mod_evasive Konfiguration

stefkey · Oct 7, 2016

Hi,

wieso greift hier mod_evasive nicht ein?

Code:

85.128.142.21 - - [07/Oct/2016:19:36:04 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83263 "-" "-"
85.128.142.21 - - [07/Oct/2016:19:36:04 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83263 "-" "-"
85.128.142.21 - - [07/Oct/2016:19:36:04 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83263 "-" "-"
85.128.142.21 - - [07/Oct/2016:19:36:05 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83263 "-" "-"
85.128.142.21 - - [07/Oct/2016:19:36:05 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83263 "-" "-"
85.128.142.21 - - [07/Oct/2016:19:36:05 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83263 "-" "-"
85.128.142.21 - - [07/Oct/2016:19:36:06 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83263 "-" "-"
85.128.142.21 - - [07/Oct/2016:19:36:06 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83263 "-" "-"
85.128.142.21 - - [07/Oct/2016:19:36:07 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83263 "-" "-"
85.128.142.21 - - [07/Oct/2016:19:36:07 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83263 "-" "-"
85.128.142.21 - - [07/Oct/2016:19:36:07 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83263 "-" "-"
85.128.142.21 - - [07/Oct/2016:19:36:08 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83263 "-" "-"
85.128.142.21 - - [07/Oct/2016:19:36:08 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83263 "-" "-"
85.128.142.21 - - [07/Oct/2016:19:36:09 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83263 "-" "-"
85.128.142.21 - - [07/Oct/2016:19:36:09 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83263 "-" "-"
85.128.142.21 - - [07/Oct/2016:19:36:09 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83263 "-" "-"
85.128.142.21 - - [07/Oct/2016:19:36:10 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83263 "-" "-"
85.128.142.21 - - [07/Oct/2016:19:36:10 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83263 "-" "-"
85.128.142.21 - - [07/Oct/2016:19:36:10 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83263 "-" "-"
85.128.142.21 - - [07/Oct/2016:19:36:11 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83263 "-" "-"
85.128.142.21 - - [07/Oct/2016:19:36:11 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83263 "-" "-"
85.128.142.21 - - [07/Oct/2016:19:36:12 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83263 "-" "-"
85.128.142.21 - - [07/Oct/2016:19:36:12 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83263 "-" "-"
85.128.142.21 - - [07/Oct/2016:19:36:12 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83263 "-" "-"
85.128.142.21 - - [07/Oct/2016:19:36:13 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83263 "-" "-"
85.128.142.21 - - [07/Oct/2016:19:36:13 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83263 "-" "-"
85.128.142.21 - - [07/Oct/2016:19:36:13 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83263 "-" "-"
85.128.142.21 - - [07/Oct/2016:19:36:14 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83263 "-" "-"
85.128.142.21 - - [07/Oct/2016:19:36:14 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83263 "-" "-"
85.128.142.21 - - [07/Oct/2016:19:36:14 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83263 "-" "-"
85.128.142.21 - - [07/Oct/2016:19:36:15 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83263 "-" "-"
85.128.142.21 - - [07/Oct/2016:19:36:15 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83263 "-" "-"

Meine mod_evasive Konfiguration sieht so aus, und sie funktioniert. Denn wenn ich die Forumsseite mehrmals schnell lade bin ich blockiert:

Code:

<IfModule mod_evasive20.c>
   DOSHashTableSize 3097
   DOSPageCount 2
   DOSSiteCount 30
   DOSPageInterval 1
   DOSSiteInterval 2
   DOSBlockingPeriod 10
   DOSEmailNotify meine@email.de
   DOSLogDir "/var/lock/mod-evasive"
</IfModule>

E-Mail Notify funktioniert auch nicht, aber das wäre noch nicht mal so wichtig.

Kann mir jemand sagen warum die IP 85.128.142.21 fröhlich die Seite ständig abrufen kann?

Das Testskript bekommt auch keinen 403, alles 200 und damit freie Bahn für
`perl /usr/share/doc/libapache2-mod-evasive/examples/test.pl`

stefkey · Oct 7, 2016

hab das gefunden:
https://serversupportforum.de/threads/mod_evasive-greift-nicht-test-pl-aber-schon.52170/

Heißt das, dass mod_evasive nicht greift wenn der apache mit mpm-itk läuft?

greystone · Oct 7, 2016

Wie sieht denn Dein System aus?
Welche Linux-Distribution, welche Version dieser Distribution?
Welche apache Version läuft bei Dir?
Management Software im Einsatz(Plesk? Confixx, ... ?)

stefkey · Oct 7, 2016

Debian Squeeze (ich weiß, ich ziehe gerade um auf ein Ubuntu 16.04, aber es muss ja auch auf dem Squeeze gehen)
apache 2.2.16
mlm-itk !
Kein Management Software

Ich lass den apache mal nachher mit mpm-worker laufen, bin gespannt!

greystone · Oct 8, 2016

Keine Management Software

Es gibt noch Hoffnung für Dich.

Ja propiere das mal mit mpm-worker.

Schau auch mal ob mod_evasive überhaupt aktiviert ist:

Code:

apachectl -t -D DUMP_MODULES

nexus · Oct 8, 2016

stefkey said:
Debian Squeeze (ich weiß, ich ziehe gerade um auf ein Ubuntu 16.04, aber es muss ja auch auf dem Squeeze gehen)

Mach doch zuerst den Umzug fertig. Ist ja nicht so wie im realen Leben, wo du für einen Umzug Tage oder Wochen brauchst

So wie du grad an die Sache rangehst, machst du dir doppelte Arbeit.

greystone said:
Es gibt noch Hoffnung für Dich.

Ganz meine Meinung...
[OT] und man möge es kaum glauben greystone, daß wir auch mal derselben Meinung sein können

[/OT]

stefkey · Oct 8, 2016

hey, ich sagte ja, ich wills verstehen. Und Plesk und Co... pfui! Laaaangweilig.
Freut mich das es noch Hoffnung gibt für mich

Ich blieb dran!

Danke für den Code `apachectl -t -D DUMP_MODULES`

Code:

Loaded Modules:
 core_module (static)
 log_config_module (static)
 logio_module (static)
 mpm_itk_module (static)
 http_module (static)
 so_module (static)
 actions_module (shared)
 alias_module (shared)
 auth_basic_module (shared)
 authn_file_module (shared)
 authz_default_module (shared)
 authz_groupfile_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 cgi_module (shared)
 dav_module (shared)
 dav_fs_module (shared)
 dav_lock_module (shared)
 deflate_module (shared)
 dir_module (shared)
 encoding_module (shared)
 env_module (shared)
 geoip_module (shared)
 headers_module (shared)
 mime_module (shared)
 evasive20_module (shared)
 negotiation_module (shared)
 php5_module (shared)
 reqtimeout_module (shared)
 rewrite_module (shared)
 setenvif_module (shared)
 ssl_module (shared)
 status_module (shared)
Syntax OK

Läuft also soweit. Wie gesagt, es reagiert ja auch wenn ich im Browser oft reloade, aber das perl script hat freie fahrt. Das irritiert mich. Okay, und nebenbei wird auch der Pole mit seiner IP nicht gebanned. Aber vielleicht liegt das am Angriff?!? Im apache access-log gibts halt 2-3 Anfragen pro Sekunde..hmm ich verstehe es halt leider noch nicht.

Der Umzug braucht schon bissl, ich wechsle gleichzeitig auf nginx und php-fpm un dazu mach ich es mir ja auch besonders schwer so ziemlich alles über die Konsole mit Befehlen zu machen, und die Befehle kann ich noch nicht aus dem ff reinhacken. Naja, es wird schon...

stefkey · Oct 10, 2016

So, nun hab ich statt apache2-mpm-itk den apache2-mpm-prefork am laufen.

Nun bringt das mod-evasive perl test script folgende Ausgabe:

Code:

perl /usr/share/doc/libapache2-mod-evasive/examples/test.pl
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
Verbindungsaufbau abgelehnt at /usr/share/doc/libapache2-mod-evasive/examples/test.pl line 12.

Ganz seltsam ist das mal wieder: Wenn ich das Modul disable und den Apache auch neustarte hat das Perl Script genau die gleiche Ausgabe.

Mit dem apache-mpm-itk kam diese Meldung HTTP/1.1 200 OK bestimmt 20-30.

Und der Pole kommt immer noch durch mit seinen 2-3 Seitenaufrufen pro Sekunden.

Es ist mal wieder zum Mäuse melken. Vielleicht hat jemand einen Hinweis für mich. Es ist nicht wichtig, da ich bald auf nginx wechsele auf dem neuen Server, aber ich will es halt trotzdem gerne zum Laufen bekommen, auch auf dem alten Server, weil ich es eben wissen will. Was dann bei Ningx auf mich zu kommt muss ich noch auschecken, dort hats ja kein mod-evasive soviel ich weiß.

greystone · Oct 10, 2016

Wenn das Modul entladen ist und der Apache neu gestartet ist, dann darf diese Meldung nicht kommen.

Dumme Frage: Wie hast Du den apachen neu gestartet?

Die Frage ist auch, ob der Angreifer wirklich auch immer die gleiche Seite aufruft, wie oben im Logfile zu sehen. Falls nicht, greift das mod_evasive Site-Limit, dass bei Dir auf 30 Requests pro 2 Sekunden steht.

stefkey · Oct 10, 2016

/etc/init.d/apache2 restart

ja, es ist dieselbe Seite die er ständig läd. Es sind 2 Polen

Code:

62.121.130.232 - - [10/Oct/2016:14:38:57 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119422 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:38:57 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83519 "-" "-"
62.121.130.232 - - [10/Oct/2016:14:38:58 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119422 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:38:58 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83519 "-" "-"
62.121.130.232 - - [10/Oct/2016:14:38:59 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119422 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:38:59 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83519 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:39:00 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83519 "-" "-"
62.121.130.232 - - [10/Oct/2016:14:39:00 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119422 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:39:01 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83519 "-" "-"
62.121.130.232 - - [10/Oct/2016:14:39:01 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119422 "-" "-"
62.121.130.232 - - [10/Oct/2016:14:39:01 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119422 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:39:02 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83519 "-" "-"
62.121.130.232 - - [10/Oct/2016:14:39:02 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119422 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:39:03 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83519 "-" "-"
62.121.130.232 - - [10/Oct/2016:14:39:03 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119422 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:39:04 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83519 "-" "-"
62.121.130.232 - - [10/Oct/2016:14:39:04 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119422 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:39:05 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83519 "-" "-"

stefkey · Oct 10, 2016

Ha! Jo, ich hatte ja noch ne iptables Regel aktiv

Jetzt passt alles theoretisch. Das Script funktioniert mit dem apache2-mpm-prefork. Ist das logisch das es mit dem apache2-mpm-itk nicht greift?

Nun sind die Polen aber immer noch fleißig am saugen mit 1-2MBit, und mod-evasive schmeißt mir harmlose Ips raus. Aber die Konfiguration sollte doch für die beiden Polen passen?

Code:

<IfModule mod_evasive20.c>
   DOSHashTableSize 3097
   DOSPageCount 1
   DOSSiteCount 6
   DOSPageInterval 1
   DOSSiteInterval 1
   DOSBlockingPeriod 10
   DOSLogDir "/var/lock/mod-evasive"
</IfModule>

Und hier die Zugriffe, das passt doch nicht zusammen, oder was machen die beiden da?!?

Code:

85.128.142.82 - - [10/Oct/2016:14:58:26 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83519 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:58:26 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83519 "-" "-"
62.121.130.232 - - [10/Oct/2016:14:58:26 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119422 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:58:26 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83519 "-" "-"
62.121.130.232 - - [10/Oct/2016:14:58:26 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119422 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:58:27 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83519 "-" "-"
62.121.130.232 - - [10/Oct/2016:14:58:27 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119422 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:58:27 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83519 "-" "-"
62.121.130.232 - - [10/Oct/2016:14:58:27 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119422 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:58:28 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83519 "-" "-"
62.121.130.232 - - [10/Oct/2016:14:58:28 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119422 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:58:28 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83519 "-" "-"
62.121.130.232 - - [10/Oct/2016:14:58:28 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119422 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:58:28 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83519 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:58:29 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83519 "-" "-"
62.121.130.232 - - [10/Oct/2016:14:58:29 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119422 "-" "-"
62.121.130.232 - - [10/Oct/2016:14:58:29 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119422 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:58:29 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83519 "-" "-"
62.121.130.232 - - [10/Oct/2016:14:58:29 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119422 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:58:29 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83519 "-" "-"
62.121.130.232 - - [10/Oct/2016:14:58:29 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119422 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:58:30 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83519 "-" "-"
62.121.130.232 - - [10/Oct/2016:14:58:30 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119422 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:58:30 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83519 "-" "-"
62.121.130.232 - - [10/Oct/2016:14:58:30 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119422 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:58:30 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83519 "-" "-"
62.121.130.232 - - [10/Oct/2016:14:58:30 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119422 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:58:31 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83519 "-" "-"
62.121.130.232 - - [10/Oct/2016:14:58:31 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119422 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:58:31 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83519 "-" "-"
62.121.130.232 - - [10/Oct/2016:14:58:31 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119422 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:58:31 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83519 "-" "-"
62.121.130.232 - - [10/Oct/2016:14:58:32 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119422 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:58:32 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83519 "-" "-"
62.121.130.232 - - [10/Oct/2016:14:58:32 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119422 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:58:32 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83519 "-" "-"
62.121.130.232 - - [10/Oct/2016:14:58:32 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119422 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:58:33 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83519 "-" "-"
62.121.130.232 - - [10/Oct/2016:14:58:33 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119422 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:58:33 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83519 "-" "-"
62.121.130.232 - - [10/Oct/2016:14:58:33 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119422 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:58:33 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83519 "-" "-"
62.121.130.232 - - [10/Oct/2016:14:58:33 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119422 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:58:34 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83519 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:58:34 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83519 "-" "-"
62.121.130.232 - - [10/Oct/2016:14:58:34 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119422 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:58:34 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83519 "-" "-"
62.121.130.232 - - [10/Oct/2016:14:58:35 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119422 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:58:35 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83519 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:58:35 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83519 "-" "-"
62.121.130.232 - - [10/Oct/2016:14:58:35 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119422 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:58:35 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83519 "-" "-"
62.121.130.232 - - [10/Oct/2016:14:58:35 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119422 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:58:36 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83519 "-" "-"
62.121.130.232 - - [10/Oct/2016:14:58:36 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119422 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:58:36 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83519 "-" "-"
62.121.130.232 - - [10/Oct/2016:14:58:36 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119422 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:58:36 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83519 "-" "-"
62.121.130.232 - - [10/Oct/2016:14:58:36 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119422 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:58:37 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83519 "-" "-"
62.121.130.232 - - [10/Oct/2016:14:58:37 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119422 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:58:37 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83519 "-" "-"
62.121.130.232 - - [10/Oct/2016:14:58:37 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 403 4720 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:58:38 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 403 4720 "-" "-"
62.121.130.232 - - [10/Oct/2016:14:58:38 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119422 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:58:38 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83519 "-" "-"
62.121.130.232 - - [10/Oct/2016:14:58:38 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 403 4720 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:58:38 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83519 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:58:38 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 403 4720 "-" "-"
62.121.130.232 - - [10/Oct/2016:14:58:38 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119422 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:58:39 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83519 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:58:39 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83519 "-" "-"
62.121.130.232 - - [10/Oct/2016:14:58:39 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119422 "-" "-"
62.121.130.232 - - [10/Oct/2016:14:58:39 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119422 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:58:40 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 403 4720 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:58:40 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83519 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:58:40 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 403 4720 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:58:40 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 403 4720 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:58:40 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83519 "-" "-"
62.121.130.232 - - [10/Oct/2016:14:58:40 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119422 "-" "-"
62.121.130.232 - - [10/Oct/2016:14:58:41 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 403 4720 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:58:41 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 403 4720 "-" "-"
62.121.130.232 - - [10/Oct/2016:14:58:41 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119422 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:58:41 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 403 4720 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:58:41 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83519 "-" "-"
62.121.130.232 - - [10/Oct/2016:14:58:41 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119422 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:58:41 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83519 "-" "-"
62.121.130.232 - - [10/Oct/2016:14:58:41 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119422 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:58:42 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 403 4720 "-" "-"
62.121.130.232 - - [10/Oct/2016:14:58:42 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119422 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:58:42 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83519 "-" "-"
85.128.142.82 - - [10/Oct/2016:14:58:43 +0200] "GET /index.php?page=Thread&threadID=1546 HTTP/1.1" 200 83519 "-" "-"
62.121.130.232 - - [10/Oct/2016:14:58:42 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119422 "-" "-"

greystone · Oct 10, 2016

Code:

<IfModule mod_evasive20.c>
   DOSHashTableSize 3097
   DOSPageCount 1
   DOSSiteCount 6
   DOSPageInterval 1
   DOSSiteInterval 1
   DOSBlockingPeriod 10
   DOSLogDir "/var/lock/mod-evasive"
</IfModule>

Das ist schon sehr eng eingestellt. Wenn da jemand mal so 10 Tabs aufklickt, wird er vielleicht schon geblockt.

Die beiden Polen(wahrscheinlich nur einer und nicht zwingend Pole

) bekommen doch auch 403er. Insofern scheint es doch zumindest teilweise zu wirken.

Ich hätte evasive jetzt eher mit den Werten gefüttert:

Code:

   DOSPageCount 30
   DOSSiteCount 40
   DOSPageInterval 120
   DOSSiteInterval 60
   DOSBlockingPeriod 300

Wenn jemand die gleiche Seite 30 Mal in zwei Minuten aufruft, dann fliegt er für 5 Minuten raus, was ja mit jedem weiteren Request praktischerweise automatisch verlängert wird.

Wenn jemand 40 beliebige Seitenaufrufe pro Minute hat dito.

Hat den Nebeneffekt, dass Du wahrscheinlich auch alle Suchmaschinen-Bots aussperrst.

stefkey · Oct 10, 2016

Ah, danke ja, ich verstehe. Ich habe die Konfiguration angepasst.

Aber es greift nicht. Ich habe die Zahl der Aufrufe mal gezählt. Es sind von der einen IP 160 Aufrufe pro Minute. mod-evasive arbeitet aber auch, es hat mich zB gesperrt. Komisch.

Und nu? Ich verstehe es nicht!

Code:

62.121.130.232 - - [10/Oct/2016:22:53:06 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119166 "-" "-"
62.121.130.232 - - [10/Oct/2016:22:53:06 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119166 "-" "-"
62.121.130.232 - - [10/Oct/2016:22:53:06 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119166 "-" "-"
62.121.130.232 - - [10/Oct/2016:22:53:07 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119166 "-" "-"
62.121.130.232 - - [10/Oct/2016:22:53:07 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119166 "-" "-"
62.121.130.232 - - [10/Oct/2016:22:53:07 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119165 "-" "-"
62.121.130.232 - - [10/Oct/2016:22:53:08 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119166 "-" "-"
62.121.130.232 - - [10/Oct/2016:22:53:08 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119166 "-" "-"
62.121.130.232 - - [10/Oct/2016:22:53:08 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119166 "-" "-"
62.121.130.232 - - [10/Oct/2016:22:53:09 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119166 "-" "-"
62.121.130.232 - - [10/Oct/2016:22:53:09 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119166 "-" "-"
62.121.130.232 - - [10/Oct/2016:22:53:09 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119166 "-" "-"
62.121.130.232 - - [10/Oct/2016:22:53:10 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119166 "-" "-"
62.121.130.232 - - [10/Oct/2016:22:53:10 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119166 "-" "-"
62.121.130.232 - - [10/Oct/2016:22:53:10 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119166 "-" "-"
62.121.130.232 - - [10/Oct/2016:22:53:11 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119166 "-" "-"
62.121.130.232 - - [10/Oct/2016:22:53:11 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119166 "-" "-"
62.121.130.232 - - [10/Oct/2016:22:53:11 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119166 "-" "-"
62.121.130.232 - - [10/Oct/2016:22:53:12 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119166 "-" "-"
62.121.130.232 - - [10/Oct/2016:22:53:12 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119166 "-" "-"
62.121.130.232 - - [10/Oct/2016:22:53:13 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119166 "-" "-"
62.121.130.232 - - [10/Oct/2016:22:53:13 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119166 "-" "-"
62.121.130.232 - - [10/Oct/2016:22:53:13 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119166 "-" "-"
62.121.130.232 - - [10/Oct/2016:22:53:14 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119166 "-" "-"
62.121.130.232 - - [10/Oct/2016:22:53:14 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119166 "-" "-"
62.121.130.232 - - [10/Oct/2016:22:53:14 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119166 "-" "-"
62.121.130.232 - - [10/Oct/2016:22:53:14 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119166 "-" "-"
62.121.130.232 - - [10/Oct/2016:22:53:15 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119166 "-" "-"
62.121.130.232 - - [10/Oct/2016:22:53:15 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119166 "-" "-"
62.121.130.232 - - [10/Oct/2016:22:53:15 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119166 "-" "-"
62.121.130.232 - - [10/Oct/2016:22:53:16 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119166 "-" "-"
62.121.130.232 - - [10/Oct/2016:22:53:16 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119166 "-" "-"

Die Konfiguration sieht so aus:

Code:

<IfModule mod_evasive20.c>
   DOSHashTableSize 3097
   DOSPageCount 30
   DOSSiteCount 40
   DOSPageInterval 120
   DOSSiteInterval 60
   DOSBlockingPeriod 300
   DOSLogDir "/var/lock/mod-evasive"
</IfModule>

stefkey · Oct 10, 2016

okay, ab und zu gibt es doch einen 403, aber die 403er sollten doch ständig da sein?

Code:

62.121.130.232 - - [10/Oct/2016:23:25:17 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119166 "-" "-"
62.121.130.232 - - [10/Oct/2016:23:25:17 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119166 "-" "-"
62.121.130.232 - - [10/Oct/2016:23:25:18 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119166 "-" "-"
62.121.130.232 - - [10/Oct/2016:23:25:18 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119166 "-" "-"
62.121.130.232 - - [10/Oct/2016:23:25:18 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119166 "-" "-"
62.121.130.232 - - [10/Oct/2016:23:25:19 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119166 "-" "-"
62.121.130.232 - - [10/Oct/2016:23:25:19 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119166 "-" "-"
62.121.130.232 - - [10/Oct/2016:23:25:19 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 403 4720 "-" "-"
62.121.130.232 - - [10/Oct/2016:23:25:19 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119166 "-" "-"
62.121.130.232 - - [10/Oct/2016:23:25:20 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119166 "-" "-"
62.121.130.232 - - [10/Oct/2016:23:25:20 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119166 "-" "-"
62.121.130.232 - - [10/Oct/2016:23:25:20 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119166 "-" "-"
62.121.130.232 - - [10/Oct/2016:23:25:21 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119166 "-" "-"
62.121.130.232 - - [10/Oct/2016:23:25:21 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 200 119166 "-" "-"
62.121.130.232 - - [10/Oct/2016:23:25:21 +0200] "GET /index.php?page=Thread&threadID=248 HTTP/1.1" 403 4720 "-" "-"

nexus · Oct 11, 2016

Ich will jetzt nicht den Klugscheißer raushängen lassen...aber kannst du sicher ausschließen, daß dein Squeeze-System aufgrund fehlender Security-Updates nicht anderweitig kompromittiert sein könnte?

greystone · Oct 11, 2016

@stefkey: Lass das mal ne Weile laufen. So wie ich das verstanden habe, beziehen sich die Limits auf je einen Prozess/Thread. Kann ein paar Minuten dauern, aber dann sollten aber alle Prozesse/Threads geblockt sein. Bzgl. der Menge an Requests ist das ja noch keine richtige DOS.

mod_evasive Konfiguration

stefkey

Member

stefkey

Member

greystone

Active Member

stefkey

Member

greystone

Active Member

nexus

Well-Known Member

stefkey

Member

stefkey

Member

greystone

Active Member

stefkey

Member

stefkey

Member

greystone

Active Member

stefkey

Member

stefkey

Member

nexus

Well-Known Member

greystone

Active Member

We value your privacy