Apache module for resisting DoS attacks (repost)
Official English website
Source of excerpt
mod_dosevasive v1.10
What is mod_dosevasive?
mod_dosevasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and etcetera. mod_dosevasive presently reports abuses via email and syslog facilities.
Detection is performed by creating an internal dynamic hash table of IP Addresses and URIs, and denying any single IP address from any of the following:
Requesting the same page more than a few times per second
Making more than 50 concurrent requests on the same child per second
Making any requests while temporarily blacklisted (on a blocking list)
This method has worked well in both single-server script attacks as well as distributed attacks, but just like other evasive tools, is only as useful to the point of bandwidth and processor consumption (e.g. the amount of bandwidth and processor required to receive/process/respond to invalid requests), which is why it's a good idea to integrate this with your firewalls and routers for maximum protection.
This module instantiates for each listener individually, and therefore has a built-in cleanup mechanism and scaling capabilities. Because of this per-child design, legitimate requests are never compromised (even from proxies and NAT addresses) but only scripted attacks. Even a user repeatedly clicking on 'reload' should not be affected unless they do it maliciously. mod_dosevasive is fully tweakable through the Apache configuration file, easy to incorporate into your web server, and easy to use.
Software download:
Source package:
Stable [ Version 1.10 ] mod_dosevasive for Apache v1.3 and 2.0, and NSAPI (SunONE)
http://www.nuclearelephant.com/proje...ve_1.10.tar.gz
Linux RPM packages:
The following links are not official RPMs, but have been submitted as freely downloadable.
http://checksuite.sourceforge.net/dl/
Installation:
APACHE v1.3
-----------
Without DSO Support:
1. Extract this archive into src/modules in the Apache source tree
2. Run ./configure --add-module=src/modules/dosevasive/mod_dosevasive.c
3. make, install
4. Restart Apache
With DSO Support, Ensim, or CPanel:
1. $APACHE_ROOT/bin/apxs -iac mod_dosevasive.c
2. Restart Apache
APACHE v2.0 (the method I used)
-----------
1. Extract this archive
2. Run $APACHE_ROOT/bin/apxs -i -a -c mod_dosevasive20.c
3. The module will be built and installed into $APACHE_ROOT/modules, and loaded into your httpd.conf
4. Restart Apache
APACHE v1.3
-----------
# Edit httpd.conf and add the following
LoadModule dosevasive_module libexec/mod_dosevasive.so
AddModule mod_dosevasive.c
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
APACHE v2.0
-----------
# Edit httpd.conf and add the following
LoadModule dosevasive20_module modules/mod_dosevasive20.so
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
After installation and configuration are complete, restart Apache.
===============================================================================================
DOSHashTableSize
----------------
The hash table size defines the number of top-level nodes for each child's
hash table. Increasing this number will provide faster performance by
decreasing the number of iterations required to get to the record, but
consume more memory for table space. You should increase this if you have
a busy web server. The value you specify will automatically be tiered up to
the next prime number in the primes list (see mod_dosevasive.c for a list
of primes used).
DOSPageCount
------------
This is the threshold for the number of requests for the same page (or URI)
per page interval. Once the threshold for that interval has been exceeded,
the IP address of the client will be added to the blocking list.
DOSSiteCount
------------
This is the threshold for the total number of requests for any object by
the same client on the same listener per site interval. Once the threshold
for that interval has been exceeded, the IP address of the client will be added
to the blocking list.
DOSPageInterval
---------------
The interval for the page count threshold; defaults to 1 second intervals.
DOSSiteInterval
---------------
The interval for the site count threshold; defaults to 1 second intervals.
DOSBlockingPeriod
-----------------
The blocking period is the amount of time (in seconds) that a client will be
blocked for if they are added to the blocking list. During this time, all
subsequent requests from the client will result in a 403 (Forbidden) and
the timer being reset (e.g. another 10 seconds). Since the timer is reset
for every subsequent request, it is not necessary to have a long blocking
period; in the event of a DoS attack, this timer will keep getting reset.
DOSEmailNotify
--------------
If this value is set, an email will be sent to the address specified
whenever an IP address becomes blacklisted. A locking mechanism using /tmp
prevents continuous emails from being sent.
NOTE: Be sure MAILER is set correctly in mod_dosevasive.c
(or mod_dosevasive20.c). The default is "/bin/mail -t %s" where %s is
used to denote the destination email address set in the configuration.
If you are running on linux or some other operating system with a
different type of mailer, you'll need to change this.
DOSSystemCommand
----------------
If this value is set, the system command specified will be executed
whenever an IP address becomes blacklisted. This is designed to enable
system calls to ip filter or other tools. A locking mechanism using /tmp
prevents continuous system calls. Use %s to denote the IP address of the
blacklisted IP.
DOSLogDir
---------
Choose an alternative temp directory
By default "/tmp" will be used for locking mechanism, which opens some
security issues if your system is open to shell users.
http://security.lss.hr/index.php?pag...LSS-2005-01-01
In the event you have nonprivileged shell users, you'll want to create a
directory writable only to the user Apache is running as (usually root),
then set this in your httpd.conf.
WHITELISTING IP ADDRESSES
As of version 1.8, IP addresses of trusted clients can be whitelisted to
ensure they are never denied. The purpose of whitelisting is to protect
software, scripts, local searchbots, or other automated tools from being
denied for requesting large amounts of data from the server. Whitelisting
should *not* be used to add customer lists or anything of the sort, as this
will open the server to abuse. This module is very difficult to trigger
without performing some type of malicious attack, and for that reason it is
more appropriate to allow the module to decide on its own whether or not
an individual customer should be blocked.
To whitelist an address (or range) add an entry to the Apache configuration
in the following fashion:
DOSWhitelist 127.0.0.1
DOSWhitelist 127.0.0.*
Wildcards can be used on up to the last 3 octets if necessary. Multiple
DOSWhitelist commands may be used in the configuration.
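To make the thresholds above concrete, here is an added Python model of one child's decision logic. It is not the module's own code (which is C) and simplifies its counting: a fixed window per DOSPageInterval/DOSSiteInterval, the DOSBlockingPeriod timer restarted on every denied request, and DOSWhitelist matching with '*' in trailing octets. All addresses, URIs and timestamps in it are constructed.

```python
# Added example: a model of one Apache child's mod_dosevasive decision logic.
# Not the module's own code; it follows the README's description of
# DOSPageCount/Interval, DOSSiteCount/Interval, DOSBlockingPeriod, DOSWhitelist.

class DosEvasiveChild:
    def __init__(self, page_count=2, page_interval=1, site_count=50,
                 site_interval=1, blocking_period=10, whitelist=()):
        self.page_count = page_count
        self.page_interval = page_interval
        self.site_count = site_count
        self.site_interval = site_interval
        self.blocking_period = blocking_period
        self.whitelist = tuple(whitelist)
        self.page_hits = {}  # (ip, uri) -> [window_start, count]
        self.site_hits = {}  # ip -> [window_start, count]
        self.blocked = {}    # ip -> time at which the blocking period expires

    def is_whitelisted(self, ip):
        # DOSWhitelist entry: exact address, or '*' in place of trailing octets
        octets = ip.split(".")
        for pattern in self.whitelist:
            parts = pattern.split(".")
            if len(parts) == len(octets) == 4 and all(
                    p == "*" or p == o for p, o in zip(parts, octets)):
                return True
        return False

    @staticmethod
    def _over_limit(table, key, now, interval, limit):
        # Count hits inside a fixed window; True once the count exceeds limit
        entry = table.get(key)
        if entry is None or now - entry[0] >= interval:
            table[key] = [now, 1]  # first hit of a new window
            return False
        entry[1] += 1
        return entry[1] > limit

    def request(self, now, ip, uri):
        """Return the status the child would send for this request: 200 or 403."""
        if self.is_whitelisted(ip):
            return 200
        expiry = self.blocked.get(ip)
        if expiry is not None and now < expiry:
            # Still on the blocking list: deny and restart the blocking period
            self.blocked[ip] = now + self.blocking_period
            return 403
        over_page = self._over_limit(self.page_hits, (ip, uri), now,
                                     self.page_interval, self.page_count)
        over_site = self._over_limit(self.site_hits, ip, now,
                                     self.site_interval, self.site_count)
        if over_page or over_site:
            self.blocked[ip] = now + self.blocking_period
            return 403
        return 200

def simulate(child, requests):
    """Feed (time, ip, uri) tuples through the child; return the status codes."""
    return [child.request(t, ip, uri) for t, ip, uri in requests]

if __name__ == "__main__":
    # Constructed traffic: a scripted client hammering one URI five times in 0.5 s
    child = DosEvasiveChild(whitelist=["127.0.0.1", "10.0.0.*"])
    burst = [(i * 0.1, "198.51.100.7", "/index.html") for i in range(5)]
    print(simulate(child, burst))  # first two pass, the rest are 403
```

A fresh DosEvasiveChild models a newly spawned Apache child, which is why the text recommends a high but finite MaxRequestsPerChild: each new child starts with empty tables.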
TWEAKING APACHE
The keep-alive settings for your children should be reasonable enough to
keep each child up long enough to resist a DOS attack (or at least part of
one). For every child that exits, another 5-10 copies of the page may get
through before putting the attacker back into '403 Land'. With this said,
you should have a very high MaxRequestsPerChild, but not unlimited as this
will prevent cleanup.
You'll want to have a MaxRequestsPerChild set to a non-zero value, as
DosEvasive cleans up its internal hashes only on exit. The default
MaxRequestsPerChild is usually 10000. This should suffice in only allowing
a few requests per 10000 per child through in the event of an attack (although
if you use DOSSystemCommand to firewall the IP address, a hole will no
longer be open in between child cycles).
TESTING
Want to make sure it's working? Run test.pl, and view the response codes.
If the target machine is not localhost, be sure to change it in the script
first. You should receive 403 responses after the first 25-50 requests,
depending on your server configuration. Please don't use this script to
DoS others without their permission.
===============================================================================
mod_dosevasive v1.10
What is mod_dosevasive?
mod_dosevasive is an Apache module that provides evasive action against HTTP DoS/DDoS attacks or brute-force attacks. It can also be used as a network detection and management tool; with simple configuration it can talk to ipchains (IP chains?), firewalls, routers and similar devices, and it reports via email or the system log.
Attack detection is done by building an internal dynamic hash table of IP addresses and URIs, and blocking the same IP in the following cases:
1. Requesting the same page several times within the same second
2. Making more than 50 concurrent requests to the same child (object?)
3. Any request from an IP that is on the blacklist
This method works well against both single-source and distributed attacks, but like other defensive tools it only holds up to the point of bandwidth and processor consumption, which is why we recommend using it together with your firewalls and routers; only then does it provide the greatest protection.
This module has a built-in cleanup mechanism and scaling capability for different situations, so legitimate requests are not hindered; even a user who clicks "refresh" several times will not be affected unless they do so deliberately. mod_dosevasive is fully configurable through the Apache configuration file, is easy to integrate into your web server, and is easy to use.
DOSHashTableSize
----------------
The hash table size determines the number of top-level nodes of each child's hash table; a larger value avoids repeated table lookups but uses more memory. If your server has to handle heavy traffic, increase it. The value you specify will automatically be tiered up to the next prime number in the primes list (see mod_dosevasive.c for a list of primes used).
DOSPageCount
------------
The threshold number of requests for the same page (URI) within the page interval; once exceeded, the client IP is blacklisted.
DOSSiteCount
------------
The threshold number of requests for any object on the site within the site interval; once exceeded, the client IP is blacklisted.
DOSPageInterval
---------------
The interval for the same-page count; defaults to 1 second.
DOSSiteInterval
---------------
The interval for the site-wide count; defaults to 1 second.
DOSBlockingPeriod
-----------------
The blocking period is the length of time an IP on the blacklist is blocked; within this period, further requests from the client receive a 403 (Forbidden) error and the timer is reset. Because every request after blacklisting restarts the timer, the period does not need to be very long; under a DoS attack the timer keeps being reset.
DOSEmailNotify
--------------
If this option is set, an email notification is sent each time an IP is blacklisted. A mechanism prevents the same notification from being sent repeatedly.
Note: make sure MAILER is set correctly in mod_dosevasive.c (or mod_dosevasive20.c).
The default is "/bin/mail -t %s"
%s is the destination email address; if you are on Linux or another operating system with a different mailer, you need to change this.
DOSSystemCommand
----------------
If this is set, the specified system command is executed whenever an IP is blacklisted. This feature is designed so that an IP filter or other tools can be invoked when under attack; a built-in mechanism avoids reacting repeatedly to the same attack.
Use %s to denote the blacklisted IP.
DOSLogDir
---------
Choose an alternative temp directory
By default the "/tmp" directory is used for the locking mechanism, which opens some security issues if your system is open to shell users. (Translator's note: not sure about this part, it may be mistranslated.)
If you have unprivileged shell users, create a directory writable only by the user Apache runs as (usually root), then set it in httpd.conf.
WHITELISTING IP ADDRESSES
As of version 1.8 a trusted-IP (whitelist) mechanism is provided.
IPs on the trusted list are never blocked. This feature is mainly intended to protect software, scripts, local search bots, or other automated tools from being blocked when they request large amounts of data from the server.
Make sure not to use it for adding customer lists or any similar class of users, as this would hinder the module from doing its job.
Trusted IPs are added to the Apache configuration file as entries of the following form (an address range is allowed):
DOSWhitelist 127.0.0.1
DOSWhitelist 127.0.0.*
Wildcards can be used in the last three octets of the address, and multiple entries in either form may be used.
TWEAKING APACHE
The keep-alive settings are there to make sure attacks are stopped (or at least part of them). But before an attack is stopped and 403 pages are sent, 5-10 pages may still get through. So you must set MaxRequestsPerChild high enough, but not unlimited: a non-zero number. The default MaxRequestsPerChild is 10000. This still lets a small amount of attack traffic through, but combined with a firewall it is seamless.
TESTING
Run test.pl to check that the installation succeeded; if the target is not localhost, change the server address field in the script first. If it works, you will get 403 Forbidden responses after 25-50 requests (depending on your configuration). Please don't use this script to DoS others without their permission.