mod_evasiveのインストール
2020/07/15現在、オフィシャルの CentOS8用のリポジトリに rpmは存在しないので、同じカーネルの Fedora29のアーカイブページの rpmからネットワーク経由でインストールする。
Linuxカーネルを確認
# rpm -q kernel kernel-4.18.0-147.3.1.el8_1.x86_64 kernel-4.18.0-147.8.1.el8_1.x86_64 kernel-4.18.0-193.6.3.el8_2.x86_644.18なので、Fedora29(kernel4.18)のrpmでインストールする。
インストール
# rpm -ivh https://archives.fedoraproject.org/pub/archive/fedora/linux/updates/29/Everything/x86_64/Packages/m/mod_evasive-1.10.1-31.fc29.x86_64.rpm
インストール確認
# httpd -M | grep evasive evasive20_module (shared)
mod_evasiveの設定
mod_evasive.conf設定
# vi /etc/httpd/conf.d/mod_evasive.conf
# mod_evasive configuration
LoadModule evasive20_module modules/mod_evasive24.so
<IfModule mod_evasive24.c>
# The hash table size defines the number of top-level nodes for each
# child's hash table. Increasing this number will provide faster
# performance by decreasing the number of iterations required to get to the
# record, but consume more memory for table space. You should increase
# this if you have a busy web server. The value you specify will
# automatically be tiered up to the next prime number in the primes list
# (see mod_evasive.c for a list of primes used).
DOSHashTableSize 3097
# This is the threshhold for the number of requests for the same page (or
# URI) per page interval. Once the threshhold for that interval has been
# exceeded, the IP address of the client will be added to the blocking
# list.
DOSPageCount 10
# This is the threshhold for the total number of requests for any object by
# the same client on the same listener per site interval. Once the
# threshhold for that interval has been exceeded, the IP address of the
# client will be added to the blocking list.
DOSSiteCount 5
# The interval for the page count threshhold; defaults to 1 second
# intervals.
DOSPageInterval 2
# The interval for the site count threshhold; defaults to 1 second
# intervals.
DOSSiteInterval 1
# The blocking period is the amount of time (in seconds) that a client will
# be blocked for if they are added to the blocking list. During this time,
# all subsequent requests from the client will result in a 403 (Forbidden)
# and the timer being reset (e.g. another 10 seconds). Since the timer is
# reset for every subsequent request, it is not necessary to have a long
# blocking period; in the event of a DoS attack, this timer will keep
# getting reset.
DOSBlockingPeriod 60
# If this value is set, an email will be sent to the address specified
# whenever an IP address becomes blacklisted. A locking mechanism using
# /tmp prevents continuous emails from being sent.
#
# NOTE: Requires /bin/mail (provided by mailx)
DOSEmailNotify "-s '[mod_evasive] Alert' メールアドレス"
# If this value is set, the system command specified will be executed
# whenever an IP address becomes blacklisted. This is designed to enable
# system calls to ip filter or other tools. A locking mechanism using /tmp
# prevents continuous system calls. Use %s to denote the IP address of the
# blacklisted IP.
#DOSSystemCommand "su - someuser -c '/sbin/... %s ...'"
# Choose an alternative temp directory By default "/tmp" will be used for
# locking mechanism, which opens some security issues if your system is
# open to shell users.
#
#
# http://security.lss.hr/index.php?page=details&ID=LSS-2005-01-01
#
# In the event you have nonprivileged shell users, you'll want to create a
# directory writable only to the user Apache is running as (usually root),
# then set this in your httpd.conf.
DOSLogDir "/var/lock/mod_evasive"
# You can use whitelists to disable the module for certain ranges of
# IPs. Wildcards can be used on up to the last 3 octets if necessary.
# Multiple DOSWhitelist commands may be used in the configuration.
#DOSWhitelist 127.0.0.1
#DOSWhitelist 192.168.0.*
</IfModule>
同じページに DOSPageInterval 秒に DOSPageCount 回のアクセスがあったらブラックリストへ。同じサイトに DOSSiteInterval 秒に DOSSiteCount 回のアクセスがあったらブラックリストへ。
ブラックリストに登録された IPからは DOSBlockingPeriod 秒間 403を返す。
ロックファイル格納ディレクトリ作成
# mkdir /var/lock/mod_evasive # chmod 777 /var/lock/mod_evasive
Apache再起動
# httpd -t Syntax OK # systemctl restart httpd
テストプログラムの実行
そのままでは BadRequest 400 が返ってくるので、test.plを修正。私はPHPよりPerl歴の方が長いです・
test.pl修正
# vi /usr/share/doc/mod_evasive/test.pl
print $SOCKET "GET /?$_ HTTP/1.0\r\n\r\n";
テスト実行
# perl /usr/share/doc/mod_evasive/test.pl ? ?Apacheの設定や環境によってはうまくいかないかもしれません。
そんな時はブラウザでF5連打で試しましょう。
成功すると、設定したアドレス宛に
To: -s '[mod_evasive] Alert' メールアドレス
Subject: HTTP BLACKLIST xxx.xxx.xxx.xxx
mod_evasive HTTP Blacklisted xxx.xxx.xxx.xxx
Subject: HTTP BLACKLIST xxx.xxx.xxx.xxx
mod_evasive HTTP Blacklisted xxx.xxx.xxx.xxx
とメールが届きます。
