Good day,

For a few days we have been experiencing SYN attacks on our servers. They look like this:

Code:
tcp 0 0 ***:80 ***:1466 SYN_RECV
tcp 0 0 ***:80 ***:1460 SYN_RECV
tcp 0 0 ***:80 ***:1468 SYN_RECV
...

We have tried to install mod_evasive and succeeded, but it is not functioning... test.pl only gives 403 codes, but no 200 at the start...

Apache conf:

Code:
####################################
# MOD EVASIVE
####################################
<IfModule mod_evasive20.c>
    DOSHashTableSize 4000
    DOSPageCount 2
    DOSSiteCount 30
    DOSPageInterval 1
    DOSSiteInterval 1
    DOSBlockingPeriod 10
    DOSEmailNotify ***
    #DOSSystemCommand
    #DOSLogDir "/var/log/mod_evasive"
    DOSWhitelist 127.0.0.*
    DOSWhitelist ***
    DOSWhitelist ***
    DOSWhitelist ***
    DOSWhitelist ***
</IfModule>
#AddModule mod_evasive.c

Now the mod_evasive module is commented out, because if it is not, Apache won't start because:

Code:
Apache 1.3 configuration directives found
please read /usr/share/doc/httpd-2.2.4/migration.html [FAILED]

Can't find any useful (to me) information in that file though.

The IP is manually dropped by iptables now, but that's clearly not the best solution.

Any advice on how to fix this and protect against syn-flood?
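To see which remote addresses account for SYN_RECV entries like the ones in the post above, the following added example (not part of the original thread) counts half-open connections per source from `netstat -tn` output. The function names, the threshold and the sample addresses are assumptions made for illustration; the sample input is constructed from documentation address ranges.

```shell
#!/bin/sh
# Added example: count half-open (SYN_RECV) connections per remote address.
# Input: `netstat -tn` style lines on stdin. Output: "<count> <address>" lines,
# highest first, for addresses at or above the threshold (default 10).
syn_recv_by_source() {
    threshold="${1:-10}"
    awk -v min="$threshold" '
        # Column 6 is the TCP state, column 5 the foreign address (addr:port).
        $1 ~ /^tcp/ && $6 == "SYN_RECV" {
            addr = $5
            sub(/:[0-9]+$/, "", addr)      # drop the port, keep the address
            sub(/^::ffff:/, "", addr)      # unwrap IPv4-mapped IPv6 addresses
            count[addr]++
        }
        END {
            for (a in count)
                if (count[a] >= min)
                    printf "%d %s\n", count[a], a
        }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample (documentation address ranges), not data from the thread.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address    Foreign Address     State
tcp   0      0      192.0.2.10:80    198.51.100.7:1466   SYN_RECV
tcp   0      0      192.0.2.10:80    198.51.100.7:1460   SYN_RECV
tcp   0      0      192.0.2.10:80    198.51.100.7:1468   SYN_RECV
tcp   0      0      192.0.2.10:80    203.0.113.5:40112   ESTABLISHED
tcp   0      0      192.0.2.10:80    203.0.113.9:51000   SYN_RECV
tcp6  0      0      ::ffff:192.0.2.10:80 ::ffff:198.51.100.7:1470 SYN_RECV
EOF
}

# Live use on a server: netstat -tn | syn_recv_by_source 20
sample_netstat | syn_recv_by_source 2
```

SYN_RECV entries are half-open connections still held by the kernel, which is why they are counted here from netstat output rather than from Apache logs.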
Got it working. Just for others curious:

Put this:

Code:
<IfModule mod_evasive20.c>
    DOSHashTableSize 4000
    DOSPageCount 2
    DOSSiteCount 30
    DOSPageInterval 1
    DOSSiteInterval 1
    DOSBlockingPeriod 10
    DOSEmailNotify [email protected]
    #DOSSystemCommand
    #DOSLogDir "/var/log/mod_evasive"
    DOSWhitelist 127.0.0.*
    DOSWhitelist ......
</IfModule>

BELOW the line:

Code:
LoadModule evasive20_module /usr/lib/httpd/modules/mod_evasive20.so

in your httpd.conf. The AddModule command is not to be used.

Installation:

Code:
yum install httpd-devel
cd /usr/local/src
wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
tar -zxf mod_evasive_1.10.1.tar.gz
cd mod_evasive
/usr/sbin/apxs -cia mod_evasive20.c

Excuse me for the lame question