Index: libapache-mod-dosevasive/README
===================================================================
--- libapache-mod-dosevasive.orig/README 2019-07-08 18:06:20.466325459 +0200
+++ libapache-mod-dosevasive/README 2019-07-08 18:06:20.462325412 +0200
@@ -179,6 +179,7 @@
DOSEmailNotify you@yourdomain.com
DOSSystemCommand "su - someuser -c '/sbin/... %s ...'"
DOSLogDir "/var/lock/mod_evasive"
+ DOSHTTPResponseCode 429
You will also need to add this line if you are building with dynamic support:
@@ -316,6 +317,14 @@
directory writable only to the user Apache is running as (usually root),
then set this in your httpd.conf.
+DOSHTTPResponseCode
+---------
+
+Choose an alternative HTTP response code to be returned when an IP is blocked.
+
+By default 403 HTTP_FORBIDDEN will be returned.
+
+
WHITELISTING IP ADDRESSES
IP addresses of trusted clients can be whitelisted to insure they are never
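Review bot: the new README section does not tell the administrator what happens with an out-of-range value: the handler in mod_evasive20.c silently falls back to 403 for anything outside 100-599, and the comment there cites RFC 7231, so the documentation should state the accepted range and the fallback (e.g. "Values outside 100-599 are ignored and 403 is used"). Also the underline `+---------` is shorter than `DOSHTTPResponseCode`; the other directive headings in this README use an underline of matching length.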
Index: libapache-mod-dosevasive/mod_evasive20.c
===================================================================
--- libapache-mod-dosevasive.orig/mod_evasive20.c 2019-07-08 18:06:20.466325459 +0200
+++ libapache-mod-dosevasive/mod_evasive20.c 2019-07-08 18:15:53.676497555 +0200
@@ -63,6 +63,7 @@
#define DEFAULT_SITE_INTERVAL 1 // Default 1 Second site interval
#define DEFAULT_BLOCKING_PERIOD 10 // Default for Detected IPs; blocked for 10 seconds
#define DEFAULT_LOG_DIR "/tmp" // Default temp directory
+#define DEFAULT_HTTP_RESPONSE_CODE HTTP_FORBIDDEN
/* END DoS Evasive Maneuvers Definitions */
@@ -117,8 +118,8 @@
static char *log_dir = NULL;
static char *system_command = NULL;
static const char *whitelist(cmd_parms *cmd, void *dconfig, const char *ip);
+static int http_response_code = DEFAULT_HTTP_RESPONSE_CODE;
int is_whitelisted(const char *ip);
-
/* END DoS Evasive Maneuvers Globals */
static void * create_hit_list(apr_pool_t *p, server_rec *s)
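Review bot: `static int http_response_code` is inserted between two function prototypes (`whitelist` and `is_whitelisted`) rather than next to the other `static` globals such as `log_dir` and `system_command` a few lines above; moving it up keeps the globals in one place, and the removed blank line before `/* END DoS Evasive Maneuvers Globals */` looks accidental.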
@@ -158,8 +159,8 @@
if (n != NULL && t-n->timestamp<blocking_period) {
- /* If the IP is on "hold", make it wait longer in 403 land */
- ret = HTTP_FORBIDDEN;
+ /* If the IP is on "hold", make it wait longer on blacklist */
+ ret = http_response_code;
n->timestamp = time(NULL);
/* Not on hold, check hit stats */
@@ -170,9 +171,9 @@
n = ntt_find(hit_list, hash_key);
if (n != NULL) {
- /* If URI is being hit too much, add to "hold" list and 403 */
+ /* If URI is being hit too much, add to "hold" list */
if (t-n->timestamp<page_interval && n->count>=page_count) {
- ret = HTTP_FORBIDDEN;
+ ret = http_response_code;
ntt_insert(hit_list, CLIENT_IP(r->connection), time(NULL));
} else {
@@ -192,9 +193,9 @@
n = ntt_find(hit_list, hash_key);
if (n != NULL) {
- /* If site is being hit too much, add to "hold" list and 403 */
+ /* If site is being hit too much, add to "hold" list */
if (t-n->timestamp<site_interval && n->count>=site_count) {
- ret = HTTP_FORBIDDEN;
+ ret = http_response_code;
ntt_insert(hit_list, CLIENT_IP(r->connection), time(NULL));
} else {
@@ -211,7 +212,7 @@
}
/* Perform email notification and system functions */
- if (ret == HTTP_FORBIDDEN) {
+ if (ret == http_response_code) {
char filename[1024];
struct stat s;
FILE *file;
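Review bot: the "was this request blocked?" decision is now written as `ret == http_response_code` here and again in the two later hunks, which ties the notification and logging logic to whatever code the administrator configured. A dedicated flag set at the same points as `ret = http_response_code` (or a small `static int is_blocked(int ret)` helper) would express the intent directly and keep the three comparisons from drifting apart if the block code is ever assigned elsewhere.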
@@ -246,13 +247,13 @@
} /* if (temp file does not exist) */
- } /* if (ret == HTTP_FORBIDDEN) */
+ } /* if (ret == http_response_code) */
} /* if (r->prev == NULL && r->main == NULL && hit_list != NULL) */
/* END DoS Evasive Maneuvers Code */
- if (ret == HTTP_FORBIDDEN
+ if (ret == http_response_code
&& (ap_satisfies(r) != SATISFY_ANY || !ap_some_auth_required(r))) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"client denied by server configuration: %s",
@@ -653,7 +654,21 @@
}
return NULL;
-}
+}
+
+static const char *
+get_http_response_code(cmd_parms *cmd, void *dconfig, const char *value) {
+ int n = strtol(value, NULL, 0);
+ // Allow HTTP response codes between 100 and 599 as per RFC 7231
+ if (n>=100 && n<600) {
+ http_response_code = n;
+ } else {
+ http_response_code = DEFAULT_HTTP_RESPONSE_CODE;
+ }
+
+ return NULL;
+}
+
/* END Configuration Functions */
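Review bot: `get_http_response_code` accepts trailing garbage and silently replaces invalid input with the default instead of rejecting it. `strtol(value, NULL, 0)` with a NULL end pointer means `429abc` parses as 429 and `abc` parses as 0, and base 0 also accepts octal and hex spellings; the out-of-range branch then resets to `DEFAULT_HTTP_RESPONSE_CODE` without any diagnostic, so a typo in httpd.conf goes unnoticed. Directive handlers can return an error string to make the configuration fail at startup, so something like
  char *end; long n = strtol(value, &end, 10);
  if (*value == '\0' || *end != '\0' || n < 400 || n > 599) return "DOSHTTPResponseCode must be a 4xx or 5xx status code";
would be safer; the 100-599 range from the comment admits 1xx, 2xx and 3xx codes, which make no sense as a block response. The function also sets a global, so a name such as `set_http_response_code` would be less misleading than `get_...`.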
@@ -689,6 +704,9 @@
AP_INIT_ITERATE("DOSWhitelist", whitelist, NULL, RSRC_CONF,
"IP-addresses wildcards to whitelist"),
+ AP_INIT_TAKE1("DOSHTTPResponseCode", get_http_response_code, NULL, RSRC_CONF,
+ "Set HTTP response code returned when IP is blocked"),
+
{ NULL }
};
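Review bot: the trailing `+` blank line before `{ NULL }` is a stray whitespace change; the other entries in this table are not separated by blank lines. The description string could also mention the accepted range, since it is what `httpd -L` shows the administrator.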