Mod evasive not working properly on ubuntu 10.04

apache-2.2ddos

I have an ubuntu 10.04 server where I installed mod_evasive using apt-get install libapache2-mod-evasive

I already tried several configurations, the result stays the same.

The blocking does work, but randomly.

I tried with low limis and long blocking periods as well as short limits.

The behaviour I expect is that I can request websites until either page or site limit is reached per given interval.
After that I expect to be blocked until I did not make another request for as long as the block period.

However the behaviour is that I can request sites and after a while I get random 403 blocks, which increase and decrase in percentage, however they are very scattered.

This is an output of siege, so you get an idea:

HTTP/1.1 200   0.09 secs:      75 bytes ==> /robots.txt
HTTP/1.1 403   0.08 secs:     242 bytes ==> /robots.txt
HTTP/1.1 200   0.08 secs:      75 bytes ==> /robots.txt
HTTP/1.1 403   0.08 secs:     242 bytes ==> /robots.txt
HTTP/1.1 200   0.11 secs:      75 bytes ==> /robots.txt
HTTP/1.1 403   0.08 secs:     242 bytes ==> /robots.txt
HTTP/1.1 200   0.08 secs:      75 bytes ==> /robots.txt
HTTP/1.1 403   0.09 secs:     242 bytes ==> /robots.txt
HTTP/1.1 200   0.08 secs:      75 bytes ==> /robots.txt
HTTP/1.1 200   0.09 secs:      75 bytes ==> /robots.txt
HTTP/1.1 200   0.08 secs:      75 bytes ==> /robots.txt
HTTP/1.1 200   0.09 secs:      75 bytes ==> /robots.txt
HTTP/1.1 403   0.08 secs:     242 bytes ==> /robots.txt
HTTP/1.1 200   0.08 secs:      75 bytes ==> /robots.txt
HTTP/1.1 403   0.08 secs:     242 bytes ==> /robots.txt
HTTP/1.1 200   0.10 secs:      75 bytes ==> /robots.txt
HTTP/1.1 403   0.08 secs:     242 bytes ==> /robots.txt
HTTP/1.1 200   0.08 secs:      75 bytes ==> /robots.txt
HTTP/1.1 403   0.09 secs:     242 bytes ==> /robots.txt
HTTP/1.1 200   0.10 secs:      75 bytes ==> /robots.txt
HTTP/1.1 403   0.09 secs:     242 bytes ==> /robots.txt
HTTP/1.1 200   0.09 secs:      75 bytes ==> /robots.txt
HTTP/1.1 200   0.08 secs:      75 bytes ==> /robots.txt
HTTP/1.1 200   0.09 secs:      75 bytes ==> /robots.txt
HTTP/1.1 200   0.08 secs:      75 bytes ==> /robots.txt
HTTP/1.1 200   0.10 secs:      75 bytes ==> /robots.txt
HTTP/1.1 200   0.08 secs:      75 bytes ==> /robots.txt

The exac limits in place during this test run were:

DOSHashTableSize 3097
DOSPageCount 10
DOSSiteCount 100
DOSPageInterval 10
DOSSiteInterval 10
DOSBlockingPeriod 120
DOSLogDir /var/log/mod_evasive
DOSEmailNotify ***@gmail.com
DOSWhitelist 127.0.0.1

So I would expect to be blocked at least 120 seconds after being blocked once.

Any ideas aobut this?

I also tried adding my configuration at different places (vhost, server config, directory context) and with of without ifmodule directive…

This doesnt change anything.

Best Answer

This issue can be caused by using apache in prefork mode, each counter of mod_evasive are not shared between process.

Post about it on serverfault

Related Topic