Invalid command 'DOSHashTableSize' while adding the Mod_evasive Module In Apache

nikos 2017-02-15 09:48:38 UTC #1

Hello,

I am trying to add the Mod_evasive Module In Apache as described here:
https://docs.bitnami.com/aws/components/apache/#enable_mod_evasive_html

I followed all the instructions but when I try to restart Apache I get the following error:
"Invalid command 'DOSHashTableSize', perhaps misspelled or defined by a module not included in the server configuration apache config test fails, aborting"

Any help would be appreciated!!

jariza 2017-02-15 16:44:10 UTC #2

Hello @nikos

I just followed the guide and I could configure Mod_evasive in Apache without any issue. Could you please doublecheck that you followed all the steps and you didn't find any error on any of them?

The step:

 $ sudo tee /opt/bitnami/apache2/conf/modevasion.conf <<EOF
 #increases size of hash table. Good, but uses more RAM."
 DOSHashTableSize    3097"
 #Interval, in seconds, of the page interval."
 DOSPageInterval     1"
 #Interval, in seconds, of the site interval."
 DOSSiteInterval     1"
 #period, in seconds, a client is blocked.  The counter is reset to 0 with every access within this interval."
 DOSBlockingPeriod   10"
 #threshold of requests per page, per page interval.  If hit == block."
 DOSPageCount        2"
 #threshold of requests for any object by the same ip, on the same listener, per site interval."
 DOSSiteCount        50"
 #locking mechanism prevents repeated calls.  email can be sent when host is blocked (leverages the following by default  "/bin/mail -t %s")"
 DOSEmailNotify      mbrown@domainy.com"
 #locking mechanism prevents repeated calls.  A command can be executed when a host is blocked.  %s is the host IP."
 #DOSSystemCommand    \"su - someuser -c \'/sbin/... %s ...\'\""
 #DOSLogDir           \"/var/lock/mod_evasive\""
 #whitelist an IP., leverage wildcards, not CIDR, like 127.0.0.*"
 #DOSWhiteList 127.0.0.1"
 EOF

Can be also done opening with a edito (vim for example) the file /opt/bitnami/apache2/conf/modevasion.conf and adding the content:

 #increases size of hash table. Good, but uses more RAM."
 DOSHashTableSize    3097"
 #Interval, in seconds, of the page interval."
 DOSPageInterval     1"
 #Interval, in seconds, of the site interval."
 DOSSiteInterval     1"
 #period, in seconds, a client is blocked.  The counter is reset to 0 with every access within this interval."
 DOSBlockingPeriod   10"
 #threshold of requests per page, per page interval.  If hit == block."
 DOSPageCount        2"
 #threshold of requests for any object by the same ip, on the same listener, per site interval."
 DOSSiteCount        50"
 #locking mechanism prevents repeated calls.  email can be sent when host is blocked (leverages the following by default  "/bin/mail -t %s")"
 DOSEmailNotify      mbrown@domainy.com"
 #locking mechanism prevents repeated calls.  A command can be executed when a host is blocked.  %s is the host IP."
 #DOSSystemCommand    \"su - someuser -c \'/sbin/... %s ...\'\""
 #DOSLogDir           \"/var/lock/mod_evasive\""
 #whitelist an IP., leverage wildcards, not CIDR, like 127.0.0.*"
 #DOSWhiteList 127.0.0.1"

Best Regards,

Juan Ariza

nikos 2017-02-15 18:47:37 UTC #3

I went through the same procedure again and I modified the /opt/bitnami/apache2/conf/modevasion.conf file with the editor(nano).
I can see that this file is included at the end of the /opt/bitnami/apache2/conf/httpd.conf file (Include "/opt/bitnami/apache2/conf/modevasion.conf") but again I get the same error when I try to restart Apache.

I am trying to add the evasive module in order to control some weird traffic on my website. Actually everything started from the high CPU usage of php-fpm that I noticed couple of days ago.
I've already tried the following:

https://docs.bitnami.com/aws/components/apache/#how-to-deny-connections-from-botsattackers
Disabled php-fpm( https://docs.bitnami.com/aws/components/php-fpm/#how-to-disable-php-fpm)
Disable pageSpeed( https://docs.bitnami.com/aws/components/pagespeed/#how-to-disable-pagespeed)
As mentioned here: https://community.bitnami.com/t/high-cpu-usage-on-my-bitnami-lamp-stack/22025/9

Nothing works so far. The CPU usage is most of the time around 90-100%(httpd now). Shall I start another topic about this issue?

Thank you!!!

Nikos

jariza 2017-02-16 12:58:31 UTC #4

Hello @nikos

The performance issues are not easy to debug since there could be many reasons for it. Could you please provide us this information?

Server instance type.
Information on any additional cron jobs being run.
Could you check the list of processes consuming CPU and memory. Please log in to your machine console via SSH, execute the following command and provide us with the output:

ps -e -orss=,args= | sort -b -k1,1n | pr -TW$COLUMNS
ps -e -o pcpu,nice,state,cputime,args --sort -pcpu | head -10

In case of problems with the disk size, check the free disk space and which directories have a large number of files:

df -ih
df -h
cd /opt/bitnami
sudo find . -type f | cut -d "/" -f 2 | sort | uniq -c | sort -n
du -h -d

Best Regards,

Juan Ariza

nikos 2017-02-16 16:00:15 UTC #5

Hi again @jariza ,

Please see the answers of your questions below.

Server instance type: AWS EC2 m1.large (Ubuntu 12.04.5 LTS)
Information on any additional cron jobs being run: There are no additional cron jobs running.
Could you check the list of processes consuming CPU and memory. Please log in to your machine console via SSH, execute the following command and provide us with the output:

**ps -e -orss=,args= | sort -b -k1,1n | pr -TW$COLUMNS**
    0 [ata_sff]
    0 [bdi-default]
    0 [cpuset]
    0 [crypto]
    0 [devfreq_wq]
    0 [ecryptfs-kthrea]
    0 [ext4-dio-unwrit]
    0 [flush-202:1]
    0 [flush-202:80]
    0 [fsnotify_mark]
    0 [jbd2/xvda1-8]
    0 [kblockd]
    0 [kdevtmpfs]
    0 [khelper]
    0 [khubd]
    0 [khungtaskd]
    0 [khvcd]
    0 [kintegrityd]
    0 [kjournald]
    0 [ksmd]
    0 [ksoftirqd/0]
    0 [ksoftirqd/1]
    0 [kswapd0]
    0 [kthreadd]
    0 [kthrotld]
    0 [kworker/0:0]
    0 [kworker/0:1]
    0 [kworker/1:0]
    0 [kworker/1:1]
    0 [kworker/u:0]
    0 [kworker/u:1]
    0 [md]
    0 [migration/0]
    0 [migration/1]
    0 [netns]
    0 [sync_supers]
    0 [watchdog/0]
    0 [watchdog/1]
    0 [xenbus]
    0 [xenwatch]
  376 atd
  392 upstart-socket-bridge --daemon
  600 dhclient3 -e IF_METRIC=100 -pf /var/run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases -1 eth0
  640 upstart-udev-bridge --daemon
  660 acpid -c /etc/acpi/events -s /var/run/acpid.socket
  724 /sbin/udevd --daemon
  736 /bin/sh /opt/bitnami/mysql/bin/mysqld_safe --defaults-file=/opt/bitnami/mysql/my.cnf --port=3306 --socket=/opt/bitnami/mysql/tmp/mysql.sock --datadir=/opt/bitnami/mysql/data --log-error=/opt/bitnami/mysql/data/mysqld.log --pid-file=/opt/bitnami/mysql/data/mysqld.pid
  760 /sbin/udevd --daemon
  816 /sbin/getty -8 38400 tty1
  836 pr -TW272
  844 sort -b -k1,1n
  932 dbus-daemon --system --fork --activation=upstart
  972 /sbin/getty -8 38400 tty2
  972 /sbin/getty -8 38400 tty3
  972 /sbin/getty -8 38400 tty4
  972 /sbin/getty -8 38400 tty5
  972 /sbin/getty -8 38400 tty6
 1012 cron
 1044 ps -e -orss=,args=
 1172 top
 1192 /usr/sbin/nscd
 1288 /sbin/udevd --daemon
 1372 /usr/sbin/vsftpd
 1376 su
 1376 /usr/bin/monit -c /etc/monit/monitrc
 1380 su
 1476 rsyslogd -c5
 1580 sshd: user1@pts/4
 1584 sshd: user2@pts/0
 1636 sudo -u myApp ./myApp
 1640 sudo su
 1812 sudo su
 2080 bash
 2240 bash
 2280 /sbin/init
 2904 /usr/sbin/sshd -D
 3512 sshd: user1 [priv]
 3520 sshd: user2 [priv]
 4260 whoopsie
 4580 /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d
 5380 /opt/bitnami/apache2/bin/httpd -f /opt/bitnami/apache2/conf/httpd.conf
 8492 -bash
 8592 -bash
16896 /opt/bitnami/apache2/bin/httpd -f /opt/bitnami/apache2/conf/httpd.conf
29916 /opt/bitnami/apache2/bin/httpd -f /opt/bitnami/apache2/conf/httpd.conf
31128 /opt/bitnami/apache2/bin/httpd -f /opt/bitnami/apache2/conf/httpd.conf
43600 /opt/bitnami/apache2/bin/httpd -f /opt/bitnami/apache2/conf/httpd.conf
45824 /opt/bitnami/apache2/bin/httpd -f /opt/bitnami/apache2/conf/httpd.conf
46864 /opt/bitnami/apache2/bin/httpd -f /opt/bitnami/apache2/conf/httpd.conf
47716 /opt/bitnami/apache2/bin/httpd -f /opt/bitnami/apache2/conf/httpd.conf
49348 /opt/bitnami/apache2/bin/httpd -f /opt/bitnami/apache2/conf/httpd.conf
52556 /opt/bitnami/apache2/bin/httpd -f /opt/bitnami/apache2/conf/httpd.conf
52700 /opt/bitnami/apache2/bin/httpd -f /opt/bitnami/apache2/conf/httpd.conf
55528 /opt/bitnami/apache2/bin/httpd -f /opt/bitnami/apache2/conf/httpd.conf
56892 /opt/bitnami/apache2/bin/httpd -f /opt/bitnami/apache2/conf/httpd.conf
58348 /opt/bitnami/apache2/bin/httpd -f /opt/bitnami/apache2/conf/httpd.conf
58420 /opt/bitnami/apache2/bin/httpd -f /opt/bitnami/apache2/conf/httpd.conf
58576 /opt/bitnami/apache2/bin/httpd -f /opt/bitnami/apache2/conf/httpd.conf
59592 /opt/bitnami/apache2/bin/httpd -f /opt/bitnami/apache2/conf/httpd.conf
60040 /opt/bitnami/apache2/bin/httpd -f /opt/bitnami/apache2/conf/httpd.conf
60764 /opt/bitnami/apache2/bin/httpd -f /opt/bitnami/apache2/conf/httpd.conf
61204 /opt/bitnami/apache2/bin/httpd -f /opt/bitnami/apache2/conf/httpd.conf
62656 /opt/bitnami/apache2/bin/httpd -f /opt/bitnami/apache2/conf/httpd.conf
63632 /opt/bitnami/apache2/bin/httpd -f /opt/bitnami/apache2/conf/httpd.conf
63844 /opt/bitnami/apache2/bin/httpd -f /opt/bitnami/apache2/conf/httpd.conf
64964 /opt/bitnami/apache2/bin/httpd -f /opt/bitnami/apache2/conf/httpd.conf
64980 /opt/bitnami/apache2/bin/httpd -f /opt/bitnami/apache2/conf/httpd.conf
65324 /opt/bitnami/apache2/bin/httpd -f /opt/bitnami/apache2/conf/httpd.conf
66720 /opt/bitnami/apache2/bin/httpd -f /opt/bitnami/apache2/conf/httpd.conf
71720 /opt/bitnami/apache2/bin/httpd -f /opt/bitnami/apache2/conf/httpd.conf
75408 /opt/bitnami/apache2/bin/httpd -f /opt/bitnami/apache2/conf/httpd.conf
81268 /opt/bitnami/apache2/bin/httpd -f /opt/bitnami/apache2/conf/httpd.conf
81852 /opt/bitnami/apache2/bin/httpd -f /opt/bitnami/apache2/conf/httpd.conf
87864 /opt/bitnami/apache2/bin/httpd -f /opt/bitnami/apache2/conf/httpd.conf
213584 /opt/bitnami/mysql/bin/mysqld.bin --defaults-file=/opt/bitnami/mysql/my.cnf --basedir=/opt/bitnami/mysql --datadir=/opt/bitnami/mysql/data --plugin-dir=/opt/bitnami/mysql/lib/plugin --user=mysql --lower-case-table-names=1 --log-error=/opt/bitnami/mysql/data/mysqld.
362908 java -Xms1024m -Xmx1024m -XX:ReservedCodeCacheSize=128m -Duser.dir=/opt/bitnami/apps/myApp/htdocs -cp /opt/bitnami/apps/myApp/htdocs/lib/myApp.myApp-2.2.jar:/opt/bitnami/apps/myApp/htdocs/lib/junit-4.11.jar:/opt/bitnami/apps/myApp/htdocs/lib/dom4j-1.6.1.jar:/opt/bitnami/apps/d

ps -e -o pcpu,nice,state,cputime,args --sort -pcpu | head -10
    %CPU  NI S     TIME COMMAND
     6.0   0 S 00:01:40 /opt/bitnami/apache2/bin/httpd -f /opt/bitnami/apache2/conf/httpd.conf
     5.2   0 S 00:01:28 /opt/bitnami/apache2/bin/httpd -f /opt/bitnami/apache2/conf/httpd.conf
     5.1   0 S 00:01:18 /opt/bitnami/apache2/bin/httpd -f /opt/bitnami/apache2/conf/httpd.conf
     5.1   0 S 00:00:59 /opt/bitnami/apache2/bin/httpd -f /opt/bitnami/apache2/conf/httpd.conf
     5.0   0 S 00:01:23 /opt/bitnami/apache2/bin/httpd -f /opt/bitnami/apache2/conf/httpd.conf
     4.6   0 S 00:01:17 /opt/bitnami/apache2/bin/httpd -f /opt/bitnami/apache2/conf/httpd.conf
     4.6   0 S 00:00:28 /opt/bitnami/apache2/bin/httpd -f /opt/bitnami/apache2/conf/httpd.conf
 4.5   0 S 00:01:16 /opt/bitnami/apache2/bin/httpd -f /opt/bitnami/apache2/conf/httpd.conf
 4.5   0 S 00:01:09 /opt/bitnami/apache2/bin/httpd -f /opt/bitnami/apache2/conf/httpd.conf

And here's the output of the "top" command. It's mostly a few processes going up to 100% but now there are more processes with less CPU usage which has as a result to be again around 100% in total.

PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 2240 daemon    20   0  304m  63m 7272 R    4  0.8   1:16.94 httpd
 2418 daemon    20   0  316m  75m 6856 R    4  1.0   0:23.89 httpd
 2431 daemon    20   0  314m  72m 6456 R    4  1.0   0:13.14 httpd
 2447 daemon    20   0  318m  76m 6208 R    4  1.0   0:07.08 httpd
 1892 daemon    20   0  330m  89m 7624 R    4  1.2   1:33.30 httpd
 2462 daemon    20   0  306m  65m 6052 R    4  0.9   0:01.83 httpd
 2463 daemon    20   0  281m  40m 5968 R    4  0.5   0:00.80 httpd
 1427 daemon    20   0  302m  77m  20m R    3  1.0   2:12.00 httpd
 1431 daemon    20   0  319m  79m 7732 R    3  1.1   1:18.83 httpd
 1433 daemon    20   0  324m  83m 7756 R    3  1.1   2:22.04 httpd
 1437 daemon    20   0  308m  66m 7752 R    3  0.9   2:51.50 httpd
 1441 daemon    20   0  315m  76m 7812 R    3  1.0   1:35.96 httpd
 1443 daemon    20   0  317m  78m 7772 R    3  1.1   1:41.97 httpd
 1452 daemon    20   0  319m  96m  23m R    3  1.3   1:53.84 httpd
 1886 daemon    20   0  328m  87m 7596 R    3  1.2   1:38.73 httpd
 1891 daemon    20   0  326m  86m 7536 R    3  1.2   1:59.52 httpd
 2239 daemon    20   0  329m  88m 7592 R    3  1.2   1:23.53 httpd
 2241 daemon    20   0  316m  76m 7596 R    3  1.0   0:57.01 httpd
 2263 daemon    20   0  319m  79m 7232 R    3  1.1   2:23.45 httpd
 2368 daemon    20   0  318m  78m 6532 R    3  1.0   0:28.54 httpd
 2369 daemon    20   0  317m  77m 7068 R    3  1.0   0:26.80 httpd
 2370 daemon    20   0  316m  76m 6940 R    3  1.0   0:27.66 httpd
 2373 daemon    20   0  294m  55m 7088 R    3  0.7   0:31.71 httpd
 2374 daemon    20   0  281m  42m 7076 R    3  0.6   0:22.60 httpd
 2419 daemon    20   0  316m  75m 6468 R    3  1.0   0:25.09 httpd
 2425 daemon    20   0  324m  83m 6432 R    3  1.1   0:18.67 httpd
 2428 daemon    20   0  315m  73m 6288 R    3  1.0   0:16.75 httpd
 2430 daemon    20   0  316m  74m 6300 R    3  1.0   0:15.89 httpd
 2435 daemon    20   0  307m  65m 6488 R    3  0.9   0:12.75 httpd
 2436 daemon    20   0  318m  78m 6208 R    3  1.1   0:09.53 httpd
 2437 daemon    20   0  318m  77m 6916 R    3  1.0   0:16.94 httpd
 2439 daemon    20   0  319m  79m 6336 R    3  1.1   0:09.54 httpd
 2441 daemon    20   0  327m  85m 6208 R    3  1.1   0:09.69 httpd
 2443 daemon    20   0  314m  74m 6720 R    3  1.0   0:09.49 httpd
 2444 daemon    20   0  318m  77m 6216 R    3  1.0   0:08.30 httpd
 2445 daemon    20   0  308m  67m 6264 R    3  0.9   0:02.58 httpd
 2446 daemon    20   0  321m  80m 6428 R    3  1.1   0:04.70 httpd
 2448 daemon    20   0  317m  76m 5892 R    3  1.0   0:06.64 httpd
 2449 daemon    20   0  314m  73m 6288 R    3  1.0   0:04.83 httpd
 2450 daemon    20   0  316m  75m 6088 R    3  1.0   0:04.70 httpd
 2455 daemon    20   0  311m  69m 6036 R    3  0.9   0:02.85 httpd
 2456 daemon    20   0  316m  74m 5936 R    3  1.0   0:03.33 httpd
 2459 daemon    20   0  290m  50m 5988 R    3  0.7   0:01.37 httpd
 2465 daemon    20   0  284m  43m 6072 R    3  0.6   0:01.01 httpd
 2466 daemon    20   0  293m  53m 6148 R    3  0.7   0:00.99 httpd
 2472 daemon    20   0  271m  30m 5588 R    3  0.4   0:00.26 httpd
 2474 daemon    20   0  303m  60m 5936 R    3  0.8   0:01.39 httpd
 1428 daemon    20   0  320m  97m  27m R    3  1.3   1:18.53 httpd

In case of problems with the disk size, check the free disk space and which directories have a large number of files:
I am using two EBS volumes, 10GB(79% available) and 100GB(58% available)

sudo find . -type f | cut -d "/" -f 2 | sort | uniq -c | sort -n
      1 changelog.txt
      1 ctlscript.sh
      1 img
      1 manager-linux-x64.run
      1 properties.ini
      1 README.txt
      1 use_joomla
      3 var
      6 sqlite
      6 stats
      8 config
     13 scripts
     31 opensslfix
     64 licenses
    919 mysql
   3650 common
   9597 php
  22641 apache2
 237825 apps

Thank you for your help.

Nikos

tomasp 2017-02-17 15:30:43 UTC #6

Hello @nikos,

Would you mind send us the content of your "/opt/bitnami/apache2/conf/modevasion.conf" so we can try on our side?

There are a lot of httpd process running. Could you please check if your apache server is running in prefork, worker or event mode? To check this, please open the file /opt/bitnami/apache2/conf/httpd.conf and look for the following lines:

LoadModule mpm_event_module modules/mod_mpm_event.so
#LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
#LoadModule mpm_worker_module modules/mod_mpm_worker.so

Only one of the three above should be uncommented. In the above example apache is configured to work on event mode.

Please check the following guide to know about the recommended configuration for production.

https://docs.bitnami.com/?page=components&name=apache&section=why-mpm-event-and-php-fpm-is-recommended-for-production

Tomas

nikos 2017-02-20 10:08:26 UTC #7

Hello @tomasp,

I found what was causing the httpd processes to ran. I believe it's worth mentioning it for other users who might have a similar behavior in the future.
I have a Joomla application running on the server and I found that some files were containing malicious content. I used a tool from https://myjoomla.com/ to identify and remove these files and the CPU usage came back to normal again. Of course this has nothing to do with the bitnami configuration and it is most probable the file permissions and old Joomla plugins and components I had on the application.

As for the modevasion.conf file, you can find the content below:

#increases size of hash table. Good, but uses more RAM."
 DOSHashTableSize    3097"
 #Interval, in seconds, of the page interval."
 DOSPageInterval     1"
 #Interval, in seconds, of the site interval."
 DOSSiteInterval     1"
 #period, in seconds, a client is blocked.  The counter is reset to 0 with every access within this interval."
 DOSBlockingPeriod   10"
 #threshold of requests per page, per page interval.  If hit == block."
 DOSPageCount        2"
 #threshold of requests for any object by the same ip, on the same listener, per site interval."
 DOSSiteCount        50"
 #locking mechanism prevents repeated calls.  email can be sent when host is blocked (leverages the following by default  "/bin/mail -t %s")"
 DOSEmailNotify      mbrown@domainy.com"
 #locking mechanism prevents repeated calls.  A command can be executed when a host is blocked.  %s is the host IP."
 #DOSSystemCommand    \"su - someuser -c \'/sbin/... %s ...\'\""
 #DOSLogDir           \"/var/lock/mod_evasive\""
 #whitelist an IP., leverage wildcards, not CIDR, like 127.0.0.*"
 #DOSWhiteList 127.0.0.1"

Kind regards,

Nikos

davidg 2017-03-03 09:48:42 UTC #8

Thanks a lot for sharing your solution, I'm sure it will help other users. We are glad you found the issue.

Best regards.

Powered by Discourse, best viewed with JavaScript enabled

Bitnami provides free all-in-one installers, virtual machines and cloud images for popular open source applications. Get them now!

SugarCRM

Drupal

WordPress

Joomla!

Redmine