・Amazon Linux に mod_evasive を導入したい!
趣味で運営しているサーバが、何度か落ちてしまい、原因を調査しているが、妙な連続アクセス以外に不審な点が見当たらないため、mod_evasiveを導入し連続アクセスを制御したいと考えました。
・導入にあたって
yumを使うやり方とソースから導入するやり方があるようですが、yumを使うやり方を選択。
*参考にしたサイト:
Apache DoS攻撃にそなえる
AmazonLinuxはEPELリポジトリの追加は特に必要ないようなので、
yum --enablerepo=epel install mod_evasive mkdir /var/lock/mod_evasive chown apache:apache /var/lock/mod_evasive
/etc/httpd/conf.d/mod_evasive.conf を編集
#DOSLogDir "/var/lock/mod_evasive" → DOSLogDir "/var/lock/mod_evasive"
httpdリスタート
sudo /etc/init.d/httpd restart
mod_evasiveが効かない。。。
リスタートまでできたものの、以下の導入テストがいつまでたっても200のまま。。。
perl /usr/share/doc/mod_evasive-1.10.1/test.pl HTTP/1.1 200 OK HTTP/1.1 200 OK HTTP/1.1 200 OK ・ ・ ・ HTTP/1.1 200 OK HTTP/1.1 200 OK
apachectl -M で見るとevasive20_module (shared)の表示あり。
apache は
yum groupinstall -y "Web Server" "MySQL Database" "PHP Support"
で導入
Server version: Apache/2.2.31 (Unix)
Server built: Aug 13 2015 23:45:37
切り分け方法や対処方法をどなたかアドバイスいただけないでしょうか。
よろしくお願いします。
追記:httpd.confに関して
抜粋となりますが、以下で設定しています。
*ご質問頂いた対象箇所がわからなかったため、必要と思われる箇所をこちらで判断しました。確認箇所を追加でご指示いただけると幸いです。
/etc/httpd/conf/httpd.conf ・ ・ ・ Include conf.d/*.conf ・ ・ ・
/etc/httpd/conf.d/mod_evasive.conf LoadModule evasive20_module modules/mod_evasive20.so <IfModule mod_evasive20.c> # The hash table size defines the number of top-level nodes for each # child's hash table. Increasing this number will provide faster # performance by decreasing the number of iterations required to get to the # record, but consume more memory for table space. You should increase # this if you have a busy web server. The value you specify will # automatically be tiered up to the next prime number in the primes list # (see mod_evasive.c for a list of primes used). DOSHashTableSize 3097 # This is the threshhold for the number of requests for the same page (or # URI) per page interval. Once the threshhold for that interval has been # exceeded, the IP address of the client will be added to the blocking # list. DOSPageCount 2 # This is the threshhold for the total number of requests for any object by # the same client on the same listener per site interval. Once the # threshhold for that interval has been exceeded, the IP address of the # client will be added to the blocking list. DOSSiteCount 50 # The interval for the page count threshhold; defaults to 1 second # intervals. DOSPageInterval 1 # The interval for the site count threshhold; defaults to 1 second # intervals. DOSSiteInterval 1 # The blocking period is the amount of time (in seconds) that a client will # be blocked for if they are added to the blocking list. During this time, # all subsequent requests from the client will result in a 403 (Forbidden) # and the timer being reset (e.g. another 10 seconds). Since the timer is # reset for every subsequent request, it is not necessary to have a long # blocking period; in the event of a DoS attack, this timer will keep # getting reset. DOSBlockingPeriod 10 # If this value is set, an email will be sent to the address specified # whenever an IP address becomes blacklisted. A locking mechanism using # /tmp prevents continuous emails from being sent. # # NOTE: Requires /bin/mail (provided by mailx) #DOSEmailNotify you@yourdomain.com # If this value is set, the system command specified will be executed # whenever an IP address becomes blacklisted. This is designed to enable # system calls to ip filter or other tools. A locking mechanism using /tmp # prevents continuous system calls. Use %s to denote the IP address of the # blacklisted IP. #DOSSystemCommand "su - someuser -c '/sbin/... %s ...'" # Choose an alternative temp directory By default "/tmp" will be used for # locking mechanism, which opens some security issues if your system is # open to shell users. # # http://security.lss.hr/index.php?page=details&ID=LSS-2005-01-01 # # In the event you have nonprivileged shell users, you'll want to create a # directory writable only to the user Apache is running as (usually root), # then set this in your httpd.conf. DOSLogDir "/var/lock/mod_evasive" # You can use whitelists to disable the module for certain ranges of # IPs. Wildcards can be used on up to the last 3 octets if necessary. # Multiple DOSWhitelist commands may be used in the configuration. #DOSWhitelist 127.0.0.1 #DOSWhitelist 192.168.0.* </IfModule>
追記2:access_log
access_logは全て200で返ってきています。
*しきい値を超えている付近を抜粋。
127.0.0.1 - - [09/Jan/2016:08:14:17 +0000] "GET /?38 HTTP/1.0" 200 2926 "-" "-" 127.0.0.1 - - [09/Jan/2016:08:14:17 +0000] "GET /?39 HTTP/1.0" 200 2926 "-" "-" 127.0.0.1 - - [09/Jan/2016:08:14:18 +0000] "GET /?40 HTTP/1.0" 200 2926 "-" "-" 127.0.0.1 - - [09/Jan/2016:08:14:18 +0000] "GET /?41 HTTP/1.0" 200 2926 "-" "-" 127.0.0.1 - - [09/Jan/2016:08:14:18 +0000] "GET /?42 HTTP/1.0" 200 2926 "-" "-" 127.0.0.1 - - [09/Jan/2016:08:14:19 +0000] "GET /?43 HTTP/1.0" 200 2926 "-" "-" 127.0.0.1 - - [09/Jan/2016:08:14:19 +0000] "GET /?44 HTTP/1.0" 200 2926 "-" "-" 127.0.0.1 - - [09/Jan/2016:08:14:19 +0000] "GET /?45 HTTP/1.0" 200 2926 "-" "-" 127.0.0.1 - - [09/Jan/2016:08:14:20 +0000] "GET /?46 HTTP/1.0" 200 2926 "-" "-" 127.0.0.1 - - [09/Jan/2016:08:14:20 +0000] "GET /?47 HTTP/1.0" 200 2926 "-" "-" 127.0.0.1 - - [09/Jan/2016:08:14:21 +0000] "GET /?48 HTTP/1.0" 200 2926 "-" "-" 127.0.0.1 - - [09/Jan/2016:08:14:21 +0000] "GET /?49 HTTP/1.0" 200 2926 "-" "-"
念のため、外部サーバからab -n 50 -c 10 http://サーバ名/
も実施しましたがこちらも200で返ってきてます。
*しきい値を超えている付近を抜粋。ソースアドレスをXXX.XXX.XXX.XXXで置き換え
XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:07 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3" XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:07 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3" XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:08 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3" XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:09 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3" XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:11 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3" XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:11 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3" XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:11 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3" XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:11 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3" XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:11 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3" XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:11 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3" XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:11 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3" XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:11 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3" XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:12 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3" XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:14 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3" XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:15 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3" XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:15 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3" XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:15 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3" XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:15 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3" XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:15 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3" XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:15 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3" XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:15 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3" XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:16 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3" XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:16 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3" XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:18 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3" XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:19 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3" XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:19 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3" XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:19 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3" XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:19 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3" XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:19 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3" XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:19 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3" XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:19 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3"
回答2件
あなたの回答
tips
プレビュー