From: Will Squire
Subject: mod_evasive is not blocking IPs causing DoS, but is logging them
Date: Fri, 27 May 2016 20:07:01 +0100
To: freebsd-apache@freebsd.org

Hi all - my first time mailing here, here goes...

mod_evasive is not blocking IPs that are causing DoS, but it is logging the IPs in the /tmp directory. The files it generates to this directory are named dos-XXX.XXX.XXX.XXX (XXX.XXX.XXX.XXX being the IP).

Have read that mod_evasive does not work well with the mpm_prefork_module because it uses processes over threads. This is not being used, but mpm_event_module is (not mpm_worker_module). Not sure if this is the problem?

Here is the content of the mod_evasive config file created at /usr/local/etc/apache24/Includes/mod_evasive.conf:

    DOSHashTableSize 3097
    DOSPageCount 2
    DOSPageInterval 1
    DOSSiteCount 50
    DOSSiteInterval 1
    DOSBlockingPeriod 60
    DOSEmailNotify example@example.com

Have also read that mod_evasive uses iptables, but ipfw is being used. Again, I'm not sure if this is the issue?

Also noticed a trend of sudo privileges being given to Apache in some of the examples found online (particularly when using mod_evasive's DOSSystemCommand). I don't intend to give Apache sudo privileges, but have tried adding deny directives to ipfw using DOSSystemCommand with sudo privileges:

    DOSSystemCommand "sudo ipfw add 00010 deny ip from %s to any"

This also didn't end well.

Any help appreciated, thanks.

Kind regards,
Will Squire
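
Added example (not part of the original message, and not code from the mod_evasive project): a shell check for the symptom described above. It lists the addresses recorded as dos-<IP> files and reports those with no matching deny rule in a saved rule listing. The function names, sample addresses and rule listing are constructed for illustration, and the listing is assumed to be in the format printed by `ipfw list`.

```shell
#!/bin/sh
# Compare mod_evasive lock files with an ipfw rule listing (added example).
# Assumptions: lock files are named dos-<IPv4>, as described in the message;
# the rule listing is a text file saved from `ipfw list`.

# Print the IPv4 address taken from each dos-* file name in directory $1.
logged_ips() {
    for f in "$1"/dos-*; do
        [ -e "$f" ] || continue          # glob matched nothing
        ip=${f##*/dos-}
        # Accept only dotted-quad names so stray files are never treated as addresses.
        printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || continue
        printf '%s\n' "$ip"
    done
}

# Print each logged IP that has no "deny ip from <ip> to any" rule in file $2.
unblocked_ips() {
    logged_ips "$1" | while read -r ip; do
        # -F: fixed-string match, so the dots in the address are literal.
        grep -Fq "deny ip from $ip to any" "$2" || printf '%s\n' "$ip"
    done
}

# Constructed sample: two lock files, one stray file, one matching deny rule.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/dos-203.0.113.5"
    : > "$d/dos-198.51.100.7"
    : > "$d/dos-notes.txt"
    printf '%s\n' '00010 deny ip from 203.0.113.5 to any' \
                  '65535 allow ip from any to any' > "$d/rules.txt"
    unblocked_ips "$d" "$d/rules.txt"
    rm -rf "$d"
}

# Usage: sh check.sh <log dir> <saved ipfw listing>; with no arguments, run the demo.
if [ "$#" -eq 2 ]; then
    unblocked_ips "$1" "$2"
else
    demo
fi
```

An address printed by this check was logged by mod_evasive but has no corresponding deny rule in the listing.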