Using mod_dosevasive on FreeBSD against DDoS attacks

  mod_dosevasive is an optional Apache module that counters some HTTP-based denial-of-service attacks, the DoS and DDoS attacks that give sites large and small a headache. The module has been around since Apache 1.3. It cannot completely stop a large-scale DDoS, but against ordinary attacks it is a very good choice.

  My own server (http://www.toplee.com/blog/) once received a test attack of this kind (my guess is that someone was practising rather than really targeting me), which was quite a headache, and some friends' applications ran into the same trouble; installing mod_dosevasive solved it well enough in most cases. Below I share my experience installing mod_dosevasive for Apache 2.2.2 on FreeBSD, and describe the module's features along the way.

  mod_dosevasive detects attacks by keeping an internal dynamic hash table keyed by client IP address and requested URI. An IP is denied access when it shows any of the following behaviour:

1. Requesting the same page more than a few times per second (the README's wording; how many "a few" is comes from DOSPageCount over DOSPageInterval).
2. Making more than 50 concurrent requests per second against the same Apache child process (50 being the default DOSSiteCount over DOSSiteInterval).
3. Making any request at all while temporarily blacklisted.

  mod_dosevasive can easily be tied into firewalls, routers and the like to raise resistance further. Like every other anti-attack tool it is still bounded by bandwidth and by the server's own processing capacity: by the time the module answers 403, Apache has already accepted the connection and parsed the request. To withstand a large-scale attack, the best approach is to integrate mod_dosevasive with your firewall or router rather than simply running it as a standalone Apache module.

How to install mod_dosevasive on Apache 2.2.2:

Method 1: install from source

1. Download

#cd /tmp (any other directory will do)
#wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz

2. Unpack

#tar -zxvf mod_dosevasive_1.10.1.tar.gz
#cd mod_dosevasive

A word on names: the tarball at the URL above is the renamed mod_evasive, which unpacks into mod_evasive/ with the Apache 2 source in mod_evasive20.c and the module registered as evasive20_module. The tar, cd, apxs and LoadModule lines in these steps use the older mod_dosevasive names, which are what the FreeBSD port still uses. Whichever archive you have, use one set of names consistently in all four lines, otherwise tar will not find the archive or apxs will not find the source file.

3. Compile and install as a dynamic (DSO) module

# apxs -i -a -c mod_dosevasive20.c

4. Check httpd.conf for the LoadModule line. apxs -a adds it for you; if it is missing, add it by hand. On FreeBSD with the apache22 port the file is /usr/local/etc/apache22/httpd.conf (not /etc/httpd/conf/httpd.conf), and the module path is relative to ServerRoot, /usr/local:

LoadModule dosevasive20_module libexec/apache22/mod_dosevasive20.so

Method 2: install from the FreeBSD port (strongly recommended)

#cd /usr/ports/www/mod_dosevasive20
#make install clean

  That completes the installation; restart Apache and the module starts working. Even without any further settings it protects you reasonably well with its built-in defaults, but you can also tune the parameters yourself. These are the available ones:

Add a section like the following to your httpd.conf
Apache 1.3.x

<IfModule mod_dosevasive.c>
DOSHashTableSize 3097
DOSPageCount 5
DOSSiteCount 100
DOSPageInterval 2
DOSSiteInterval 2
DOSBlockingPeriod 600
</IfModule>

Apache 2.x

<IfModule mod_dosevasive20.c>
DOSHashTableSize 3097
DOSPageCount 5
DOSSiteCount 100
DOSPageInterval 2
DOSSiteInterval 2
DOSBlockingPeriod 600
</IfModule>

Parameter notes (the defaults are the module's built-in values; the sample above overrides most of them):
DOSHashTableSize: size of the hash table that records hits and the blacklist; raise it on a busy server.
DOSPageCount: how many requests the same client may make for the same page within one DOSPageInterval (default 2); going over it marks the client as an attacker and blocks it.
DOSSiteCount: how many requests the same client may make to the site as a whole, any URI, within one DOSSiteInterval (default 50).
DOSPageInterval: the interval in seconds over which DOSPageCount is measured (default 1).
DOSSiteInterval: the interval in seconds over which DOSSiteCount is measured (default 1).
DOSBlockingPeriod: how long in seconds a client stays blocked (default 10); during that time every request gets a 403 (Forbidden), and each such request restarts the blocking timer, so a client that keeps hammering stays blocked for as long as it keeps hammering.

Two caveats when picking the numbers. The hash table lives in each Apache child's own memory, so with the prefork MPM the counts are per child rather than per server: a client whose requests land on different children trips the limits later than the configured numbers suggest, which is why the README speaks of "the same child". And because everything is keyed by client IP address, everyone behind one NAT gateway or forward proxy shares a single counter and gets blocked together, so keep DOSSiteCount generous if you have such users, and whitelist addresses that must never be blocked (your monitoring host, for instance) with DOSWhitelist, which version 1.10.1 accepts with wildcards in the trailing octets, e.g. DOSWhitelist 127.0.0.1 or DOSWhitelist 192.168.1.*.
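To see how the three detection criteria and these directives interact, here is a small Python 3 model of the logic, keyed the way the module keys its hash table (the bare IP for an address on hold, ip_uri for criterion 1, ip_SITE for criterion 2). It is an added example written for this page, not code from mod_dosevasive or from the module's author; the sample addresses are constructed, and the exact counting is an approximation of the module's behaviour rather than a port of its source.

```python
# Added example, not part of the original post or of the module's source:
# a Python 3 model of mod_dosevasive's detection logic using the httpd.conf
# directive names. Counting details approximate the module's behaviour.
from dataclasses import dataclass


@dataclass
class DosConfig:
    """The httpd.conf directives, with the values from the sample config."""
    page_count: int = 5            # DOSPageCount
    page_interval: float = 2       # DOSPageInterval (seconds)
    site_count: int = 100          # DOSSiteCount
    site_interval: float = 2       # DOSSiteInterval (seconds)
    blocking_period: float = 600   # DOSBlockingPeriod (seconds)


@dataclass
class Entry:
    timestamp: float
    count: int = 0


class DosEvasive:
    """One Apache child's hash table: keys 'ip' (on hold), 'ip_uri', 'ip_SITE'."""

    def __init__(self, cfg: DosConfig):
        self.cfg = cfg
        self.table = {}

    def _over_limit(self, key, t, interval, limit):
        """Count a hit for key; True if earlier hits already reached the limit
        within the interval. The interval is measured from the previous hit,
        so a client that never pauses never gets its counter reset."""
        e = self.table.get(key)
        if e is None:
            self.table[key] = Entry(t, 1)
            return False
        over = (t - e.timestamp) < interval and e.count >= limit
        if (t - e.timestamp) >= interval:
            e.count = 0            # quiet for a whole interval: start afresh
        e.timestamp = t
        e.count += 1
        return over

    def check(self, ip, uri, t):
        """HTTP status the module would return for ip requesting uri at time t."""
        hold = self.table.get(ip)
        if hold is not None and t - hold.timestamp < self.cfg.blocking_period:
            hold.timestamp = t     # criterion 3: a request while blocked restarts the timer
            return 403
        c = self.cfg
        blocked = self._over_limit(f"{ip}_{uri}", t, c.page_interval, c.page_count)  # criterion 1
        blocked |= self._over_limit(f"{ip}_SITE", t, c.site_interval, c.site_count)  # criterion 2
        if blocked:
            self.table[ip] = Entry(t)  # put the address on hold
            return 403
        return 200


def simulate(cfg, requests):
    """requests: (time, ip, uri) tuples in time order; returns the status codes."""
    mod = DosEvasive(cfg)
    return [mod.check(ip, uri, t) for t, ip, uri in requests]


ATTACKER = "203.0.113.7"       # constructed sample addresses (RFC 5737 ranges)
BYSTANDER = "198.51.100.2"


def demo_page_flood():
    """Same page hit 8 times in under a second, one innocent client in between,
    then the attacker returning at 300 s, 899 s and 1500 s."""
    reqs = [(round(0.1 * i, 1), ATTACKER, "/index.php") for i in range(8)]
    reqs.append((0.55, BYSTANDER, "/index.php"))
    reqs.sort()
    reqs += [(300.0, ATTACKER, "/index.php"),    # inside DOSBlockingPeriod
             (899.0, ATTACKER, "/"),             # 599 s after the last hit: still blocked
             (1500.0, ATTACKER, "/index.php")]   # 601 s of silence: block expired
    return simulate(DosConfig(), reqs)


def demo_site_flood():
    """Different pages each time, so DOSPageCount never trips but DOSSiteCount does."""
    cfg = DosConfig(site_count=3, site_interval=1)
    reqs = [(0.1 * i, ATTACKER, f"/page{i}.html") for i in range(5)]
    return simulate(cfg, reqs)


if __name__ == "__main__":
    print(demo_page_flood())   # [200, 200, 200, 200, 200, 403, 200, 403, 403, 403, 403, 200]
    print(demo_site_flood())   # [200, 200, 200, 403, 403]
```

The first list shows the attacker getting five 200s and then 403s, the bystander unaffected, and the block still in force at 899 s because the request at 300 s restarted the timer; the second shows DOSSiteCount tripping across different pages. Note that the interval is measured from the previous hit rather than the first one, so a client that never pauses for a full DOSPageInterval never has its counter reset.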

Other optional parameters:
DOSEmailNotify lee@toplee.com: address that receives a notification each time an IP is blocked.
DOSSystemCommand "su - someuser -c '/sbin/... %s ...'": system command to run when an IP is blocked; %s is replaced with the blocked IP address. The command runs as the user Apache runs as, which is why this example switches user first (that only works unattended if su/sudo policy allows it).
DOSLogDir "/var/lock/mod_dosevasive": directory for the module's lock files; on BSD the default is /tmp.

These three belong together. When an address is blocked for the first time the module creates DOSLogDir/dos-<ip>, and only if that file did not already exist does it send the email and run the command. The module never deletes these files, so each address is reported once until you clean the directory. That is also why DOSLogDir should be a directory writable only by the user Apache runs as: on a world-writable /tmp any local shell user can pre-create dos-<ip> files and silently suppress the notification for addresses of their choosing.
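As an added example of the firewall integration recommended above (my code, not the author's and not the module's): a handler for DOSSystemCommand that puts the blocked address into an ipfw table, so the attacker's packets are discarded in the kernel instead of Apache accepting and parsing each request just to answer 403. The script path, the sudo rule, the table number and the ipfw deny rule are assumptions made for this example.

```python
#!/usr/local/bin/python3
# Added example, not part of the original post: a DOSSystemCommand handler
# that adds the blocked client to an ipfw table.
# Assumptions (not from the post): Python 3 at /usr/local/bin/python3, a sudo
# rule letting the Apache user run this script as root without a password, and
# a ruleset that denies traffic from table 1, e.g.
#   ipfw add 100 deny ip from "table(1)" to me dst-port 80
# httpd.conf then carries (assumed script path; sudo is from ports):
#   DOSSystemCommand "/usr/local/bin/sudo /usr/local/sbin/dos_block.py %s"
import ipaddress
import subprocess
import sys

IPFW = "/sbin/ipfw"
TABLE = 1


def parse_client_ip(arg):
    """Canonical address for the %s argument, or None if it is not acceptable.
    mod_dosevasive substitutes the client IP, but a value that ends up in a
    privileged command is validated anyway (defence in depth)."""
    try:
        addr = ipaddress.ip_address(arg.strip())
    except ValueError:
        return None
    # never let a blocking rule hit loopback, link-local or unspecified addresses
    if addr.is_loopback or addr.is_link_local or addr.is_unspecified:
        return None
    return str(addr)


def ipfw_argv(ip):
    """argv for 'ipfw table N add <ip>'; passed as a list, so no shell is involved."""
    return [IPFW, "table", str(TABLE), "add", ip]


def _run_ipfw(argv):
    return subprocess.run(argv, check=False).returncode


def block(arg, run=_run_ipfw):
    """Exit status for the script: 0 blocked, 1 ipfw failed, 2 argument rejected."""
    ip = parse_client_ip(arg)
    if ip is None:
        sys.stderr.write(f"dos_block: refusing to block {arg!r}\n")
        return 2
    return 0 if run(ipfw_argv(ip)) == 0 else 1


if __name__ == "__main__":
    sys.exit(block(sys.argv[1]) if len(sys.argv) == 2 else 2)
```

Two things to remember when wiring this up: the module only runs the command the first time it blocks an address (while the dos-<ip> lock file exists it stays silent), and unlike DOSBlockingPeriod an ipfw table entry does not expire by itself, so pair the handler with a periodic job that flushes the table.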

Here is what the lock directory on my server looked like:

#cd /tmp
#ll |wc -l
    2303
#ls
......
dos-218.64.69.71        dos-219.80.33.54        dos-222.214.156.211
dos-218.64.79.59        dos-219.82.143.127      dos-222.214.2.148
dos-218.64.81.162       dos-219.82.46.245       dos-222.214.206.162 
dos-218.65.102.178      dos-220.113.43.61       dos-222.214.207.191
......
#more dos-218.64.69.71
30611
The number in the file is not a hit count. When the module blocks an address for the first time it creates dos-<ip>, writes into it the PID of the Apache child that did the blocking, and sends the notification; from then on the file's mere existence tells the module that this address has already been reported. So 30611 is a process ID, and what the listing really shows is that most of the roughly 2300 entries in /tmp are lock files, one per address that was blocked at some point, and that they are still sitting there, which means none of those addresses will be reported again until the files are removed.
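An added example (not from the original post) that reads a DOSLogDir the way the listing above does and reports what each lock file carries and how old it is; the sample directory it builds is constructed for the example, reusing the file name and number from the listing.

```python
# Added example, not part of the original post: audit the dos-<ip> lock files
# in DOSLogDir. Point read_locks() at /tmp (the BSD default) or at the
# directory you set in DOSLogDir.
import os
import re
import tempfile
import time

# the module names lock files dos-<client ip>; this pattern covers IPv4 only
LOCK_RE = re.compile(r"^dos-(\d{1,3}(?:\.\d{1,3}){3})$")


def read_locks(log_dir, now=None):
    """Return [(ip, pid, age_seconds)] for every dos-<ip> file in log_dir.
    The file body is the PID of the Apache child that first blocked the
    address; the file's mtime is when that happened."""
    now = time.time() if now is None else now
    locks = []
    for name in sorted(os.listdir(log_dir)):
        m = LOCK_RE.match(name)
        if not m:
            continue                      # session files and other /tmp debris
        path = os.path.join(log_dir, name)
        try:
            with open(path) as f:
                pid = int(f.read().strip() or 0)
        except (OSError, ValueError):
            pid = 0                       # unreadable or not a number
        locks.append((m.group(1), pid, now - os.stat(path).st_mtime))
    return locks


def stale_locks(locks, blocking_period):
    """Addresses whose lock file is older than DOSBlockingPeriod. The module never
    removes lock files, so these addresses are no longer blocked but will not
    trigger DOSEmailNotify or DOSSystemCommand again until the file is deleted."""
    return [ip for ip, _pid, age in locks if age > blocking_period]


NOW = 1_200_000_000.0   # fixed "current time" so the constructed sample is reproducible


def make_sample_dir():
    """Constructed sample DOSLogDir (not a real capture): two lock files and an
    unrelated temp file, with mtimes set relative to NOW."""
    d = tempfile.mkdtemp(prefix="dosevasive-demo-")
    for name, body, age in [("dos-218.64.69.71", "30611\n", 3600),
                            ("dos-219.80.33.54", "30612\n", 30),
                            ("sess_k3j2l", "", 10)]:
        path = os.path.join(d, name)
        with open(path, "w") as f:
            f.write(body)
        os.utime(path, (NOW - age, NOW - age))
    return d


if __name__ == "__main__":
    sample = make_sample_dir()
    locks = read_locks(sample, NOW)
    for ip, pid, age in locks:
        print(f"{ip:16} blocked by child {pid} {age:.0f}s ago")
    print("stale (older than DOSBlockingPeriod 600):", stale_locks(locks, 600))
```

On a real server run read_locks("/tmp") and compare the ages against your DOSBlockingPeriod; deleting the stale files (and only those) restores notifications for addresses that come back later.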

References:
Original official homepage: http://www.nuclearelephant.com/projects/dosevasive/
New homepage: http://www.zdziarski.com/projects/mod_evasive/
Permalink for this post: http://www.toplee.com/blog/?p=278

13 Responses
  1. iso1600 says:

    Your technical articles are quite interesting; let's talk sometime.

  2. Michael says:

    You flatter me, this is only basic stuff; corrections and discussion are welcome!

  3. OceanMeng says:

    I'd like to discuss this with the host!
    On zdziarski.com I see

    mod_evasive for Apache v1.3 and 2.0,

    so where can I confirm that it supports Apache 2.2.x?
    You tested it on Apache 2.2.2, right? Is the difference between Apache 1.3 and 2.x only the part of the configuration file

    And does the Apache 2.x you mention include Apache 2.2.x?

    Hoping for an answer soon, thanks!
    My contact details: (qq/msn/mail) 11772226 ie_eu@hotmail.com ocean.meng@gmail.com

  4. Michael says:

    I'm not sure whether the mod_evasive you mention is the same thing as mod_dosevasive. As for mod_dosevasive, my test installation shows it supports Apache 2.2.2; here is the system information printed after I installed it:

    Apache Version Apache/2.2.2 (FreeBSD) mod_ssl/2.2.2 OpenSSL/0.9.8b DAV/2 PHP/5.1.4
    Apache API Version 20051115

  5. 金刚 says:

    Nice, strong support! Hope you post more good articles.

  6. unrulyboy says:

    Read it, but I use lighttpd as my web server; is there a good way for that?

  7. Michael says:

    Lighttpd has an evasive module that gives some protection, but more anti-attack capability still needs other software, or even something you develop yourself. For instance we built a tool that analyses the logs and updates the ipfw firewall rules in real time, which works quite well; I can't go into the details.

  8. korpton says:

    I'm plagued by this problem too, three days in a row. I called the data centre and they said it was a CC attack; I can't tell whether it's DDoS or CC. No choice but to put the server behind the data centre's anti-CC hardware firewall. The OS is FreeBSD 6.2 with Apache 2.2.0; I'll try this module when I have time!

  9. FreeBSD is very robust; it usually doesn't go down.
