Hammering the F5 key in a browser will result in a Server Collapse

Discussion in 'ISPConfig 3 Priority Support' started by SuperLOL, Jun 10, 2014.

  1. SuperLOL

    SuperLOL Member

    Hi,

    I have noticed that if a user is hammering the F5 (Refresh) key in his browser, he can easily bring down my website, even my server if I use PHP-CGI, because then my server will even run out of RAM. :rolleyes:
    What can I do about this DoS attack? This sucks big time. :mad:
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    PHP-CGI should not be used at all as it is too slow and uses too many resources. So the first step is to switch your website from php-cgi to php-fcgi. If your server is still not able to handle the load, then you can install Apache mod_evasive to block users that request too many pages in a short time.
     
  3. SuperLOL

    SuperLOL Member

    Sorry, I made a typo, I meant "php-fcgi" not "php-cgi", but still it only takes 30 seconds to overload a 4GB RAM server when simply holding down the F5 key.
    Is mod_evasive really the only solution for this? I specifically upgraded from 2GB RAM to 4GB RAM because of this. :rolleyes:
     
    Last edited: Jun 10, 2014
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    There are 2 solutions: either install mod_evasive or get a faster server. Pressing F5 is basically the same as if your website had more users visiting the site at the same time, so there is nothing wrong with your server, it just can't handle the load that is caused by that many pageviews.

    mod_evasive prevents this by checking if the many pageviews are coming from one user or from different users. If they come from one user, mod_evasive blocks access by this user for a few minutes, as it's a DoS. If they come from different users, then this is normal usage of the site (or a DDoS that can't be prevented like this).

    What you can do in general is to check if your server is optimized. If this is a site that uses MySQL, then use mysqltuner to optimize the database settings, and if the site uses PHP, ensure that you have xcache or apc installed to speed up PHP.
     
  5. SuperLOL

    SuperLOL Member

    I tried mod_evasive but I can't get it to work. Could it be that it is outdated? The last release was in 2005. :D
    Here are my settings in the "mod-evasive.load" file:

    Code:
    LoadModule evasive20_module /usr/lib/apache2/modules/mod_evasive20.so
    
    <IfModule mod_evasive20.c>
        # Specifies the size of hash table.
        DOSHashTableSize 3097
        # Sets the limit for the number of requests for the same page (or URI).
        DOSPageCount 5
        # Sets the limit for the total number of requests for any object by the same client on the same listener.
        DOSSiteCount 120
        # Sets the interval for the page count threshold.
        DOSPageInterval 2.0
        # Sets the interval for the site count threshold.
        DOSSiteInterval 2.0
        # Sets the time that a client will be blocked for if they are added to the blocking list.
        DOSBlockingPeriod 10
        # Specifies the system command to be executed whenever an IP address becomes blacklisted.
        #DOSSystemCommand "cscript addFirewallRuleByIP.vbs IP=%s"
        # Closes network connection socket if the directive state is On.
        #DOSCloseSocket On
        # Sends an email to the address specified whenever an IP address becomes blacklisted.
        DOSEmailNotify [email protected]
        # Path to the log directory.
        DOSLogDir “/var/log/apache2/mod_evasive”
        # Whitelist Option.
        DOSWhitelist 127.0.0.*
        DOSWhitelist 127.0.1.*
    </IfModule>
     
    Last edited: Jun 11, 2014
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    mod_evasive should be working fine, I have already installed it several times this year on customer servers. E.g. on Debian you install it with:

    apt-get install libapache2-mod-evasive

    Works fine on Debian, even without any additional configuration.
     
  7. SuperLOL

    SuperLOL Member

    I can hammer the F5 key and it does nothing, I cannot even find a log file.
     
    Last edited: Jun 11, 2014
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    The DOSLogDir is enclosed in the wrong double quotes. It has to be:

    DOSLogDir "/var/log/apache2/mod_evasive"

    and not

    DOSLogDir “/var/log/apache2/mod_evasive”

    And does the directory /var/log/apache2/mod_evasive exist, and is it owned by the user that runs the Apache server?
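
A lint for the two points raised in the post above (typographic quotes in the config, and whether the DOSLogDir directory exists and is owned by the Apache user), as an added example that is not part of the original thread. The function name `check_evasive_conf`, the script name and the `www-data` user are assumptions of the example.

```shell
#!/bin/sh
# Added example: lint a mod_evasive config for the two problems raised above.
# check_evasive_conf CONF_FILE APACHE_USER  -> returns 0 if clean, 1 otherwise.
# APACHE_USER is an assumption of this example (www-data on Debian/Ubuntu).
check_evasive_conf() {
    conf=$1; user=$2; rc=0

    # U+201C and U+201D are the UTF-8 byte sequences E2 80 9C and E2 80 9D.
    lq=$(printf '\342\200\234'); rq=$(printf '\342\200\235')
    bad=$(grep -n -e "$lq" -e "$rq" "$conf" || true)
    if [ -n "$bad" ]; then
        echo "typographic quotes, replace with plain \":"
        echo "$bad"
        rc=1
    fi

    # Last active (uncommented) DOSLogDir value, with any kind of quote removed.
    dir=$(sed -n 's/^[[:space:]]*DOSLogDir[[:space:]][[:space:]]*//p' "$conf" |
        tail -n 1 |
        sed -e "s/$lq//g" -e "s/$rq//g" -e 's/"//g' -e 's/[[:space:]]*$//')
    if [ -z "$dir" ]; then
        echo "no DOSLogDir directive found"
        return "$rc"
    fi

    if [ ! -d "$dir" ]; then
        echo "DOSLogDir $dir does not exist"
        return 1
    fi

    # Third column of ls -ld is the owner; portable across GNU and BSD.
    owner=$(ls -ld "$dir" | awk '{print $3}')
    if [ "$owner" != "$user" ]; then
        echo "DOSLogDir $dir is owned by $owner, expected $user"
        rc=1
    fi
    return "$rc"
}

# Run directly: sh check_evasive.sh /path/to/mod-evasive.load www-data
if [ "$#" -eq 2 ]; then
    check_evasive_conf "$1" "$2"
fi
```
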
     
  9. SuperLOL

    SuperLOL Member

    I also tried it without setting any configuration and I couldn't find any log files in the /tmp folder.
    It sucks, my server can handle over 4000 visits a day, but if someone presses the F5 key then the server goes down like a rock.
     
    Last edited: Jun 11, 2014
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    Why should it write any logs there? mod_evasive is an Apache module; when it blocks a connection, you find it in the Apache error.log or the website error.log. The line is something like "connection denied by server configuration".

    That's quite normal. Handling 4000 visits a day is not much for a normal sized webserver, as that's less than 3 visits a minute. But what you simulate by keeping F5 pressed is a few hundred visits a minute and this can't be handled by your server.
     
  11. SuperLOL

    SuperLOL Member

    I also cannot find anything in the Apache error.log. I really ask myself how the shared hosters overcome this problem.
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    There are just 2 options and I explained these already: Either your server has the resources to handle the number of incoming requests or you limit the number of incoming requests, e.g. with mod_evasive, so that requests get blocked when their number exceeds a given value. I don't know which setup you used for your server in detail; if you use Ubuntu or Debian, just run the apt install command I posted in this thread to install mod_evasive. No other config steps are required. Of course, you can fine-tune it later, but that's optional.
     
