1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
|
Description: Handle conn_rec->remote_ip split in Apache 2.4
Author: Colin Watson <cjwatson@debian.org>
Forwarded: no
Last-Update: 2013-07-08
Index: b/mod_evasive20.c
===================================================================
--- a/mod_evasive20.c
+++ b/mod_evasive20.c
@@ -44,6 +44,13 @@
module AP_MODULE_DECLARE_DATA evasive20_module;
+#if AP_SERVER_MAJORVERSION_NUMBER > 2 || \
+ (AP_SERVER_MAJORVERSION_NUMBER == 2 && AP_SERVER_MINORVERSION_NUMBER >= 4)
+#define CLIENT_IP(conn) ((conn)->client_ip)
+#else
+#define CLIENT_IP(conn) ((conn)->remote_ip)
+#endif
+
/* BEGIN DoS Evasive Maneuvers Definitions */
#define MAILER "/bin/mail %s"
@@ -143,11 +150,11 @@
time_t t = time(NULL);
/* Check whitelist */
- if (is_whitelisted(r->connection->remote_ip))
+ if (is_whitelisted(CLIENT_IP(r->connection)))
return OK;
/* First see if the IP itself is on "hold" */
- n = ntt_find(hit_list, r->connection->remote_ip);
+ n = ntt_find(hit_list, CLIENT_IP(r->connection));
if (n != NULL && t-n->timestamp<blocking_period) {
@@ -159,14 +166,14 @@
} else {
/* Has URI been hit too much? */
- snprintf(hash_key, 2048, "%s_%s", r->connection->remote_ip, r->uri);
+ snprintf(hash_key, 2048, "%s_%s", CLIENT_IP(r->connection), r->uri);
n = ntt_find(hit_list, hash_key);
if (n != NULL) {
/* If URI is being hit too much, add to "hold" list and 403 */
if (t-n->timestamp<page_interval && n->count>=page_count) {
ret = HTTP_FORBIDDEN;
- ntt_insert(hit_list, r->connection->remote_ip, time(NULL));
+ ntt_insert(hit_list, CLIENT_IP(r->connection), time(NULL));
} else {
/* Reset our hit count list as necessary */
@@ -181,14 +188,14 @@
}
/* Has site been hit too much? */
- snprintf(hash_key, 2048, "%s_SITE", r->connection->remote_ip);
+ snprintf(hash_key, 2048, "%s_SITE", CLIENT_IP(r->connection));
n = ntt_find(hit_list, hash_key);
if (n != NULL) {
/* If site is being hit too much, add to "hold" list and 403 */
if (t-n->timestamp<site_interval && n->count>=site_count) {
ret = HTTP_FORBIDDEN;
- ntt_insert(hit_list, r->connection->remote_ip, time(NULL));
+ ntt_insert(hit_list, CLIENT_IP(r->connection), time(NULL));
} else {
/* Reset our hit count list as necessary */
@@ -209,27 +216,27 @@
struct stat s;
FILE *file;
- snprintf(filename, sizeof(filename), "%s/dos-%s", log_dir != NULL ? log_dir : DEFAULT_LOG_DIR, r->connection->remote_ip);
+ snprintf(filename, sizeof(filename), "%s/dos-%s", log_dir != NULL ? log_dir : DEFAULT_LOG_DIR, CLIENT_IP(r->connection));
if (stat(filename, &s)) {
file = fopen(filename, "w");
if (file != NULL) {
fprintf(file, "%ld\n", getpid());
fclose(file);
- LOG(LOG_ALERT, "Blacklisting address %s: possible DoS attack.", r->connection->remote_ip);
+ LOG(LOG_ALERT, "Blacklisting address %s: possible DoS attack.", CLIENT_IP(r->connection));
if (email_notify != NULL) {
snprintf(filename, sizeof(filename), MAILER, email_notify);
file = popen(filename, "w");
if (file != NULL) {
fprintf(file, "To: %s\n", email_notify);
- fprintf(file, "Subject: HTTP BLACKLIST %s\n\n", r->connection->remote_ip);
- fprintf(file, "mod_evasive HTTP Blacklisted %s\n", r->connection->remote_ip);
+ fprintf(file, "Subject: HTTP BLACKLIST %s\n\n", CLIENT_IP(r->connection));
+ fprintf(file, "mod_evasive HTTP Blacklisted %s\n", CLIENT_IP(r->connection));
pclose(file);
}
}
if (system_command != NULL) {
- snprintf(filename, sizeof(filename), system_command, r->connection->remote_ip);
+ snprintf(filename, sizeof(filename), system_command, CLIENT_IP(r->connection));
system(filename);
}
|
