Using mod_dosevasive on FreeBSD to Defend Against DDoS Attacks

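  mod_dosevasive is an optional Apache module that counters some HTTP-based denial-of-service attacks, commonly called DoS or DDoS attacks, a kind of attack that troubles websites large and small. mod_dosevasive has been available since Apache 1.3. It cannot completely prevent a large-scale DDoS attack, but against ordinary attacks it is a very good choice.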

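  My server (http://www.toplee.com/blog/) once received this kind of test attack (I assume someone was just practising, not really targeting me), which was a real headache. Some of my friends' applications ran into the same trouble, and in most cases installing mod_dosevasive solved it reasonably well. Below I share my experience of installing mod_dosevasive with Apache 2.2.2 on FreeBSD, and along the way describe the features of mod_dosevasive in more detail.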

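  mod_dosevasive detects attacks by keeping an internal dynamic hash table of visiting IP addresses and requested URIs. It denies access to an IP address that does any of the following:

1. Requesting the same page more than a few times per second.
2. Making more than 50 concurrent requests on the same child process per second.
3. Continuing to make requests while temporarily denied (on the blacklist).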

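  mod_dosevasive can easily be integrated with firewalls, routers and the like to further improve resistance to denial of service. Like other anti-attack tools, mod_dosevasive is limited by bandwidth, system processing capacity and similar factors, so to cope with large-scale attacks the best approach is to integrate mod_dosevasive with your firewall and routers rather than simply installing it as a stand-alone Apache module.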

Installing mod_dosevasive on Apache 2.2.2:

I. Installing from source:
1. Download

#cd /tmp (any other directory will do)
#wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz

2. Unpack

#tar -zxvf mod_evasive_1.10.1.tar.gz
#cd mod_dosevasive

3. Build as a dynamic module

# apxs -i -a -c mod_dosevasive20.c

4. Edit /etc/httpd/conf/httpd.conf and add support for the module:

LoadModule dosevasive20_module libexec/apache22/mod_dosevasive20.so

II. Installing from the FreeBSD ports collection (strongly recommended)

#cd /usr/ports/www/mod_dosevasive20
#make install clean

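  That completes the installation of mod_dosevasive. After the Apache service is restarted, the module starts working. Even if you configure nothing else, its default configuration already provides good protection. You can of course customize some parameters yourself; the available ones are as follows:

Add a section like the following to your httpd.conf file: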
Apache 1.3.x

<IfModule mod_dosevasive.c>
DOSHashTableSize 3097
DOSPageCount 5
DOSSiteCount 100
DOSPageInterval 2
DOSSiteInterval 2
DOSBlockingPeriod 600
</IfModule>

Apache 2.x

<IfModule mod_dosevasive20.c>
DOSHashTableSize 3097
DOSPageCount 5
DOSSiteCount 100
DOSPageInterval 2
DOSSiteInterval 2
DOSBlockingPeriod 600
</IfModule>

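Brief explanation of the parameters:
DOSHashTableSize 3097 Size of the hash table that records and stores the blacklist. If the server handles a lot of traffic, this value can be increased.
DOSPageCount 5 Number of times the same user may request the same page within one interval. A client that exceeds this number is treated as an attacker. The length of the interval is set with DOSPageInterval.
DOSSiteCount 50 Number of requests the same user may have open on the same site at the same time. The length of the interval is set with DOSSiteInterval.
DOSPageInterval 2 Length of the interval used for DOSPageCount; the default is 1.
DOSSiteInterval 2 Length of the interval used for DOSSiteCount.
DOSBlockingPeriod 10 Length of the block in seconds; during this time the client receives a 403 (Forbidden) response.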
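
The three blocking rules listed earlier and the thresholds explained above can be watched in a small simulation. This is an added example, not code from mod_dosevasive or from the original article; the class and function names, the rule that a counter resets after a quiet gap of one interval, and the sample traffic are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class EvasiveModel:
    """Simplified model of the per-client counters (not the module's code)."""
    page_count: int = 5          # DOSPageCount
    page_interval: int = 2       # DOSPageInterval, seconds
    site_count: int = 100        # DOSSiteCount
    site_interval: int = 2       # DOSSiteInterval, seconds
    blocking_period: int = 600   # DOSBlockingPeriod, seconds
    hits: dict = field(default_factory=dict)     # key -> (last_hit, count)
    blocked: dict = field(default_factory=dict)  # ip -> time of last denied request

    def _exceeded(self, key, now, limit, interval):
        last, count = self.hits.get(key, (now, 0))
        if now - last >= interval:
            count = 0                    # assumed rule: a quiet gap restarts the count
        self.hits[key] = (now, count + 1)
        return count >= limit

    def request(self, ip, uri, now):
        """Return the HTTP status this model gives a request arriving at `now`."""
        last_denied = self.blocked.get(ip)
        if last_denied is not None and now - last_denied < self.blocking_period:
            self.blocked[ip] = now       # rule 3: asking again extends the block
            return 403
        page = self._exceeded((ip, uri), now, self.page_count, self.page_interval)
        site = self._exceeded((ip, None), now, self.site_count, self.site_interval)
        if page or site:                 # rule 1 (per page) or rule 2 (per site)
            self.blocked[ip] = now
            return 403
        return 200

def replay(model, events):
    """events: iterable of (time, ip, uri); returns the list of statuses."""
    return [model.request(ip, uri, t) for t, ip, uri in events]

# Constructed traffic (documentation address ranges): one client requests the
# same page 8 times within a second and comes back later; another browses normally.
FLOOD = [(0.1 * i, "192.0.2.10", "/index.php") for i in range(8)]
LATER = [(t, "192.0.2.10", "/index.php") for t in (300, 700, 1400)]
NORMAL = [(i, "198.51.100.7", "/page%d" % i) for i in range(5)]

if __name__ == "__main__":
    m = EvasiveModel()
    print(replay(m, FLOOD + LATER), replay(m, NORMAL))
```

With the settings shown in the configuration block, the sixth request inside the interval is the first to receive 403, and the repeat visits at 300 s and 700 s keep the block alive until a full DOSBlockingPeriod passes without a request.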

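Other optional parameters:
DOSEmailNotify lee@toplee.com Email address that receives a notification when an attack is detected.
DOSSystemCommand "su - someuser -c '/sbin/… %s …'" System command executed as the user Apache runs as when an attack is detected.
DOSLogDir "/var/lock/mod_dosevasive" Directory where attack logs are stored; on BSD the default is /tmp.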

Here are some of the logs I saw on my server:

#cd /tmp
#ll |wc -l
    2303
#ls
......
dos-218.64.69.71        dos-219.80.33.54        dos-222.214.156.211
dos-218.64.79.59        dos-219.82.143.127      dos-222.214.2.148
dos-218.64.81.162       dos-219.82.46.245       dos-222.214.206.162 
dos-218.65.102.178      dos-220.113.43.61       dos-222.214.207.191
......
#more dos-218.64.69.71
30611
As you can see, 30611 attack requests were recorded for this IP address!!!

References:
Original official home page: http://www.nuclearelephant.com/projects/dosevasive/
New home page: http://www.zdziarski.com/projects/mod_evasive/
Permalink to this article: http://www.toplee.com/blog/?p=278

13 Responses
  1. iso1600 says:

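    The technical articles you write are very interesting. Let's exchange ideas when you have time.

  2. Michael says:

    [Comment ID #5169 Will Be Quoted Here]

    You flatter me; these are only very basic things. Pointers and discussion are always welcome!

  3. OceanMeng says:

    I would like to discuss this with the blog owner!
    On zdziarski.com I saw

    mod_evasive for Apache v1.3 and 2.0,

    Where can I confirm that it supports apache2.2.X?
    You tested it successfully on apache2.2.2, right? Is the only difference between apache1.3 and 2.x in the configuration file's

    And does the apache2.x you mention include apache2.2.x?

    I hope to get an answer as soon as possible, thanks!
    My contact details: (qq/msn/mail) 11772226 ie_eu@hotmail.com ocean.meng@gmail.com

  4. Michael says:

    [Comment ID #8405 Will Be Quoted Here]

    I'm not sure whether the mod_evasive you mention is mod_dosevasive. As for mod_dosevasive, the result of my test installation so far is that it supports apache2.2.2. Here is the system information printed in my test after installing: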


    Apache Version Apache/2.2.2 (FreeBSD) mod_ssl/2.2.2 OpenSSL/0.9.8b DAV/2 PHP/5.1.4
    Apache API Version 20051115

  5. 金刚 says:

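    Nice, strong support! I hope you post more good articles.

  6. unrulyboy says:

    I see, but I use lighttpd as my web server. Is there a good approach for that?

  7. Michael says:

    [Comment ID #17672 Will Be Quoted Here]

    Lighttpd has an evasive module that gives a certain amount of protection, but more anti-attack capability still requires combining it with other software, or even developing your own. For example, we wrote our own log analysis that updates the ipfw firewall policy in real time, and it works quite well. I can't go into the details.

  8. korpton says:

    This problem gives me a headache too. It went on for three days in a row. Afterwards I phoned the data center and they said it was a CC attack; I can't tell whether it is DDoS or CC. I had no choice but to put the server behind one of the data center's hardware firewalls that resists CC attacks. The OS is FB6.2 with Apache2.2.0. I'll try this module too when I have time!

  9. freebsd is very robust; it generally doesn't go down

  10. 深圳SEO says:

    This is a good article, I learned something.

  11. 深圳小笨笨SEO says:

    Passing by. Learned something, bookmarked it, thanks for sharing!

  12. 北京装修 says:

    I don't really understand it, but I'll bookmark it first and try it another day.

  13. Upvoted... Nicely written! I'll come by often.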

