On 2/25/06, Zach Roberts <email@example.com> wrote:
> I meant to ask if you had any specific knowledge of how
> FrontPage triggers mod_evasive. Does it perform too many
> request in a short period of time? Anything that would help
> me avoid the problem ;)
When I wrote that I meant that the method it uses to detect incoming DoS
attacks interferes with Frontpage's operation. Most likely the reason
being that it sees Frontpage's requests as a DoS due to the amount of
connections Frontpage uses to publish.
I am assuming that you would be using Frontpage to allow a small group of people to upload files. With this in mind, you can tweak mod_evasive in 2 ways -
1) Use the whitelist directive to tell mod_evasive to ignore those authorized addresses who are using frontpage, and/or
2) Tweak the DOSSiteCount/DOSSiteInterval and DOSPageCount/DOSPageInterval ratios to a threshold that will allow frontpage to work but will still trigger when some launches a DoS attack.
I had to tweak these settings in my environment to allow some of our own web monitoring tools to work.
Just my $00.2.
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache