mod_evasive DOSSystemCommand not working

Question

I'm trying to get mod_evasive to fire off a script to add an iptables rule to deny the offending host. I've tried the suggestions from both answers here but I still can't get it working. Apart from the post that's linked, I'm trying to run a script as outlined in this article.

My Apache config has this

DOSSystemCommand "sudo -u root /root/scripts/ban_ip.sh %s"

The script has this

#!/bin/sh

IP=$1
IPTABLES=/sbin/iptables

$IPTABLES -A banned -s $IP -p TCP -j DROP

echo "$IPTABLES -D banned -s $IP -p TCP -j DROP" | at now + 5 minutes

I've created a 'banned' chain (I've also just tried to add it to the INPUT chain to no avail)

My /etc/sudoers looks like this:

apache ALL=(root) NOPASSWD: /root/scripts/ban_ip.sh *

I've disabled SELinux to make sure it's not getting in the way. I can su apache --shell=/bin/bash and run sudo /root/scripts/ban_ip.sh 10.10.10.10 and it works just fine.

But when a source gets flagged as malicious in mod_evasion, it denies the host with 403s but it never runs the script, so I'm not really gaining any advantage here.

What else can I try to get this working?

Hello, I have the same problem. I sudoed apache user and all other configurations looks fine but still doesn't add ip to firewall. Did you found the solution? — Ergec, Sep 11 '13 at 08:25
No, I never did. We had another incident today where this solution would have saved us, so I'm going to give another go at trying to get it to work. I'll let you know if I find anything. — Safado, Sep 19 '13 at 02:00

score 7 · Answer 1 · answered Apr 11 '14 at 09:43

My system works! :)

Requeriments:

sudo
at
OPTIONAL: heirloom-mailx (in my case)

NOTE: You can use other mail agent and modify the script.

Now my configs:

mod_evasive (/etc/apache2/mods-enabled/mod-evasive.conf)

<IfModule mod_evasive20.c>
 DOSHashTableSize    3097
 DOSPageCount        10
 DOSSiteCount        150
 DOSPageInterval     2
 DOSSiteInterval     2
 DOSBlockingPeriod   10
 DOSSystemCommand "sudo /usr/local/bin/ddos_system.sh %s"
 DOSLogDir           "/tmp"
</IfModule>

sudoers

www-data ALL=NOPASSWD: /sbin/iptables *, /usr/bin/at *

ddos_system.sh (copy to /usr/local/bin)

#!/bin/bash
#set -x
[ -z $1 ] && (echo "Usage: $0 <sourceip>"; exit 1)
[ -x /usr/bin/at ] || (echo "Please, install 'at'"; exit 1)

#############
## OPTIONS
#

SOURCEIP="$1"
HOSTNAME=$(/bin/hostname -f)
BODYMAIL="/tmp/bodymailddos"
MODEVASIVE_DOSLogDir="/tmp"

FROM="Anti DDOS System <ddos@yourfromdomain.foo>"

# Multiple accounts separated by commas
TO="admin@yourfromdomain.foo user@yourfromdomain.foo"

# Time-units can be minutes, hours, days, or weeks
BANNEDTIME="1 minute"

#
##
############

# Custom mail message
{
echo "Massive connections has been detected from this source IP: $SOURCEIP

The system has blocked the IP in the firewall for $BANNEDTIME. If the problem persist you should block that IP permanently.

- Anti DDOS System -"
} > $BODYMAIL

/sbin/iptables -I INPUT -s $SOURCEIP -j DROP
echo "/sbin/iptables -D INPUT -s $SOURCEIP -j DROP" | at now + $BANNEDTIME
cat $BODYMAIL | /usr/bin/mail -r "$FROM" -s "DDOS Attack Detected - $HOSTNAME" $TO
rm -f "$MODEVASIVE_DOSLogDir/dos-$SOURCEIP"

MINI FAQ

Q: What about the last line? (rm -f ...)

A: When mod_evasive detect some attacks It create file (lock file) in "DOSLogDir" with the name "dos-[sourceip]" (ex. dos-8.8.8.8) and execute the "DOSSystemCommand" once until that file disappear. So when you execute "iptables" you should remove the lock file for the next check.

Tested in Debian 7.

Good luck, regards.

score 3 · Answer 2 · answered Jul 03 '15 at 16:16

I tried the approach from Beast response (thanks!!) and had to change this fragment to make it work:

/sbin/iptables -I INPUT -s $SOURCEIP -j DROP
echo "/sbin/iptables -D INPUT -s $SOURCEIP -j DROP" | at now + $BANNEDTIME

Basically I had to add sudo to the commands /sbin/iptables and at inside the script:

sudo /sbin/iptables -I INPUT -s $SOURCEIP -j DROP
echo "sudo /sbin/iptables -D INPUT -s $SOURCEIP -j DROP" | sudo at now + $BANNEDTIME

It took me a while to notice this so I hope posting here can help others trying this solution.

jit · Answer 3 · 2022-02-25T16:08:02.847

I was working on a project recently when I came upon this question about mod_evasive. While the most voted answer was the one I needed which partially solved my problem, I wouldn't recommend it to anybody as it has a serious security loophole. While it is not recommended to allow www-data user to run sudo, no user should be allowed to run the at command with sudo privileges with NOPASSWD! The at command can be used to escalate privileges to root with just a simple command if it is allowed to run with sudo without password. For e.g, take a look at this image:- privilege escalation with at command

┌──(rootPhoenix)-[~/Documents]
└─# su - www-data --shell=/bin/bash
www-data@Phoenix:~$ 
www-data@Phoenix:~$ sudo -l
Matching Defaults entries for www-data on localhost:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on localhost:
    (root) NOPASSWD: /sbin/iptables *, /usr/bin/at *
www-data@Phoenix:~$ 
www-data@Phoenix:~$ echo "/bin/sh <$(tty) >$(tty) 2>$(tty)" | sudo at now; tail -f /dev/null
warning: commands will be executed using /bin/sh
job 2 at Fri Feb 25 20:16:00 2022
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
# 
# whoami
root
#

Yes, its as simple and dangerous as that! So, how to solve the problem without using the at command? This is how I did it.

/etc/sudoers

www-data ALL=NOPASSWD: /sbin/iptables *

anti-ddos.sh

#!/bin/bash


IP=$1

sudo /sbin/iptables -t nat -I PREROUTING -p tcp -s $IP --dport 443 -j DNAT --to-destination 127.0.0.1:8080

sleep 60

sudo /sbin/iptables -t nat -D PREROUTING -p tcp -s $IP --dport 443 -j DNAT --to-destination 127.0.0.1:8080

rm -f "/var/log/mod_evasive/dos-$IP"

Here, I used the sleep command to delete the iptables IP block rule after 60 seconds which has the same effect as running at now + 1 minute. For sake of brevity I'm not giving all my configs. You can refer other answers as they have made a pretty good explanation of it. Stay secure, stay safe.

Note:- I don't have enough privileges to post images. Also, I don't like posting online like this but I couldn't withstand the serious security issue here and so, I created an account. :)

otterslide · Answer 4 · 2018-02-04T22:03:47.677

I managed to use the above answer by Beast to get it to work, but some tweaks were needed.

The sudoers file (/etc/sudoers) should have this line added, otherwise the script was not running:

www-data ALL=NOPASSWD: /usr/local/bin/ddos_system.sh *

These commands are needed as well to give proper permissions and safeguard the script.

mkdir /var/log/mod_evasive
chown www-data /var/log/mod_evasive

chown root /usr/local/bin/ddos_system.sh 
chmod 700 /usr/local/bin/ddos_system.sh

and I did not have to modify the script to add any sudo command.

I used

DOSLogDir           "/var/log/mod_evasive"

And also updated the script to use this path.