Date: Sat, 22 Mar 2014 16:20:32 +0100
From: Reindl Harald<h.reindl@...>
Subject: Re: [mod-security-users] mod security 2.2.7 problem on
Content-Type: text/plain; charset="iso-8859-1"
On 22.03.2014 15:49, Administrator Beckspaced.com wrote:
> hello there
> using the newest mod security 2.2.7 with newest rule set 2.2.9 on an
> opensuse 13.1 with apache 2.4.6
> mod security is actually running fine but i'm trying to run the slow dos
> rule set from experimental rules ->
> whenever i enable this rule set i get blocked by mod security
> [Fri Mar 21 17:23:04.018323 2014] [:warn] [pid 29457] ModSecurity:
> Access denied with code 400. Too many threads  of 100 allowed in
> READ state from 22.214.171.124 - Possible DoS Consumption Attack [Rejected]
just don't do that on the application level
it's insane to even respond from the webserver in such a case
ok ... thanks a lot for your reply ;-)
will look into iptables to protect against slow dos attacks.
but still i don't understand why mod security is blocking my IP address?
the server is not publicly accessible, though it tells me that i got 150 threads connected?
why is that?
also ... why isn't apache creating the collection data files ip.dir ip.pag global.dir global.pag
SecDataDir is set to /var/log/apache2 which is owned and writable by the apache user wwwrun:www
but on apache restart those files (ip.dir global.dir) don't get generated!
so how can mod security collect data if those files are not there?
but apache is able to create the modsec_debug.log and modsec_audit.log in the directory /var/log/apache2
but it will not create ip.dir and global.dir ... strange!
using opensuse 13.1 which uses systemd now. could this have something to do with it?
running another suse box with opensuse 12.2 which also uses systemd and there i don't have any problems at all
files for mod security get generated after an apache restart
really a bit out of knowledge here ;-(
perhaps someone can guide me towards fixing this?
thanks a million for your help & all the best
p.s. if it is insane to respond to slow dos attack from the webserver with mod security ... why is it even there then?
*argh* that's why "Reply all" on lists is bad
my first reply got offlist
On 24.03.2014 18:23, Administrator Beckspaced.com wrote:
> p.s. if it is insane to respond to slow dos attack from the webserver
> with mod security ... why is it even there then?
because often the webserver admins are different persons than
the firewall admins which may not be as responsible as they
should and so it's better than nothing
but if you ever were target of a *real* DDOS where attack
vectors are combined you know that the resources you
burn down on the application layer trying to protect
itself are hardly needed to handle the overall load
blocking a connection on the iptables layer / network stack
needs magnitudes less resources
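As an added example (not part of the thread and not ModSecurity's own code), a small parser for the "Possible DoS Consumption Attack" denial quoted above, aggregating denials per source IP from Apache error-log lines. It assumes the thread-count field "[N]" may be absent, since the quoted line shows it blank ("threads  of 100"); the sample lines other than the quoted one are constructed.

```python
import re
from collections import defaultdict

# Matches the slow-DoS denial line. The "[N]" thread count is optional because the
# line quoted in the thread shows it empty ("Too many threads  of 100"), an assumption
# about the format rather than something the thread confirms.
DENY_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[:warn\] \[pid (?P<pid>\d+)\] ModSecurity: "
    r"Access denied with code (?P<code>\d+)\. Too many threads"
    r"(?: \[(?P<count>\d+)\])?\s+of (?P<limit>\d+) allowed in "
    r"(?P<state>[A-Z]+) state from (?P<ip>[0-9.]+) - Possible DoS Consumption Attack"
)


def parse_denial(line):
    """Return the fields of a DoS-protection denial line, or None for other lines."""
    m = DENY_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["count"] = int(d["count"]) if d["count"] else None  # None when the field is blank
    d["limit"] = int(d["limit"])
    d["code"] = int(d["code"])
    return d


def summarize(lines):
    """Per source IP: number of denials, connection states seen, configured limit."""
    per_ip = defaultdict(lambda: {"denials": 0, "states": set(), "limit": None})
    for line in lines:
        d = parse_denial(line)
        if d is None:
            continue  # unrelated error-log noise
        entry = per_ip[d["ip"]]
        entry["denials"] += 1
        entry["states"].add(d["state"])
        entry["limit"] = d["limit"]
    return dict(per_ip)


# Constructed sample: line 0 is the one quoted in the thread, the rest are made up.
SAMPLE_LOG = [
    "[Fri Mar 21 17:23:04.018323 2014] [:warn] [pid 29457] ModSecurity: Access denied with code 400. Too many threads  of 100 allowed in READ state from 22.214.171.124 - Possible DoS Consumption Attack [Rejected]",
    "[Fri Mar 21 17:23:05.000000 2014] [:warn] [pid 29458] ModSecurity: Access denied with code 400. Too many threads [150] of 100 allowed in READ state from 22.214.171.124 - Possible DoS Consumption Attack [Rejected]",
    "[Fri Mar 21 17:23:06.000000 2014] [:warn] [pid 29459] ModSecurity: Access denied with code 400. Too many threads [120] of 100 allowed in WRITE state from 198.51.100.7 - Possible DoS Consumption Attack [Rejected]",
    "[Fri Mar 21 17:23:07.000000 2014] [:notice] [pid 29460] Apache/2.4.6 configured -- resuming normal operations",
]

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info["denials"], sorted(info["states"]), info["limit"])
```

Feed it `grep 'Possible DoS' /var/log/apache2/error_log` to see which clients trip the threshold before deciding whether the limit belongs in ModSecurity or in an iptables rule.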