mod_evasiveでApacheのDoS対策 – CentOS 7

ApacheのDoS対策用拡張モジュールmod_evasiveを導入してみました｡

ZDZIARSKI’S BLOG OF THINGS – APACHE MOD_EVASIVE

Apache mod_evasive

【環境】
･CentOS Linux release 7.3.1611 (Core)
･kernel:3.10.0-514.6.1.el7.x86_64
･Apache/2.4.6 (CentOS)

epel repoインストール

mod_evasiveはepel repoからyumでインストールできます｡
epel repoをインスト-していない場合は最初にこれをインストールします｡

# yum -y install epel-release

1	# yum -y install epel-release

mod_evasiveインストール

# yum info mod_evasive
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: ftp.tsukuba.wide.ad.jp
 * epel: mirror.premi.st
 * extras: ftp.tsukuba.wide.ad.jp
 * updates: ftp.tsukuba.wide.ad.jp
Available Packages
Name        : mod_evasive
Arch        : x86_64
Version     : 1.10.1
Release     : 22.el7
Size        : 26 k
Repo        : epel/x86_64
Summary     : Denial of Service evasion module for Apache
URL         : http://www.zdziarski.com/blog/?page_id=442
License     : GPLv2+
Description : mod_evasive is an evasive maneuvers module for Apache to provide evasive
            : action in the event of an HTTP DoS or DDoS attack or brute force attack. It
            : is also designed to be a detection and network management tool, and can be
            : easily configured to talk to firewalls, routers, etc. mod_evasive presently
            : reports abuses via email and syslog facilities.

# repoquery --list mod_evasive
/etc/httpd/conf.d/mod_evasive.conf
/usr/lib64/httpd/modules/mod_evasive24.so
/usr/share/doc/mod_evasive-1.10.1
/usr/share/doc/mod_evasive-1.10.1/CHANGELOG
/usr/share/doc/mod_evasive-1.10.1/LICENSE
/usr/share/doc/mod_evasive-1.10.1/README
/usr/share/doc/mod_evasive-1.10.1/test.pl

# yum -y install mod_evasive
(snip)
Installed:
  mod_evasive.x86_64 0:1.10.1-22.el7

Complete!

# yum info mod_evasive

Loaded plugins: fastestmirror

Loading mirror speeds from cached hostfile

* base: ftp.tsukuba.wide.ad.jp

* epel: mirror.premi.st

* extras: ftp.tsukuba.wide.ad.jp

* updates: ftp.tsukuba.wide.ad.jp

Available Packages

Name : mod_evasive

Arch : x86_64

Version : 1.10.1

Release : 22.el7

Size : 26 k

Repo : epel/x86_64

Summary : Denial of Service evasion module for Apache

URL : http://www.zdziarski.com/blog/?page_id=442

License : GPLv2+

Description : mod_evasive is an evasive maneuvers module for Apache to provide evasive

: action in the event of an HTTP DoS or DDoS attack or brute force attack. It

: is also designed to be a detection and network management tool, and can be

: easily configured to talk to firewalls, routers, etc. mod_evasive presently

: reports abuses via email and syslog facilities.

# repoquery --list mod_evasive

/etc/httpd/conf.d/mod_evasive.conf

/usr/lib64/httpd/modules/mod_evasive24.so

/usr/share/doc/mod_evasive-1.10.1

/usr/share/doc/mod_evasive-1.10.1/CHANGELOG

/usr/share/doc/mod_evasive-1.10.1/LICENSE

/usr/share/doc/mod_evasive-1.10.1/README

/usr/share/doc/mod_evasive-1.10.1/test.pl

# yum -y install mod_evasive

(snip)

Installed:

mod_evasive.x86_64 0:1.10.1-22.el7

Complete!

設定ファイルの編集

/etc/httpd/conf.d/mod_evasive.confが設定ファイルになります｡
デフォルトでは下記の設定になっています｡

# cat /etc/httpd/conf.d/mod_evasive.conf
# mod_evasive configuration
LoadModule evasive20_module modules/mod_evasive24.so

<IfModule mod_evasive24.c>
    # The hash table size defines the number of top-level nodes for each
    # child's hash table.  Increasing this number will provide faster
    # performance by decreasing the number of iterations required to get to the
    # record, but consume more memory for table space.  You should increase
    # this if you have a busy web server.  The value you specify will
    # automatically be tiered up to the next prime number in the primes list
    # (see mod_evasive.c for a list of primes used).
    DOSHashTableSize    3097

    # This is the threshhold for the number of requests for the same page (or
    # URI) per page interval.  Once the threshhold for that interval has been
    # exceeded, the IP address of the client will be added to the blocking
    # list.
    DOSPageCount        2

    # This is the threshhold for the total number of requests for any object by
    # the same client on the same listener per site interval.  Once the
    # threshhold for that interval has been exceeded, the IP address of the
    # client will be added to the blocking list.
    DOSSiteCount        50

    # The interval for the page count threshhold; defaults to 1 second
    # intervals.
    DOSPageInterval     1

    # The interval for the site count threshhold; defaults to 1 second
    # intervals.
    DOSSiteInterval     1

    # The blocking period is the amount of time (in seconds) that a client will
    # be blocked for if they are added to the blocking list.  During this time,
    # all subsequent requests from the client will result in a 403 (Forbidden)
    # and the timer being reset (e.g. another 10 seconds).  Since the timer is
    # reset for every subsequent request, it is not necessary to have a long
    # blocking period; in the event of a DoS attack, this timer will keep
    # getting reset.
    DOSBlockingPeriod   10

    # If this value is set, an email will be sent to the address specified
    # whenever an IP address becomes blacklisted.  A locking mechanism using
    # /tmp prevents continuous emails from being sent.
    #
    # NOTE: Requires /bin/mail (provided by mailx)
    #DOSEmailNotify      you@yourdomain.com

    # If this value is set, the system command specified will be executed
    # whenever an IP address becomes blacklisted.  This is designed to enable
    # system calls to ip filter or other tools.  A locking mechanism using /tmp
    # prevents continuous system calls.  Use %s to denote the IP address of the
    # blacklisted IP.
    #DOSSystemCommand    "su - someuser -c '/sbin/... %s ...'"

    # Choose an alternative temp directory By default "/tmp" will be used for
    # locking mechanism, which opens some security issues if your system is
    # open to shell users.
    #
    #   http://security.lss.hr/index.php?page=details&ID=LSS-2005-01-01
    #
    # In the event you have nonprivileged shell users, you'll want to create a
    # directory writable only to the user Apache is running as (usually root),
    # then set this in your httpd.conf.
    #DOSLogDir           "/var/lock/mod_evasive"

    # You can use whitelists to disable the module for certain ranges of
    # IPs. Wildcards can be used on up to the last 3 octets if necessary.
    # Multiple DOSWhitelist commands may be used in the configuration.
    #DOSWhitelist   127.0.0.1
    #DOSWhitelist   192.168.0.*
</IfModule>

# cat /etc/httpd/conf.d/mod_evasive.conf

# mod_evasive configuration

LoadModule evasive20_module modules/mod_evasive24.so

# The hash table size defines the number of top-level nodes for each

# child's hash table. Increasing this number will provide faster

# performance by decreasing the number of iterations required to get to the

# record, but consume more memory for table space. You should increase

# this if you have a busy web server. The value you specify will

# automatically be tiered up to the next prime number in the primes list

# (see mod_evasive.c for a list of primes used).

DOSHashTableSize 3097

# This is the threshhold for the number of requests for the same page (or

# URI) per page interval. Once the threshhold for that interval has been

# exceeded, the IP address of the client will be added to the blocking

# list.

DOSPageCount 2

# This is the threshhold for the total number of requests for any object by

# the same client on the same listener per site interval. Once the

# threshhold for that interval has been exceeded, the IP address of the

# client will be added to the blocking list.

DOSSiteCount 50

# The interval for the page count threshhold; defaults to 1 second

# intervals.

DOSPageInterval 1

# The interval for the site count threshhold; defaults to 1 second

# intervals.

DOSSiteInterval 1

# The blocking period is the amount of time (in seconds) that a client will

# be blocked for if they are added to the blocking list. During this time,

# all subsequent requests from the client will result in a 403 (Forbidden)

# and the timer being reset (e.g. another 10 seconds). Since the timer is

# reset for every subsequent request, it is not necessary to have a long

# blocking period; in the event of a DoS attack, this timer will keep

# getting reset.

DOSBlockingPeriod 10

# If this value is set, an email will be sent to the address specified

# whenever an IP address becomes blacklisted. A locking mechanism using

# /tmp prevents continuous emails from being sent.

# NOTE: Requires /bin/mail (provided by mailx)

#DOSEmailNotify you@yourdomain.com

# If this value is set, the system command specified will be executed

# whenever an IP address becomes blacklisted. This is designed to enable

# system calls to ip filter or other tools. A locking mechanism using /tmp

# prevents continuous system calls. Use %s to denote the IP address of the

# blacklisted IP.

#DOSSystemCommand "su - someuser -c '/sbin/... %s ...'"

# Choose an alternative temp directory By default "/tmp" will be used for

# locking mechanism, which opens some security issues if your system is

# open to shell users.

# http://security.lss.hr/index.php?page=details&ID=LSS-2005-01-01

# In the event you have nonprivileged shell users, you'll want to create a

# directory writable only to the user Apache is running as (usually root),

# then set this in your httpd.conf.

#DOSLogDir "/var/lock/mod_evasive"

# You can use whitelists to disable the module for certain ranges of

# IPs. Wildcards can be used on up to the last 3 octets if necessary.

# Multiple DOSWhitelist commands may be used in the configuration.

#DOSWhitelist 127.0.0.1

#DOSWhitelist 192.168.0.*

</IfModule>

ログの設定

DOSLogDirがログファイルの設定になります｡
/var/log/httpdに書き出そうとしたのですが､アクセス権を変更するのも問題がありそうなので別途作成して書き出すことにしました｡

# vi /etc/httpd//conf.d/mod_evasive.conf
# cat /etc/httpd//conf.d/mod_evasive.conf
(snip)
DOSLogDir           "/var/log/mod_evasive"
(snip)

# mkdir /var/log/mod_evasive
# chown 0:apache /var/log/mod_evasive
# chmod 770 /var/log/mod_evasive
# ls -ld /var/log/mod_evasive
drwxrwx--- 2 root apache 6 Jan 31 21:07 /var/log/mod_evasive

# vi /etc/httpd//conf.d/mod_evasive.conf

# cat /etc/httpd//conf.d/mod_evasive.conf

(snip)

DOSLogDir "/var/log/mod_evasive"

(snip)

# mkdir /var/log/mod_evasive

# chown 0:apache /var/log/mod_evasive

# chmod 770 /var/log/mod_evasive

# ls -ld /var/log/mod_evasive

drwxrwx--- 2 root apache 6 Jan 31 21:07 /var/log/mod_evasive

Apache再読込

# apachectl graceful
# httpd -M | grep evasive
 evasive20_module (shared)

# apachectl graceful

# httpd -M | grep evasive

evasive20_module (shared)

動作テスト

/usr/share/doc/mod_evasive-1.10.1/test.plがテストプログラム(perl)です｡
閾値を超えると403(アクセス拒否)になります｡

# perl /usr/share/doc/mod_evasive-1.10.1/test.pl
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden

# perl /usr/share/doc/mod_evasive-1.10.1/test.pl

HTTP/1.1 200 OK

HTTP/1.1 403 Forbidden

ログの確認

# grep mod_evasive /var/log/messages
Jan 31 21:16:40 centos7 mod_evasive[1641]: Blacklisting address 127.0.0.1: possible DoS attack.
# ls -l /var/log/mod_evasive/
total 4
-rw-r--r-- 1 apache apache 5 Jan 31 21:16 dos-127.0.0.1
# cat /var/log/mod_evasive/dos-127.0.0.1
1641

# grep mod_evasive /var/log/messages

Jan 31 21:16:40 centos7 mod_evasive[1641]: Blacklisting address 127.0.0.1: possible DoS attack.

# ls -l /var/log/mod_evasive/

total 4

-rw-r--r-- 1 apache apache 5 Jan 31 21:16 dos-127.0.0.1

# cat /var/log/mod_evasive/dos-127.0.0.1

1641

設定値についてはサイトの運用状況によって変更して下さい｡

日	月	火	水	木	金	土
1	2	3	4	5	6	7
8	9	10	11	12	13	14
15	16	17	18	19	20	21
22	23	24	25	26	27	28
29	30	31

RootLinks Co., Ltd.

mod_evasiveでApacheのDoS対策 – CentOS 7

Leave a Reply Cancel Reply

RootLinks Co., Ltd.

mod_evasiveでApacheのDoS対策 – CentOS 7

Related posts:

Leave a Reply Cancel Reply