Apache 2.4 - ignoring .conf file

[demilicious]

I'm having issues with this fork ignoring my .conf files. It continues to log to /tmp and whitelisted IPs get blocked. I'm on Ubuntu 14.04 LTS and Apache 2.4.

Relevant configs + permissions:

ryan@ip-10-0-5-164:~$ sudo cat /etc/apache2/mods-available/evasive20.conf
<IfModule mod_evasive24.so>
    DOSHashTableSize    3097
    DOSPageCount        1
    DOSSiteCount        1
    DOSPageInterval     1
    DOSSiteInterval     1
    DOSBlockingPeriod   90

    DOSWhitelist    127.0.0.1

    #DOSEmailNotify      you@yourdomain.com
    #DOSSystemCommand    "su - someuser -c '/sbin/... %s ...'"
    DOSLogDir           /var/log/apache2/mod_evasive
</IfModule>

ryan@ip-10-0-5-164:~$ sudo cat /etc/apache2/mods-available/evasive20.load
LoadModule evasive20_module   /usr/lib/apache2/modules/mod_evasive24.so

ryan@ip-10-0-5-164:~$ ls -l /usr/lib/apache2/modules/ | grep evasive
-rw-r--r-- 1 root root   58838 Feb 18 00:12 mod_evasive24.so

mod is enabled:

ryan@ip-10-0-5-164:~$ sudo a2enmod evasive20
Module evasive20 already enabled

Running the conventional Perl test script results in 403s and log files output to /tmp:

ryan@ip-10-0-5-164:~$ perl test.pl
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden

ryan@ip-10-0-5-164:~$ ls -l /tmp
total 16
-rw-r--r-- 1 www-data www-data    6 Feb 18 17:02 dos-127.0.0.1

[davemidd]

Check the ownership on /var/log/apache2/mod_evasive
The directory should be the same as the use that is running apache - in your example it looks like it should be www-data:www-data.

[BuriXon-code]

The problem is in the naming of the module and the .so file - if you are still interested in the topic, leave a comment here.
The author has probably abandoned the project (both the original author and the fork authors), but I'm just sitting down and working on it.

[esabol]

I'm still interested in this project. If you intend to fork, @BuriXon-code, and take over maintaining it, I'd be interested in following your efforts.

[BuriXon-code]

I'm currently working on it. I managed to make a version that compiles correctly on Apache v2.4 and reads the config, but I still have a few more ideas ;)

I started working on it because I liked the project, BUT I would prefer response 429 instead of 403 -> that's what I have and it works.

If anything happens, I'll let you know how it goes.

[BuriXon-code]

I'm also considering creating a more modern and readable version as a separate repository/module – the same purpose, but 100% mine. I don't intend to abandon the project, as I use it myself. It would probably be more enjoyable and more sensible than forking.

I'm currently using this module on my Apache 2.4 server; you can try to DDoS my website, but be very careful, as I have low thresholds and an extensive system for blocking via Cloudflare and iptables proxies.
You can see that it's running on Apache 2.4, that it's reading the config (5 hits per page / 25 hits per site), and that it's returning 429 (my edit), not 403.

I don't have anything more to show right now, as I wanted to make some sensible, working versions before pushing repos/forks. For now, you can just take my word for it.

I didn't use the shivaas/mod_evasive repository because I preferred to do it myself.

[BuriXon-code]

@esabol What features could be helpful in this module?

I'm almost done, but I'm still thinking about additional features:

1. DOSSensitiveCount, DOSSensitiveAdd - option to assign lower/higher trigger thresholds to specific URIs.
2. Option to use/configure not only in RSRC conf but also in .htaccess/VirtualHost

In addition, I did:

• port to Apache 2.4 (error-free compilation, unique module name, normal working config);
• corrected module logs (readable logs in /var/log/apache2/ or DOSMainLog);
• added response code switch (default: 403 FORBIDDEN, available 403 or 429);
• reworked and improved DOSWhitelist;
• Client IP read from r->useragent_ip instead of r->connection->remote/client_ip (also works correctly through proxy/NAT by reading IP from HTTP headers).

I would appreciate any suggestions now while the code is still fresh :))

I'll be making the first release this weekend.

[esabol]

@BuriXon-code : One of the things I have noticed is that it only seems to block IPv4 addresses and not do anything with IPv6. At least I have never seen any IPv6 addresses in the directory showing the blocked IPs. Now this might have to do something with our load balancer setup. The IPv6 address is only passed to the server in an X-Forwarded-For: header, and it may not even be the first IP address listed in that header (I don't recall at the moment, but I know you can have multiple IP addresses listed, separated by a comma). Anything you can do about this? Or have we not configured it correctly?

[BuriXon-code]

I use useragnet_ip instead of client_ip, so X-Forwarded-For is also included -> previous versions and forks did not WORK properly with proxy connections, but I fixed that :)
Now both IPv4 and IPv6 are passed to the module.

[esabol]

@BuriXon-code wrote:

I'm almost done, but I'm still thinking about additional features:

1. DOSSensitiveCount, DOSSensitiveAdd - option to assign lower/higher trigger thresholds to specific URIs.
2. Option to use/configure not only in RSRC conf but also in .htaccess/VirtualHost

Those are both excellent ideas!

In addition, I did:

Great work!

I'm very much looking forward to your release!

[BuriXon-code]

@esabol

Imanaged to make custom Count levels for different URIs :)

Try to "atack" me:

1. Normal setting DOSPageCount 15:

while :; do curl -s -I https://burixon.dev/ | grep 'HTTP/'; done

2. Custom setting DOSCustomLevelCount 1 for /about/ URI:

while :; do curl -s -I https://burixon.dev/about/ | grep 'HTTP/'; done

3. With UserAgent containing "googlebot" - added option DOSWhitelistUA *googlebot*:

while :; do curl -s -I https://burixon.dev/about/ -A "foo-googlebot-bar" | grep 'HTTP/'; done

You should see that in case 1 the lock comes very late (or not at all), in case 2 the lock comes very quickly, and in case 3 it never comes.

I'm currently working on adding configs to VitrualHost, but so far it's ending up with a Segmentation fault.

[BuriXon-code]

@esabol
Now try this:

main VirtualHost with DOSPageCount 15

while :; do curl -s -I https://burixon.dev/ | grep 'HTTP/'; done

and test VirtualHost with own DOSPageCount 1

while :; do curl -s -I https://test.burixon.dev/ | grep 'HTTP/'; done

Success... ;)

[esabol]

@BuriXon-code : I just tested all of the commands in your above two posts. I get 200 OK for all of them (doing upwards of 50 requests each) except for the last one. For the last one, I get intermittent 403s among the 200 OKs. Not what I expected to see.

HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 403 Forbidden
HTTP/1.1 200 OK
HTTP/1.1 403 Forbidden
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 403 Forbidden
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 403 Forbidden
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 200 OK
^C

I think I am coming from an IPv6 address.

[BuriXon-code]

Sorry, friend, I had to change /about/ back to normal configuration because crawlers and bots (including those from Google) started blocking it.

As for the responses you are displaying - they look fine.

while :; do curl -s -I https://burixon.dev/ | grep 'HTTP/'; dobę

in the first output the blocking will never occur because the limit is set quite high

while :; do curl -s -I https://burixon.dev/ | grep 'HTTP/'; dobę

Here, the first 403s will start appearing quickly because the limit is set low. Try keeping the curl a little longer and you'll see this:

┌╼[ u0_a655 ~ 19:42 ] ╾╼ (~) (0)
└──╼$ while :; do curl "https://test.burixon.dev/" -s -I | grep 'HTTP/'; done
HTTP/2 200
HTTP/2 200
HTTP/2 200
HTTP/2 403
HTTP/2 200
HTTP/2 200
HTTP/2 200
HTTP/2 200                                                                  
HTTP/2 200
HTTP/2 403                                                             
HTTP/2 200
HTTP/2 200
HTTP/2 403
HTTP/2 200
HTTP/2 200
HTTP/2 200
HTTP/2 403
HTTP/2 403
HTTP/2 200
HTTP/2 403
HTTP/2 403
HTTP/2 403
HTTP/2 403
HTTP/2 403
HTTP/2 403
HTTP/2 403
HTTP/2 200
HTTP/2 403
HTTP/2 403
HTTP/2 403
HTTP/2 200
HTTP/2 403
HTTP/2 200
HTTP/2 403                                                                  
HTTP/2 403
HTTP/2 403
HTTP/2 403
HTTP/2 403
HTTP/2 403
HTTP/2 200
HTTP/2 403
HTTP/2 200
HTTP/2 403
HTTP/2 403                                                                 
HTTP/2 403
HTTP/2 403
HTTP/2 403
HTTP/2 200
HTTP/2 403
HTTP/2 200
HTTP/2 403
HTTP/2 403
HTTP/2 403
HTTP/2 403
HTTP/2 403

the first few or a dozen requests are mixed 200/403 to exclude false positives - on purpose, so as not to accidentally block users who did not intentionally trigger the block.
The next ones go normally with a 403 response.
These 200 errors appearing every so often are caused by the module imposing a lock for a specific period of time (10 seconds in my case). After that, the first 1-2 requests may return 200.

these two curls however show that on the same website but different VirtualHost there can be different rules/thresholds.

I must admit that I stupidly did the tests on my own main website instead of preparing a separate VirtualHost for testing.

The module release will be released tonight. You will be able to read the documentation and try it yourself :)

[esabol]

OK, I did a couple hundred, and it still seems very intermittent, but I guess that's the way it should work.

I did get one 520, by the way.

[BuriXon-code]

@esabol

You might have gotten 5xx just now because I was just setting up a new VirtualHost and Apache stopped working for a short while.

I have prepared a new environment for testing:

1. test1.burixon.dev will aggressively and very quickly return 403 if your UA does not contain "test-module".

Try without custom User-Agent:

while :; do curl -s -I https://test1.burixon.dev/ | grep 'HTTP/'; done

and with custom User-Agent:

while :; do curl -s -I https://test1.burixon.dev/ -A "test-module" | grep 'HTTP/'; done

You should see a 403 for the first command quite quickly, and a 200 for the second. ✔️

2. test2.burixon.dev has very high limits, but has a /sensitive directory that has low limits. By the way, I removed the delay between requests here.

Try / :

while :; do curl -s -I https://test2.burixon.dev/ | grep 'HTTP/'; done

Try /sensitive:

while :; do curl -s -I https://test2.burixon.dev/sensitive/ | grep 'HTTP/'; done

For the first command you should see a 200, and for the second (different directory, same VirtualHost) you should see a 429 pretty quickly.

Warning

you need to leave about 40-60 seconds between "attacks" so that the module can "forget" you.