automatic blacklisting in load balanced environment
December 9, 2008 6:25 PM

How can we automatically block DOS type attacks in a load balanced environment? We used to have mod_evasive on Apache, but now Apache is behind a load balancer and so does not see the external IPs. We are manually blacklisting IPs in Shorewall - but would like something on the load balancer to do this automatically on detection. Running Linux, Shorewall, Apache and Pound as load balancer.
posted by Dag Maggot to Computers & Internet (7 answers total)
 
What about running Apache on the "outside"? I'm assuming, from your description, that you're running Pound on an external-facing machine and Apache on your backend systems, and using Pound to stripe requests across the backend servers.

If you put another Apache instance in front of Pound, you can still use mod_evasive, mod_security, or whatever. The only question is whether you see a significant performance hit by adding another link into the proxy chain. Running before and after tests with Jmeter is a good way to benchmark this.

Your final configuration would look something like:

(Apache --> Pound) --> (Apache)

You'd be using a lot of ProxyPass and/or mod_rewrite on the external-facing Apache. You could potentially enable mod_cache on your external Apache and see an actual performance increase depending on what you're serving on the backend.
posted by larsks at 6:41 PM on December 9, 2008


Response by poster: That's an interesting idea. We're running load balanced to alleviate the load - having Apache out front to channel all traffic could defeat the purpose (especially as our load balancer is the most underpowered of all the boxes).

Although I guess if the front Apache is just passing through without rendering pages - the comparative load would be very small.
posted by Dag Maggot at 6:49 PM on December 9, 2008


Why pound + something? Couldn't you front end everything with apache + mod_proxy_balancer + mod_evasive?

You might also look into nginx. It gets a lot of use as a front end for load balancing and serving static files. I think the ngx_http_limit_zone_module can be used to deal with excessive connections from a given client; it doesn't look as flexible as mod_evasive, but it might do the job for you.
posted by Good Brain at 10:47 PM on December 9, 2008


Best answer:
but now Apache is behind a load balancer and so does not see the external IPs
Not that it solves this problem, as I assume you want to drop the bad connections before getting as far as receiving their headers, but Pound does add an X-Forwarded-For header, so Apache actually can still see the clients' IPs. (Clients behind their own proxies may have a comma-separated list of IPs in there, however, so watch out for that.)

posted by finite at 11:18 PM on December 9, 2008


You could do the IP blacklisting at the shorewall level [via].
posted by Tobu at 1:55 AM on December 10, 2008


Denyhosts? Works for me on my Linux box. Since installing it and turning on auto-update of known bad hosts, the number of login attempt entries in my security log has gone down to practically nothing.
posted by caution live frogs at 7:52 AM on December 10, 2008


Response by poster: We wound up putting mod_evasive on both instances of the backend web servers - and using the X-Forwarded-For header to get the original IP address. Thanks heaps!
posted by Dag Maggot at 8:42 PM on December 14, 2008
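Added example, not code from this thread or from Pound, mod_evasive or Shorewall: a small Python model of what the poster's final setup has to get right. It recovers the client address from X-Forwarded-For by walking the header from the right and skipping only hops that are known proxies (so a client-supplied entry cannot be used to dodge or redirect a block, and the comma-separated case finite mentions is handled), then applies a mod_evasive-style sliding-window limit per client and emits the list of addresses you would hand to the firewall. The proxy addresses, thresholds and sample traffic are all constructed for the example.

```python
"""mod_evasive-style per-client limiter behind a load balancer (added example)."""
from collections import deque
import ipaddress

# Constructed: addresses of our own proxies. 10.0.0.1 plays the Pound box,
# 10.0.0.2 an optional Apache instance placed in front of it.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.1"), ipaddress.ip_address("10.0.0.2")}


def client_ip(remote_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Return the address to rate-limit on.

    Assumption: each proxy appends the peer address it saw to X-Forwarded-For,
    so the right-most entry was written by the last hop and is trustworthy.
    Entries further left came from the client or its own proxies and may be
    forged, so we only step left while the hop we are skipping is one of ours.
    """
    if ipaddress.ip_address(remote_addr) not in trusted:
        return remote_addr  # did not come via our balancer; header is untrusted
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop walking rather than guess
        if addr not in trusted:
            return str(addr)
    return remote_addr  # header empty or every hop was one of our proxies


class EvasiveLimiter:
    """Sliding-window hit counter per client, roughly mod_evasive's model:
    more than `limit` hits within `window` seconds and the client is blocked
    for `block_for` seconds."""

    def __init__(self, limit=10, window=1.0, block_for=10.0):
        self.limit, self.window, self.block_for = limit, window, block_for
        self.hits = {}     # ip -> deque of request timestamps
        self.blocked = {}  # ip -> time at which the block expires

    def check(self, ip, now):
        """True if the request may proceed, False if the client is blocked."""
        until = self.blocked.get(ip)
        if until is not None:
            if now < until:
                return False
            del self.blocked[ip]
        q = self.hits.setdefault(ip, deque())
        q.append(now)
        while q and q[0] <= now - self.window:
            q.popleft()  # drop hits that fell out of the window
        if len(q) > self.limit:
            self.blocked[ip] = now + self.block_for
            q.clear()
            return False
        return True

    def blacklist(self, now):
        """Addresses currently blocked: what a Shorewall/iptables hook would consume."""
        return sorted(ip for ip, until in self.blocked.items() if now < until)


def constructed_traffic():
    """Constructed sample traffic as (time, remote_addr, x_forwarded_for).
    Everything except the last request arrives from the Pound box."""
    reqs = []
    for i in range(15):  # one client hammering the site, forging a leading XFF entry
        reqs.append((0.03 * i, "10.0.0.1", f"192.0.2.{i}, 198.51.100.7"))
    for i in range(5):   # ordinary user behind a corporate proxy, a few hits per second
        reqs.append((0.2 * i, "10.0.0.1", "203.0.113.5, 192.0.2.10"))
    reqs.append((0.5, "172.16.0.9", None))  # hit the backend directly, no balancer
    return sorted(reqs, key=lambda r: r[0])


def replay(requests, limiter=None):
    """Run traffic through the limiter; return {ip: (allowed, denied)} and the blacklist."""
    limiter = limiter or EvasiveLimiter(limit=10, window=1.0, block_for=10.0)
    outcome = {}
    now = 0.0
    for now, remote, xff in requests:
        ip = client_ip(remote, xff)
        allowed, denied = outcome.get(ip, (0, 0))
        if limiter.check(ip, now):
            outcome[ip] = (allowed + 1, denied)
        else:
            outcome[ip] = (allowed, denied + 1)
    return outcome, limiter.blacklist(now)


if __name__ == "__main__":
    outcome, blocked = replay(constructed_traffic())
    for ip, (ok, no) in sorted(outcome.items()):
        print(f"{ip:15} allowed={ok:2} denied={no:2}")
    print("block these:", blocked)
```

Two things the replay makes visible: the forged left-hand entries never become the key, because the walk stops at the first address our proxies did not write; and the user behind a corporate proxy is keyed on that proxy's address rather than the claimed internal one, which is the safe choice when you cannot verify the rest of the chain. Chaining a front Apache before Pound, as suggested above, just adds one more trusted hop to skip.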

