csf - mod_qos not working ?

Posted: 13 Aug 2019, 13:05
by chrismfz
I had issues with a weird attack so I've installed mod_qos on a cPanel server.
It seems to work:

Code:

[root@earth ~]# cat  /var/log/apache2/error_log | grep qos
[Tue Aug 13 13:26:01.064302 2019] [mpm_event:notice] [pid 25623:tid 47999883764800] AH00489: Apache/2.4.39 (cPanel) OpenSSL/1.0.2s Apache mod_bwlimited/1.4 mod_qos/11.63 configured -- resuming normal operations
[Tue Aug 13 13:26:23.753500 2019] [mpm_event:notice] [pid 25623:tid 47999883764800] AH00489: Apache/2.4.39 (cPanel) OpenSSL/1.0.2s Apache mod_bwlimited/1.4 mod_qos/11.63 configured -- resuming normal operations
[Tue Aug 13 13:26:31.793775 2019] [qos:error] [pid 17608:tid 48000214398720] mod_qos(034): access denied, QS_SrvMinDataRate rule (in:0): min=762, this connection=0, c=182.86.191.201
[Tue Aug 13 13:26:32.767286 2019] [qos:error] [pid 17473:tid 48000214398720] mod_qos(034): access denied, QS_SrvMinDataRate rule (in): min=694, this connection=0, c=114.236.17.84
[Tue Aug 13 13:26:33.772598 2019] [qos:error] [pid 17509:tid 48000214398720] mod_qos(034): access denied, QS_SrvMinDataRate rule (in): min=642, this connection=0, c=113.143.58.38
[Tue Aug 13 13:26:38.787867 2019] [qos:error] [pid 17607:tid 48000214398720] mod_qos(034): access denied, QS_SrvMinDataRate rule (in): min=778, this connection=0, c=119.7.85.23
[Tue Aug 13 13:26:39.771696 2019] [qos:error] [pid 17353:tid 48000214398720] mod_qos(034): access denied, QS_SrvMinDataRate rule (in): min=834, this connection=0, c=119.115.65.115
[Tue Aug 13 13:26:45.788533 2019] [qos:error] [pid 17607:tid 48000214398720] mod_qos(034): access denied, QS_SrvMinDataRate rule (in): min=838, this connection=0, c=114.236.18.114
[Tue Aug 13 13:26:50.774190 2019] [qos:error] [pid 17509:tid 48000214398720] mod_qos(034): access denied, QS_SrvMinDataRate rule (in:0): min=774, this connection=0, c=114.103.176.21
[Tue Aug 13 13:26:52.769251 2019] [qos:error] [pid 17473:tid 48000214398720] mod_qos(034): access denied, QS_SrvMinDataRate rule (in:0): min=890, this connection=0, c=87.202.125.201
[Tue Aug 13 13:26:53.773015 2019] [qos:error] [pid 17353:tid 48000214398720] mod_qos(034): access denied, QS_SrvMinDataRate rule (in): min=890, this connection=0, c=112.114.88.131
[Tue Aug 13 13:26:54.773176 2019] [qos:error] [pid 17353:tid 48000214398720] mod_qos(034): access denied, QS_SrvMinDataRate rule (in): min=866, this connection=0, c=123.179.87.235
[Tue Aug 13 13:27:01.790201 2019] [qos:error] [pid 17607:tid 48000214398720] mod_qos(034): access denied, QS_SrvMinDataRate rule (in): min=850, this connection=0, c=119.115.70.120
[Tue Aug 13 13:27:01.790226 2019] [qos:error] [pid 17607:tid 48000214398720] mod_qos(034): access denied, QS_SrvMinDataRate rule (in): min=850, this connection=0, c=114.223.165.61
....
....
....

And ruled out ~1600 IPs:

Code:

[root@earth ~]# cat  /var/log/apache2/error_log | grep qos | grep denied | wc -l
1609

but none of them are in the csf / ipset firewall.

In csf.conf I got:

Code:

# [*]Enable detection of repeated Apache mod_qos rule triggers
LF_QOS = "1"
LF_QOS_PERM = "7200"

so even with 1 rule it will block the IP,
but still, zero IPs are blocked.

Did I forget something?
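
A triage step for the situation in the post, as an added example that is not part of the original post: `wc -l` counts denied log lines, not distinct clients, so this groups the mod_qos denials by the `c=` address, applies a trigger threshold (the role `LF_QOS` plays), and lists the clients missing from a blocked-address list. The function names, the sample log lines and the blocked-address file (one IP per line, however it is exported from the firewall) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): per-client summary of mod_qos denials.

# Constructed sample in the error_log format shown in the post (documentation IPs).
qos_sample_log() {
cat <<'EOF'
[Tue Aug 13 13:26:01.064302 2019] [mpm_event:notice] [pid 100:tid 1] AH00489: Apache/2.4.39 mod_qos/11.63 configured -- resuming normal operations
[Tue Aug 13 13:26:31.793775 2019] [qos:error] [pid 101:tid 1] mod_qos(034): access denied, QS_SrvMinDataRate rule (in:0): min=762, this connection=0, c=192.0.2.10
[Tue Aug 13 13:26:32.767286 2019] [qos:error] [pid 102:tid 1] mod_qos(034): access denied, QS_SrvMinDataRate rule (in): min=694, this connection=0, c=198.51.100.7
[Tue Aug 13 13:26:33.772598 2019] [qos:error] [pid 101:tid 1] mod_qos(034): access denied, QS_SrvMinDataRate rule (in): min=642, this connection=0, c=192.0.2.10
[Tue Aug 13 13:26:38.787867 2019] [qos:error] [pid 103:tid 1] mod_qos(034): access denied, QS_SrvMinDataRate rule (in): min=778, this connection=0, c=203.0.113.5
[Tue Aug 13 13:26:39.771696 2019] [qos:error] [pid 101:tid 1] mod_qos(034): access denied, QS_SrvMinDataRate rule (in:0): min=834, this connection=0, c=192.0.2.10
EOF
}

# Print "<count> <ip>" for each client with a mod_qos denial, busiest first.
# The startup notice also contains "mod_qos", so match on [qos:error] + "access denied".
qos_denied_counts() {
    awk 'index($0, "[qos:error]") && index($0, "access denied") {
             for (i = 1; i <= NF; i++)
                 if ($i ~ /^c=/) { ip = substr($i, 3); sub(/,$/, "", ip); n[ip]++ }
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -k1,1nr -k2,2
}

# Print the clients with at least $2 denials (compare with the LF_QOS trigger count).
qos_over_threshold() {
    qos_denied_counts "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Print clients over the threshold that are absent from the blocked list in file $3
# (assumed format: one IP address per line).
qos_not_blocked() {
    qos_over_threshold "$1" "$2" | grep -vxF -f "$3" || true
}

# Demo on the constructed sample: denial count per client.
demo_log=$(mktemp)
qos_sample_log > "$demo_log"
qos_denied_counts "$demo_log"
rm -f "$demo_log"
```

Run against the real log, `qos_denied_counts /var/log/apache2/error_log` shows how many distinct clients are behind the denied lines and how often each one triggered the rule.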