I tried installing mod_evasive, an Apache module for mitigating DoS attacks.
ZDZIARSKI’S BLOG OF THINGS – APACHE MOD_EVASIVE
[Environment]
- CentOS Linux release 7.3.1611 (Core)
- kernel: 3.10.0-514.6.1.el7.x86_64
- Apache/2.4.6 (CentOS)

- Install the epel repo
- Install mod_evasive
- Edit the configuration file
- Configure the log directory
- Reload Apache
- Run a test
- Check the logs
[Install the epel repo]
mod_evasive can be installed with yum from the epel repo.
If the epel repo is not installed yet, install it first.

# yum -y install epel-release
[Install mod_evasive]

# yum info mod_evasive
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: ftp.tsukuba.wide.ad.jp
 * epel: mirror.premi.st
 * extras: ftp.tsukuba.wide.ad.jp
 * updates: ftp.tsukuba.wide.ad.jp
Available Packages
Name        : mod_evasive
Arch        : x86_64
Version     : 1.10.1
Release     : 22.el7
Size        : 26 k
Repo        : epel/x86_64
Summary     : Denial of Service evasion module for Apache
URL         : http://www.zdziarski.com/blog/?page_id=442
License     : GPLv2+
Description : mod_evasive is an evasive maneuvers module for Apache to provide evasive
            : action in the event of an HTTP DoS or DDoS attack or brute force attack. It
            : is also designed to be a detection and network management tool, and can be
            : easily configured to talk to firewalls, routers, etc. mod_evasive presently
            : reports abuses via email and syslog facilities.

# repoquery --list mod_evasive
/etc/httpd/conf.d/mod_evasive.conf
/usr/lib64/httpd/modules/mod_evasive24.so
/usr/share/doc/mod_evasive-1.10.1
/usr/share/doc/mod_evasive-1.10.1/CHANGELOG
/usr/share/doc/mod_evasive-1.10.1/LICENSE
/usr/share/doc/mod_evasive-1.10.1/README
/usr/share/doc/mod_evasive-1.10.1/test.pl

# yum -y install mod_evasive
(snip)
Installed:
  mod_evasive.x86_64 0:1.10.1-22.el7

Complete!
[Edit the configuration file]
The configuration file is /etc/httpd/conf.d/mod_evasive.conf.
By default it contains the following settings.
# cat /etc/httpd/conf.d/mod_evasive.conf
# mod_evasive configuration

LoadModule evasive20_module modules/mod_evasive24.so

<IfModule mod_evasive24.c>
    # The hash table size defines the number of top-level nodes for each
    # child's hash table.  Increasing this number will provide faster
    # performance by decreasing the number of iterations required to get to the
    # record, but consume more memory for table space.  You should increase
    # this if you have a busy web server.  The value you specify will
    # automatically be tiered up to the next prime number in the primes list
    # (see mod_evasive.c for a list of primes used).
    DOSHashTableSize    3097

    # This is the threshhold for the number of requests for the same page (or
    # URI) per page interval.  Once the threshhold for that interval has been
    # exceeded, the IP address of the client will be added to the blocking
    # list.
    DOSPageCount        2

    # This is the threshhold for the total number of requests for any object by
    # the same client on the same listener per site interval.  Once the
    # threshhold for that interval has been exceeded, the IP address of the
    # client will be added to the blocking list.
    DOSSiteCount        50

    # The interval for the page count threshhold; defaults to 1 second
    # intervals.
    DOSPageInterval     1

    # The interval for the site count threshhold; defaults to 1 second
    # intervals.
    DOSSiteInterval     1

    # The blocking period is the amount of time (in seconds) that a client will
    # be blocked for if they are added to the blocking list.  During this time,
    # all subsequent requests from the client will result in a 403 (Forbidden)
    # and the timer being reset (e.g. another 10 seconds).  Since the timer is
    # reset for every subsequent request, it is not necessary to have a long
    # blocking period; in the event of a DoS attack, this timer will keep
    # getting reset.
    DOSBlockingPeriod   10

    # If this value is set, an email will be sent to the address specified
    # whenever an IP address becomes blacklisted.  A locking mechanism using
    # /tmp prevents continuous emails from being sent.
    #
    # NOTE: Requires /bin/mail (provided by mailx)
    #DOSEmailNotify      you@yourdomain.com

    # If this value is set, the system command specified will be executed
    # whenever an IP address becomes blacklisted.  This is designed to enable
    # system calls to ip filter or other tools.  A locking mechanism using /tmp
    # prevents continuous system calls.  Use %s to denote the IP address of the
    # blacklisted IP.
    #DOSSystemCommand    "su - someuser -c '/sbin/... %s ...'"

    # Choose an alternative temp directory  By default "/tmp" will be used for
    # locking mechanism, which opens some security issues if your system is
    # open to shell users.
    #
    # http://security.lss.hr/index.php?page=details&ID=LSS-2005-01-01
    #
    # In the event you have nonprivileged shell users, you'll want to create a
    # directory writable only to the user Apache is running as (usually root),
    # then set this in your httpd.conf.
    #DOSLogDir           "/var/lock/mod_evasive"

    # You can use whitelists to disable the module for certain ranges of
    # IPs.  Wildcards can be used on up to the last 3 octets if necessary.
    # Multiple DOSWhitelist commands may be used in the configuration.
    #DOSWhitelist   127.0.0.1
    #DOSWhitelist   192.168.0.*
</IfModule>
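To see how the directives above combine, here is an added example (not mod_evasive's or this blog's code) that models the documented semantics of DOSPageCount, DOSSiteCount, the two intervals, DOSBlockingPeriod and DOSWhitelist with the default values shown. It assumes a single shared hit table, whereas the real module keeps one table per httpd child process, so on a prefork server the counts accumulate per child.

```python
# Added example, not mod_evasive's own code: a model of the thresholds documented
# in the EPEL mod_evasive.conf, using the page's default values. Assumed
# simplification: one shared hit table (the real module keeps one per httpd child).
from dataclasses import dataclass

@dataclass
class EvasiveConfig:
    page_count: int = 2        # DOSPageCount
    site_count: int = 50       # DOSSiteCount
    page_interval: int = 1     # DOSPageInterval (seconds)
    site_interval: int = 1     # DOSSiteInterval (seconds)
    blocking_period: int = 10  # DOSBlockingPeriod (seconds)
    whitelist: tuple = ()      # DOSWhitelist patterns such as "192.168.0.*"

class EvasiveModel:
    def __init__(self, cfg):
        self.cfg = cfg
        self.page_hits = {}  # (ip, uri) -> (window_start, count)
        self.site_hits = {}  # ip -> (window_start, count)
        self.blocked = {}    # ip -> time of the last request seen while blocked

    def whitelisted(self, ip):  # "*" may stand in for any octet
        return any(all(p in ("*", o) for p, o in zip(w.split("."), ip.split(".")))
                   for w in self.cfg.whitelist)

    def _over(self, table, key, t, interval, limit):
        start, count = table.get(key, (t, 0))
        if t - start >= interval:  # interval elapsed: the counter starts over
            start, count = t, 0
        table[key] = (start, count + 1)
        return count + 1 > limit   # "exceeded" means strictly more than the limit

    def request(self, ip, uri, t):
        # Status the modelled module would return for one request at time t.
        if self.whitelisted(ip):
            return 200
        last = self.blocked.get(ip)
        if last is not None and t - last < self.cfg.blocking_period:
            self.blocked[ip] = t   # each request during the block resets the timer
            return 403
        self.blocked.pop(ip, None)
        cfg = self.cfg
        over_page = self._over(self.page_hits, (ip, uri), t, cfg.page_interval, cfg.page_count)
        over_site = self._over(self.site_hits, ip, t, cfg.site_interval, cfg.site_count)
        if over_page or over_site:
            self.blocked[ip] = t
            return 403
        return 200

def replay(cfg, requests):
    model = EvasiveModel(cfg)
    return [model.request(ip, uri, t) for ip, uri, t in requests]
```

replay() returns one status per (ip, uri, time) tuple, so three hits on the same URI within a second from one address give [200, 200, 403], and a client that keeps sending while blocked stays blocked until it is quiet for a full DOSBlockingPeriod.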
[Configure the log directory]
DOSLogDir sets the directory that mod_evasive writes its files to.
I wanted to write to /var/log/httpd, but changing that directory's permissions seemed problematic, so I created a separate directory for it instead.

# vi /etc/httpd//conf.d/mod_evasive.conf
# cat /etc/httpd//conf.d/mod_evasive.conf
(snip)
    DOSLogDir           "/var/log/mod_evasive"
(snip)

# mkdir /var/log/mod_evasive
# chown 0:apache /var/log/mod_evasive
# chmod 770 /var/log/mod_evasive
# ls -ld /var/log/mod_evasive
drwxrwx--- 2 root apache 6 Jan 31 21:07 /var/log/mod_evasive
[Reload Apache]

# apachectl graceful
# httpd -M | grep evasive
 evasive20_module (shared)
[Run a test]
/usr/share/doc/mod_evasive-1.10.1/test.pl is the test program (Perl).
Once the threshold is exceeded, the responses become 403 (Forbidden).

# perl /usr/share/doc/mod_evasive-1.10.1/test.pl
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
[Check the logs]

# grep mod_evasive /var/log/messages
Jan 31 21:16:40 centos7 mod_evasive[1641]: Blacklisting address 127.0.0.1: possible DoS attack.
# ls -l /var/log/mod_evasive/
total 4
-rw-r--r-- 1 apache apache 5 Jan 31 21:16 dos-127.0.0.1
# cat /var/log/mod_evasive/dos-127.0.0.1
1641
Adjust the threshold values to suit how your site is actually used.