Sunday 30 March 2014

Basic Protection Against Denial of Service (DoS) Attacks

A Denial of Service (DoS) attack is a situation where system resources are deliberately consumed by vandals to the point where the server can’t service legitimate users. In its most rudimentary form, web pages are requested over and over, perhaps hundreds of times per second, by multiple sources at the same time. Most web hosts are not high-risk targets for DoS attacks, since websites of limited popularity are not particularly interesting to the vandals who launch them. Still, it makes sense for the prudent server administrator to have some kind of protection in place.

Most data centers have a sophisticated strategy to protect their customers from DoS attacks, so most data center customers assume that DoS protection is in place. They’re probably correct most of the time. However, there is no way to know what protections, if any, are being used in your data center. Your data center isn’t going to tell you what protections they have, since making their security policy public would provide a roadmap to exploit their vulnerabilities. Whatever protections they have in place are best kept secret, so you can’t blame them for doing so. That being the case, you should have your own basic protection in place that at least can discourage unsophisticated attacks.

The kind of protection that works best against request-based DoS attacks is a behavior-triggered IP address blocker: if an IP address exhibits suspicious behavior, such as requesting the same page, or the site as a whole, more often than a threshold allows within a short interval, that address is automatically blocked for a set period. If the suspicious behavior persists during the blocking period, the blocking period is extended.

One free application that provides behavior-triggered DoS protection is “mod_evasive”, an Apache add-on module. With mod_evasive you can set the blocking policy to whatever threshold settings suit you. You can also have mod_evasive email you whenever suspicious activity is detected. I strongly recommend that mod_evasive be installed.

Before mod_evasive can be installed, the Apache development package (which provides the apxs tool used below) needs to be present on the system. To install it, open PuTTY, log in as root, type the following command and press Enter.

# yum -y install httpd-devel

With those utilities installed you are now ready to download and install mod_evasive. Using PuTTY again as root, issue the following commands. Press Enter after each command.

# cd /tmp
# wget http://entomy.com/security/mod_evasive_1.10.1.tar.gz
# tar xfz mod_evasive_1.10.1.tar.gz
# cd mod_evasive
# /usr/sbin/apxs -cia mod_evasive20.c

That last command might take a minute or so to execute.

Before applying mod_evasive to Apache we need to enter the policy parameter settings. Do that with Webmin. Click the Others icon at the top of Webmin and then click the File Manager icon. On the left side, navigate to the following directory.

/etc/httpd/conf/

Click on the httpd.conf file to select it, then click the Edit tile. That’s a large file, but maybe 20% of the way down you should see a line that says this:

LoadModule evasive20_module /usr/lib/httpd/modules/mod_evasive20.so

That line was added to httpd.conf when mod_evasive was installed. Right below that line you will insert the policy parameters, which you can modify to your liking. Here is the text to insert.

#
# Settings for mod_evasive
#
<IfModule mod_evasive20.c>
    # Size of the per-child hash table that tracks client request counts
    DOSHashTableSize 2048
    # More than this many requests for the same page (URI) from one client
    # within DOSPageInterval seconds triggers a block
    DOSPageCount 10
    # More than this many requests for any page on the site from one client
    # within DOSSiteInterval seconds triggers a block
    DOSSiteCount 50
    # Interval (in seconds) for the page count threshold
    DOSPageInterval 1
    # Interval (in seconds) for the site count threshold
    DOSSiteInterval 1
    # Seconds a client is answered with 403 once blocked; requests made
    # during the block restart the timer. Note that users behind a shared
    # NAT address share one counter, so overly low thresholds will block
    # legitimate visitors
    DOSBlockingPeriod 30
    # Optional: uncomment to receive the email alerts mentioned above
    # DOSEmailNotify admin@example.com
</IfModule>
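To make the blocking policy above concrete, here is an added Python model of a behavior-triggered IP blocker in the style mod_evasive uses; it is illustration code, not the module’s own source, and the `simulate` helper, the client address and the request sample are constructed for this example. The thresholds take their names from the directives in the configuration.

```python
class EvasivePolicy:
    """Per-client request policy; arguments mirror the post's DOS* directives.
    Simplification, not mod_evasive's exact bookkeeping: each counter is a fixed
    window that restarts once `interval` seconds have passed since it opened."""

    def __init__(self, page_count=10, page_interval=1, site_count=50,
                 site_interval=1, blocking_period=30):
        self.page = (page_count, page_interval)    # DOSPageCount / DOSPageInterval
        self.site = (site_count, site_interval)    # DOSSiteCount / DOSSiteInterval
        self.blocking_period = blocking_period     # DOSBlockingPeriod
        self.page_hits = {}  # (ip, uri) -> [window_start, hits]
        self.site_hits = {}  # ip        -> [window_start, hits]
        self.blocked = {}    # ip        -> timestamp at which the block expires

    def check(self, ip, uri, now):
        """Return True to serve the request, False to answer it with 403."""
        expiry = self.blocked.get(ip)
        if expiry is not None:
            if now < expiry:
                # Still blocked: any request during the block extends it by a full period.
                self.blocked[ip] = now + self.blocking_period
                return False
            del self.blocked[ip]  # block lapsed without further requests
        page_over = self._count(self.page_hits, (ip, uri), now, *self.page)
        site_over = self._count(self.site_hits, ip, now, *self.site)
        if page_over or site_over:
            self.blocked[ip] = now + self.blocking_period
            return False
        return True

    @staticmethod
    def _count(table, key, now, limit, interval):
        """Count a hit against key; True once the window holds more than `limit`."""
        entry = table.get(key)
        if entry is None or now - entry[0] >= interval:
            table[key] = [now, 1]  # open a fresh window for this key
            return False
        entry[1] += 1
        return entry[1] > limit


def simulate(requests, **thresholds):
    """Feed (timestamp, ip, uri) tuples through one policy; return the decisions."""
    policy = EvasivePolicy(**thresholds)
    return [policy.check(ip, uri, t) for t, ip, uri in requests]

# Constructed sample: one client hits /index.html 12 times inside a second, then
# returns during the block (extending it) and again well after it has lapsed.
SAMPLE = [(i * 0.05, "192.0.2.10", "/index.html") for i in range(12)]
SAMPLE += [(20.0, "192.0.2.10", "/about.html"), (49.0, "192.0.2.10", "/about.html"),
           (85.0, "192.0.2.10", "/about.html")]
```

Running `simulate(SAMPLE)` shows the first ten hits served, the eleventh and everything up to the extended block’s end refused, and the request at 85 seconds served again once the client has been quiet for a full blocking period.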