
Question edit history

4

Added access_log

2016/01/09 08:35

Posted

Withdrawn user
title CHANGED
File without changes
body CHANGED
@@ -132,4 +132,58 @@
132
132
  #DOSWhitelist 127.0.0.1
133
133
  #DOSWhitelist 192.168.0.*
134
134
  </IfModule>
135
+ ```
136
+
137
+ 追記2:access_log
138
+ access_logは全て200で返ってきています。
139
+ *しきい値を超えている付近を抜粋。
140
+
141
+ ```
142
+ 127.0.0.1 - - [09/Jan/2016:08:14:17 +0000] "GET /?38 HTTP/1.0" 200 2926 "-" "-"
143
+ 127.0.0.1 - - [09/Jan/2016:08:14:17 +0000] "GET /?39 HTTP/1.0" 200 2926 "-" "-"
144
+ 127.0.0.1 - - [09/Jan/2016:08:14:18 +0000] "GET /?40 HTTP/1.0" 200 2926 "-" "-"
145
+ 127.0.0.1 - - [09/Jan/2016:08:14:18 +0000] "GET /?41 HTTP/1.0" 200 2926 "-" "-"
146
+ 127.0.0.1 - - [09/Jan/2016:08:14:18 +0000] "GET /?42 HTTP/1.0" 200 2926 "-" "-"
147
+ 127.0.0.1 - - [09/Jan/2016:08:14:19 +0000] "GET /?43 HTTP/1.0" 200 2926 "-" "-"
148
+ 127.0.0.1 - - [09/Jan/2016:08:14:19 +0000] "GET /?44 HTTP/1.0" 200 2926 "-" "-"
149
+ 127.0.0.1 - - [09/Jan/2016:08:14:19 +0000] "GET /?45 HTTP/1.0" 200 2926 "-" "-"
150
+ 127.0.0.1 - - [09/Jan/2016:08:14:20 +0000] "GET /?46 HTTP/1.0" 200 2926 "-" "-"
151
+ 127.0.0.1 - - [09/Jan/2016:08:14:20 +0000] "GET /?47 HTTP/1.0" 200 2926 "-" "-"
152
+ 127.0.0.1 - - [09/Jan/2016:08:14:21 +0000] "GET /?48 HTTP/1.0" 200 2926 "-" "-"
153
+ 127.0.0.1 - - [09/Jan/2016:08:14:21 +0000] "GET /?49 HTTP/1.0" 200 2926 "-" "-"
154
+ ```
155
+ 念のため、外部サーバから```ab -n 50 -c 10 http://サーバ名/```も実施しましたがこちらも200で返ってきてます。
156
+ *しきい値を超えている付近を抜粋。ソースアドレスをXXX.XXX.XXX.XXXで置き換え
157
+ ```
158
+ XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:07 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3"
159
+ XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:07 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3"
160
+ XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:08 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3"
161
+ XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:09 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3"
162
+ XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:11 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3"
163
+ XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:11 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3"
164
+ XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:11 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3"
165
+ XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:11 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3"
166
+ XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:11 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3"
167
+ XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:11 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3"
168
+ XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:11 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3"
169
+ XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:11 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3"
170
+ XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:12 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3"
171
+ XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:14 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3"
172
+ XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:15 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3"
173
+ XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:15 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3"
174
+ XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:15 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3"
175
+ XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:15 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3"
176
+ XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:15 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3"
177
+ XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:15 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3"
178
+ XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:15 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3"
179
+ XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:16 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3"
180
+ XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:16 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3"
181
+ XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:18 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3"
182
+ XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:19 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3"
183
+ XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:19 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3"
184
+ XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:19 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3"
185
+ XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:19 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3"
186
+ XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:19 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3"
187
+ XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:19 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3"
188
+ XXX.XXX.XXX.XXX - - [09/Jan/2016:08:12:19 +0000] "GET / HTTP/1.0" 200 2948 "-" "ApacheBench/2.3"
135
189
  ```
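
Review bot: The first excerpt (127.0.0.1, `GET /?38` through `GET /?49`) does not say which command produced it, and every request carries a different query string, while the second excerpt names `ab -n 50 -c 10` and requests `/` each time. Since DOSPageCount is described as counting requests for the same page (or URI), state the local command and whether it was meant to hit a single page; otherwise the two tests are not comparable. Both excerpts are introduced with the same "しきい値を超えている付近を抜粋" line, so also say which threshold each is expected to exceed: in the lines shown, the local run peaks at 3 requests per second and the external run at 8, which bears on DOSPageCount 2 but not on DOSSiteCount 50. Only access_log with status 200 is shown; the error_log lines for the same timestamps and a listing of /var/lock/mod_evasive would show whether mod_evasive evaluated these requests at all.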

3

Beginner mark

2016/01/09 08:34

Posted

Withdrawn user
title CHANGED
File without changes
body CHANGED
File without changes

2

Corrected the addendum

2016/01/09 06:09

Posted

Withdrawn user
title CHANGED
File without changes
body CHANGED
@@ -48,9 +48,18 @@
48
48
 
49
49
  ```
50
50
  /etc/httpd/conf/httpd.conf
51
+
52
+
53
+
51
54
  Include conf.d/*.conf
55
+
56
+
57
+
58
+
52
59
  ```
53
60
  ```
61
+ /etc/httpd/conf.d/mod_evasive.conf
62
+
54
63
  LoadModule evasive20_module modules/mod_evasive20.so
55
64
 
56
65
  <IfModule mod_evasive20.c>
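
Review bot: The file names `/etc/httpd/conf/httpd.conf` and `/etc/httpd/conf.d/mod_evasive.conf` are placed as bare first lines inside the fenced blocks, where they read as configuration content rather than labels. Move each path above its fence or write it as a `#` comment, and replace the runs of empty lines added around `Include conf.d/*.conf` with an explicit omission marker so readers can tell how much of httpd.conf was left out.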

1

Addendum: about httpd.conf

2016/01/09 05:46

Posted

Withdrawn user
title CHANGED
File without changes
body CHANGED
@@ -4,8 +4,8 @@
4
4
  ・導入にあたって
5
5
  yumを使うやり方とソースから導入するやり方があるようですが、yumを使うやり方を選択。
6
6
 
7
- *参考にしたサイト:Apache DoS攻撃にそなえる
7
+ *参考にしたサイト:
8
- http://okochang.hatenablog.jp/entry/2014/03/15/161134
8
+ [Apache DoS攻撃にそなえる](http://okochang.hatenablog.jp/entry/2014/03/15/161134)
9
9
 
10
10
  AmazonLinuxはEPELリポジトリの追加は特に必要ないようなので、
11
11
  ```
@@ -40,4 +40,87 @@
40
40
  Server version: Apache/2.2.31 (Unix)
41
41
  Server built: Aug 13 2015 23:45:37
42
42
  切り分け方法や対処方法をどなたかアドバイスいただけないでしょうか。
43
- よろしくお願いします。
43
+ よろしくお願いします。
44
+
45
+ 追記:httpd.confに関して
46
+ 抜粋となりますが、以下で設定しています。
47
+ *ご質問頂いた対象箇所がわからなかったため、必要と思われる箇所をこちらで判断しました。確認箇所を追加でご指示いただけると幸いです。
48
+
49
+ ```
50
+ /etc/httpd/conf/httpd.conf
51
+ Include conf.d/*.conf
52
+ ```
53
+ ```
54
+ LoadModule evasive20_module modules/mod_evasive20.so
55
+
56
+ <IfModule mod_evasive20.c>
57
+ # The hash table size defines the number of top-level nodes for each
58
+ # child's hash table. Increasing this number will provide faster
59
+ # performance by decreasing the number of iterations required to get to the
60
+ # record, but consume more memory for table space. You should increase
61
+ # this if you have a busy web server. The value you specify will
62
+ # automatically be tiered up to the next prime number in the primes list
63
+ # (see mod_evasive.c for a list of primes used).
64
+ DOSHashTableSize 3097
65
+
66
+ # This is the threshhold for the number of requests for the same page (or
67
+ # URI) per page interval. Once the threshhold for that interval has been
68
+ # exceeded, the IP address of the client will be added to the blocking
69
+ # list.
70
+ DOSPageCount 2
71
+
72
+ # This is the threshhold for the total number of requests for any object by
73
+ # the same client on the same listener per site interval. Once the
74
+ # threshhold for that interval has been exceeded, the IP address of the
75
+ # client will be added to the blocking list.
76
+ DOSSiteCount 50
77
+
78
+ # The interval for the page count threshhold; defaults to 1 second
79
+ # intervals.
80
+ DOSPageInterval 1
81
+
82
+ # The interval for the site count threshhold; defaults to 1 second
83
+ # intervals.
84
+ DOSSiteInterval 1
85
+
86
+ # The blocking period is the amount of time (in seconds) that a client will
87
+ # be blocked for if they are added to the blocking list. During this time,
88
+ # all subsequent requests from the client will result in a 403 (Forbidden)
89
+ # and the timer being reset (e.g. another 10 seconds). Since the timer is
90
+ # reset for every subsequent request, it is not necessary to have a long
91
+ # blocking period; in the event of a DoS attack, this timer will keep
92
+ # getting reset.
93
+ DOSBlockingPeriod 10
94
+
95
+ # If this value is set, an email will be sent to the address specified
96
+ # whenever an IP address becomes blacklisted. A locking mechanism using
97
+ # /tmp prevents continuous emails from being sent.
98
+ #
99
+ # NOTE: Requires /bin/mail (provided by mailx)
100
+ #DOSEmailNotify you@yourdomain.com
101
+
102
+ # If this value is set, the system command specified will be executed
103
+ # whenever an IP address becomes blacklisted. This is designed to enable
104
+ # system calls to ip filter or other tools. A locking mechanism using /tmp
105
+ # prevents continuous system calls. Use %s to denote the IP address of the
106
+ # blacklisted IP.
107
+ #DOSSystemCommand "su - someuser -c '/sbin/... %s ...'"
108
+
109
+ # Choose an alternative temp directory By default "/tmp" will be used for
110
+ # locking mechanism, which opens some security issues if your system is
111
+ # open to shell users.
112
+ #
113
+ # http://security.lss.hr/index.php?page=details&ID=LSS-2005-01-01
114
+ #
115
+ # In the event you have nonprivileged shell users, you'll want to create a
116
+ # directory writable only to the user Apache is running as (usually root),
117
+ # then set this in your httpd.conf.
118
+ DOSLogDir "/var/lock/mod_evasive"
119
+
120
+ # You can use whitelists to disable the module for certain ranges of
121
+ # IPs. Wildcards can be used on up to the last 3 octets if necessary.
122
+ # Multiple DOSWhitelist commands may be used in the configuration.
123
+ #DOSWhitelist 127.0.0.1
124
+ #DOSWhitelist 192.168.0.*
125
+ </IfModule>
126
+ ```
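
Review bot: The httpd.conf excerpt is reduced to the `Include conf.d/*.conf` line, yet the DOSHashTableSize comment in the same hunk says the table belongs to each child ("each child's hash table"), so the process model decides how requests are counted against `DOSPageCount 2` and `DOSSiteCount 50`. Add the MPM section of httpd.conf and the output of `httpd -M` showing that evasive20_module is loaded. For `DOSLogDir "/var/lock/mod_evasive"`, also state whether the directory exists and who owns it, since the comment above it expects a directory writable by the user Apache runs as.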