mod_evasive2

Started by ikebut, June 05, 2017, 11:46:32 PM

ikebut

How to stop dos filter from blocking my ip address

I installed this module
mod_evasive2-1.10.1-2.4-vc14-x64 win configured.
I keep getting my IP address listed as a DoS attack.
How do I stop this?

Gregg

DOSWhitelist   127.0.0.1
DOSWhitelist   192.168.1.*
DOSWhitelist   8.8.8.8
etc. etc.

ikebut

I added this to my Apache conf. setup httpd.
 
<IfModule evasive2_module>
    DOSHashTableSize    3097
    DOSPageCount        5
    DOSSiteCount        50
    DOSPageInterval     1
    DOSSiteInterval     1
    DOSBlockingPeriod   5
    DOSWhitelist   127.0.0.1
    DOSWhitelist   127.0.0.*
    DOSWhitelist   192.168.1.*
    DOSWhitelist   8.8.8.8
    DOSWhitelist   (My IP Address)
</IfModule>
   
...but I still get this warning in my dos log file

Tue Jun 06 22:25:53 2017
PID: 41732
Blacklisting address (My IP Address): possible DoS attack.

Gregg

I'll have to test the module.
Personally I do not like this module, but people seem to want it so I compiled it.

fabluzan

#4
Quote from: Gregg on June 06, 2017, 04:12:49 AM
DOSWhitelist   127.0.0.1
DOSWhitelist   192.168.1.*
DOSWhitelist   8.8.8.8
etc. etc.

I've also just installed the module. Thanks for the tip. Is it possible to block a range of IPs, e.g. from 192.168.1.5 to 192.168.1.98?

Gregg

#5
Quote from: fabluzan on September 05, 2017, 09:20:05 PM
Is it possible to block a range of IPs. e.g. From 192.168.1.5 to 192.168.1.98

As I stated above, I don't like this module or use it. I can only quote the included readme, which I won't, but you can read it yourself.

It says you can do a range of IPs but it only shows an example using the *, and it does state it's only good for the last octet.
So 192.168.1.* is the only example shown for ranges.

Now Apache can handle 192.168.1.0/8 so maybe the module can handle that as well. But you will have to be brave and experiment. httpd -t is a great little wonder I use all the time after making changes or experimenting with a live server. If Apache says "Syntax OK" then most times it is and you can restart the server safely. It's bit me a couple times but I just undo the changes and start the server. It's down for what? 5 seconds? I can afford a couple people getting a timeout once. They will try again or they will try again later. If they don't try again, their loss not mine :)

Edit:

Using the CIDR tool at http://www.ipaddressguide.com/cidr#range

This would be how to Whitelist that range of IPs
DOSWhitelist  192.168.1.5/32
DOSWhitelist  192.168.1.6/31
DOSWhitelist  192.168.1.8/29
DOSWhitelist  192.168.1.16/28
DOSWhitelist  192.168.1.32/27
DOSWhitelist  192.168.1.64/27
DOSWhitelist  192.168.1.96/31
DOSWhitelist  192.168.1.98/32

Yes, all 8 of these and only if the module supports it of course.
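
The range-to-CIDR split in the last post can be reproduced and checked offline, so a whitelist never covers more addresses than intended. This is an added example, not part of the thread or of the module: the function names are hypothetical, and whether mod_evasive2 accepts CIDR entries remains untested, as the post says (only the last-octet `*` form is shown in its readme).

```python
import ipaddress


def range_to_cidrs(first, last):
    """Smallest list of CIDR blocks covering first..last inclusive, nothing more."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("first address must not be above last address")
    blocks = []
    while lo <= hi:
        # Largest block that may start at lo is set by lo's alignment...
        size = lo & -lo if lo else 1 << 32
        # ...and must not run past the end of the range.
        while size > hi - lo + 1:
            size >>= 1
        prefix = 32 - (size.bit_length() - 1)
        blocks.append(ipaddress.IPv4Network((lo, prefix)))
        lo += size
    return blocks


def whitelist_lines(first, last):
    """Format the blocks as DOSWhitelist directives.

    A whole /24 is written as a.b.c.* (the wildcard form from the thread);
    other blocks are CIDR, which is an assumption about module support.
    """
    lines = []
    for net in range_to_cidrs(first, last):
        if net.prefixlen == 24:
            entry = str(net.network_address).rsplit(".", 1)[0] + ".*"
        else:
            entry = str(net)
        lines.append("DOSWhitelist  " + entry)
    return lines


def covers_exactly(blocks, first, last):
    """True when the blocks hold every address in the range and no other."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    got = {int(addr) for net in blocks for addr in net}
    return got == set(range(lo, hi + 1))


if __name__ == "__main__":
    print("\n".join(whitelist_lines("192.168.1.5", "192.168.1.98")))
```

After adding the generated lines, run httpd -t and then confirm in the DoS log that a whitelisted address is no longer blacklisted, since a passing syntax check does not prove the module matched the entry.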