qos newbie with a setting question

Quality of service module for Apache httpd

Brought to you by: pbuchbinder

qos newbie with a setting question

Forum: Open Discussion

Creator: mark edwards

Created: 2014-03-21

Updated: 2014-04-05

mark edwards - 2014-03-21

hello all - total newbie here. i have been coming under serious DoS attacks the past several months attacking my wordpress. it was advised to install mod_qos.

so, i issued the command:

yum install mod_qos ;

and then i added the following two lines into my /etc/httpd/conf/httpd.conf file:

QS_LocRequestLimitMatch ^/wp-login.php 10
QS_LocRequestPerSecLimitMatch ^/wp-login.php 1

any other thoughts or suggestions ?

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

mark edwards - 2014-03-21

sorry for the newbie question - i am using virtualmin/webmin and i believe they have a different installation method other than:

apxs -i -c mod_qos.c

i have the question posted on the virtualmin/webmin forum. if i dont hear anything soon, i will try using the apxs method.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Pascal Buchbinder - 2014-03-21

What kind of attack did you observe? DoS? Brute-force?

You may want to limit how often a source IP may access /wp-login.php using QS_ClientEventLimitCount:

SetEnvIf Request_URI /wp-login.php QS_Limit QS_ClientEventLimitCount 20 300

measurements against DoS/DDoS (slowloris/loic) are listed at http://opensource.adnovum.ch/mod_qos/#ddos
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Adam V. - 2014-04-04

Hey there,

I actually work at a web hosting company, and I've been running some heavy testing on this module for this very reason (seems like the attacks on wp-login.php are everywhere). Really one of the best ways of dealing with this is to install a security plugin (like Better WP Security). However, mod_qos can also be very effective at mitigating this traffic.

Like Pascal mentioned, Event limiting is one option, and as you've mentioned, LocRequest* limiting is also an option (though that will impact everyone, including yourself). I've actually found that utilizing milestones works very well in this situation. Since the access logs only show an endless list of POST requests from the attack, and since your average human will obviously attempt to GET the file first (so you can see what you're POST-ing to), you can simply block any attempts at POST-ing directly to the file, like so:

QS_MileStone deny "^GET /wp-login.php.*"
QS_MileStone deny "^POST /wp-login.php"
QS_MileStoneTimeout 30

With mod_qos, there are really all sorts of ways you can approach a situation like this. However, in my testing, the above was better than any other method I tried at mitigating the unwanted traffic, while also keeping load low and sites responsive.

Hope this helps!

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Pascal Buchbinder - 2014-04-05

thank you Adam for sharing your experience with us!

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Log in to post a comment.