<IfModule mod_bw>
BandWidthModule On
ForceBandWidthModule On
LargeFileLimit .cvd 1 40000
LargeFileLimit .cdiff 1 400000
MaxConnection all 50
MinBandwidth all 20000
</IfModule>
If you run lighttpd, you can use the following:
$HTTP["url"] =~ "\.cvd$" {
server.max-connections = 50
connection.kbytes-per-second = 40
}
$HTTP["url"] =~ "\.cdiff$" {
server.max-connections = 50
connection.kbytes-per-second = 400
}
If you run Nginx, you can use the following (without a limit on simultaneous connections):
if ( $request_uri ~ "\.cvd$" ) {
set $limit_rate 40k;
}
if ( $request_uri ~ "\.cdiff$" ) {
set $limit_rate 400k;
}
You can also use mod_cband to limit the download speed.
The source is available at http://cband.linux.pl/download/ or http://sourceforge.net/projects/cband/
Just run
./configure
make
make install
Add the module to your Apache config by manually adding it to /etc/apache2/httpd.conf
LoadModule cband_module /usr/lib/apache2/modules/mod_cband.so
Edit the config for the vhost and add
<IfModule mod_cband.c>
CBandSpeed 20kb/s 100 300
CBandRemoteSpeed 20kb/s 100 300
</IfModule>
This limits the download speed to 20kb/s, allows 100 requests/second and a max of 300 connections. To improve mod_cband's performance add
CBandScoreFlushPeriod 1
CBandRandomPulse On
to /etc/httpd/conf/httpd.conf. Done. Now restart Apache. If you would like a scoreboard, set something like
<IfModule mod_cband.c>
CBandSpeed 20kb/s 100 300
CBandRemoteSpeed 20kb/s 100 300
<Location /cband-status>
SetHandler cband-status
</Location>
</IfModule>
Create the directory for CBandScoreboard and make it writable by the Apache user:
chown wwwrun.www /srv/www/scoreboard/
The status page can be found at http://your-domain/cband-status.
With mod_cband you can also limit the download speed based on monthly traffic or the source IP. For more information see http://codee.pl/cband_documentation.html
-- FlorianSchaal - 2011-07-14
#!/bin/bash
# Load the sync settings used below (RSYNC_USER, RSYNC_PASSWORD, MODULE, TO)
. "$HOME/etc/clam-clientsync.conf"
export RSYNC_PASSWORD
rsync "$RSYNC_USER@rsync.clamav.net::$MODULE/local_blacklist_apache" "$TO/.htaccess"
or for lighttpd:
#!/bin/bash
# Load the sync settings used below (RSYNC_USER, RSYNC_PASSWORD, MODULE)
. "$HOME/etc/clam-clientsync.conf"
export RSYNC_PASSWORD
rsync "$RSYNC_USER@rsync.clamav.net::$MODULE/local_blacklist_lighttpd" /path/local_blacklist_lighttpd
An alternative script is available here:
$HTTP["host"] =~ "^(clamav\.yourhostname\.tld|.*\.clamav\.net)$" {
include "/path/local_blacklist_lighttpd"
}
SetEnvIfNoCase User-Agent "^clamav/0.6" bad_clamav
SetEnvIfNoCase User-Agent "^clamav/devel-2008" bad_clamav
SetEnvIfNoCase User-Agent "^ClamWin/0.6" bad_clamav
<Location "/">
Order allow,deny
Allow from all
Deny from env=bad_clamav
</Location>
lighttpd:
$HTTP["useragent"] =~ "^clam(av|Win)\/(0.[67]|.*devel).*$" {
url.access-deny = ( "" )
}
Nginx:
if ( $http_user_agent ~* "^clam(av|win)\/(0\.[67]|devel-200[0-8]|devel-0\.[0-8]).*$" ) {
return 404;
}
-- LucaGibelli - 2009-10-12
LogFormat "%h %v %l %u %t \"%r\" %>s \"%{Referer}i\" \"%{User-Agent}i\"" syslog
CustomLog /var/log/apache2/access.log syslog
As long as the log is written only to the pipe, no entries are stored. The configuration used here only evaluates the log. To also get an access log as a file, you must add either a destination to syslog-ng or another CustomLog to the Apache config.
2. Configure syslog-ng
source s_apache_access {
pipe("/var/log/apache2/access.log");
};
destination d_clamav-403 {
file("/proc/net/xt_recent/clamav-403"
template("+${APACHE.SRC-IP}\n"));
};
filter f_clamav_403 {
message('clamav.net')
and message(' 403 ');
};
parser p_apache_src_ip {
csv-parser(columns("APACHE.SRC-IP")
delimiters(': ')
flags(escape-none,greedy)
template("${MSGHDR}") );
};
log {
source(s_apache_access);
filter(f_clamav_403);
parser(p_apache_src_ip);
destination(d_clamav-403);
};
3. Iptables
iptables -A INPUT -p tcp --dport 80 -m recent --rcheck --name clamav-403 --seconds 3600 --hitcount 5 -j DROP
4. How it works
syslog-ng selects the Apache messages that contain both clamav.net and 403. The destination is /proc/net/xt_recent/clamav-403, and the template writes the source IP, prefixed with "+", to that file, which adds the IP to the firewall's list. Once an IP reaches "hitcount", it is blocked for "seconds".
If you replace the "--rcheck" here with "--update", the block will last even longer. The "--rcheck" option means: we will block you for the next hour. "--update" means: we don't want to see you for an hour, and if we see you again during this time, we'll block you again. It means that you actually need to be quiet for 60 minutes to be able to log in again.
By default xt_recent stores 100 IPs. You can change the limit with "modprobe ipt_recent ip_list_tot=10000" (here 10000). This is only possible before the first iptables rule is added.
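The difference between --rcheck and --update described above, replayed offline as an added example that is not part of the original page: a simplified Python model of the xt_recent list, fed from log lines in the LogFormat shown earlier. The vhost name, addresses and timings are constructed, and the model is an assumption about how the match behaves, not kernel code.

```python
import re
from collections import defaultdict

# The page's LogFormat: %h %v %l %u %t "%r" %>s "Referer" "User-Agent"
LINE = re.compile(r'^(?P<ip>\S+) (?P<vhost>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (?P<status>\d{3}) ')

def offending_ip(line):
    """Return the client IP for a 403 served on a clamav.net vhost, else None.
    Stricter than f_clamav_403, which only substring-matches the whole line."""
    m = LINE.match(line)
    if m and m["vhost"].endswith("clamav.net") and m["status"] == "403":
        return m["ip"]
    return None

class RecentList:
    """Simplified model of one xt_recent list (assumption, not kernel code;
    the per-entry timestamp cap is ignored)."""
    def __init__(self, seconds=3600, hitcount=5):
        self.seconds, self.hitcount = seconds, hitcount
        self.stamps = defaultdict(list)

    def add(self, ip, now):
        self.stamps[ip].append(now)      # effect of writing "+<ip>" to the proc file

    def dropped(self, ip, now, update=False):
        recent = [t for t in self.stamps[ip] if now - t <= self.seconds]
        hit = len(recent) >= self.hitcount
        if hit and update:               # --update also records the matching packet
            self.stamps[ip].append(now)
        return hit

def replay(log, ip, probe_times, update=False):
    """Feed (time, line) log events, then test packets from ip at probe_times."""
    rl = RecentList()
    for now, line in log:
        src = offending_ip(line)
        if src:
            rl.add(src, now)
    return [rl.dropped(ip, t, update) for t in probe_times]

# Constructed sample log; event times (seconds) are passed separately, the
# bracketed timestamp is filler. Documentation addresses, hypothetical vhost.
FMT = '{ip} db.example.clamav.net - - [12/Oct/2009:10:00:00 +0200] "GET /daily.cvd HTTP/1.0" {st} "-" "{ua}"'
LOG = [(t, FMT.format(ip="192.0.2.10", st=403, ua="clamav/0.65")) for t in (0, 10, 20, 30, 40)]
LOG += [(5, FMT.format(ip="198.51.100.7", st=200, ua="ClamAV/0.97"))]
PROBES = [600, 1200, 1800, 2400, 3000, 3600, 3700]

if __name__ == "__main__":
    print("rcheck:", replay(LOG, "192.0.2.10", PROBES))
    print("update:", replay(LOG, "192.0.2.10", PROBES, update=True))
```

With --rcheck the client that retries every ten minutes gets through again once its five 403 entries are older than an hour; with --update its own retries keep the entry fresh, so only a client that stays quiet for the full hour is let back in.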
Use
| Attachment | Size | Date | Who | Comment |
|---|---|---|---|---|
| clam-getbl | 0.4 K | 2010-09-13 - 09:28 | LucaGibelli | clam-getbl - a script by Imre Gergely |