
ModEvasive on Ubuntu 12.04 LTS broken?

I’ve installed mod_evasive on Ubuntu 12.04 LTS using the instructions here

My mod_evasive.conf looks like:

<ifmodule mod_evasive20.c>
   DOSHashTableSize 3097
   DOSPageCount  2
   DOSSiteCount  50
   DOSPageInterval 1
   DOSSiteInterval  1
   DOSBlockingPeriod  10
   DOSLogDir   /var/log/mod_evasive
   DOSEmailNotify root@localhost
   DOSSystemCommand "sudo /root/scripts/ban_ip.sh %s"
</ifmodule>

Neither DOSEmailNotify nor DOSSystemCommand seems to work.

If I run test.pl, the testing script that comes with mod_evasive, I get successful connections followed by 403 Forbidden, so the module is picking up the multiple connections and forbidding further connections.

However, no email is sent and the DOSSystemCommand is never executed. I’ve tried changing the DOSSystemCommand to something simple like sending a date to a file, but that also doesn’t seem to work.

Strangely enough, 99% of the time nothing works; 1% of the time I will get an email and the DOSSystemCommand will run. But there doesn’t appear to be any sort of pattern.

I’m aware there is a bug report for something similar, https://bugs.launchpad.net/ubuntu/+source/libapache-mod-evasive/+bug/605679; this suggests making a symlink, which I have tried to no effect.

Does anyone have mod_evasive working properly on Ubuntu 12.04 LTS?

EDIT: I found the issue. The symbolic link does indeed fix the bug.

Mod_evasive keeps a list of banned IPs in /var/log/mod_evasive. If I clear this completely and run the test script, the machine gets banned and one email is sent. Once an IP has been banned, you will not get any further emails, even if the mod_evasive DOS attack interval expires and the IP re-attacks the server.
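
The lock-file behaviour described in the EDIT above, as an added example that is not part of the original post or of mod_evasive: a cleanup script that expires old lock files so DOSEmailNotify and DOSSystemCommand fire again the next time an IP is blocked. It assumes the lock files are named dos-<IP> inside DOSLogDir; the function names and the one-minute default age are illustrative.

```shell
#!/bin/sh
# Added example: expire mod_evasive lock files so that a returning IP
# triggers DOSEmailNotify / DOSSystemCommand again.
# Assumption: lock files are named dos-<IP> inside DOSLogDir.

# list_stale_locks DIR MINUTES
# Dry run: print the IPs whose lock file is older than MINUTES.
list_stale_locks() {
    [ -d "$1" ] || return 0
    find "$1" -maxdepth 1 -type f -name 'dos-*' -mmin +"$2" -print |
        sed 's|.*/dos-||'
}

# prune_stale_locks DIR MINUTES
# Delete lock files older than MINUTES and print how many were removed.
# Only dos-* files directly inside DIR are touched; other logs are kept.
prune_stale_locks() {
    [ -d "$1" ] || { echo 0; return 0; }
    find "$1" -maxdepth 1 -type f -name 'dos-*' -mmin +"$2" \
        -print -exec rm -f -- {} \; | wc -l | tr -d ' '
}

# Stand-alone use, e.g. from root's crontab:
#   * * * * * /usr/local/sbin/evasive-prune.sh --run /var/log/mod_evasive 1
# (script path is hypothetical). With DOSBlockingPeriod 10 seconds, a lock
# older than one minute has long outlived the block it recorded.
if [ "${1:-}" = "--run" ]; then
    prune_stale_locks "${2:-/var/log/mod_evasive}" "${3:-1}"
fi
```

Run `list_stale_locks` first to see which IPs would be forgotten; the age should stay longer than DOSBlockingPeriod so an IP that is still blocked does not generate a second notification.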


Answer

Mostly it should work; there is only an email bug specified for mod_evasive on Ubuntu 12.04 LTS, which can be fixed by creating a symbolic link. Please check the link below and it would surely solve the problem. It also mentions how to fix the email bug.

http://www.thefanclub.co.za/how-to/how-install-apache2-modsecurity-and-modevasive-ubuntu-1204-lts-server

If you are interested in DOS/DDOS prevention, I have been using OSSEC too; it’s nice, and it not only prevents DOS/DDOS for HTTP and Apache but for other protocols as well.

Thanks & Regards, Alok Thaker

User contributions licensed under: CC BY-SA