Apache + Mod_evasive : Problem With Test.pl


Hi,

I’m currently experimenting with the mod_evasive module for Apache, to protect the server against potential DoS attacks. Here’s what I did so far.

# yum install mod_evasive

Don’t touch mod_evasive’s default configuration, just restart Apache.

# systemctl restart httpd

The package includes a test.pl script supposed to launch a testing DoS attack. Unfortunately this script doesn’t seem to work as expected. Here’s the only response I get:

# perl test.pl
HTTP/1.1 400 Bad Request
HTTP/1.1 400 Bad Request
HTTP/1.1 400 Bad Request
HTTP/1.1 400 Bad Request
HTTP/1.1 400 Bad Request
HTTP/1.1 400 Bad Request
HTTP/1.1 400 Bad Request

According to the various online tutorials I found, this should look more like:

# perl test.pl
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK

HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden

I tried this on two sandbox machines, one on my LAN, one on a public server, and both times I got the same result.

Any suggestions?

Niki

Microlinux – Solutions informatiques durables
7, place de l’église – 30730 Montpezat Web : http://www.microlinux.fr Mail : info@microlinux.fr Tél. : 04 66 63 10 32

8 thoughts on - Apache + Mod_evasive : Problem With Test.pl

  • On 09.07.2017 at 13:06, Nicolas Kovacs wrote:

    What does apache log? I guess it logs more than just HTTP status 400.

    Alexander

  • On 09/07/2017 at 13:17, Alexander Dalloz wrote:

    Unfortunately the Apache logs don’t tell much.

    192.168.2.5 - - [09/Jul/2017:13:01:27 +0200] "GET /?91 HTTP/1.0" 400 226 "-" "-"
    192.168.2.5 - - [09/Jul/2017:13:01:27 +0200] "GET /?92 HTTP/1.0" 400 226 "-" "-"
    192.168.2.5 - - [09/Jul/2017:13:01:27 +0200] "GET /?93 HTTP/1.0" 400 226 "-" "-"
    192.168.2.5 - - [09/Jul/2017:13:01:27 +0200] "GET /?94 HTTP/1.0" 400 226 "-" "-"

    Niki


  • On 09/07/2017 at 13:17, Alexander Dalloz wrote:

    I wonder if something is wrong with the test.pl script. Here’s what I have:

    #!/usr/bin/perl

    # test.pl: small script to test mod_dosevasive's effectiveness

    use IO::Socket;
    use strict;

    for(0..20) {
        my($response);
        my($SOCKET) = new IO::Socket::INET( Proto => "tcp",
                                            PeerAddr=> "127.0.0.1:80");
        if (! defined $SOCKET) { die $!; }
        print $SOCKET "GET /?$_ HTTP/1.0\n\n";
        $response = <$SOCKET>;
        print $response;
        close($SOCKET);
    }

    With this script (present in /usr/share/doc/mod_evasive-1.10.1/) I get a
    “HTTP/1.1 400 Bad Request” error back on a standard CentOS installation.

    Hmmmm. I’m clueless.

    Niki


    • I’ve had the same problem on Ubuntu 16, finally found a solution for me.
      Original line:
      print $SOCKET "GET /?$_ HTTP/1.0\n\n";
      Re-worked line:
      print $SOCKET "GET /?$_ HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n";

      Somehow Apache wants Host-ip/address from GET requests as well.

      • Thanks – I found it wasn’t necessary to add the host but the two sets of \r\n were required to make it work.

    • As suggested by Mattias Bilger, you have to modify the original line:

      print $SOCKET "GET /?$_ HTTP/1.0\n\n";

      To:

      print $SOCKET "GET /?$_ HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n";

      And all will work as expected.

  • Have you checked your port address? Maybe you are requesting on a different port address.

    In my case, it’s the different port address
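
Added example, not part of the original thread or of the mod_evasive package: a Python counterpart of test.pl that sends the CRLF-terminated request with a Host header from the comments above and tells a rejected probe (400) apart from mod_evasive blocking (403). The function names, the verdict labels and the default target 127.0.0.1:80 are assumptions of this example.

```python
#!/usr/bin/env python3
import socket
from collections import Counter

def build_request(n, host="127.0.0.1"):
    # CRLF after each line plus an empty CRLF line to end the headers,
    # matching the re-worked line posted in the comments.
    return f"GET /?{n} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")

def tcp_send(request, addr=("127.0.0.1", 80), timeout=5.0):
    # One connection per request, as test.pl does; return the status line only.
    with socket.create_connection(addr, timeout=timeout) as s:
        s.sendall(request)
        with s.makefile("rb") as f:
            return f.readline().decode("latin-1").strip()

def status_code(status_line):
    # "HTTP/1.1 403 Forbidden" -> 403; anything unparsable -> 0
    parts = status_line.split()
    return int(parts[1]) if len(parts) >= 2 and parts[1].isdigit() else 0

def run_burst(send=tcp_send, count=21):
    # 21 requests, the same number as test.pl's for(0..20) loop.
    return [status_code(send(build_request(n))) for n in range(count)]

def verdict(codes):
    # Returns (label, index of the first 403 or None).
    if 400 in codes:
        # The server rejected the request itself, so the run says nothing
        # about mod_evasive; fix the probe before judging the module.
        return ("probe-malformed", None)
    if 403 in codes:
        first = codes.index(403)
        steady = all(c == 403 for c in codes[first:])
        return ("blocking" if steady else "intermittent", first)
    return ("not-blocking", None)

if __name__ == "__main__":
    codes = run_burst()
    print(dict(Counter(codes)), verdict(codes))
```
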
