Topic: Mod_antiloris for 2.4 |
bagu
Joined: 06 Jan 2011 Posts: 193 Location: France
|
Posted: Sun 19 Feb '12 14:54 Post subject: Mod_antiloris for 2.4 |
|
|
Hello,
Is it possible to compile mod_antiloris for Apache 2.4?
Thanks |
|
|
admin Site Admin
Joined: 15 Oct 2005 Posts: 692
|
Posted: Sun 19 Feb '12 15:28 Post subject: |
|
|
Yep, can you test it ?
Download is Removed, see the note below from Gregg:
Come to think of it, in reality, mod_reqtimeout is a better module to use. It's not such a hard limit. I use it along with mod_antiloris 0.4.1. mod_reqtimeout is more giving, in there if data is flowing, it will not timeout. It's adjustable and works on both sides of the request, thereby defending against Antiloris as well as SlowHttp attacks......
Steffen
Last edited by admin on Fri 24 Feb '12 12:39; edited 3 times in total |
|
|
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3093 Location: Hilversum, NL, EU
|
Posted: Sun 19 Feb '12 16:59 Post subject: |
|
|
It crashes here.
Steffen |
|
|
bagu
Joined: 06 Jan 2011 Posts: 193 Location: France
|
Posted: Sun 19 Feb '12 23:04 Post subject: |
|
|
Crash here too |
|
|
NewEraCracker
Joined: 23 Aug 2010 Posts: 36
|
Posted: Mon 20 Feb '12 0:51 Post subject: |
|
|
I don't know how Steffen built it. I am using apxs and Visual Studio 9 here.
With apxs from the Visual Studio command line, building mod_antiloris.c from source fails.
I've edited the file build\config_vars.mk (line 74) to include the Apache lib files in the link options.
Code: | LDFLAGS = kernel32.lib "C:\Apache24\lib\*.lib" /nologo /subsystem:windows /dll /machine:I386 /libpath:"C:\Apache24\lib" |
Apparently it seems the issue is with the code, Apache 2.4 seems to have some minor breakage:
Code: | C:\Apache24\bin>apxs -cia ../build/mod_antiloris.c
Use of assignment to $[ is deprecated at apxs.bat line 120.
cl /nologo /MD /W3 /O2 /D WIN32 /D _WINDOWS /D NDEBUG -I"C:\Apache24\include" /c /Fo../build/mod_antiloris.lo ../build/mod_antiloris.c
mod_antiloris.c
../build/mod_antiloris.c(130) : error C2039: 'remote_ip' : is not a member of 'conn_rec'
c:\apache24\include\httpd.h(1056) : see declaration of 'conn_rec'
../build/mod_antiloris.c(130) : warning C4047: 'function' : 'const char *' differs in levels of indirection from 'unsigned int'
../build/mod_antiloris.c(130) : warning C4024: 'apr_cpystrn' : different types for formal and actual parameter 2
../build/mod_antiloris.c(130) : error C2198: 'apr_cpystrn' : too few arguments for call
../build/mod_antiloris.c(137) : warning C4047: 'function' : 'ap_sb_handle_t *' differs in levels of indirection from 'int'
../build/mod_antiloris.c(137) : warning C4024: 'ap_get_scoreboard_worker' : different types for formal and actual parameter 1
../build/mod_antiloris.c(137) : warning C4020: 'ap_get_scoreboard_worker' : too many actual parameters
../build/mod_antiloris.c(156) : error C2039: 'remote_ip' : is not a member of 'conn_rec'
c:\apache24\include\httpd.h(1056) : see declaration of 'conn_rec'
apxs:Error: Command failed with rc=131072
. |
|
|
|
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
|
Posted: Mon 20 Feb '12 3:13 Post subject: |
|
|
I've got 0.4(.1) now at Apache Haus, we have been supplying it with our 2.3.x betas since we started distributing them back at 2.3.5.
I will have NewEra's 0.5(.1) up shortly, I just compiled the x64 one. I'm still not convinced about some of the targets in 0.5 but, why fight it
And yes, In my view they went out of their way to break just about every 3rd party module out there. |
|
|
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
|
Posted: Mon 20 Feb '12 4:06 Post subject: |
|
|
Come to think of it, in reality, mod_reqtimeout is a better module to use. It's not such a hard limit. I use it along with mod_antiloris 0.4.1. mod_reqtimeout is more giving, in there if data is flowing, it will not timeout. It's adjustable and works on both sides of the request, thereby defending against Antiloris as well as SlowHttp attacks.
I have found this to be a happy setting for it:
<IfModule reqtimeout_module>
RequestReadTimeout header=10-25,MinRate=250
</IfModule>
I only change the header timeout from the module's default setting as I am more concerned about a quicker early response on that side of the request, yet I have lowered the bar for getting more time. Nonetheless, at 25 seconds, the request times out. In an actual Antiloris attack, it would time out at 10 seconds.
http://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html |
|
|
NewEraCracker
Joined: 23 Aug 2010 Posts: 36
|
Posted: Mon 20 Feb '12 12:47 Post subject: |
|
|
For the slowloris attack mod_reqtimeout comes in handy, but the build I've made of mod_antiloris (the 0.5) has protection against other attacks such as slowpost DoS.
In my server I run mod_reqtimeout and mod_antiloris with the following configuration:
Code: | <IfModule antiloris_module>
IPReadLimit 20
</IfModule>
<IfModule reqtimeout_module>
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule> |
Both come in handy.
By the way, glsmith, can you please also include the source code in the download archive? I'd like to learn about the changes to make the module compatible with apache 2.4.
Thank you. |
|
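A simplified model of the `RequestReadTimeout` settings quoted in the two posts above (`header=10-25,MinRate=250` and `header=20-40,MinRate=500 body=20,MinRate=500`), added here as an example; it is not code from the thread or from mod_reqtimeout. It assumes the documented semantics (an initial timeout, one extra second per MinRate bytes received, up to the optional maximum); `parse_stage`, `simulate`, `drip` and the traffic patterns are constructed for illustration.

```python
"""Simplified model of one RequestReadTimeout stage (constructed example)."""
import math


def parse_stage(spec):
    """'header=10-25,MinRate=250' -> (stage, initial, maximum, min_rate)."""
    stage, rest = spec.split("=", 1)
    window, rate = rest.split(",", 1)
    bounds = window.split("-")
    initial = float(bounds[0])
    # 'body=20,MinRate=500' has no upper bound: model it as infinity
    maximum = float(bounds[1]) if len(bounds) > 1 else math.inf
    key, value = rate.split("=", 1)
    if key.lower() != "minrate" or int(value) <= 0 or maximum < initial:
        raise ValueError(f"unsupported stage spec: {spec!r}")
    return stage, initial, maximum, int(value)


def simulate(spec, arrivals, needed):
    """Return ('complete', t) or ('timeout', t) for one stage.

    arrivals: (seconds since stage start, bytes received), sorted by time.
    needed:   byte count at which the stage (header block or body) is complete.
    """
    _, initial, maximum, min_rate = parse_stage(spec)
    deadline, received = initial, 0
    for t, nbytes in arrivals:
        if t >= deadline:  # the deadline expired before this data arrived
            break
        received += nbytes
        if received >= needed:
            return ("complete", t)
        # every min_rate bytes received buys one more second, up to the cap
        deadline = min(initial + received / min_rate, maximum)
    return ("timeout", round(deadline, 3))


def drip(nbytes, every, count):
    """Constructed traffic: nbytes arriving every `every` seconds."""
    return [(i * every, nbytes) for i in range(count)]


if __name__ == "__main__":
    for spec in ("header=10-25,MinRate=250", "header=20-40,MinRate=500",
                 "body=20,MinRate=500"):
        print(spec)
        print("  10 B every 4 s:", simulate(spec, drip(10, 4.0, 20), 800))
        print("  250 B/s steady:", simulate(spec, drip(250, 1.0, 60), 20000))
        print("  one 700 B read:", simulate(spec, [(0.05, 700)], 700))
```

In this model a trickle of a few bytes earns almost no extension and is cut off just after the initial window, while a sender that keeps pace with MinRate on a header stage still stops at the upper bound.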
|
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
|
Posted: Mon 20 Feb '12 19:25 Post subject: |
|
|
I'll repackage in a day or two and include the diff.
Code: |
--- mod_antiloris.c 2011-09-09 05:22:39.747070300 -0700
+++ mod_antiloris.c 2012-02-19 12:10:55.349000000 -0800
@@ -22,11 +22,16 @@
#include "http_connection.h"
#include "http_log.h"
#include "ap_mpm.h"
+#include "ap_release.h"
#include "apr_strings.h"
#include "scoreboard.h"
#define MODULE_NAME "mod_antiloris"
-#define MODULE_VERSION "0.5"
+#define MODULE_VERSION "0.5.1"
+
+#ifdef APLOG_USE_MODULE
+APLOG_USE_MODULE(antiloris);
+#endif
module AP_MODULE_DECLARE_DATA antiloris_module;
@@ -105,6 +110,7 @@
ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL, MODULE_NAME " " MODULE_VERSION " started");
ap_mpm_query(AP_MPMQ_HARD_LIMIT_THREADS, &thread_limit);
ap_mpm_query(AP_MPMQ_HARD_LIMIT_DAEMONS, &server_limit);
+ ap_add_version_component(p, MODULE_NAME "/" MODULE_VERSION);
return OK;
}
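Review bot: the ap_add_version_component(p, MODULE_NAME "/" MODULE_VERSION) line added before return OK puts the module name and its exact version into the server's version string, so anyone who can read the banner learns which connection-limiting module and release is deployed. Consider making the call optional, or note in the documentation that the component is shown only when ServerTokens is set to Full, and add a one-line comment saying the call was moved here from the child_init function that the last hunk removes.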
@@ -127,14 +133,18 @@
worker_score *ws_record;
ws_record = &ap_scoreboard_image->servers[sbh->child_num][sbh->thread_num];
- apr_cpystrn(ws_record->client, c->remote_ip, sizeof(ws_record->client));
+ apr_cpystrn(ws_record->client, c->client_ip, sizeof(ws_record->client));
client_ip = ws_record->client;
/* Count up the number of connections we are handling right now from this IP address */
for (i = 0; i < server_limit; ++i) {
for (j = 0; j < thread_limit; ++j) {
+#if AP_SERVER_MAJORVERSION_NUMBER == 2 && AP_SERVER_MINORVERSION_NUMBER > 2
+ ws_record = ap_get_scoreboard_worker_from_indexes(i, j);
+#else
ws_record = ap_get_scoreboard_worker(i, j);
+#endif
switch (ws_record->status) {
case SERVER_BUSY_READ:
case SERVER_BUSY_WRITE:
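Review bot: the change from c->remote_ip to c->client_ip in the apr_cpystrn call is unconditional, while the scoreboard accessor a few lines further down is wrapped in an AP_SERVER_MINORVERSION_NUMBER > 2 check that keeps the old ap_get_scoreboard_worker(i, j) call in #else. Apache 2.2's conn_rec has remote_ip and no client_ip, so the #else branch can never be reached by a successful build. Either put the field name behind the same version check (a small macro would do) or drop the #else branch and state that 0.5.1 targets 2.4 only.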
@@ -153,7 +163,7 @@
}
if (ip_count > conf->limit) {
- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, "[client %s] Antiloris rejected, too many connections", c->remote_ip);
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, "[client %s] Antiloris rejected, too many connections", c->client_ip);
return OK;
} else {
return DECLINED;
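Review bot: the changed ap_log_error call still passes NULL for the server and formats the client address by hand, although the connection c is in scope. ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c, ...) would attribute the message to the connection and allow the "[client %s]" prefix to be dropped from the format string. Note also that this warning is written once per rejected connection, so during the flood the module is meant to absorb the error log grows at the same rate; a lower log level or a per-address limit on the message would keep the log usable.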
@@ -161,17 +171,10 @@
}
-static void child_init (apr_pool_t *p, server_rec *s)
-{
- ap_add_version_component(p, MODULE_NAME "/" MODULE_VERSION);
-}
-
-
static void register_hooks(apr_pool_t *p)
{
ap_hook_post_config(post_config, NULL, NULL, APR_HOOK_MIDDLE);
ap_hook_process_connection(pre_connection, NULL, NULL, APR_HOOK_FIRST);
- ap_hook_child_init(child_init, NULL, NULL, APR_HOOK_MIDDLE);
}
module AP_MODULE_DECLARE_DATA antiloris_module = {
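Review bot: in register_hooks the handler passed to ap_hook_process_connection is still called pre_connection, which reads as though it were registered with the separate ap_hook_pre_connection hook. Since this hunk already edits the registration block, rename the handler to match the hook it is attached to (process_connection, for example) so the next maintainer does not misread where the per-address check runs.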
|
|
|
|
bagu
Joined: 06 Jan 2011 Posts: 193 Location: France
|
Posted: Thu 23 Feb '12 19:02 Post subject: |
|
|
Hello,
Mod_antiloris 0.5.1 from apachehaus works like a charm |