Re: [mod-security-users] Ideas for future features..
From: Ryan B. <rcb...@gm...> - 2006-02-26 02:53:48
On 2/25/06, Zach Roberts <ad...@li...> wrote:
>
> > I meant to ask if you had any specific knowledge of how
> > FrontPage triggers mod_evasive. Does it perform too many
> > requests in a short period of time? Anything that would help
> > me avoid the problem ;)
>
> When I wrote that I meant that the method it uses to detect incoming DoS
> attacks interferes with Frontpage's operation. Most likely the reason
> being that it sees Frontpage's requests as a DoS due to the amount of
> connections Frontpage uses to publish.

I am assuming that you would be using Frontpage to allow a small group of people to upload files. With this in mind, you can tweak mod_evasive in 2 ways -

1) Use the whitelist directive to tell mod_evasive to ignore those authorized addresses who are using Frontpage, and/or
2) Tweak the DOSSiteCount/DOSSiteInterval and DOSPageCount/DOSPageInterval ratios to a threshold that will allow Frontpage to work but will still trigger when someone launches a DoS attack.

I had to tweak these settings in my environment to allow some of our own web monitoring tools to work.

Just my $00.2.

--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache
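
One way to choose the thresholds from option 2 is to measure, from an access log, how many requests each client makes per interval while publishing. The script below is an added example, not part of the original message and not mod_evasive's code. It approximates the per-page and per-site counting as "requests inside any window of the interval"; the log lines, addresses and candidate counts are constructed, and the trip condition is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Common Log Format prefix: client IP, timestamp, request URI.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)')

def _line(ip, sec, uri):
    # Builds one constructed log line; none of this traffic is from the post.
    return f'{ip} - - [25/Feb/2006:10:00:{sec:02d} +0000] "POST {uri} HTTP/1.1" 200 512'

# Constructed sample: a FrontPage author publishing, a visitor, and a flood.
SAMPLE = ([_line("192.0.2.10", 0, "/_vti_bin/_vti_aut/author.dll")] * 12
          + [_line("192.0.2.10", 1, "/_vti_bin/_vti_aut/author.dll")] * 8
          + [_line("198.51.100.7", s, f"/page{s}.html") for s in range(3)]
          + [_line("203.0.113.5", 2, "/index.html")] * 200)

def peak(times, interval):
    """Largest number of requests inside any window of `interval` seconds."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] >= interval:
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def peaks(lines, page_interval=1, site_interval=1):
    """Per client IP: peak hits on one URI and peak hits on the whole site."""
    page, site = defaultdict(list), defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, stamp, uri = m.groups()
        t = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").timestamp()
        page[(ip, uri)].append(t)
        site[ip].append(t)
    out = {ip: {"page": 0, "site": peak(ts, site_interval)} for ip, ts in site.items()}
    for (ip, _), ts in page.items():
        out[ip]["page"] = max(out[ip]["page"], peak(ts, page_interval))
    return out

def would_trip(p, page_count, site_count):
    # Assumption: a client trips once a peak exceeds the configured count.
    return {ip: v["page"] > page_count or v["site"] > site_count for ip, v in p.items()}

if __name__ == "__main__":
    p = peaks(SAMPLE)
    for pc, sc in [(2, 50), (20, 50)]:  # candidate DOSPageCount / DOSSiteCount
        print(pc, sc, would_trip(p, pc, sc))
```

A page count above the publishing client's measured peak but well below the flood's peak keeps both goals from option 2; clients whose legitimate peak cannot be separated from abusive traffic are candidates for the whitelist in option 1.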