Page 1 of 1

Add mod_qos to CSF

Posted: 26 Sep 2011, 05:42
by Sergio
Hi Jonathan,
is it possible to add mod_qos to CSF?

Regards,

Sergio

Re: Add mod_qos to CSF

Posted: 30 Sep 2011, 10:28
by chirpy
Do you mean the tos (Type of Service) option in iptables, or something else?

Code: Select all

iptables -m tos -h

Re: Add mod_qos to CSF

Posted: 01 Oct 2011, 05:40
by Sergio
Hi Jonathan,
I am referring to the new apache option called "mod_QoS" (quality of service) it is kind of new. I have been working with it for a few days and I like it.

What it does is to check what IPs are iddle and discard them, I like it and could be a nice addition to CSF.

Regards,

Sergio

Re: Add mod_qos to CSF

Posted: 13 Oct 2011, 10:51
by chirpy
I don't really see how csf would have anything to do with it - what log lines are you thinking csf should scan to block IP addresses from?

Re: Add mod_qos to CSF

Posted: 14 Oct 2011, 04:53
by Sergio
Mod_qos checks for IPs that are doing nothing on the server, just wasting a connection slot, look at an example of few IPs on my server today, errors are in the apache error log:
The first list of blocked IPs looked very suspicious to me, this could be blocked automatically by CSF in my server:
[Thu Oct 13 16:43:16 2011] [error] [client 94.25.192.198 (Russia)] mod_qos(045): access denied, invalid request line: can't parse uri, c=94.25.192.198, id=TpdbdK6E8RIAAG3VUF8AAAAE
[Thu Oct 13 16:43:19 2011] [error] [client 46.118.40.130 (Ukraine)] mod_qos(045): access denied, invalid request line: can't parse uri, c=46.118.40.130, id=Tpdbd66E8RIAAGq2vkwAAAAD
[Thu Oct 13 16:43:22 2011] [error] [client 95.220.249.74 (Russia)] mod_qos(045): access denied, invalid request line: can't parse uri, c=95.220.249.74, id=Tpdbeq6E8RIAAGxWKVgAAAAC
[Thu Oct 13 16:43:26 2011] [error] [client 95.220.249.74 (Russia)] mod_qos(045): access denied, invalid request line: can't parse uri, c=95.220.249.74, id=Tpdbfq6E8RIAAG3OTUgAAAAA
[Thu Oct 13 16:43:34 2011] [error] [client 109.225.15.90 (Russia)] mod_qos(045): access denied, invalid request line: can't parse uri, c=109.225.15.90, id=Tpdbhq6E8RIAAG3OTUoAAAAA
[Thu Oct 13 16:43:36 2011] [error] [client 109.225.15.90 (Russia)] mod_qos(045): access denied, invalid request line: can't parse uri, c=109.225.15.90, id=TpdbiK6E8RIAAG7wYOsAAAAG
[Thu Oct 13 16:48:14 2011] [error] [client 77.191.188.33 (Germany)] mod_qos(045): access denied, invalid request line: can't parse uri, c=77.191.188.33, id=Tpdcnq6E8RIAAHl9hikAAAAO
[Thu Oct 13 16:57:30 2011] [error] [client 77.191.188.33 (Germany)] mod_qos(045): access denied, invalid request line: can't parse uri, c=77.191.188.33, id=Tpdeya6E8RIAAAve8MUAAAAG
[Thu Oct 13 16:58:21 2011] [error] [client 213.5.217.111 (Russia)] mod_qos(045): access denied, invalid request line: can't parse uri, c=213.5.217.111, id=Tpde-K6E8RIAAArfyWsAAAAT
Or this other blocks from IPs trying to laid in my server with nothing to do:
[Thu Oct 13 20:24:39 2011] [error] mod_qos(034): access denied, QS_SrvMinDataRate rule (in): min=166, this connection=0, c=190.114.144.162 (Argentine)
[Thu Oct 13 20:29:09 2011] [error] mod_qos(034): access denied, QS_SrvMinDataRate rule (in): min=178, this connection=0, c=190.225.220.97 (Argentine)
[Thu Oct 13 20:29:12 2011] [error] mod_qos(034): access denied, QS_SrvMinDataRate rule (in): min=174, this connection=0, c=190.225.220.97 (Argentine)
[Thu Oct 13 20:38:50 2011] [error] mod_qos(034): access denied, QS_SrvMinDataRate rule (in): min=178, this connection=0, c=190.127.237.139 (Colombia)
[Thu Oct 13 21:10:21 2011] [error] mod_qos(034): access denied, QS_SrvMinDataRate rule (in): min=230, this connection=0, c=190.179.172.185 (Argentine)
[Thu Oct 13 21:25:03 2011] [error] mod_qos(034): access denied, QS_SrvMinDataRate rule (in): min=178, this connection=0, c=66.87.71.191 (USA)
[Thu Oct 13 21:25:15 2011] [error] mod_qos(034): access denied, QS_SrvMinDataRate rule (in): min=178, this connection=0, c=66.87.71.191 (USA)
[Thu Oct 13 21:25:26 2011] [error] mod_qos(034): access denied, QS_SrvMinDataRate rule (in): min=198, this connection=0, c=66.87.71.191 (USA)
The IPs could be blocked just in case it is a denial of service in the form of a "SlowLoris" attack.

Regards,

Sergio

Re: Add mod_qos to CSF

Posted: 01 Mar 2012, 13:01
by Sergio
Thank you Chirpy, I see that finally it was added to CSF, appreciated.

Sergio

Re: Add mod_qos to CSF

Posted: 18 Dec 2013, 09:52
by craigedmonds
[Thu Oct 13 16:43:16 2011] [error] [client 94.25.192.198 (Russia)] mod_qos(045): access denied, invalid request line: can't parse uri, c=94.25.192.198, id=TpdbdK6E8RIAAG3VUF8AAAAE
Sergio, how do you get your logs to display the country name after the ip?

Mine just says... [Wed Dec 18 09:46:49 2013] [error] [client 78.175.166.177] mod_qos(045): access denied, invalid request line: can't parse uri, c=78.175.166.177, id=UrFvCW1LpMgAAF8qHLUAAAKI

Re: Add mod_qos to CSF

Posted: 24 Dec 2013, 01:26
by Sergio
craigedmonds wrote:
[Thu Oct 13 16:43:16 2011] [error] [client 94.25.192.198 (Russia)] mod_qos(045): access denied, invalid request line: can't parse uri, c=94.25.192.198, id=TpdbdK6E8RIAAG3VUF8AAAAE
Sergio, how do you get your logs to display the country name after the ip?

Mine just says... [Wed Dec 18 09:46:49 2013] [error] [client 78.175.166.177] mod_qos(045): access denied, invalid request line: can't parse uri, c=78.175.166.177, id=UrFvCW1LpMgAAF8qHLUAAAKI
Hi Craigedmonds,
I haven't done anything to CSF, it already displays the country name if your server is using geolite as part of the CSF script.

Sergio

Re: Add mod_qos to CSF

Posted: 22 Dec 2015, 07:58
by craigedmonds
Hi Craigedmonds,
I haven't done anything to CSF, it already displays the country name if your server is using geolite as part of the CSF script.

Sergio
Oh thats cool. How do I enable that in CSF.

I can see geolite blocking under Country Code Lists and Settings but not any way to make it display the country in the logs.