mod_evasive And Moodle

fmosse

• September 05, 2018 23:50

Hi, I have EASY APACHE 4 with Apache 2.4, PHP 5.4, PHP 5.5, PHP 5.6, and PHP 7.0 I have some sites with Moodle that give random intermitent 403 error while surfing. This also happens in some sites in PHP with dozens of images. (Some images, randomly, are not shown... even if I try to enter then directly with the browser, they show 403 error. If I wait some seconds and refresh, they work) I have read that it"s related to mod_evasive. Can it be suspended or reconfigurated for some domains hosted in my WHM? Thanks, Francisco

• 

  cPanelLauren

  • September 06, 2018 16:25

  Hi @fmosse Are you sure you have mod_evasive installed? You can check by running the following: rpm -qa |grep evasive
  There could potentially be other reasons this is occurring, what is your OS? When the issue occurs do you see anything related in /etc/apache2/logs/error_log
  

  0
• 

  fmosse

  • September 06, 2018 19:26

  Hi @fmosse Are you sure you have mod_evasive installed? You can check by running the following: rpm -qa |grep evasive
  There could potentially be other reasons this is occurring, what is your OS? When the issue occurs do you see anything related in /etc/apache2/logs/error_log
  

  
  Hi, I have CENTOS 6.10 standard [host] with WHM I executed it and I get ea-apache24-mod_evasive-1.10.1-4.5.53.cpanel.x86_64 Thanks, Francisco

  0
• 

  cPanelLauren

  • September 06, 2018 20:29

  Hi @fmosse Ok, you do definitely have mod_evasive but unfortunately it can't be disabled per VirtualHost. You can read about this in their FAQ here Mod evasive - Atomicorp Wiki You could whitelist the offending IP address but because the issue is intermittent it wouldn't be a proactive solution. The only way to stop mod_evasive from doing it's job essentially.

  0
• 

  fmosse

  • September 07, 2018 06:48

  Hi @fmosse Ok, you do definitely have mod_evasive but unfortunately it can't be disabled per VirtualHost. You can read about this in their FAQ here

  0
• 

  cPanelLauren

  • September 07, 2018 13:02

  Hi @fmosse Due to the nature of the module VirtualHost exceptions would completely defeat the purpose. You could make modifications to the point at which it begins blocking by modifying one or several of the following: [QUOTE] MODEV_DOSPageCount This is the threshhold for the number of requests for the same page (or URI) per page interval. Once the threshhold for that interval has been exceeded, the IP address of the client will be added to the blocking list. MODEV_DOSSiteCount This is the threshhold for the total number of requests for any object (unlike MODEV_DOSPageCount which is for the same page) by the same client on the same listener per site interval. Once the threshhold for that interval has been exceeded, the IP address of the client will be added to the blocking list. MODEV_DOSPageInterval The interval for the page count threshhold; defaults to 1 second intervals. MODEV_DOSSiteInterval The interval for the site count threshhold; defaults to 1 second intervals. MODEV_DOSBlockingPeriod The blocking period is the amount of time (in seconds) that a client will be blocked for if they are added to the blocking list. During this time, all subsequent requests from the client will result in a 403 (Forbidden) and the timer being reset (e.g. another 10 seconds). Since the timer is reset for every subsequent request, it is not necessary to have a long blocking period; in the event of a DoS attack, this timer will keep getting reset.
  The configuration file to modify is located at /etc/apache2/conf.d/300-mod_evasive.conf
  

  0
• 

  fmosse

  • September 07, 2018 16:47

  Hi, Thanks for your reply! This configuration will afect all the domain hosted in that server. Can I modify this per domain? So for some sites I activate it and for some don"t? With is the values that you recommend? I have sites that in one page they load 50 images for example and some load and some doesn"t. And if you try to enter one image directly you simply get the 403 error. If you wait some seconds and reresh it loads... Thanks, Francisco

  0
• 

  cPanelLauren

  • September 07, 2018 18:47

  Hi @fmosse As I've mentioned before and is documented in the mod_evasive documentation you cannot modify this per VirtualHost (domain). I can't tell you what values to add/change because I don't know your system and the traffic you receive. I would suggest enlisting the assistance of a system administrator to change this if you feel uncomfortable - if you don't have one you might find one here: System Administration Services | cPanel Forums You may also want to look at other DDoS mitigation solutions if this doesn't work for you - CSF has some features for this, CDN's like CloudFlare also are solutions some in employ successfully.

  0

Please sign in to leave a comment.