qos newbie with a setting question

2014-03-21
2014-04-05
  • mark edwards
    2014-03-21

    hello all - total newbie here. i have been coming under serious DoS attacks the past several months attacking my wordpress. it was advised to install mod_qos.

    so, i issued the command:

    yum install mod_qos ;

    and then i added the following two lines into my /etc/httpd/conf/httpd.conf file:

    QS_LocRequestLimitMatch ^/wp-login.php 10
    QS_LocRequestPerSecLimitMatch ^/wp-login.php 1

    any other thoughts or suggestions ?

     
  • mark edwards
    2014-03-21

    sorry for the newbie question - i am using virtualmin/webmin and i believe they have a different installation method other than:

    apxs -i -c mod_qos.c

    i have the question posted on the virtualmin/webmin forum. if i don't hear anything soon, i will try using the apxs method.

     
  • What kind of attack did you observe? DoS? Brute-force?

    You may want to limit how often a source IP may access /wp-login.php using QS_ClientEventLimitCount:

    SetEnvIf Request_URI /wp-login.php QS_Limit
    QS_ClientEventLimitCount 20 300
    

    Measurements against DoS/DDoS (slowloris/loic) are listed at http://opensource.adnovum.ch/mod_qos/#ddos

     
  • Adam V.
    2014-04-04

    Hey there,

    I actually work at a web hosting company, and I've been running some heavy testing on this module for this very reason (seems like the attacks on wp-login.php are everywhere). Really one of the best ways of dealing with this is to install a security plugin (like Better WP Security). However, mod_qos can also be very effective at mitigating this traffic.

    Like Pascal mentioned, Event limiting is one option, and as you've mentioned, LocRequest* limiting is also an option (though that will impact everyone, including yourself). I've actually found that utilizing milestones works very well in this situation. Since the access logs only show an endless list of POST requests from the attack, and since your average human will obviously attempt to GET the file first (so you can see what you're POST-ing to), you can simply block any attempts at POST-ing directly to the file, like so:

    QS_MileStone deny "^GET /wp-login.php.*"
    QS_MileStone deny "^POST /wp-login.php"
    QS_MileStoneTimeout 30

    With mod_qos, there are really all sorts of ways you can approach a situation like this. However, in my testing, the above was better than any other method I tried at mitigating the unwanted traffic, while also keeping load low and sites responsive.

    Hope this helps!
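
The pattern described in the post above (POSTs to /wp-login.php with no preceding GET) can be measured in an access log before the milestone rules are switched to deny. This is an added example, not part of the original thread or of mod_qos: it keys on client IP and requires a GET within 30 seconds before every POST, both simplifying assumptions that may differ from how mod_qos tracks clients, and the log lines are constructed.

```python
import re
from datetime import datetime

# Apache common/combined log prefix: client, timestamp, request line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*"')
TIMEOUT = 30  # seconds, mirrors QS_MileStoneTimeout 30 from the post

def posts_without_get(lines, timeout=TIMEOUT):
    """Return (ip, timestamp) for each POST to /wp-login.php not preceded
    by a GET of /wp-login.php from the same IP within `timeout` seconds."""
    last_get = {}   # ip -> datetime of most recent GET /wp-login.php
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not access-log entries
        ip, ts, method, path = m.groups()
        if not path.startswith("/wp-login.php"):
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if method == "GET":
            last_get[ip] = when
        elif method == "POST":
            seen = last_get.get(ip)
            if seen is None or (when - seen).total_seconds() > timeout:
                flagged.append((ip, ts))
    return flagged

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = [
    '198.51.100.7 - - [04/Apr/2014:10:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2100',
    '198.51.100.7 - - [04/Apr/2014:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '203.0.113.9 - - [04/Apr/2014:10:00:13 +0000] "POST /wp-login.php HTTP/1.1" 200 3400',
    '203.0.113.9 - - [04/Apr/2014:10:00:14 +0000] "POST /wp-login.php HTTP/1.1" 200 3400',
    '198.51.100.7 - - [04/Apr/2014:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3400',
    '203.0.113.9 - - [04/Apr/2014:10:05:01 +0000] "GET /index.php HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for ip, ts in posts_without_get(SAMPLE_LOG):
        print(f"{ts} {ip} POST /wp-login.php without recent GET")
```

A legitimate user who leaves the login form open longer than the timeout shows up here as well (the third flagged entry in the sample), which is the same false positive the deny rule would produce.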

     
  • thank you Adam for sharing your experience with us!