Allowing Apache/mod_dosevasive to use iptables through sudoers

categories:

What is mod_dosevasive ?

mod_dosevasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection tool, and can be easily configured to talk to ipchains, firewalls, routers, and etcetera.

Detection is performed by creating an internal dynamic hash table of IP Addresses and URIs, and denying any single IP address from any of the following:

The issue

Apache by default runs as an unprivileged user. When using the module dosevasive, you can set it up to trigger a command when a DoS/DDoS/Brute force attack is detected.

This is my config :

mod_dosevasive config :

<code>LoadModule dosevasive20_module modules/mod_dosevasive20.so

    DOSHashTableSize    3097
    DOSPageCount        2
    DOSSiteCount        50 
    DOSPageInterval     1
    DOSSiteInterval     1
    DOSBlockingPeriod   10
# Optional Directives - /usr/share/doc/mod_dosevasive/README for more info
    DOSEmailNotify      admin@domain.be
    DOSWhitelist        192.168.1.*
    DOSSystemCommand    "sudo /sbin/iptables -A INPUT -s %s -j DROP"
</code>

You can see I set up dosevasive to drop the offending IP’s when the system is triggered.

As we are running apache as an unprivileged user, when need to allow apache to use sudo in order to drop the IP’s with iptables.

Edit the sudoers file : visudo

Add this : apache ALL=(ALL) NOPASSWD: /sbin/iptables -A INPUT -s [0-9.]* -j DROP

This would allow apache/mod_dosevasive to drop an offending IP in the firewall.

As I’m not a sudoers regular user, this may not be the best recipe.. If you have a better solution, drop me a line ! :)




Thanks for reading this post!


Did you find an issue in this article?

- click on the following Github link
- log into Github with your account
- click on the line number containing the error
- click on the "..." button
- choose "Reference in new issue"
- add a title and your comment
- click "Submit new issue"

Your feedback is much appreciated! πŸ€œπŸΌπŸ€›πŸΌ

You can also drop me a line below!