I have tried to find all the information I could on this and I understand the problem with mod_evasive not working when the server is in the mpm_prefork mode (instead of worker).
However, I was able to make it partially work by lowering the
StartServers
MinSpareServers
MaxSpareServers
in the config file. So my question is: if I configure the mpm_prefork.conf
:
StartServers 1
MinSpareServers 0
MaxSpareServers 0
MaxRequestWorkers 150
MaxConnectionsPerChild 0
would that basically equal to one instance running (as if 'worker'), in which case mod_evasive would be still running as if the server was running as a 'worker'?
Are there any potential problems in such a setup? (such as a lot of legitimate requests not being handled, etc)? Are there any other options for my basic requirements (would mod_security be helpful?)
I understand this is not the best way to mitigate attacks, but I am just looking for basic security against custom crawlers which occasionally overload my server with dozens of requests per second.
Best Answer
It looks like the counters used by mod_evasive are not shared between processes. Hence each time mpm_prefork spawns a new process, the counters are back to 0.
One way to make mod_evasive work with mpm_prefork is hence to have:
MaxConnectionsPerChild 0
(So processes won't be recycled. However this can be dangerous in case of memory leak so you should use a large value instead of 0)This is only based on the behavior I could observe on my own server and should be carefully tested.