hello all -
i am trying to get mod_qos running with webmin/virtualmin. so far i have installed mod_qos:
yum install mod_qos;
and then add these two lines into my httpd.conf file:
QS_LocRequestLimitMatch ^/wp-login.php 10
QS_LocRequestPerSecLimitMatch ^/wp-login.php 1
however, when i look in my log files using this command
grep mod_qos /var/log/virtualmin/*_access_log
i am not seeing any activity as per this link: http://opensource.adnovum.ch/mod_qos/#messages
my previous post (https://virtualmin.com/node/29634) contained this advice for me:
...activate it through Webmin's Apache module.
but i am not seeing any place where i have the option to activate this new apache module.
one other link http://unstreamable.blogspot.com/2011/10/how-to-defend-slowloris-ddos-wi... suggested i issue this command:
# apxs -i -c mod_qos.c
any help would be appreciated.
UPDATE: 13,882 hack attempts in a 10-minute period - easily doubling the old world's record.
any help would be GREATLY appreciated!
over the weekend, the DoS slowloris attacks kept getting worse, so here is what i did:
then i added this to httpd.conf and restarted apache:
and added this to /etc/httpd/conf.d/mod_qos.conf:
being the newbie that i am, i am not even sure how to tell if any of this is working, other than to periodically look in the virtualmin log files for any messages that contain "mod_qos".
once again, any suggestions, thoughts or comments are greatly appreciated!
While I can't precisely follow if what you did is correct in your case, I'm assuming if you followed this guide about how to use mod_qos in case of a slowloris attack, you should be okay. :)
What you can do to verify that mod_qos is running and doing its thing is accessing the URL "/server_status" on the IP of your machine. If you have mod_status running, that will show a page where mod_qos added a section.
You'll probably need to configure mod_status' settings, because IIRC by default it restricts access to 127.0.0.1.
wow - you really do learn something new every day (attached)
yes it's working now. thank you very much!
i would still expect to see status messages in the error log. one virtual-server is showing the messages just as i expected, while the other is not, while both are getting hit with attacks.
you would think that mod_qos would treat all the VS's the same. i even have this in the httpd.conf for each VS:
any ideas?
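Added example (not part of the thread and not mod_qos's own code): to compare virtual servers as described above, this tallies mod_qos events per vhost error log by message ID and client, and lists the vhosts that logged none. The log lines are constructed samples, and the `c=` client field and the names `summarize` and `silent_vhosts` are assumptions of this sketch.

```python
import re
import sys
from collections import Counter

# "mod_qos(NNN):" prefixes each mod_qos log message; "c=<ip>" is assumed to
# carry the client address, as in the constructed sample lines below.
MSG_RE = re.compile(r"mod_qos\((\d{3})\):")
CLIENT_RE = re.compile(r"\bc=([0-9A-Fa-f.:]+)")

def summarize(logs):
    """logs maps a vhost name to its error-log lines; returns per-vhost tallies."""
    report = {}
    for vhost, lines in logs.items():
        by_id, by_client = Counter(), Counter()
        for line in lines:
            msg = MSG_RE.search(line)
            if not msg:
                continue  # ordinary Apache error, not a mod_qos event
            by_id[msg.group(1)] += 1
            client = CLIENT_RE.search(line, msg.end())
            if client:
                by_client[client.group(1)] += 1
        report[vhost] = {"by_id": by_id, "by_client": by_client}
    return report

def silent_vhosts(report):
    """Vhosts whose log holds no mod_qos message at all."""
    return sorted(v for v, r in report.items() if not r["by_id"])

# Constructed sample data: two vhosts, only one of which logs mod_qos events.
TS = "[Mon Oct 14 10:00:01 2013] [error] "
SAMPLE = {
    "example.com": [
        TS + "[client 192.0.2.10] mod_qos(010): access denied, QS_LocRequestLimitMatch "
             "rule: ^/wp-login.php(10), concurrent requests=11, c=192.0.2.10",
        TS + "[client 192.0.2.10] mod_qos(010): access denied, QS_LocRequestLimitMatch "
             "rule: ^/wp-login.php(10), concurrent requests=12, c=192.0.2.10",
        TS + "[client 198.51.100.7] mod_qos(031): access denied, QS_SrvMaxConnPerIP "
             "rule: max=20, concurrent connections=21, c=198.51.100.7",
    ],
    "example.org": [
        TS + "[client 192.0.2.10] File does not exist: /home/example/public_html/favicon.ico",
    ],
}

if __name__ == "__main__":
    # With file arguments, read real logs; otherwise use the sample above.
    logs = {p: open(p, errors="replace") for p in sys.argv[1:]} or SAMPLE
    report = summarize(logs)
    for vhost, r in report.items():
        print(vhost, dict(r["by_id"]), r["by_client"].most_common(3))
    print("no mod_qos messages:", silent_vhosts(report))
```

Pass the per-vhost error logs as arguments to run it on real data; `/var/log/virtualmin/*_error_log` is an assumed path, modeled on the access-log path in the first post.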
Can't say concretely in your case, but I just went through my personal "what to do when setting up a new Virtualmin hosting site" document, and I have the following there pertaining to mod_qos. Note that all "em" tags are supposed to be asterisks * but get replaced by this #%#%§ forum software. Caret dot asterisk dollar.
For global limit, put this in mod_qos.conf:
To limit connections to a vhost per remote IP, put this in mod_qos.conf for each vhost, replacing "DOMAIN.TLD":
To limit connections to a vhost over all remote IPs, put this in the vhost's config section:
In this example (Joomla), global connections to the vhost are limited to 30 total and 5 per second, and (to limit brute-force attacks) requests to the backend to 10 total and 1 per second.
Note that the "per second" limit is not a hard limit, but just means that when requests come in faster, they get increasingly slowed down.
Another method to limit connections per IP address by the way is the "mod_limitipconn". I use it to limit the number of concurrent downloads from a file hosting VM, and I have the following information about it in my installation checklist:
http://dominia.org/djao/limitipconn2.html
Configuration e.g. via .htaccess: