Can you please help me with the following questions?
1. How do we log mod_qos variables? For example QS_Block. I am using %{QS_Block}e but this is not working.
2. If I want to exclude QS_ClientEventBlockCount for some conditions, what should be the order for the following?
QS_ClientEventBlockCount 20 300
QS_SetEnvIfStatus 400 QS_Block
SetEnvIf Remote_Addr 199.59.162.168 IgnoreIP=yes
QS_SetEnvIf IgnoreIP QS_Block !QS_Block
3. I want to use QS_ClientGeoCountryPriv. Do I need to have a geographical database file, and is it necessary to mention QS_ClientGeoCountryDB <path>?
4. If I want to log QS_Country, where can I get a geographical database file? The one in the mod_qos configuration seems to be a test file.
5. If I have a QS_ClientEventBlockCount rule, is there any way I can know why an IP was blocked, i.e. which individual QS_Block events were triggered? Currently the information which is logged is not that useful as it just
QS_ClientEventBlockCount rule: max=50, current=51
1: mod_qos uses Apache's per request event table to store events and you may log them within the custom or transfer log using the syntax you mentioned above (%{<variable>}e).
2: Your proposal looks fine. Check http://opensource.adnovum.ch/mod_qos/mod_qos_seq.gif to verify when a variable may be set/unset/processed.
3+4: Yes, you need to download a database file, e.g. Maxmind's GeoLite Country CSV database file. Maxmind distributes the GeoLite databases under the "Creative Commons Attribution-ShareAlike 3.0 Unported" license.
5: mod_qos uses a single counter which is incremented for each QS_Block event. There is no additional information about the reason stored (the module does not know what has set the QS_Block variable).
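Since the module keeps only a counter (answer 5), the reason for a block has to be reconstructed from the logs. The following is an added example, not part of the original thread or of mod_qos: it joins the deny message quoted in this thread with access log lines written by an assumed `LogFormat "%h %t \"%r\" %>s %{QS_Block}e"`. The log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Assumed access log format (not from the thread):
#   LogFormat "%h %t \"%r\" %>s %{QS_Block}e" qos_events
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \[[^\]]+\] "[^"]*" (?P<status>\d{3}) (?P<block>\S+)$')
# Deny message as quoted in the thread's error log.
DENY_RE = re.compile(
    r'mod_qos\(060\): access denied, QS_ClientEventBlockCount rule: '
    r'max=(?P<max>\d+), current=(?P<cur>\d+), c=(?P<ip>[^\s,]+)')

# Constructed sample lines; only the client address and the deny message
# text come from the thread.
SAMPLE_ACCESS = [
    '192.168.11.33 [10/Oct/2014:10:00:01 +0200] "GET /login HTTP/1.1" 401 1',
    '192.168.11.33 [10/Oct/2014:10:00:02 +0200] "GET /login HTTP/1.1" 401 1',
    '192.168.11.33 [10/Oct/2014:10:00:03 +0200] "GET /admin HTTP/1.1" 403 1',
    '192.168.11.33 [10/Oct/2014:10:00:04 +0200] "GET / HTTP/1.1" 200 -',
    '203.0.113.7 [10/Oct/2014:10:00:05 +0200] "GET /x HTTP/1.1" 400 1',
]
SAMPLE_ERROR = [
    '[error] mod_qos(060): access denied, QS_ClientEventBlockCount rule: '
    'max=50, current=53, c=192.168.11.33',
]

def block_events(access_lines):
    """Per client IP, count requests that carried QS_Block, by status code."""
    events = defaultdict(Counter)
    for line in access_lines:
        m = ACCESS_RE.match(line.strip())
        # Apache logs "-" when the variable is unset; any other value counts.
        if m and m["block"] != "-":
            events[m["ip"]][m["status"]] += 1
    return events

def explain_denials(error_lines, access_lines):
    """For each denied client, list the logged requests that set QS_Block."""
    events = block_events(access_lines)
    report = {}
    for line in error_lines:
        m = DENY_RE.search(line)
        if m:
            by_status = dict(events.get(m["ip"], {}))
            report[m["ip"]] = {"max": int(m["max"]), "current": int(m["cur"]),
                               "by_status": by_status,
                               "logged": sum(by_status.values())}
    return report

if __name__ == "__main__":
    print(explain_denials(SAMPLE_ERROR, SAMPLE_ACCESS))
```

Events raised without an HTTP request, such as the NullConnection code discussed later in the thread, produce no access log line, so `logged` can be smaller than `current`.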
Thanks a lot for your detailed response.
I still have a problem with 2. I don't want to block any internal IP. So my config is as follows:
QS_SetEnvIfStatus 400 QS_Block
QS_SetEnvIfStatus 401 QS_Block
QS_SetEnvIfStatus 403 QS_Block
QS_SetEnvIfStatus 405 QS_Block
QS_SetEnvIfStatus 406 QS_Block
QS_SetEnvIfStatus 408 QS_Block
QS_SetEnvIfStatus 411 QS_Block
QS_SetEnvIfStatus 413 QS_Block
QS_SetEnvIfStatus 414 QS_Block
QS_SetEnvIfStatus 417 QS_Block
QS_SetEnvIfStatus 505 QS_Block
QS_SetEnvIfStatus QS_SrvMinDataRate QS_Block
QS_SetEnvIfStatus NullConnection QS_Block
BrowserMatch "curl" QS_Block
SetEnvIf Remote_Addr 192.168. IgnoreIP=yes
# unset the QS_Block variable
QS_SetEnvIf IgnoreIP QS_Block !QS_Block
QS_ClientEventBlockCount 50 300
But it is still blocking internal IPs. Error logs:
mod_qos(060): access denied, QS_ClientEventBlockCount rule: max=50, current=53, c=192.168.11.33
And for some cases it seems to work.
If I write a script to run the curl command more than 50 times, it is not blocking. Can you please help me with that?
Also, can you please explain NullConnection to me? The explanation in mod_qos is not very clear. It states
"the special code NullConnection detects connections which are closed event no HTTP request has been received."
NullConnection indicates TCP connections without HTTP requests. It may be used to detect and deny SSL DoS attacks. You can't exclude an IP from this counter since the
SetEnvIf Remote_Addr 192.168. IgnoreIP=yes
directive won't be executed without any HTTP request data.
Hi,
Your response was very helpful.
I am trying to use QS_ClientIpFromHeader as I am using X-Forwarded-Ip. But I think QS_ClientEventBlockCount is not using the X-Forwarded IP from the header.
Can you tell me which directives it can be used with?
Will it work in conjunction with the following?
1. Connection level rules
QS_ClientEventBlockCount (as it blocks requests at connection level)
QS_SrvMaxConnPerIP
QS_SrvMaxConnClose
QS_SrvMinDataRate
P.S.: As per my understanding, QS_ClientIpFromHeader will not be useful in conjunction with it, as it's at connection level.
QS_ClientEventLimitCount and QS_Country can be used in conjunction with QS_ClientIpFromHeader.