mod_evasive issues

Comments

7 comments

  • bellwood
    You're best posting here (I think):
    0
  • cPRex Jurassic Moderator
    @manager23 - thanks for taking the time to write this up. I'll do some additional testing on my end tomorrow and send you some more details then.
    0
  • cPRex Jurassic Moderator
    @manager23 - we've had some things come up so I'm not sure if I'll get to this today. I will definitely test this and report back!
    0
  • cPRex Jurassic Moderator
    I've talked with our team and confirmed that cPanel doesn't make any customizations to the mod_evasive module, so if there are issues with the tool itself it would best be reported to the creator here:
    0
  • manager23
    @cPRex: About DOSBlockingPeriod: I don't think it explains #1. I'm testing this by first triggering a block via a quick series of requests. Then wait 15 seconds before doing another request. If I have set the DOSBlockingPeriod to 30, I would expect to still be blocked, but the block is removed after 10 seconds of inactivity, regardless of what I specify for DOSBlockingPeriod. But I'll report it to the upstream maintainer. Should I report back here if upstream code is updated or is that checked automatically somehow?

    edit (wanted to edit topic start, but probably too late):

    ISSUE 9: mod_evasive vs mod_remoteip

    If you have both installed and are using (for example) Cloudflare and want to whitelist the original visitor IPnr, you'll find that while mod_remoteip can retrieve the original visitor IPnr and it gets stored in access logs just fine, mod_evasive unfortunately ignores what mod_remoteip does and still uses the Cloudflare IPnrs. If you then try to whitelist the netblocks on Ubuntu Manpage: sipcalc - IP subnet calculator) to do it like this, because you end up with a list of 6000+ netblocks, so it's not something you want to do manually:

        curl https://www.cloudflare.com/ips-v4 | \
          xargs -n1 sipcalc -s /24 | \
          grep Network | \
          cut -d- -f2 | \
          cut -d' ' -f2 | \
          sed -e 's/\.0$/.*/' -e 's/^/DOSWhitelist /' \
          > /etc/apache2/mod_evasive.cloudflare.ipv4.conf

    And then add this to the mod_evasive config file, followed by a reload of the apache config (service httpd reload):

        Include /etc/apache2/mod_evasive.cloudflare.ipv4.conf

    You'd have to do this periodically, in case Cloudflare adds more netblocks.

    edit2 (adding to issue 9): In Cloudflare DNS, you also have to make sure the IPnr of the cPanel server is only listed via IPv4 (A) and not IPv6 (AAAA), otherwise you'd have to whitelist IPv6 netblocks as well. Didn't find documentation on how to whitelist IPv6 addresses. Looking at the code, it seems to be targeted only at IPv4 addresses... and it seems I misread the documentation. For IPv4, instead of 162.158.* (which doesn't give an error, but doesn't work either) it seems that 162.158.*.* would work, so you can use wildcards like 1.*.*.*, 1.2.*.* and 1.2.3.* to match class A, B and C netblocks respectively. You'd still have to convert from the CIDR notation Cloudflare uses to a series of class B and C networks (which results in a smaller set than just generating class C netblocks). Leaving that as an exercise to the reader ;)
    0
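    The CIDR-to-wildcard conversion the post above leaves as an exercise, as an added example that is not from this thread or from the mod_evasive project: it expands each IPv4 block into the fewest A.*.*.* / A.B.*.* / A.B.C.* entries the post says DOSWhitelist accepts (taken here as an assumption), lists addresses one by one for blocks narrower than a /24, and rejects IPv6 since the post found no support for it. The names cidr_to_doswhitelist, render_config and SAMPLE_CIDRS are made up for this example, and the sample blocks are constructed, not Cloudflare's list.

```python
import ipaddress
from typing import Dict, List

# Wildcard shapes the thread reports mod_evasive accepts (assumption: IPv4 only,
# and only A.*.*.*, A.B.*.* and A.B.C.* plus exact addresses).
WILDCARD_LEVELS = ((8, 3), (16, 2), (24, 1))


def cidr_to_doswhitelist(cidr: str) -> List[str]:
    """Expand one IPv4 CIDR block into the fewest DOSWhitelist wildcard entries."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        # The thread found no IPv6 support in the whitelist code; refuse rather
        # than emit an entry that would silently never match.
        raise ValueError(f"DOSWhitelist is IPv4-only, cannot use {cidr}")
    # Use the widest wildcard boundary that still lies inside the block:
    # a /15 becomes two A.B.*.* entries, a /22 becomes four A.B.C.* entries.
    for prefix, stars in WILDCARD_LEVELS:
        if net.prefixlen <= prefix:
            entries = []
            for sub in net.subnets(new_prefix=prefix):
                octets = str(sub.network_address).split(".")[: 4 - stars]
                entries.append(".".join(octets + ["*"] * stars))
            return entries
    # Narrower than /24: a wildcard would over-match, so list every address.
    return [str(addr) for addr in net]


def render_config(cidrs: List[str]) -> str:
    """Build the Include file body: one 'DOSWhitelist <entry>' line per entry."""
    seen: Dict[str, None] = {}
    for cidr in cidrs:
        for entry in cidr_to_doswhitelist(cidr):
            seen.setdefault(entry, None)  # dedupe while keeping input order
    return "".join(f"DOSWhitelist {entry}\n" for entry in seen)


# Constructed sample input (not Cloudflare's real list): in practice, fetch
# https://www.cloudflare.com/ips-v4 and pass its lines to render_config().
SAMPLE_CIDRS = ["162.158.0.0/15", "198.51.100.0/22", "203.0.113.8/30"]

if __name__ == "__main__":
    print(render_config(SAMPLE_CIDRS), end="")
```

    As the post notes, the generated Include file has to be regenerated whenever the upstream list changes.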
  • cPRex Jurassic Moderator
    Feel free to post back here if you do hear from the upstream crew about any changes!
    0
  • Steve Kemp
    I just noticed the issue about the nobody@ email issues with my own mod_evasive installs, but I found that the fix suggested:

    [QUOTE]
    ISSUE 5 (bug?): The notifications that I'm getting had an empty subject and what was supposed to be in headers (subject / to) ended up in the body of the email. A very dirty way to fix that is:

        sed -i 's/mail %s/mail -t/' /usr/lib64/apache2/modules/mod_evasive24.so

    Originally, it calls the /bin/mail program with the recipient email address as argument (%s), but if you leave out the argument and instead supply the option "-t" it parses the supplied headers for the recipient address.
    [/QUOTE]

    Solved the issue for me, although it'll probably be undone if there's ever an update of the mod_evasive package installed. edit: see also
    0