Visaxp
asked on
mod_evasive
I installed mod_evasive on Red Hat Enterprise 5 with cPanel and Apache 1.3.x.
My problem is with the option DOSEmailNotify. I set:
DOSEmailNotify my@email.com
but I am not getting any emails from it.
What exactly is the modification I should make in the file mod_dosevasive.c to make mod_evasive send emails?
It will only email you when an alert has been triggered. How do you know someone is DDoS'ing you?
I don't think anyone uses mod_evasive anymore. It is old and hasn't been touched in ages.
We use CSF with cPanel although it works without cPanel too. http://www.configserver.com/cp/csf.html. It has a connection tracking feature which can block IPs which are making too many connections. And it has email notification features that you can turn on and off. It has LOTS of other useful features which help keep your server secure. I suggest that you try it out.
ASKER
bilco105
I got a lot of lines in /apache/logs/error_log saying:
[Sat Jan 3 17:52:59 2009] [error] [client 66.249.71.244] client denied by server configuration: /home/vbcom/public_html/vb/search.php
anindya-baruah
The latest version, 1.10.1, was released on 8-10-2005. That's not too long.
And you only get those with mod_evasive enabled?
Maybe check your maillog then, /var/log/maillog.
And it's 2009 now. So in my opinion it has been a long time. Besides, mod_evasive detects connections made by an IP to Apache only, whereas CSF detects all connections made by an IP.
Since you are using cPanel you should have CSF installed anyway (if you don't already have it installed). It provides a cPanel plugin so that you can change its settings from WHM. It also has a "Check Server Security" feature which checks your server's configuration and provides suggestions on how to make it secure.
By the way, I suggest that you upgrade to Apache 2.2. You can do that easily using cPanel's EasyApache feature. It's listed as "Apache Update" in WHM. I hope you are not using Apache 1.3 because you like to use old stuff. :D
ASKER
Here is what I found about DOSEmailNotify:
--------------
If this value is set, an email will be sent to the address specified
whenever an IP address becomes blacklisted. A locking mechanism using /tmp
prevents continuous emails from being sent.
NOTE: Be sure MAILER is set correctly in mod_dosevasive.c . The default is "/bin/mail -t %s" where %s
is used to denote the destination email address set in the configuration.
If you are running on linux or some other operating system with a
different type of mailer, you'll need to change this.
--------------
I run RHE5. How can I be sure that my mailer matches "/bin/mail -t %s"? If it does not, how do I find out the correct path to set?
Hello Visaxp,
I was informed about this problem via email. The mod_evasive source file contains a test.pl file
which allows you to simulate an attack.
The "DOSEmailNotify" directive, I am assuming, uses your local email server... Have you got email running
on this machine?
NOTE: Be sure MAILER is set correctly in mod_evasive.c
(or mod_evasive20.c). The default is "/bin/mail -t %s" where %s is
used to denote the destination email address set in the configuration.
If you are running on linux or some other operating system with a
different type of mailer, you'll need to change this.
Hello Visaxp,
I just installed mod_evasive on a test bed machine, works fine for me. Here are some tips:
1) Check that /bin/mail exists by issuing the following:
test -e /bin/mail ; echo $?
If a 0 is returned all is well. However, if a 0 is returned the file does not exist.
2) Try sending an email to your local root user with the following command:
echo "Hello Root" | mail -s "Hello Root" root
If the mail is delivered successfully then there is no problem there; otherwise look into
your mail settings.
3) The final tip is to try the following:
DOSEmailNotify root
This sends an email to the local root user when an attack occurs.
ASKER
Hello xDamox,
Thanks for your useful tips.
For tip 1 the return is 0.
For tip 2 the mail was delivered successfully.
For tip 3, using (DOSEmailNotify root), when running ./test.pl I don't get any emails from mod_evasive.
What operating system and Apache versions are you running?
Hello Visaxp,
I was running Apache 2.2 with mod_evasive20.c
Were you logged in as root, and did you type mail, which allows you to view mail in your inbox?
ASKER
I run Apache 1.3.
From the shell root account, after typing root and the password, I ran the command:
echo "Hello Root" | mail -s "Hello Root" root
and I received the mail in my Outlook 2003 mailbox.
Hello Visaxp,
The first step you should try is to remove any blocked hosts, e.g. check the /tmp directory for entries
similar to:
dos-127.0.0.1
Once you have deleted the /tmp/dos-127.0.0.1 and similar files you can watch the logs of your
mail server. Issue the following command:
tail -n 0 -f /var/log/maillog
When that command has been issued run the test.pl script again to simulate an attack. Once simulation has finished check the maillogs to see if a message was sent.
ASKER
Hello xDamox,
I did exactly what you said, but tail -n 0 -f /var/log/maillog did not show any message sent or received.
In the mod_dosevasive.c file there is the line:
#define MAILER "/bin/mail -s %s"
Should I uncomment it?
Should I change anything about the path?
Hello Visaxp,
Did you delete the dos-* files out of the /tmp directory?
The "#define" is not a comment but the syntax used in the C programming language.
It is strange that you are not getting any emails... The only time I didn't get emails was because
the dos-127.0.0.1 was in the /tmp directory.
ASKER
Hello xDamox,
Yes, I did delete dos-* from the /tmp directory.
The only thing I can think of is that the path "/bin/mail -s %s" might not match the mail path of my server OS. My server runs Red Hat Enterprise 5.
How do I make sure the mail path of my OS matches "/bin/mail -s %s"?
ASKER
[root@host ~]# which mail
/bin/mail
That's very strange, everything is set up correctly and still I don't get any mails.
ASKER
Thank you for your help, xDamox.
I upgraded Apache from 1.x to 2.2.x and recompiled mod_evasive, then DOSEmailNotify worked fine.
It seems DOSEmailNotify does not work for Apache 1.x.
Hello Visaxp,
I am glad you have it working now.
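The checks discussed in this thread (the MAILER define in mod_dosevasive.c, the mailer binary, and leftover /tmp/dos-* lock files), collected into one script as an added example that is not part of the original thread. The function names and the demo files are assumptions made for illustration.

```sh
# Added example: pre-flight checks for mod_evasive's DOSEmailNotify.
# Function names and the demo files are assumptions made for this sketch.

# Print the command template from the '#define MAILER "..."' line.
mailer_template() {
    sed -n 's/^[[:space:]]*#[[:space:]]*define[[:space:]]\{1,\}MAILER[[:space:]]\{1,\}"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Print the first word of the template, i.e. the mailer binary.
mailer_binary() {
    mailer_template "$1" | awk '{ print $1 }'
}

# List dos-<ip> lock files in a directory. Per the thread, a leftover
# lock file for an IP means no new notification is sent for it.
stale_locks() {
    for f in "$1"/dos-*; do
        if [ -f "$f" ]; then echo "$f"; fi
    done
}

# Return 0 if the mailer is usable and no locks remain, 1 if a check
# fails, 2 if the source file has no MAILER define.
check_notify() {
    src=$1; lockdir=${2:-/tmp}; rc=0
    bin=$(mailer_binary "$src")
    if [ -z "$bin" ]; then
        echo "FAIL: no MAILER define found in $src"; return 2
    fi
    echo "MAILER template: $(mailer_template "$src")"
    if [ -x "$bin" ]; then
        echo "OK:   $bin exists and is executable"
    else
        echo "FAIL: $bin is missing or not executable"; rc=1
    fi
    locks=$(stale_locks "$lockdir")
    if [ -n "$locks" ]; then
        echo "WARN: lock files present:"; echo "$locks"; rc=1
    fi
    return "$rc"
}

# Constructed demo input: a one-line source file plus one lock file.
demo=$(mktemp -d)
echo '#define MAILER "/bin/mail -s %s"' > "$demo/mod_dosevasive.c"
: > "$demo/dos-127.0.0.1"
check_notify "$demo/mod_dosevasive.c" "$demo" || echo "exit status: $?"
rm -rf "$demo"
```

On a real server, call check_notify with the path to the mod_evasive source file you compiled from and the lock directory (/tmp in this thread).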