Defending Apache on FreeBSD from Slowloris Denial
of Service Attack (DoS) with mod_antiloris
Here is a quick way to defend
FreeBSD 7.2-RELEASE-p4 system
from the Recent
Apache Slowloris Denial of Service.
1. Install the mod_antiloris freebsd Port
freebsd# cd /usr/ports/www/mod_antiloris
freebsd# make install clean
2. Edit your /usr/local/etc/httpd.conf
Find the following line in your
bsd httpd.conf:
#LoadModule antiloris_module
libexec/apache2/mod_antiloris.so
As you can see the LoadModule line loading the mod_antiloris
slowloris Denial of Service prevention is commented, so you will
have to uncomment it to read as:
freebsd# vim /usr/local/etc/httpd.conf
LoadModule antiloris_module
libexec/apache2/mod_antiloris.so
Next we restart the Apache Webserver in order to load the newly
enabled module mod_antiloris in Apache.
However before the Apache restart, we check Apache configurations
are fine to be sure Apache will re-launch, after restart.
freebsd# /usr/local/etc/rc.d/apache2 configtest
Performing sanity check on apache2 configuration:
Syntax OK
Now as we have assured ourselves Apache httpd.conf syntax is fine
we restart the Webserver.
freebsd# /usr/local/etc/rc.d/apache2 restart
Syntax OK
Stopping apache2.
Waiting for PIDS: 60920.
Performing sanity check on apache2 configuration:
Syntax OK
Starting apache2.
Of course all the above simplified install example assumes your
port tree is uptodate.
I did the install on my FreeBSD box:
FreeBSD pcfreak 7.2-RELEASE-p4 FreeBSD 7.2-RELEASE-p4 #0:
Fri Oct 2 12:21:39 UTC 2009
root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC
i386
If your ports tree is update the upper install mod_antiloris
FreeBSD install guide will be all you need.
Yet if your port tree is not update you might consider updating
your port tree before you proceed.
You might like to use
my FreeBSD 7.2
stable supfile downloadable from here
To update simply using the
my FreeBSD 7.2
supfile then issue the following commands:
freebsd# cd /etc/
freebsd# fetch
http://pc-freak.net/files/stable-supfile-7.2
freebsd# csup -g -L 2 /etc/stable-supfile-7.2
There as you should have the latest stable port tree for FreeBSD
7.2, then just continue step by step from as explained in Step 1.
hereinbefore.
I'm convinced the installation on FreeBSD 7, 7.x and FreeBSD 8 and
8.x will be analogous.
So I hope this small article will be helpful to somebody of the
FreeBSD novice crowd out there.
If you want to be absolutely sure The Apache is Secured against the
Slowloris attack on your FreeBSD box,
download the slowloris
denial of service attack tool and issue Attack against your
Apache Web Server.
perl slowloris.pl -dns yourdomainname.com -port 80 -timeout 1
-num 300 -cache
That's all folks!