install httpd-devel
    cd /usr/local/src
    wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz 
    tar -zxf mod_evasive_1.10.1.tar.gz
    cd mod_evasive 
    /usr/sbin/apxs -cia mod_evasive20.c
    
    Excuse me for the lame question :confused:
     

Share This Page