DOS공격 방어(mod_evasive) 설치하기

Linux tools/mod_evasive 2010. 10. 27. 15:53

웹서버를 운영하는데 DOS 공격을 할 위험이 있는 서버인 경우에는 mod_evasive를 설치하면 좋다.

1. mod_evasive 파일을 다운로드 한다.

[root@mrtg mod_evasive]# wget http://www.zdziarski.com/blog/wp-content/uploads/2010/02/mod_evasive_1.10.1.tar.gz
[root@mrtg rrdbuild]# tar xvfz mod_evasive_1.10.1.tar.gz
mod_evasive/
mod_evasive/.cvsignore
mod_evasive/LICENSE
mod_evasive/Makefile.tmpl
mod_evasive/README
mod_evasive/mod_evasive.c
mod_evasive/mod_evasive20.c
mod_evasive/mod_evasiveNSAPI.c
mod_evasive/test.pl
mod_evasive/CHANGELOG
[root@mrtg rrdbuild]# cd mod_evasive
[root@mrtg mod_evasive]# ll
total 104
-rw-r--r-- 1 root root 1373 Oct 9 2005 CHANGELOG
-rw-r--r-- 1 root root 18103 Aug 31 2003 LICENSE
-rw-r--r-- 1 root root   470 Oct 9 2005 Makefile.tmpl
-rw-r--r-- 1 root root 14269 Oct 9 2005 README
-rw-r--r-- 1 root root 19395 Oct 9 2005 mod_evasive.c
-rw-r--r-- 1 root root 18242 Oct 9 2005 mod_evasive20.c
-rw-r--r-- 1 root root 15621 Oct 9 2005 mod_evasiveNSAPI.c
-rw-r--r-- 1 root root   406 Aug 31 2003 test.pl
[root@mrtg mod_evasive]# /usr/local/apache/bin/apxs -iac mod_evasive20.c

2. mod_evasive를 설치한다.

[root@mrtg mod_evasive]# /usr/local/apache/bin/apxs -iac mod_evasive20.c
/usr/local/apache/build/libtool --silent --mode=compile gcc -prefer-pic -O3 -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE -D_LARGEFILE64_SOURCE -pthread -I/usr/local/apache/include -I/usr/local/apache/include   -I/usr/local/apache/include   -c -o mod_evasive20.lo mod_evasive20.c && touch mod_evasive20.slo
/usr/local/apache/build/libtool --silent --mode=link gcc -o mod_evasive20.la -rpath /usr/local/apache/modules -module -avoid-version    mod_evasive20.lo
/usr/local/apache/build/instdso.sh SH_LIBTOOL='/usr/local/apache/build/libtool' mod_evasive20.la /usr/local/apache/modules
/usr/local/apache/build/libtool --mode=install cp mod_evasive20.la /usr/local/apache/modules/
cp .libs/mod_evasive20.so /usr/local/apache/modules/mod_evasive20.so
cp .libs/mod_evasive20.lai /usr/local/apache/modules/mod_evasive20.la
cp .libs/mod_evasive20.a /usr/local/apache/modules/mod_evasive20.a
chmod 644 /usr/local/apache/modules/mod_evasive20.a
ranlib /usr/local/apache/modules/mod_evasive20.a
PATH="$PATH:/sbin" ldconfig -n /usr/local/apache/modules
----------------------------------------------------------------------
Libraries have been installed in:
   /usr/local/apache/modules

If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR'
flag during linking and do at least one of the following:
   - add LIBDIR to the `LD_LIBRARY_PATH' environment variable
     during execution
   - add LIBDIR to the `LD_RUN_PATH' environment variable
     during linking
   - use the `-Wl,--rpath -Wl,LIBDIR' linker flag
   - have your system administrator add LIBDIR to `/etc/ld.so.conf'

See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
----------------------------------------------------------------------
chmod 755 /usr/local/apache/modules/mod_evasive20.so
[activating module `evasive20' in /usr/local/apache/conf/httpd.conf]
[root@mrtg mod_evasive]#

3. httpd.conf에 LoadModule evasive20_module   modules/mod_evasive20.so 가 추가 되었는지 확인한다.

[root@mrtg mod_evasive]# vi /usr/local/apache/conf/httpd.conf
............. 생략 ..............
LoadModule imagemap_module modules/mod_imagemap.so
LoadModule actions_module modules/mod_actions.so
LoadModule speling_module modules/mod_speling.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule php5_module        modules/libphp5.so
LoadModule evasive20_module   modules/mod_evasive20.so

<IfModule !mpm_netware_module>
<IfModule !mpm_winnt_module>
#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
............. 생략 ....................

이 모듈을 사용하기 위해서 httpd.conf의 가장 아래부분에 아래와 같이 추가한다.

............. 생략 ....................
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

<IfModule mod_evasive20.c>
DOSHashTableSize        3097
DOSPageCount            5
DOSSiteCount            50
DOSPageInterval         1
DOSSiteInterval         1
DOSBlockingPeriod       60
</IfModule>

DOSHashTableSize는 수치가 높으면 더 좋지만 테이블스페이스에 메모리를 남기게 된다.
DOSPageCount는 같은 페이지를 요청에 대한 카운트 수이다. 지정한 값을 초과하면 해당 IP가 블러킹되고 블럭킹 된 시간동안 403(Forbidden) 에러를 출력한다.
DOSSiteCount 동시에 접속하여 같은 페이지를 볼 수 있는 숫자이다.
DOSPageInterval 페이지 카운트 시발점이다.
DOSSiteInterval 사이트 카운트의 시발점이다.
DOSBlocingPeriod 블럭킹 된 IP는 30초 동안 접속을 할 수 없다. 403(Forbidden) 에러를 출력해준다.

4. 테스트를 해 본다.

파일에서 제공하는 test.pl을 실행 시켜본다.

[root@mrtg mod_evasive]# perl test.pl
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
........... 생략 ..............
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
[root@mrtg mod_evasive]#

구동 중인 웹서버를 재시작하여 mod_evasive가 적용되게 한 후 다시 테스트 한다.

[root@mrtg mod_evasive]# /usr/local/apache/bin/apachectl restart
[root@mrtg mod_evasive]# perl test.pl
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
........... 생략 ................
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
[root@mrtg mod_evasive]#

웹서버에서 새로고침(F5)을 반복 하면 아래와 같은 에러 메시지를 확인 할 수 있다.