document/TranslateProject
2
0
Fork 0
mirror of https://github.com/LCTT/TranslateProject.git synced 2025-03-24 02:20:09 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #7357 from jessie-pang/master

Browse Source 
20171127 Protecting Your Website From Application Layer DOS Attacks With mod.md
This commit is contained in:
Lv Feng 2018-01-23 21:36:13 +08:00 committed by GitHub
commit 1ce49ddb3f
2 changed files with 216 additions and 223 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

223
sources/tech/20171127 Protecting Your Website From Application Layer DOS Attacks With mod.md
View File

@ -1,223 +0,0 @@
Translating by jessie-pang
Protecting Your Website From Application Layer DOS Attacks With mod
======
There exist many ways of maliciously taking a website offline. The more complicated methods involve technical knowledge of databases and programming. A far simpler method is known as a "Denial Of Service", or "DOS" attack. This attack derives its name from its goal which is to deny your regular clients or site visitors normal website service.
There are, generally speaking, two forms of DOS attack;
1. Layer 3,4 or Network-Layer attacks.
2. Layer 7 or Application-Layer attacks.
The first type of DOS attack, network-layer, is when a huge quantity of junk traffic is directed at the web server. When the quantity of junk traffic exceeds the capacity of the network infrastructure the website is taken offline.
The second type of DOS attack, application-layer, is where instead of junk traffic legitimate looking page requests are made. When the number of page requests exceeds the capacity of the web server to serve pages legitimate visitors will not be able to use the site.
This guide will look at mitigating application-layer attacks. This is because mitigating networking-layer attacks requires huge quantities of available bandwidth and the co-operation of upstream providers. This is usually not something that can be protected against through configuration of the web server.
An application-layer attack, at least a modest one, can be protected against through the configuration of a normal web server. Protecting against this form of attack is important because [Cloudflare][1] have [recently reported][2] that the number of network-layer attacks is diminishing while the number of application-layer attacks is increasing.
This guide will explain using the Apache2 module [mod_evasive][3] by [zdziarski][4].
In addition, mod_evasive will stop an attacker trying to guess a username/password combination by attempting hundreds of combinations i.e. a brute force attack.
Mod_evasive works by keeping a record of the number of requests arriving from each IP address. When this number exceeds one of the several thresholds that IP is served an error page. Error pages require far fewer resources than a site page keeping the site online for legitimate visitors.
### Installing mod_evasive on Ubuntu 16.04
Mod_evasive is contained in the default Ubuntu 16.04 repositories with the package name "libapache2-mod-evasive". A simple `apt-get` will get it installed:
```
apt-get update
apt-get upgrade
apt-get install libapache2-mod-evasive
```
We now need to configure mod_evasive.
It's configuration file is located at `/etc/apache2/mods-available/evasive.conf`. By default, all the modules settings are commented after installation. Therefore, the module won't interfere with site traffic until the configuration file has been edited.
```
<IfModule mod_evasive20.c>
#DOSHashTableSize 3097
#DOSPageCount 2
#DOSSiteCount 50
#DOSPageInterval 1
#DOSSiteInterval 1
#DOSBlockingPeriod 10
#DOSEmailNotify you@yourdomain.com
#DOSSystemCommand "su - someuser -c '/sbin/... %s ...'"
#DOSLogDir "/var/log/mod_evasive"
</IfModule>
```
The first block of directives mean as follows:
* **DOSHashTableSize** - The current list of accessing IP's and their request count.
* **DOSPageCount** - The threshold number of page requests per DOSPageInterval.
* **DOSPageInterval** - The amount of time in which mod_evasive counts up the page requests.
* **DOSSiteCount** - The same as the DOSPageCount but counts requests from the same IP for any page on the site.
* **DOSSiteInterval** - The amount of time that mod_evasive counts up the site requests.
* **DOSBlockingPeriod** - The amount of time in seconds that an IP is blocked for.
If the default configuration shown above is used then an IP will be blocked if it:
* Requests a single page more than twice a second.
* Requests more than 50 pages different pages per second.
If an IP exceeds these thresholds it is blocked for 10 seconds.
This may not seem like a lot, however, mod_evasive will continue monitoring the page requests even for blocked IP's and reset their block period. As long as an IP is attempting to DOS the site it will remain blocked.
The remaining directives are:
* **DOSEmailNotify** - An email address to receive notification of DOS attacks and IP's being blocked.
* **DOSSystemCommand** - A command to run in the event of a DOS.
* **DOSLogDir** - The directory where mod_evasive keeps some temporary files.
### Configuring mod_evasive
The default configuration is a good place to start as it should not block any legitimate users. The configuration file with all directives (apart from DOSSystemCommand) uncommented looks like the following:
```
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
DOSEmailNotify JohnW@example.com
#DOSSystemCommand "su - someuser -c '/sbin/... %s ...'"
DOSLogDir "/var/log/mod_evasive"
</IfModule>
```
The log directory must be created and given the same owner as the apache process. Here it is created at `/var/log/mod_evasive` and given the owner and group of the Apache web server on Ubuntu `www-data`:
```
mkdir /var/log/mod_evasive
chown www-data:www-data /var/log/mod_evasive
```
After editing Apache's configuration, especially on a live website, it is always a good idea to check the syntax of the edits before restarting or reloading. This is because a syntax error will stop Apache from re-starting and taking your site offline.
Apache comes packaged with a helper command that has a configuration syntax checker. Simply run the following command to check your edits:
```
apachectl configtest
```
If your configuration is correct you will get the response:
```
Syntax OK
```
However, if there is a problem you will be told where it occurred and what it was, e.g.:
```
AH00526: Syntax error on line 6 of /etc/apache2/mods-enabled/evasive.conf:
DOSSiteInterval takes one argument, Set site interval
Action 'configtest' failed.
The Apache error log may have more information.
```
If your configuration passes the configtest then the module can be safely enabled and Apache reloaded:
```
a2enmod evasive
systemctl reload apache2.service
```
Mod_evasive is now configured and running.
### Testing
In order to test mod_evasive, we simply need to make enough web requests to the server that we exceed the threshold and record the response codes from Apache.
A normal, successful page request will receive the response:
```
HTTP/1.1 200 OK
```
However, one that has been denied by mod_evasive will return the following:
```
HTTP/1.1 403 Forbidden
```
The following script will make HTTP requests to `127.0.0.1:80`, that is localhost on port 80, as rapidly as possible and print out the response code of every request.
All you need to do is to copy the following bash script into a file e.g. `mod_evasive_test.sh`:
```
#!/bin/bash
set -e
for i in {1..50}; do
curl -s -I 127.0.0.1 | head -n 1
done
```
The parts of this script mean as follows:
* curl - This is a command to make web requests.
* -s - Hide the progress meter.
* -I - Only display the response header information.
* head - Print the first part of a file.
* -n 1 - Only display the first line.
Then make it executable:
```
chmod 755 mod_evasive_test.sh
```
When the script is run **before** mod_evasive is enabled you will see 50 lines of `HTTP/1.1 200 OK` returned.
However, after mod_evasive is enabled you will see the following:
```
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
...
```
The first two requests were allowed, but then once a third in the same second was made mod_evasive denied any further requests. You will also receive an email letting you know that a DOS attempt was detected to the address you set with the `DOSEmailNotify` option.
Mod_evasive is now protecting your site!
--------------------------------------------------------------------------------
via: https://bash-prompt.net/guides/mod_proxy/
作者:[Elliot Cooper][a]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]:https://bash-prompt.net/about/
[1]:https://www.cloudflare.com
[2]:https://blog.cloudflare.com/the-new-ddos-landscape/
[3]:https://github.com/jzdziarski/mod_evasive
[4]:https://www.zdziarski.com/blog/

216
translated/tech/20171127 Protecting Your Website From Application Layer DOS Attacks With mod.md Normal file
View File

@ -0,0 +1,216 @@
用 mod 保护您的网站免受应用层 DOS 攻击
======
有多种恶意攻击网站的方法比较复杂的方法要涉及数据库和编程方面的技术知识。一个更简单的方法被称为“拒绝服务”或“DOS”攻击。这个攻击方法的名字来源于它的意图使普通客户或网站访问者的正常服务请求被拒绝。
一般来说,有两种形式的 DOS 攻击:
1. OSI 模型的三、四层,即网络层攻击
2. OSI 模型的七层,即应用层攻击
第一种类型的 DOS 攻击——网络层,发生于当大量的垃圾流量流向网页服务器时。当垃圾流量超过网络的处理能力时,网站就会宕机。
第二种类型的 DOS 攻击是在应用层,是利用合法的服务请求,而不是垃圾流量。当页面请求数量超过网页服务器能承受的容量时,即使是合法访问者也将无法使用该网站。
本文将着眼于缓解应用层攻击,因为减轻网络层攻击需要大量的可用带宽和上游提供商的合作,这通常不是通过配置网络服务器就可以做到的。
通过配置普通的网页服务器,可以保护网页免受应用层攻击,至少是适度的防护。防止这种形式的攻击是非常重要的,因为 [Cloudflare][1] 最近 [报道][2] 了网络层攻击的数量正在减少,而应用层攻击的数量则在增加。
本文将根据 [zdziarski 的博客][4] 来解释如何使用 Apache2 的模块 [mod_evasive][3]。
另外mod_evasive 会阻止攻击者试图通过尝试数百个组合来猜测用户名和密码,即暴力攻击。
Mod_evasive 会记录来自每个 IP 地址的请求的数量。当这个数字超过相应 IP 地址的几个阈值之一时,会出现一个错误页面。错误页面所需的资源要比一个能够响应合法访问的在线网站少得多。
### 在 Ubuntu 16.04 上安装 mod_evasive
Ubuntu 16.04 默认的软件库中包含了 mod_evasive名称为“libapache2-mod-evasive”。您可以使用 `apt-get` 来完成安装:
```
apt-get update
apt-get upgrade
apt-get install libapache2-mod-evasive
```
现在我们需要配置 mod_evasive。
它的配置文件位于 `/etc/apache2/mods-available/evasive.conf`。默认情况下,所有模块的设置在安装后都会被注释掉。因此,在修改配置文件之前,模块不会干扰到网站流量。
```
<IfModule mod_evasive20.c>
#DOSHashTableSize 3097
#DOSPageCount 2
#DOSSiteCount 50
#DOSPageInterval 1
#DOSSiteInterval 1
#DOSBlockingPeriod 10
#DOSEmailNotify you@yourdomain.com
#DOSSystemCommand "su - someuser -c '/sbin/... %s ...'"
#DOSLogDir "/var/log/mod_evasive"
</IfModule>
```
第一部分的参数的含义如下:
* **DOSHashTableSize** - 正在访问网站的 IP 地址列表及其请求数。
* **DOSPageCount** - 在一定的时间间隔内,每个的页面的请求次数。时间间隔由 DOSPageInterval 定义。
* **DOSPageInterval** - mod_evasive 统计页面请求次数的时间间隔。
* **DOSSiteCount** - 与 DOSPageCount 相同,但统计的是网站内任何页面的来自相同 IP 地址的请求数量。
* **DOSSiteInterval** - mod_evasive 统计网站请求次数的时间间隔。
* **DOSBlockingPeriod** - 某个 IP 地址被加入黑名单的时长(以秒为单位)。
如果使用上面显示的默认配置,则在如下情况下,一个 IP 地址会被加入黑名单:
* 每秒请求同一页面超过两次。
* 每秒请求 50 个以上不同页面。
如果某个 IP 地址超过了这些阈值,则被加入黑名单 10 秒钟。
这看起来可能不算久但是mod_evasive 将一直监视页面请求,包括在黑名单中的 IP 地址,并重置其加入黑名单的起始时间。只要一个 IP 地址一直尝试使用 DOS 攻击该网站,它将始终在黑名单中。
其余的参数是:
* **DOSEmailNotify** - 用于接收 DOS 攻击信息和 IP 地址黑名单的电子邮件地址。
* **DOSSystemCommand** - 检测到 DOS 攻击时运行的命令。
* **DOSLogDir** - 用于存放 mod_evasive 的临时文件的目录。
### 配置 mod_evasive
默认的配置是一个很好的开始因为它的黑名单里不该有任何合法的用户。取消配置文件中的所有参数DOSSystemCommand 除外)的注释,如下所示:
```
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
DOSEmailNotify JohnW@example.com
#DOSSystemCommand "su - someuser -c '/sbin/... %s ...'"
DOSLogDir "/var/log/mod_evasive"
</IfModule>
```
必须要创建日志目录并且要赋予其与 apache 进程相同的所有者。这里创建的目录是 `/var/log/mod_evasive` ,并且在 Ubuntu 上将该目录的所有者和组设置为 `www-data` ,与 Apache 服务器相同:
```
mkdir /var/log/mod_evasive
chown www-data:www-data /var/log/mod_evasive
```
在编辑了 Apache 的配置之后,特别是在正在运行的网站上,在重新启动或重新加载之前,最好检查一下语法,因为语法错误将影响 Apache 的启动从而使网站宕机。
Apache 包含一个辅助命令,是一个配置语法检查器。只需运行以下命令来检查您的语法:
```
apachectl configtest
```
如果您的配置是正确的,会得到如下结果:
```
Syntax OK
```
但是,如果出现问题,您会被告知在哪部分发生了什么错误,例如:
```
AH00526: Syntax error on line 6 of /etc/apache2/mods-enabled/evasive.conf:
DOSSiteInterval takes one argument, Set site interval
Action 'configtest' failed.
The Apache error log may have more information.
```
如果您的配置通过了 configtest 的测试,那么这个模块可以安全地被启用并且 Apache 可以重新加载:
```
a2enmod evasive
systemctl reload apache2.service
```
Mod_evasive 现在已配置好并正在运行了。
### 测试
为了测试 mod_evasive我们只需要向服务器提出足够的网页访问请求以使其超出阈值并记录来自 Apache 的响应代码。
一个正常并成功的页面请求将收到如下响应:
```
HTTP/1.1 200 OK
```
但是,被 mod_evasive 拒绝的将返回以下内容:
```
HTTP/1.1 403 Forbidden
```
以下脚本会尽可能迅速地向本地主机127.0.0.1localhost的 80 端口发送 HTTP 请求,并打印出每个请求的响应代码。
你所要做的就是把下面的 bash 脚本复制到一个文件中,例如 `mod_evasive_test.sh`
```
#!/bin/bash
set -e
for i in {1..50}; do
curl -s -I 127.0.0.1 | head -n 1
done
```
这个脚本的部分含义如下:
* curl - 这是一个发出网络请求的命令。
* -s - 隐藏进度表。
* -I - 仅显示响应头部信息。
* head - 打印文件的第一部分。
* -n 1 - 只显示第一行。
然后赋予其执行权限:
```
chmod 755 mod_evasive_test.sh
```
在启用 mod_evasive **之前**,脚本运行时,将会看到 50 行“HTTP / 1.1 200 OK”的返回值。
但是,启用 mod_evasive 后,您将看到以下内容:
```
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
...
```
前两个请求被允许但是在同一秒内第三个请求发出时mod_evasive 拒绝了任何进一步的请求。您还将收到一封电子邮件(邮件地址在选项 `DOSEmailNotify` 中设置),通知您有 DOS 攻击被检测到。
Mod_evasive 现在已经在保护您的网站啦!
--------------------------------------------------------------------------------
via: https://bash-prompt.net/guides/mod_proxy/
作者:[Elliot Cooper][a]
译者:[jessie-pang](https://github.com/jessie-pang)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]:https://bash-prompt.net/about/
[1]:https://www.cloudflare.com
[2]:https://blog.cloudflare.com/the-new-ddos-landscape/
[3]:https://github.com/jzdziarski/mod_evasive
[4]:https://www.zdziarski.com/blog/