Installing the Apache2 extension module evasive (evasive20_module)
Installation with yum
Install EPEL
$ yum install -y epel-release
Install httpd
$ yum install -y httpd
Install the mod_evasive module
$ yum install -y mod_evasive
Verify that the module is loaded
$ apachectl -M | egrep evasive
evasive20_module (shared)
Original mod_evasive.conf file
$ cat /etc/httpd/conf.d/mod_evasive.conf
# mod_evasive configuration
LoadModule evasive20_module modules/mod_evasive24.so
<IfModule mod_evasive24.c>
# The hash table size defines the number of top-level nodes for each
# child's hash table. Increasing this number will provide faster
# performance by decreasing the number of iterations required to get to the
# record, but consume more memory for table space. You should increase
# this if you have a busy web server. The value you specify will
# automatically be tiered up to the next prime number in the primes list
# (see mod_evasive.c for a list of primes used).
DOSHashTableSize 3097
# This is the threshhold for the number of requests for the same page (or
# URI) per page interval. Once the threshhold for that interval has been
# exceeded, the IP address of the client will be added to the blocking
# list.
DOSPageCount 2
# This is the threshhold for the total number of requests for any object by
# the same client on the same listener per site interval. Once the
# threshhold for that interval has been exceeded, the IP address of the
# client will be added to the blocking list.
DOSSiteCount 50
# The interval for the page count threshhold; defaults to 1 second
# intervals.
DOSPageInterval 1
# The interval for the site count threshhold; defaults to 1 second
# intervals.
DOSSiteInterval 1
# The blocking period is the amount of time (in seconds) that a client will
# be blocked for if they are added to the blocking list. During this time,
# all subsequent requests from the client will result in a 403 (Forbidden)
# and the timer being reset (e.g. another 10 seconds). Since the timer is
# reset for every subsequent request, it is not necessary to have a long
# blocking period; in the event of a DoS attack, this timer will keep
# getting reset.
DOSBlockingPeriod 10
# If this value is set, an email will be sent to the address specified
# whenever an IP address becomes blacklisted. A locking mechanism using
# /tmp prevents continuous emails from being sent.
#
# NOTE: Requires /bin/mail (provided by mailx)
#DOSEmailNotify you@yourdomain.com
# If this value is set, the system command specified will be executed
# whenever an IP address becomes blacklisted. This is designed to enable
# system calls to ip filter or other tools. A locking mechanism using /tmp
# prevents continuous system calls. Use %s to denote the IP address of the
# blacklisted IP.
#DOSSystemCommand "su - someuser -c '/sbin/... %s ...'"
# Choose an alternative temp directory By default "/tmp" will be used for
# locking mechanism, which opens some security issues if your system is
# open to shell users.
#
# http://security.lss.hr/index.php?page=details&ID=LSS-2005-01-01
#
# In the event you have nonprivileged shell users, you'll want to create a
# directory writable only to the user Apache is running as (usually root),
# then set this in your httpd.conf.
#DOSLogDir "/var/lock/mod_evasive"
# You can use whitelists to disable the module for certain ranges of
# IPs. Wildcards can be used on up to the last 3 octets if necessary.
# Multiple DOSWhitelist commands may be used in the configuration.
#DOSWhitelist 127.0.0.1
#DOSWhitelist 192.168.0.*
</IfModule>
Edit mod_evasive.conf
$ vim /etc/httpd/conf.d/mod_evasive.conf
# mod_evasive configuration
LoadModule evasive20_module modules/mod_evasive24.so
<IfModule mod_evasive24.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
#DOSEmailNotify you@yourdomain.com
#DOSSystemCommand "su - someuser -c '/sbin/... %s ...'"
#DOSLogDir "/var/log/mod_evasive"
#DOSWhitelist 127.0.0.1
#DOSWhitelist 192.168.0.*
</IfModule>
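The shipped comments above state that the lock files go to /tmp unless DOSLogDir is set, and the edited file still has DOSLogDir commented out. The shell functions below are an added example, not part of the original post or of mod_evasive; the function names are made up here, and the permission check covers only the world-writable case.

```shell
#!/bin/sh
# Added example: audit a mod_evasive.conf for the lock-directory issue
# described in the shipped comments. Function names are hypothetical.

# Print the value of an active (uncommented) directive, or nothing if unset.
evasive_directive() {   # $1 = conf file, $2 = directive name
    awk -v d="$2" '
        /^[ \t]*#/ { next }                  # skip commented-out lines
        tolower($1) == tolower(d) {          # directive names are case-insensitive
            v = $2; gsub(/"/, "", v); val = v
        }
        END { if (val != "") print val }' "$1"
}

# Effective lock directory: /tmp is used when DOSLogDir is not set.
evasive_logdir() {
    dir=$(evasive_directive "$1" DOSLogDir)
    printf '%s\n' "${dir:-/tmp}"
}

# Return 0 if the lock directory looks acceptable, 1 otherwise.
evasive_logdir_ok() {
    dir=$(evasive_logdir "$1")
    [ "$dir" != "/tmp" ] || { echo "WARN: DOSLogDir not set, /tmp is used"; return 1; }
    [ -d "$dir" ] || { echo "WARN: $dir does not exist"; return 1; }
    # find prints the directory only if the other-write bit is set
    [ -z "$(find "$dir" -prune -perm -002)" ] || {
        echo "WARN: $dir is world-writable"; return 1; }
    echo "OK: lock directory is $dir"
}

# Constructed sample: the edited config from this page, DOSLogDir commented out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<IfModule mod_evasive24.c>
DOSBlockingPeriod 10
#DOSLogDir "/var/log/mod_evasive"
</IfModule>
EOF
evasive_logdir_ok "$sample" || true    # reports the /tmp fallback
rm -f "$sample"
```

On a real host, pass the path of the active file, for example /etc/httpd/conf.d/mod_evasive.conf.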
Install perl
$ yum install -y perl
Edit test.pl
$ vim /usr/local/src/mod_evasive-master/test.pl
#!/usr/bin/perl
# test.pl: small script to test mod_dosevasive's effectiveness
use IO::Socket;
use strict;

for(0..100) {
  my($response);
  my($SOCKET) = new IO::Socket::INET( Proto   => "tcp",
                                      PeerAddr=> "127.0.0.1:80");
  if (! defined $SOCKET) { die $!; }
  print $SOCKET "GET /?$_ HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n";
  $response = <$SOCKET>;
  print $response;
  close($SOCKET);
}
Run the test.pl test
$ perl /usr/local/src/mod_evasive-master/test.pl
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
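Check the mod_evasive log
mod_evasive writes a dos-<IP> file for a blocked client into the DOSLogDir directory. The listing below assumes DOSLogDir is set to /var/log/mod_evasive; while that directive is commented out, as in the file above, /tmp is used instead.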
$ ls -l /var/log/mod_evasive
-rw-r--r-- 1 apache apache 5 Feb 9 16:47 dos-172.18.0.1
$ cat /var/log/mod_evasive/dos-172.18.0.1
1173
Compiling from source
Install the evasive module
$ cd /usr/local/src/
$ wget https://codeload.github.com/shivaas/mod_evasive/zip/master
$ unzip master
$ cd mod_evasive-master
$ /usr/local/apache2/bin/apxs -i -c -a mod_evasive24.c
---output---
----------------------------------------------------------------------
Libraries have been installed in:
/usr/local/apache2/modules
If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the '-LLIBDIR'
flag during linking and do at least one of the following:
- add LIBDIR to the 'LD_LIBRARY_PATH' environment variable
during execution
- add LIBDIR to the 'LD_RUN_PATH' environment variable
during linking
- use the '-Wl,-rpath -Wl,LIBDIR' linker flag
- have your system administrator add LIBDIR to '/etc/ld.so.conf'
See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
----------------------------------------------------------------------
chmod 755 /usr/local/apache2/modules/mod_evasive24.so
[activating module `evasive20' in /usr/local/apache2/conf/httpd.conf]
Verify the evasive installation
$ /usr/local/apache2/bin/apachectl -M | grep evasive
evasive20_module (shared)
$ cat /usr/local/apache2/conf/httpd.conf | grep evasive
LoadModule evasive20_module modules/mod_evasive24.so
Create the mod_evasive.conf file (it takes effect only if httpd.conf includes it)
$ vim /usr/local/apache2/conf/mod_evasive.conf
<IfModule mod_evasive24.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 60
DOSEmailNotify <YOU@YOURMAIL.COM>
</IfModule>
Create the mod_evasive log directory (it is used only if DOSLogDir in mod_evasive.conf points to it)
$ mkdir /var/log/httpd/mod_evasive
Test the mod_evasive module (test.pl)
$ yum install -y perl
$ vim /usr/local/src/mod_evasive-master/test.pl
#!/usr/bin/perl
# test.pl: small script to test mod_dosevasive's effectiveness
use IO::Socket;
use strict;

for(0..100) {
  my($response);
  my($SOCKET) = new IO::Socket::INET( Proto   => "tcp",
                                      PeerAddr=> "127.0.0.1:80");
  if (! defined $SOCKET) { die $!; }
  print $SOCKET "GET /?$_ HTTP/1.0\n\n";
  $response = <$SOCKET>;
  print $response;
  close($SOCKET);
}
$ perl /usr/local/src/mod_evasive-master/test.pl