Protecting Debian Lenny against Slowloris Denial of Service attack with mod_antiloris
In my previous posts I've written about some possible ways to protect against slowloris on Debian with the mod_qos module.
For more on mod_qos see here.
This solution to the denial of service attack, to which probably at least 40 percent of the Apache webservers online are still vulnerable, is not really applicable on 64-bit Debian GNU/Linux.
I installed mod_qos on a Debian Linux running an amd64 kernel and used the Apache server with this module for just a few days on a newly configured production Linux server running mostly PHP applications built on top of Zend Framework.
At first all looked fine: mod_qos was up and running and defending the Apache webserver from the nasty slowloris DoS attack. However, at a certain point the PHP application developers reported that Apache was crashing while executing some of the PHP code developed by the programming team.
After a quick examination of the Apache error logs I realized the Apache crashes were caused by misbehavior of the mod_qos module.
Realizing that mod_qos was causing the Apache segfaults on the amd64 architecture, I abandoned the idea of using it, and after some time spent researching what I could use as a substitute to protect against the Slowloris DoS attack I found mod_antiloris.
Mod_antiloris is a tiny Apache module dedicated only to being a workaround (fix) for Apache against the Slowloris denial of service.
Though the package is officially included in Debian Sid and is in the testing/unstable Debian repositories, it's still not available via the official Debian repositories in Lenny, nor through Debian Lenny backports.
Therefore the only way to install this module, which in my humble view is compulsory to guarantee some security against modern Denial of Service attacks, is to compile it from source.
So here is how to install the mod_antiloris module on Debian Lenny
via source:
1. Download and untar (unarchive) the mod_antiloris
debian-server:~# wget ftp://ftp.monshouwer.eu/pub/linux/mod_antiloris/mod_antiloris-0.4.tar.bz2
debian-server:~# tar -jxvvf mod_antiloris-0.4.tar.bz2
debian-server:~# cd mod_antiloris-0.4/
2. Install the header files and Apache development programs necessary for the compilation of mod_antiloris
debian-server:~# apt-get install gcc apache2-threaded-dev
3. Compile the mod_antiloris module
debian-server:~# /usr/bin/apxs2 -i -c mod_antiloris.c
4. Create the necessary configuration file and enable the mod_antiloris module in Apache
debian-server:~# echo "LoadModule antiloris_module /usr/lib/apache2/modules/mod_antiloris.so" > /etc/apache2/mods-available/antiloris.load
debian-server:~# a2enmod antiloris
Enabling module antiloris.
Run '/etc/init.d/apache2 restart' to activate new configuration!
5. Restart the Apache WebServer
debian-server:~# /etc/init.d/apache2 restart
6. Use the slowloris.pl Denial of Service tool to make sure Apache is secured by mod_antiloris and no longer vulnerable to the slowloris attack
debian-server:~# perl slowloris.pl -dns yourdomainname.com -port 80 -timeout 1 -num 200 -cache
Open an SSH connection to some free shell with a text browser (lynx or links), or to some other Linux system you have access to, or use some proxy, to test whether your webserver is responding while the above attack is running.
If after the test your webserver serves your hosted webpages normally, then congrats, you're secure!
You can sleep well at night with fewer worries about Denial of Service attacks :)
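
A check for steps 3 to 5, added here as an example and not part of the original post: it confirms that the files those steps create are in place and that the LoadModule line in antiloris.load sits on a single line, since a line break inside the quoted echo argument leaves a file Apache cannot load. The function names, the ROOT prefix argument and the --live switch are assumptions of this example; the paths are the ones used above.

```shell
#!/bin/sh
# Added example (not from the original post): verify the result of steps 3-5.

# check_antiloris_files ROOT
# ROOT is a hypothetical path prefix ("" for the live system), so the same
# checks can run against a chroot or a copy of the filesystem.
check_antiloris_files() {
    root="${1:-}"
    so="$root/usr/lib/apache2/modules/mod_antiloris.so"
    avail="$root/etc/apache2/mods-available/antiloris.load"
    enabled="$root/etc/apache2/mods-enabled/antiloris.load"

    # Step 3: apxs2 -i installs the compiled module here.
    [ -f "$so" ] || { echo "missing: $so" >&2; return 1; }
    # Step 4: the .load file must exist ...
    [ -f "$avail" ] || { echo "missing: $avail" >&2; return 1; }
    # ... and carry the whole directive on ONE line.
    grep -Eq '^[[:space:]]*LoadModule[[:space:]]+antiloris_module[[:space:]]+/usr/lib/apache2/modules/mod_antiloris\.so[[:space:]]*$' "$avail" \
        || { echo "bad LoadModule line in $avail" >&2; return 1; }
    # Step 4: a2enmod links the file into mods-enabled.
    [ -e "$enabled" ] || [ -L "$enabled" ] \
        || { echo "not enabled: run a2enmod antiloris" >&2; return 1; }
    echo "files ok"
}

# module_loaded: reads a module listing, as printed by `apache2ctl -M`,
# on stdin and succeeds only if antiloris_module is in it.
module_loaded() {
    grep -Eq '^[[:space:]]*antiloris_module([[:space:]]|$)'
}

# Live check after step 5 (restart): sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    if check_antiloris_files "" && apache2ctl -M 2>&1 | module_loaded; then
        echo "antiloris_module is loaded"
    else
        echo "antiloris_module is NOT loaded" >&2
        exit 1
    fi
fi
```
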