On 2/25/06, Zach Roberts <admin@lifelesspeople.com> wrote:
>  I meant to ask if you had any specific knowledge of how
>  FrontPage triggers mod_evasive. Does it perform too many
>  requests in a short period of time? Anything that would help
>  me avoid the problem ;)
>
>
>
When I wrote that I meant that the method it uses to detect incoming DoS
attacks interferes with FrontPage's operation. Most likely the reason
being that it sees FrontPage's requests as a DoS due to the amount of
connections FrontPage uses to publish.
 
 
I am assuming that you would be using FrontPage to allow a small group of people to upload files. With this in mind, you can tweak mod_evasive in 2 ways -

1) Use the whitelist directive to tell mod_evasive to ignore those authorized addresses who are using FrontPage, and/or

2) Tweak the DOSSiteCount/DOSSiteInterval and DOSPageCount/DOSPageInterval ratios to a threshold that will allow FrontPage to work but will still trigger when someone launches a DoS attack.
 
I had to tweak these settings in my environment to allow some of our own web monitoring tools to work.
 
Just my $00.2.
 

--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache
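
An added example (not part of the original message) for option 2: measure a publishing client's peak request burst from an access log before choosing DOSPageCount and DOSSiteCount. The log lines, addresses and function names are constructed for illustration, and the run-length count is a conservative sizing model, not mod_evasive's own counting code.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample (not real traffic): one FrontPage publish from 192.0.2.10
# plus one ordinary visitor. Third field is the second within 10:00.
_HITS = ([("192.0.2.10", "/_vti_bin/_vti_aut/author.exe", s) for s in (0, 0, 0, 1, 1, 2, 10)]
         + [("192.0.2.10", "/_vti_inf.html", 0),
            ("192.0.2.10", "/_vti_bin/shtml.exe/_vti_rpc", 0),
            ("198.51.100.7", "/index.html", 0)])
SAMPLE_LOG = "\n".join(
    f'{ip} - - [25/Feb/2006:10:00:{s:02d} -0500] "POST {uri} HTTP/1.1" 200 512'
    for ip, uri, s in _HITS)

# client address, timestamp and request path from a common-log-format line
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)')

def parse(log):
    """Yield (client, uri, epoch_seconds) for every parseable line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").timestamp()
            yield m.group(1), m.group(3), ts

def longest_run(times, interval):
    """Longest run of requests each arriving < interval seconds after the last.
    This is never smaller than the hit count inside any single interval."""
    best = run = 0
    prev = None
    for t in sorted(times):
        run = run + 1 if prev is not None and t - prev < interval else 1
        best = max(best, run)
        prev = t
    return best

def peak_rates(log, client, page_interval=1, site_interval=1):
    """Return (worst per-URI burst, worst whole-site burst) for one client."""
    per_page, site = defaultdict(list), []
    for ip, uri, ts in parse(log):
        if ip == client:
            per_page[uri].append(ts)
            site.append(ts)
    page_peak = max((longest_run(v, page_interval) for v in per_page.values()), default=0)
    return page_peak, longest_run(site, site_interval)

if __name__ == "__main__":
    page, site = peak_rates(SAMPLE_LOG, "192.0.2.10")
    print(f"keep DOSPageCount above {page} and DOSSiteCount above {site}")
```

Run it over a log captured while a known-good publish is in progress, and set the counts above the reported peaks with some headroom for the intervals you intend to use.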