So, my apache installation seems to be finally secured against slowloris. Apparently…why? Because I did not fully test it, but a simple attack seems not to break my site now!
Some time ago, I tried to defend my Apache server with the antiloris module. At that time, this module was in version 0.3, and unfortunately, was not (and still isn’t) much disseminated. I installed it but had no luck! An attack with slowloris would still render my Apache-served site unusable.
The second approach I took was to mess with iptables.
At the time, it seemed to me all my problems were solved.
lol I was wrong…oh well:
- my idea was to limit the number of connections that one host could open to my server. After some research, I found this. So it was just a matter of changing that to port 80 and a more suitable number of connections:
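```
# Record the source address of every new connection to port 80
sudo iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --set
# Drop the new connection if that source has been seen 10 or more times in the last second
sudo iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 1 --hitcount 10 -j DROP
# Accept everything else on port 80
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
```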
What the above commands do is “count” the number of new connections that each host/IP opens to port 80. The count is kept over a one-second window. If the host passes the limit (in this case, 10), its new connections are dropped.
Btw, this approach relies on the recent module for iptables. My VPS did not have this module enabled, so I had to ask my service provider's support, and they enabled the module.
But, of course, this number, the number of connections to let a host make over a period of time, is hard to get right! It depends on many things. Either way, the above did not work for me and the number is wrong for a number of reasons…but I must remark that limiting the number of connections a host can make to our server is always an intelligent move.
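Choosing a per-host limit is easier with a view of how many connections each client holds open at once, which is a different figure from the new-connections-per-second rate the `recent` rules measure. The script below is an added example, not part of the original post: it tallies established connections to port 80 per client from `ss -tn` output. The sample addresses and the limit of 3 are constructed for illustration.

```shell
#!/bin/sh
# Added example: count established connections per client on the web port.
PORT=80   # port Apache listens on, as in the iptables rules above

# Reads `ss -tn` output on stdin; prints "count address" per peer, busiest first.
conns_per_host() {
    awk -v port="$PORT" '
        $1 == "ESTAB" {
            lport = $4; sub(/.*:/, "", lport)   # text after the last colon
            if (lport != port) next             # not a connection to Apache
            peer = $5
            sub(/:[0-9]+$/, "", peer)           # drop the peer port
            gsub(/^\[|\]$/, "", peer)           # drop IPv6 brackets
            sub(/^::ffff:/, "", peer)           # unwrap IPv4-mapped addresses
            count[peer]++
        }
        END { for (h in count) print count[h], h }
    ' | sort -k1,1nr -k2,2
}

# Prints the peers holding more than $1 connections at once.
hosts_over_limit() {
    conns_per_host | awk -v limit="$1" '$1 > limit { print $2 }'
}

# Constructed sample of `ss -tn` output, using documentation addresses.
sample_ss_output() {
    cat <<'EOF'
State     Recv-Q Send-Q Local Address:Port        Peer Address:Port
ESTAB     0      0      192.0.2.10:80             203.0.113.5:51000
ESTAB     0      0      192.0.2.10:80             203.0.113.5:51001
ESTAB     0      0      192.0.2.10:80             203.0.113.5:51002
ESTAB     0      0      192.0.2.10:80             203.0.113.5:51003
ESTAB     0      0      [::ffff:192.0.2.10]:80    [::ffff:203.0.113.5]:51004
ESTAB     0      0      192.0.2.10:22             203.0.113.5:51005
ESTAB     0      0      192.0.2.10:80             198.51.100.7:40210
ESTAB     0      0      [2001:db8::1]:80          [2001:db8::9]:40000
ESTAB     0      0      [2001:db8::1]:80          [2001:db8::9]:40001
TIME-WAIT 0      0      192.0.2.10:80             198.51.100.7:40100
EOF
}

# The limit of 3 is a constructed value for the sample; on a live server run
#   ss -tn | hosts_over_limit 20
sample_ss_output | hosts_over_limit 3
```

A client that keeps dozens of connections established for minutes while sending almost nothing stands out in this tally long before Apache runs out of workers.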
After acknowledging my failure with iptables, I looked for another defense against slowloris. After googling a bit, I found this. I decided to try it. After all, varnish was even in the official repositories of Ubuntu! But once again, this did not work. I was able to install and configure both apache and varnish, and my sites were online. But varnish, when attacked with slowloris, gave me 200 OK and empty content! Just blank pages when accessing the site while an attack was taking place…it was disappointing…About this, I found the following:
- http://projects.linpro.no/pipermail/varnish-misc/2007-October/001060.html
- http://projects.linpro.no/pipermail/varnish-misc/2008-February/001429.html
…which is nothing! Seems that no one knows how to solve this. Also, the version I installed, available in the repos, was not the latest, so I upgraded varnish. This did not work either…
Oh well, the truth is that I was kind of relieved when I uninstalled varnish. For someone using a VPS with a small amount of RAM, and a couple of sites with not much audience, it makes almost no sense to use varnish.
So I continued in my quest to find a defense against slowloris. I decided to try mod_antiloris once again, hoping that I had done something wrong during installation. When I visited the page, I noticed version 0.4.
So, the following is what I did to install it:
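```
# Download and unpack the module source
wget ftp://ftp.monshouwer.eu/pub/linux/mod_antiloris/mod_antiloris-0.4.tar.bz2
tar -xjvf mod_antiloris-0.4.tar.bz2
cd mod_antiloris-0.4/
# Compile (-c), install (-i) and activate (-a) the module
sudo apxs2 -a -i -c mod_antiloris.c
```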
This compiles, installs and activates the module in apache, writing a “LoadModule” directive in httpd.conf. For the sake of organization, among other things, you can delete that line from your httpd.conf, and create an antiloris.load in /etc/apache2/mods-available/:
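```
# "sudo echo ... > file" fails for a non-root user because the redirect runs
# in the unprivileged shell, so write the file through sudo tee instead
echo "LoadModule antiloris_module /usr/lib/apache2/modules/mod_antiloris.so" | sudo tee /etc/apache2/mods-available/antiloris.load
sudo a2enmod antiloris
sudo /etc/init.d/apache2 restart
```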
This creates the file and enables the module.
…and finally, the site remained operable during an attack with slowloris. And, though I did not fully test this, I’m happy for now.
References:
- ftp://ftp.monshouwer.eu/pub/linux/mod_antiloris/
- http://www.linux-archive.org/centos/328400-slowloris-apache-dos-solution.html
- http://modules.apache.org/search.php?id=1783
- http://ha.ckers.org/slowloris/
- http://wiki.tyk.nu/index.php/Using_Varnish_to_protect_Apache_against_slowloris
- http://varnish.projects.linpro.no/
- http://www.debian-administration.org/articles/187