running mod_qos with virtualmin

#1 Fri, 03/21/2014 - 11:36
edwardsmarkf

hello all -

i am trying to get mod_qos running with webmin/virtualmin. so far i have installed mod_qos:

yum install mod_qos;

and then add these two lines into my httpd.conf file:

QS_LocRequestLimitMatch ^/wp-login.php 10
QS_LocRequestPerSecLimitMatch ^/wp-login.php 1

however, when i look in my log files using this command

 grep   mod_qos   /var/log/virtualmin/*_access_log

i am not seeing any activity as per this link: http://opensource.adnovum.ch/mod_qos/#messages

my previous post (https://virtualmin.com/node/29634) contained this advice for me:

...activate it through Webmin's Apache module.

but i am not seeing any place where i have the option to activate this new apache module.

one other link http://unstreamable.blogspot.com/2011/10/how-to-defend-slowloris-ddos-wi... suggested i issue this command:

# apxs -i -c  mod_qos.c 

any help would be appreciated.

UPDATE: 13,882 hack attempts in a 10 minute period - easily doubling the old world's record.

any help would be GREATLY appreciated!

Mon, 03/24/2014 - 11:35
edwardsmarkf

over the weekend, the DoS slowloris attacks kept getting worse, so here is what i did:

yum install mod_qos ;

then i added this to httpd.conf and restarted apache:

LoadModule qos_module /usr/lib64/httpd/modules/mod_qos.so

and added this to /etc/httpd/conf.d/mod_qos.conf:

## QoS Settings
<IfModule mod_qos.c>
    QS_LocRequestLimitMatch ^/wp-login.php 5
    QS_LocRequestPerSecLimitMatch ^/wp-login.php 1
    # handles connections from up to 100000 different IPs
    QS_ClientEntries 100000
    # will allow only 50 connections per IP
    QS_SrvMaxConnPerIP 50
    # maximum number of active TCP connections is limited to 256
    MaxClients              256
    # disables keep-alive when 70% of the TCP connections are occupied:
    QS_SrvMaxConnClose      70%
    # minimum request/response speed (deny slow clients blocking the server, ie. slowloris keeping connections open without requesting anything):
    QS_SrvMinDataRate       150 1200
    # and limit request header and body (careful, that limits uploads and post requests too):
    # LimitRequestFields      30
    # QS_LimitRequestBody     102400
</IfModule>

being the newbie that i am, i am not even sure how to tell if any of this is working, other than to periodically look in the virtualmin log files for any messages that contain "mod_qos".

once again, any suggestions, thoughts or comments are greatly appreciated!

Mon, 03/24/2014 - 13:25
Locutus

While I can't precisely follow if what you did is correct in your case, I'm assuming if you followed this guide about how to use mod_qos in case of a slowloris attack, you should be okay. :)

What you can do to verify that mod_qos is running and doing its thing is accessing the URL "/server_status" on the IP of your machine. If you have mod_status running, that will show a page where mod_qos added a section.

You'll probably need to configure mod_status' settings, because IIRC by default it restricts access to 127.0.0.1.

Mon, 03/24/2014 - 17:11
edwardsmarkf

wow - you really do learn something new every day (attached)

yes it's working now. thank you very much!

i would still expect to see status messages in the error log. one virtual-server is showing the messages just as i expected, while the other is not, while both are getting hit with attacks.

you would think that mod_qos would treat all the VS's the same. i even have this in the httpd.conf for each VS:

QS_LocRequestLimitMatch ^/wp-login.php 3
QS_LocRequestPerSecLimitMatch ^/wp-login.php 1

any ideas?
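
One way to compare virtual servers when one error log shows mod_qos messages and another does not (an added example, not part of any post in this thread): the shell functions below count `mod_qos(NNN)` entries per log file and list the busiest client addresses. They assume the `mod_qos(NNN):` message tag and a `c=<ip>` field in client-related messages; the sample lines, their wording after the tag, and the `*.example_error_log` names are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes mod_qos events are tagged
# "mod_qos(NNN):" and client-related ones carry a "c=<ip>" field.

# qos_summary FILE...  ->  "<file> <msg-id> <count>", or "<file> none 0"
qos_summary() {
    for f in "$@"; do
        awk -v f="$f" '
            match($0, /mod_qos\([0-9]+\)/) {
                n[substr($0, RSTART + 8, RLENGTH - 9)]++   # keep the digits only
            }
            END {
                for (id in n) { print f, id, n[id]; seen = 1 }
                if (!seen) print f, "none", 0   # make a silent vhost visible
            }' "$f" | sort
    done
}

# qos_top_clients N FILE...  ->  "<count> <ip>" for the N busiest clients
qos_top_clients() {
    limit=$1; shift
    awk '/mod_qos\([0-9]+\)/ && match($0, /c=[0-9a-fA-F.:]+/) {
             print substr($0, RSTART + 2, RLENGTH - 2)
         }' "$@" | sort | uniq -c | sort -rn | head -n "$limit" |
        awk '{ print $1, $2 }'
}

# Demo on constructed lines (documentation addresses, not real log data).
qos_demo() {
    d=$(mktemp -d) || return 1
    (
        cd "$d" || exit 1
        cat > a.example_error_log <<'EOF'
[Mon Mar 24 17:00:01 2014] [error] mod_qos(010): access denied, QS_LocRequestLimitMatch rule: ^/wp-login.php(5), concurrent requests=6, c=192.0.2.10
[Mon Mar 24 17:00:02 2014] [error] mod_qos(010): access denied, QS_LocRequestLimitMatch rule: ^/wp-login.php(5), concurrent requests=6, c=192.0.2.10
[Mon Mar 24 17:00:03 2014] [error] mod_qos(031): access denied, QS_SrvMaxConnPerIP rule: max=50, concurrent connections=51, c=198.51.100.7
EOF
        printf '%s\n' '[Mon Mar 24 17:00:04 2014] [error] File does not exist: /favicon.ico' > b.example_error_log
        qos_summary a.example_error_log b.example_error_log
        qos_top_clients 1 a.example_error_log
    )
    rm -rf "$d"
}
```

On a Virtualmin host the call would be `qos_summary /var/log/virtualmin/*_error_log`, assuming the per-domain error logs sit beside the access logs named in the first post. A vhost that reports `none 0` while under load is the one whose configuration is worth checking.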

Mon, 03/24/2014 - 19:04 (Reply to #4)
Locutus

Can't say concretely in your case, but I just went through my personal "what to do when setting up a new Virtualmin hosting site" document, and I have the following there pertaining to mod_qos. Note that all "em" tags are supposed to be asterisks * but get replaced by this #%#%§ forum software. Caret dot asterisk dollar.

For global limit, put this in mod_qos.conf:

QS_LocRequestLimitMatch ^.*$ 100
QS_LocRequestPerSecLimitMatch ^.*$ 10

To limit connections to a vhost per remote IP, put this in mod_qos.conf for each vhost, replacing "DOMAIN.TLD":

SetEnvIfNoCase Host DOMAIN.TLD QS_Event=yes
QS_ClientEventPerSecLimit 2

To limit connections to a vhost over all remote IPs, put this in the vhost's config section:

QS_LocRequestLimitMatch ^/administrator.*$ 10
QS_LocRequestPerSecLimitMatch ^/administrator.*$ 1
QS_LocRequestLimitMatch ^.*$ 30
QS_LocRequestPerSecLimitMatch ^.*$ 5

In this example (Joomla), global connections to the vhost are limited to 30 total and 5 per second, and (to limit brute-force attacks) requests to the backend to 10 total and 1 per second.

Note that the "per second" limit is not a hard limit, but just means that when requests come in faster, they get increasingly slowed down.

Tue, 03/25/2014 - 04:52
Locutus

Another method to limit connections per IP address by the way is the "mod_limitipconn". I use it to limit the number of concurrent downloads from a file hosting VM, and I have the following information about it in my installation checklist:

http://dominia.org/djao/limitipconn2.html

Configuration e.g. via .htaccess:

<FilesMatch "\.(zip|rar|tar|tgz|bz|bz2)$">
   MaxConnPerIP 5
</FilesMatch>
ErrorDocument 503 "Please turn off download managers... Only one download at a time per IP!"
KeepAlive Off