Easy way to stop spammers/DoS attacks using lighttpd
First, enable mod_evasive, then add: evasive.max-conns-per-ip = X, where X is some integer.
This works. However, if the same domain hosts images and files alike, it could lead to false positives. If a page hit requires 90 requests, and the client's browser is set up to allow more concurrent requests to the site than max-conns-per-ip is set to, you will be blocked.
There is a very easy way around this, though: enable this only for the front controller. In my case this is what I ended up with:
# Apply the per-IP connection limit only to the front controller
$HTTP["url"] =~ "^/(index\.php)?(\?.*)?$" {
    evasive.max-conns-per-ip = 4
}
This makes evasive track DOMAIN, DOMAIN/index.php?foo and DOMAIN/?foo, which is what I want. To find a value that works well, you’ll just have to monitor the error log for evasive alerts.
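One way to do that monitoring, as an added example (not part of the original post): a small Python script that counts mod_evasive rejections per client and separates clients rejected in bursts from those rejected only occasionally. The log line shape it matches ("<timestamp>: (mod_evasive.c.<line>) <ip> turned away. Too many connections.") is an assumption about your lighttpd build, and the function name, the burst threshold and the sample log are all constructed for illustration.

```python
import re
from collections import Counter

# Assumed error-log line shape; adjust the pattern if your build logs differently.
ALERT = re.compile(
    r"^(?P<minute>\d{4}-\d{2}-\d{2} \d{2}:\d{2}):\d{2}: \(mod_evasive\.c\.\d+\) "
    r"(?P<ip>\S+) turned away\. Too many connections\."
)

def summarize(lines, burst=3):
    """Count rejections per client and split the clients into two groups.

    A client rejected at least `burst` times within one minute is 'sustained';
    a client with only scattered rejections is 'sporadic'. Many sporadic
    clients suggest max-conns-per-ip is too low for ordinary browsers.
    """
    per_ip = Counter()
    per_ip_minute = Counter()
    for line in lines:
        m = ALERT.match(line)
        if not m:
            continue  # some other error-log entry
        per_ip[m["ip"]] += 1
        per_ip_minute[(m["ip"], m["minute"])] += 1
    sustained = {ip for (ip, _), n in per_ip_minute.items() if n >= burst}
    sporadic = set(per_ip) - sustained
    return per_ip, sorted(sustained), sorted(sporadic)

# Constructed sample log using documentation addresses, not real traffic.
SAMPLE = """\
2009-03-01 10:15:01: (mod_evasive.c.183) 192.0.2.10 turned away. Too many connections.
2009-03-01 10:15:01: (mod_evasive.c.183) 192.0.2.10 turned away. Too many connections.
2009-03-01 10:15:02: (mod_evasive.c.183) 192.0.2.10 turned away. Too many connections.
2009-03-01 10:15:02: (mod_evasive.c.183) 192.0.2.10 turned away. Too many connections.
2009-03-01 10:15:40: (mod_evasive.c.183) 198.51.100.7 turned away. Too many connections.
2009-03-01 10:16:05: (log.c.166) server started
2009-03-01 10:42:13: (mod_evasive.c.183) 203.0.113.5 turned away. Too many connections.
2009-03-01 11:03:20: (mod_evasive.c.183) 198.51.100.7 turned away. Too many connections.
""".splitlines()

if __name__ == "__main__":
    counts, sustained, sporadic = summarize(SAMPLE)
    for ip, n in counts.most_common():
        kind = "sustained" if ip in sustained else "sporadic"
        print(f"{ip:15} {n:4} rejections  ({kind})")
```

Run it against the real error log by passing an open file object to `summarize` in place of `SAMPLE`.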