LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices


Reply
  Search this Thread
Old 08-27-2012, 07:59 AM   #1
OMT
LQ Newbie
 
Registered: Sep 2005
Distribution: Slackware
Posts: 15

Rep: Reputation: 0
Problem with mod_evasive on HTTPS


Hello,

I want to start mod_evasive on an Apache server (version 2.2.20 installed on Ubuntu with apt-get). My problem is that it is working indeed, but only on HTTP. I have a virtual host on HTTPS (port 443) and mod_evasive is not working on it. I tried to put the configuration in the virtualhost configuration file in "sites-enabled" instead of it's own file in conf.d, but it was again working only on HTTP. Is there a way to make it work on HTTPS?

Best regards, OMT
 
Old 09-22-2012, 07:40 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592
Quote:
Originally Posted by OMT View Post
Is there a way to make it work on HTTPS?
Apart from hacking the code, no. There are other ways to deal with request floods as long as you remember that there is only so much an end point can do: in essence DoS and DDoS mitigation requires you to interface with your provider. Start with regular machine and service hardening, comment out any modules and features you don't need now and then check what Apache has to say about security, then limit the amount of new connections to TCP/443:
Code:
# Cap new TCP/443 connections to 60 per second and burst with 10:
iptables -t filter -I INPUT -m tcp -p tcp --dport 443 -m state --state NEW -m limit --limit 60/sec --limit-burst 10 -j ACCEPT

# Limit new TCP/443 to 8 connections per range/24:
iptables -t filter -A INPUT -m tcp -p tcp --tcp-flags FIN,SYN,RST,ACK SYN --dport 443 -m connlimit --connlimit-above 8 --connlimit-mask 24 -j LOG --log-prefix "SYN8 "
iptables -t filter -A INPUT -m tcp -p tcp --syn --dport 443 -m connlimit --connlimit-above 8 --connlimit-mask 24 -j DROP

# Limit new TCP/443 connections per IP: 256 *packets* per second and burst to 512 per IP and destination port:
iptables -t filter -A INPUT -m tcp -p tcp --dport 443 -m hashlimit --hashlimit 256/s --hashlimit-burst 512 --hashlimit-mode srcip,dstport --hashlimit-htable-size 3072 --hashlimit-htable-max 5120 --hashlimit-name HTTPS -m state --state NEW -j ACCEPT
- test and tune the numbers as I don't know the amount of traffic your site receives,
- ensure you place rules in the right order and position in your rule set.

* Sometimes a DoS has a reason. Don't go around taunting others.

** If you're facing a DoS then the best thing is not to start panicking but be methodical about it: do research, ask. If you're thinking about blocking IP addresses then you best not succumb to deploying convoluted software firewall management front-ends and don't deploy userland tools that dump addresses in the filter table INPUT chain, /etc/hosts.deny, .htaccess files or make use of netstat to determine the about of connections. In the end you'll find they don't do anything useful (even though others say it is) and can be detrimental to performance. If you're thinking about blocking IP addresses then consider storing them in a raw table PREROUTING chain "recent" module or better, use ipset which also takes whole IP ranges.


//NTLB

Last edited by unSpawn; 09-22-2012 at 07:42 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Mod_evasive and iptables lavinya Linux - Security 1 12-08-2007 08:22 AM
Mitigate Attacks With mod_evasive jeremy LQ Articles Discussion 1 06-22-2007 10:59 AM
Can I install mod_evasive in apache2 when installed from repo? OneBinary Debian 3 04-20-2006 10:11 AM
HTTPS problem Swift&Smart Linux - Software 10 10-18-2003 12:50 PM
Problem with https kired Linux - Newbie 2 03-23-2003 02:57 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Server

All times are GMT -5. The time now is 03:43 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration