
Apache 2.4.4 (httpd 2.4.4): complete guide to installing the anti-DDoS module extension

March 31, 2013 / General

First, the configuration directives with annotations:
========================================================================
DOSHashTableSize    3097   size of the hash table.
DOSPageCount        5      number of requests the same client may make to the same page within the interval; beyond this a 403 is returned.
DOSSiteCount        80     number of concurrent connections the same client may make site-wide within the interval is 80; beyond this limit a 403 is returned. Tune it to the site: an FTP download site or an image hosting site may need a larger value.
DOSPageInterval     2      counting interval for the same page
DOSSiteInterval     2      site-wide counting interval
DOSBlockingPeriod   600    a blocked client stays blocked for 600 seconds

DOSLogDir           "/var/log/mod_evasive"    where the log files are kept.

#DOSWhitelist   127.0.0.1
#DOSWhitelist   192.168.0.*    this is the whitelist; IPs listed here are exempt from the limits above.
[root@102 ~]# touch /var/log/mod_evasive   that is all it takes.

The actual steps were as follows:
#wget http://www.zdziarski.com/blog/wp-content/uploads/2010/02/mod_evasive_1.10.1.tar.gz
#tar zxvf mod_evasive_1.10.1.tar.gz
#cd mod_evasive
vim mod_evasive20.c (edit the log directory before installing: this module cannot change the log directory from its configuration, so set the real value before compiling)
/*
#define DEFAULT_HASH_TBL_SIZE   3097ul  // Default hash table size
#define DEFAULT_PAGE_COUNT      2       // Default maximum page hit count per interval
#define DEFAULT_SITE_COUNT      50      // Default maximum site hit count per interval
#define DEFAULT_PAGE_INTERVAL   1       // Default 1 Second page interval
#define DEFAULT_SITE_INTERVAL   1       // Default 1 Second site interval
#define DEFAULT_BLOCKING_PERIOD 10      // Default for Detected IPs; blocked for 10 seconds
#define DEFAULT_LOG_DIR         "/tmp"  // Default temp directory
*/

#define DEFAULT_HASH_TBL_SIZE   6195ul  // Default hash table size
#define DEFAULT_PAGE_COUNT      2       // Default maximum page hit count per interval
#define DEFAULT_SITE_COUNT      50      // Default maximum site hit count per interval
#define DEFAULT_PAGE_INTERVAL   1       // Default 1 Second page interval
#define DEFAULT_SITE_INTERVAL   1       // Default 1 Second site interval
#define DEFAULT_BLOCKING_PERIOD 500     // Default for Detected IPs; blocked for 500 seconds
#define DEFAULT_LOG_DIR         "/usr/local/apache2/logs"  // Default log directory

Run the install using the path of your actual Apache installation (either /usr/local/apache2/bin/apxs -i -c mod_evasive20.c or /usr/local/apache2/bin/apxs -i -a -c ./mod_evasive20.c)

I used the latter, as follows
/usr/local/apache2/bin/apxs -i -a -c ./mod_evasive20.c

Unfortunately the following errors appeared:

./mod_evasive20.c: In function 'access_checker':
./mod_evasive20.c:142: error: 'conn_rec' has no member named 'remote_ip'
./mod_evasive20.c:146: error: 'conn_rec' has no member named 'remote_ip'
./mod_evasive20.c:158: error: 'conn_rec' has no member named 'remote_ip'
./mod_evasive20.c:165: error: 'conn_rec' has no member named 'remote_ip'
./mod_evasive20.c:180: error: 'conn_rec' has no member named 'remote_ip'
./mod_evasive20.c:187: error: 'conn_rec' has no member named 'remote_ip'
./mod_evasive20.c:208: error: 'conn_rec' has no member named 'remote_ip'
./mod_evasive20.c:212: warning: implicit declaration of function 'getpid'
./mod_evasive20.c:215: error: 'conn_rec' has no member named 'remote_ip'
./mod_evasive20.c:221: error: 'conn_rec' has no member named 'remote_ip'
./mod_evasive20.c:222: error: 'conn_rec' has no member named 'remote_ip'
./mod_evasive20.c:228: error: 'conn_rec' has no member named 'remote_ip'
apxs:Error: Command failed with rc=65536

After searching Baidu and Google for a long time without finding a solution, in the end

in mod_evasive20.c, at lines 142, 146, 158, 165, 180, 187, 208, 212, 215, 221, 222 and 228,

I changed the corresponding remote_ip to client_ip, saved, and ran the install again; that was all that was needed.

The following output shows that the installation succeeded:

Libraries have been installed in:
   /usr/local/apache2//modules

If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR'
flag during linking and do at least one of the following:
   - add LIBDIR to the `LD_LIBRARY_PATH' environment variable
     during execution
   - add LIBDIR to the `LD_RUN_PATH' environment variable
     during linking
   - use the `-Wl,-rpath -Wl,LIBDIR' linker flag
   - have your system administrator add LIBDIR to `/etc/ld.so.conf'

See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
----------------------------------------------------------------------
chmod 755 /usr/local/apache2//modules/mod_evasive20.so

Note: apxs is the tool used to compile modules; if you use the distribution's package it is usually in /usr/sbin. If you compiled and installed Apache (httpd) yourself, specify the path yourself.
After the installation finishes, the following line is added by default to /usr/local/apache2/conf/httpd.conf

<IfModule mod_ssl.c>
    Include conf/ssl.conf
</IfModule>

vi /usr/local/apache2/conf/httpd.conf
LoadModule evasive20_module   modules/mod_evasive20.so
<IfModule mod_evasive20.c>
    DOSHashTableSize 6195
    DOSSiteCount 50
    DOSPageCount 2
    DOSPageInterval 1
    DOSSiteInterval 1

    DOSBlockingPeriod   10

    DOSLogDir "/usr/local/apache2/logs"
    # whitelist
    DOSWhiteList 127.0.0.1
    DOSWhiteList 127.0.0.*
</IfModule>

Then restart Apache.

Parameter reference:
DOSHashTableSize 3097: size of the hash table.
DOSPageCount 2: number of requests to the same page a client may make within the page interval.
DOSSiteCount 50: maximum number of concurrent connections allowed per client.
DOSPageInterval 1: interval of the per-page access counter.
DOSSiteInterval 1: interval of the site-wide access counter.
DOSBlockingPeriod 10: how long access is refused once a client is blacklisted.
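To make the interaction of these directives concrete (both the annotated block at the top and the reference list above), here is an added Python model of the counting rules as the post describes them; it is not the module's own code. It assumes the documented semantics: a client exceeding DOSPageCount hits on one URI within DOSPageInterval, or DOSSiteCount hits site-wide within DOSSiteInterval, is refused for DOSBlockingPeriod seconds, and every hit made while blocked extends the block.

```python
from dataclasses import dataclass, field

@dataclass
class EvasiveConfig:
    page_count: int = 2          # DOSPageCount: hits on one URI per page_interval
    site_count: int = 50         # DOSSiteCount: hits on the whole site per site_interval
    page_interval: float = 1     # DOSPageInterval, seconds
    site_interval: float = 1     # DOSSiteInterval, seconds
    blocking_period: float = 10  # DOSBlockingPeriod, seconds
    whitelist: set = field(default_factory=set)  # DOSWhitelist entries (exact IPs only here)

class Evasive:
    """Per-client counters as the post describes them; assumed model, not the module's code."""
    def __init__(self, cfg):
        self.cfg = cfg
        self.hits = {}     # (ip, uri) or (ip, "_SITE") -> (count, time of last hit)
        self.blocked = {}  # ip -> time of the last refused hit

    def _hit(self, key, now, interval):
        count, last = self.hits.get(key, (0, now))
        if now - last >= interval:
            count = 0          # the interval has passed: start a fresh count
        count += 1
        self.hits[key] = (count, now)
        return count

    def check(self, ip, uri, now):
        """Return 403 if the request should be refused, otherwise 200."""
        if ip in self.cfg.whitelist:
            return 200
        last = self.blocked.get(ip)
        if last is not None and now - last < self.cfg.blocking_period:
            self.blocked[ip] = now   # every hit while blocked extends the block
            return 403
        page = self._hit((ip, uri), now, self.cfg.page_interval)
        site = self._hit((ip, "_SITE"), now, self.cfg.site_interval)
        if page > self.cfg.page_count or site > self.cfg.site_count:
            self.blocked[ip] = now
            return 403
        return 200

def demo():
    """Constructed traffic: one client hammering "/", one spreading hits over many URIs, loopback."""
    ev = Evasive(EvasiveConfig(whitelist={"127.0.0.1"}))
    same_page = [ev.check("192.168.1.101", "/", 100 + i * 0.01) for i in range(5)]
    # hits at t=109 and t=118 each fall inside the (extended) block; t=130 is past it
    after = [ev.check("192.168.1.101", "/", t) for t in (109, 118, 130)]
    spread = [ev.check("192.168.1.94", "/p%d" % i, 200 + i * 0.001) for i in range(51)]
    local = [ev.check("127.0.0.1", "/", 100 + i * 0.01) for i in range(5)]
    return same_page, after, spread, local
```

With the defaults above, the third hit on the same page within one second is refused, the 51st distinct URI within one second is refused, and the whitelisted loopback client is never counted.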
4. Testing and verifying mod_evasive
You can test with Apache's ab tool, or with the test.pl script in the extracted evasive directory.
ab: ab -n 1000 -c 50 http://www..bz/
perl: perl test.pl

Below is a simple simulated concurrency test using the benchmarking tool that ships with Apache

/usr/local/apache2/bin/ab -n10000 -c1000 http://2**.25*.**.**/phpinfo123151.php
This is ApacheBench, Version 2.3 <$Revision: 1430300 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking 2**.25*.**.** (be patient)
Completed 1000 requests
Completed 2000 requests
Completed 3000 requests
Completed 4000 requests
Completed 5000 requests
Completed 6000 requests
Completed 7000 requests
Completed 8000 requests
Completed 9000 requests
Completed 10000 requests
Finished 10000 requests

Server Software:        Apache
Server Hostname:        2**.25*.**.**
Server Port:            80

Document Path:          /phpinfo123151.php
Document Length:        219 bytes

Concurrency Level:      1000
Time taken for tests:   3.934 seconds
Complete requests:      10000
Failed requests:        8
   (Connect: 0, Receive: 0, Length: 8, Exceptions: 0)
Write errors:           0
Non-2xx responses:      9992
Total transferred:      4273472 bytes
HTML transferred:       2633120 bytes
Requests per second:    2542.04 [#/sec] (mean)
Time per request:       393.385 [ms] (mean)
Time per request:       0.393 [ms] (mean, across all concurrent requests)
Transfer rate:          1060.87 [Kbytes/sec] received

Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:        0    9  14.9      3      83
Processing:     2  157 432.0     20    3018
Waiting:        0  151 432.8     14    3018
Total:          4  166 438.8     25    3098

Percentage of the requests served within a certain time (ms)
  50%     25
  66%     31
  75%     35
  80%     39
  90%    446
  95%   1461
  98%   1708
  99%   2382
 100%   3098 (longest request)

The following is a test run from another machine

D:\APMServ5.2.6\Apache\bin>ab.exe  -n10000 -c1000 http://http://192.168.1.104/

This is ApacheBench, Version 2.3 <$Revision: 655654 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licens

http://192.168.1.104/

It worked as expected:
Forbidden
You don't have permission to access / on this server.
Apache/2.0.59 (Unix) PHP/5.2.6 Server at 192.168.1.104 Port 80

while on the server itself:
root@192.168.1.104:~ curl "http://192.168.1.104/"
...
<title>Test Page for Apache Installation</title>
...
the page was still served normally, which shows the module is active.
I noticed the folder had not appeared, probably a permissions problem, so:
chmod -R 777 /usr/local/apache2/logs/
then, using:
tail -f /usr/local/apache/logs/error_log, the log shows:
[Mon Jan 10 13:16:45 2011] [error] [client 192.168.1.94] client denied by server configuration: /usr/local/apache/htdocs/logo.png

root@192.168.1.104:~ /usr/local/apache2/logs # ls
dos-192.168.1.101
Local test:
root@192.168.1.104:~/usr/local/apache2/bin # ./ab  -n10000 -c1000 http://192.168.1.104/
then check the page again:
root@192.168.1.104:~/usr/local/apache2/bin # curl "http://192.168.1.104/"              
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /
on this server.</p>
<hr>
<address>Apache/2.0.59 (Unix) PHP/5.2.6 Server at 192.168.1.104 Port 80</address>
</body></html>
Checking the logs: in /usr/local/apache/logs/ on the server, files named like
dos-192.168.1.94 are created [generally dos plus the IP], and sure enough they are there:
ls /usr/local/apache/logs/
dos-192.168.1.101  dos-192.168.1.104
One more file has appeared in the log directory:
dos-192.168.1.104
Look again:
tail -f /usr/local/apache2/logs/error_log, the log shows: [note: the error log is under apache2/logs, that is, under apache2]
bogon:/usr/local/apache/logs # tail /usr/local/apache2/logs/error_log
[Tue Aug 23 07:00:26 2011] [error] [client 192.168.1.104] client denied by server configuration: /usr/local/apache2/htdocs/
[Tue Aug 23 07:00:26 2011] [error] [client 192.168.1.104] client denied by server configuration: /usr/local/apache2/htdocs/
...
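The verification above rests on two artefacts: the "client denied by server configuration" lines in error_log and the dos-<ip> marker files in DOSLogDir (which must be an existing directory writable by the httpd user, since the files are created inside it). The following added script, not part of the original post, parses constructed copies of both and reconciles them; the regex follows the 2.0/2.2 log format quoted above, so it needs adjusting for the 2.4 format, which also prints a module tag, pid and client port.

```python
import os
import re
import tempfile
from datetime import datetime

# format of the 2.0/2.2 error_log lines quoted in the post; 2.4 adds a module tag, pid and client port
DENIED = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] "
    r"client denied by server configuration: (?P<path>\S+)")

def parse_denials(lines):
    """Return {ip: (count, first_seen, last_seen)} for 'client denied' entries."""
    stats = {}
    for line in lines:
        m = DENIED.match(line)
        if not m:
            continue  # any other error_log line is ignored
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        ip = m.group("ip")
        count, first, last = stats.get(ip, (0, ts, ts))
        stats[ip] = (count + 1, min(first, ts), max(last, ts))
    return stats

def marker_ips(log_dir):
    """IPs for which mod_evasive wrote a dos-<ip> marker file into DOSLogDir."""
    return {n[len("dos-"):] for n in os.listdir(log_dir) if n.startswith("dos-")}

def reconcile(lines, log_dir):
    """Cross-check marker files against error_log: a marker with no denial line
    means the block happened but its 403s are not in this log (e.g. it was rotated)."""
    denied = parse_denials(lines)
    markers = marker_ips(log_dir)
    return {"blocked_and_logged": sorted(markers & set(denied)),
            "marker_only": sorted(markers - set(denied)),
            "denied_counts": {ip: s[0] for ip, s in denied.items()}}

# constructed sample in the format shown above (not real captured data)
SAMPLE_LOG = """\
[Tue Aug 23 07:00:26 2011] [error] [client 192.168.1.104] client denied by server configuration: /usr/local/apache2/htdocs/
[Tue Aug 23 07:00:26 2011] [error] [client 192.168.1.104] client denied by server configuration: /usr/local/apache2/htdocs/
[Tue Aug 23 07:00:27 2011] [error] [client 192.168.1.94] client denied by server configuration: /usr/local/apache2/htdocs/logo.png
[Tue Aug 23 07:00:28 2011] [notice] Apache/2.0.59 (Unix) PHP/5.2.6 configured -- resuming normal operations
""".splitlines()

def demo():
    """Constructed DOSLogDir with marker files for two clients, only one of which is in the log."""
    with tempfile.TemporaryDirectory() as log_dir:
        for ip in ("192.168.1.101", "192.168.1.104"):
            open(os.path.join(log_dir, "dos-" + ip), "w").close()
        return reconcile(SAMPLE_LOG, log_dir)
```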

========================================================================
The following is from another blogger; if my notes are unclear, read his. Source:

http://hi.baidu.com/suantop/blog/item/33f392a423bbbbe59152ee01.html

Installing modsecurity (mod_security strengthens Apache's security and is particularly effective against SQL injection):
# tar zxvf modsecurity-apache-1.9.tar.gz
# cd modsecurity-apache-1.9/apache2/
# /apache2/bin/apxs -cia mod_security.c

Open httpd.conf and add the following.
Check whether it contains
LoadModule security_module    modules/mod_security.so
and add it if it does not.

Add a mod_security configuration block

<IfModule mod_security.c>
SecFilterEngine On
SecFilterCheckURLEncoding On
SecFilterDefaultAction "deny,log,status:500"
#SecFilterForceByteRange 32 126
#SecFilterScanPOST On
SecAuditLog logs/audit_log
###
SecFilter "\.\./"
#####
SecFilter /etc/*passwd
SecFilter /bin/*sh

#for css attack
SecFilter "<( |\n)*script"
SecFilter "<(.| )+>"
#for sql attack
SecFilter "delete[ ]+from"
SecFilter "insert[ ]+into"
SecFilter "select.+from"
SecFilter "union[ ]+from"
SecFilter "drop[ ]"
</IfModule>
