Release 2.3.0

Author: Joris Vandermeersch

CHANGELOG

@@ -1,3 +1,12 @@
+Version 2.3.0
+-----------
+
+[20240728] WebReusAbuse + jvdmr: Bugfix: segfault on empty config
+
+[20240728] jvdmr: Bugfix: count initialisation in apache 2.0 and windows apache 2.4
+
+[20240728] jvdmr: Add DOSWhitelistUri config option for Windows [EXPERIMENTAL/UNTESTED]
+
 Version 2.2.0
 -----------
 

Dockerfile

@@ -1,16 +1,45 @@
-FROM jvdmr/apache-dev:latest
+FROM jvdmr/apache-dev:latest AS build
 MAINTAINER @jvdmr
 
-EXPOSE 80
-
 ADD . /opt/jvdmr/apache2/mod_evasive
 WORKDIR /opt/jvdmr/apache2/mod_evasive
 
 RUN mv mod_evasive24.c mod_evasive.c && \
     /usr/bin/apxs -i -a -c -l pcre2-8 mod_evasive.c && \
 		apache2ctl configtest
 
-RUN cp mod_evasive.conf /etc/apache2/conf-enabled/mod_evasive.conf
-RUN cp test/sites.conf /etc/apache2/sites-enabled/sites.conf
+CMD bash
+
+
+FROM debian:stable AS test
+
+EXPOSE 80
+
+WORKDIR /opt/jvdmr/apache2/mod_evasive
+
+ARG test_path test/00_regular_config
 
+RUN apt-get update
+RUN apt-get -y install apache2
+
+COPY --from=build /usr/lib/apache2/modules/mod_evasive.so /usr/lib/apache2/modules/mod_evasive.so
+COPY --from=build /etc/apache2/mods-available/evasive.load /etc/apache2/mods-available/evasive.load
+
+RUN mkdir -p /opt/jvdmr/apache2/mod_evasive
+COPY ${test_path}/www /opt/jvdmr/apache2/mod_evasive/www
+COPY ${test_path}/etc/mod_evasive.conf /etc/apache2/conf-enabled/mod_evasive.conf
+COPY ${test_path}/etc/sites.conf /etc/apache2/sites-enabled/sites.conf
+
+RUN a2enmod evasive
 CMD service apache2 start && bash
+
+
+FROM jvdmr/apache-dev:latest AS package
+
+WORKDIR /opt/jvdmr/apache2/mod_evasive
+
+COPY --from=build /usr/lib/apache2/modules/mod_evasive.so /usr/lib/apache2/modules/mod_evasive.so
+COPY mod_evasive.conf /etc/apache2/conf-enabled/mod_evasive.conf
+COPY debian-build.sh debian-build.sh
+
+CMD bash

README.md

@@ -50,14 +50,14 @@ it maliciously.
 
 Five different module sources have been provided:
 
-* Apache v1.3 API: mod_evasive13.c (outdated)
-* Apache v2.0 API: mod_evasive20.c
 * Apache v2.4 API: mod_evasive24.c
 * Apache v2.4 API (windows): mod_evasive24win.c
+* Apache v2.0 API: mod_evasive20.c
+* Apache v1.3 API: mod_evasive13.c (outdated)
 * NSAPI (iPlanet): mod_evasiveNSAPI.c
 
 NOTE: mod_evasiveNSAPI is a port submitted by Reine Persson <[email protected]>
-      and is not officially supported as part of the mod_evasive project.
+	and is not officially supported as part of the mod_evasive project.
 
 # How it works
 
@@ -170,24 +170,24 @@ following block to your httpd.conf:
 ## Apache (1.3/2.0/2.4)
 ```
 <IfModule mod_evasive.c>
-    DOSEnabled          true
-    DOSHashTableSize    3097
-    DOSPageCount        2
-    DOSSiteCount        50
-    DOSPageInterval     1
-    DOSSiteInterval     1
-    DOSBlockingPeriod   10
+	DOSEnabled          true
+	DOSHashTableSize    3097
+	DOSPageCount        2
+	DOSSiteCount        50
+	DOSPageInterval     1
+	DOSSiteInterval     1
+	DOSBlockingPeriod   10
 </IfModule>
 ```
 
 Optionally you can also add the following directives:
 
 ```
     DOSEmailNotify  [email protected]
-    DOSSystemCommand  "su - someuser -c '/sbin/... %s ...'"
-    DOSLogDir   "/var/lock/mod_evasive"
-    DOSWhitelist  127.0.0.1
-    DOSWhitelistUri  whitelist.*regex
+	DOSSystemCommand  "su - someuser -c '/sbin/... %s ...'"
+	DOSLogDir   "/var/lock/mod_evasive"
+	DOSWhitelist  127.0.0.1
+	DOSWhitelistUri  whitelist.*regex
     DOSHTTPStatus       429
 ```
 
@@ -209,13 +209,13 @@ LoadModule evasive_module modules/mod_evasive.so
 
 ## NSAPI
 SunONE (iPlanet,Netscape) Configuration
-                                                                                
+
 ### Configure iPlanet 4.1
 
 Edit obj.conf:
 ```
 Init fn="load-modules" funcs="mod_evasive_init,mod_evasive_check" shlib="/opt/ns-4.1/plugins/lib/mod_evasive.sl"
-                                                                                
+
 Init fn="mod_evasive_init" DOSPageCount=2 DOSSiteCount=50 DOSPageInterval=1 DOSSiteInterval=1 DOSBlockingPeriod=10 DOSWhitelist="10.60.0.7,10.65.0.10"
 ```
 
@@ -236,7 +236,7 @@ NameTrans fn=mod_evasive_check
 Edit magnus.conf:
 ```                                                                                
 Init fn="load-modules" funcs="mod_evasive_init,mod_evasive_check" shlib="/opt/iplanet-6.0/plugins/lib/mod_evasive.sl"
-                                                                                
+
 Init fn="mod_evasive_init" DOSWhitelist="10.60.0.7,10.65.0.10"
 ```
 
@@ -325,7 +325,7 @@ Choose an alternative temp directory
 By default "/tmp" will be used for locking mechanism, which opens some 
 security issues if your system is open to shell users.
 
-    http://security.lss.hr/index.php?page=details&ID=LSS-2005-01-01
+	http://security.lss.hr/index.php?page=details&ID=LSS-2005-01-01
 
 In the event you have nonprivileged shell users, you'll want to create a
 directory writable only to the user Apache is running as (usually root),
@@ -353,8 +353,8 @@ blocked.
 To whitelist an address (or range) add an entry to the Apache configuration 
 in the following fashion:
 
-		DOSWhitelist  127.0.0.1
-		DOSWhitelist  127.0.0.*
+	DOSWhitelist  127.0.0.1
+	DOSWhitelist  127.0.0.*
 
 Wildcards can be used on up to the last 3 octets if necessary.  Multiple
 DOSWhitelist commands may be used in the configuration.
@@ -372,14 +372,18 @@ Use with caution.
 To whitelist a URI add an entry to the Apache configuration 
 in the following fashion:
 
-		DOSWhitelistUri  /path/to/whitelisted/resource
-		DOSWhitelistUri  .*whitelisted.*
+	DOSWhitelistUri  /path/to/whitelisted/resource
+	DOSWhitelistUri  .*whitelisted.*
 
 `DOSWhitelistUri` supports perl-style regex and matches the whole request URI
 (everything between the domain name and the ?) against this regex.
 
 You can add several entries.
 
+> [!CAUTION]
+> This is currently UNTESTED on Windows, I'm not sure it will even compile. Let
+> me know about any issues, or even if it does work as expected! :pray:
+
 # Tweaking Apache
 
 The keep-alive settings for your children should be reasonable enough to 
@@ -411,8 +415,8 @@ Please don't use this script to DoS others without their permission.
 # Known bugs and Issues
 
 - This module appears to conflict with the Microsoft Frontpage Extensions.
-  Frontpage sucks anyway, so if you're using Frontpage I assume you're asking
-  for problems, and not really interested in conserving server resources anyway.
+	Frontpage sucks anyway, so if you're using Frontpage I assume you're asking
+	for problems, and not really interested in conserving server resources anyway.
 
 - When used together with mod_rewrite, mod_rewrite seems to take priority over
 	this. This means that Apache will always rewrite the url even during an
@@ -421,6 +425,9 @@ Please don't use this script to DoS others without their permission.
 	https, the redirect to https will always happen. In this case you should
 	enable mod_evasive on the https virtualhost only, as it will not have any
 	effect on the http virtualhost.
+
+- Using mpm_itk instead of the default mpm_event will cause mod_evasive to never
+	get triggered.
   
 # Feedback
 

dist/libapache2-mod-evasive.deb

@@ -1,7 +1,21 @@
 #!/bin/bash
 
-docker build . -t mod_evasive || exit 1
-docker run -t -d -p 1980:80 mod_evasive
-./test/test.pl
-docker ps -a | grep mod_evasive | awk -F "  +" '{print $7}' | xargs docker stop
-docker run -t -v `pwd`/dist:/opt/jvdmr/apache2/mod_evasive/dist mod_evasive bash debian-build.sh
+for tp in test/*
+do
+	echo
+	echo "Building test container"
+	docker build . --target test --build-arg "test_path=${tp}" -t mod_evasive_test || exit 1
+	echo "Starting test container"
+	docker run --rm -t --name=mod_evasive_test -d -p 1980:80 mod_evasive_test
+	echo "Running test"
+	${tp}/test.sh
+	echo "Stopping test container"
+	docker kill mod_evasive_test
+done
+
+echo
+echo "Building packaging container"
+docker build . --target package -t mod_evasive_package || exit 1
+echo "Packaging mod for Debian"
+docker run --rm -t --name=mod_evasive_package -v `pwd`/dist:/opt/jvdmr/apache2/mod_evasive/dist mod_evasive_package bash debian-build.sh
+echo "Done."

dist/libapache2-mod-evasive/usr/lib/apache2/modules/mod_evasive.so

@@ -322,11 +322,13 @@ int is_whitelisted(const char *ip, evasive_config *cfg) {
 
 static apr_status_t destroy_config(void *dconfig) {
     evasive_config *cfg = (evasive_config *) dconfig;
-    ntt_destroy(cfg->hit_list);
-    free(cfg->email_notify);
-    free(cfg->log_dir);
-    free(cfg->system_command);
-    free(cfg);
+    if (cfg != NULL) {
+        ntt_destroy(cfg->hit_list);
+        free(cfg->email_notify);
+        free(cfg->log_dir);
+        free(cfg->system_command);
+        free(cfg);
+    }
     return APR_SUCCESS;
 }
 
@@ -446,7 +448,7 @@ struct ntt_node *ntt_insert(struct ntt *ntt, const char *key, time_t timestamp)
     /* Create a new node */
     new_node = ntt_node_create(key);
     new_node->timestamp = timestamp;
-    new_node->timestamp = 0;
+    new_node->count = 0;
 
     ntt->items++;
 

docker-build.sh

@@ -421,11 +421,11 @@ int is_uri_whitelisted(const char *path, evasive_config *cfg) {
 static apr_status_t destroy_config(void *dconfig) {
     evasive_config *cfg = (evasive_config *) dconfig;
     if (cfg != NULL) {
-      ntt_destroy(cfg->hit_list);
-      free(cfg->email_notify);
-      free(cfg->log_dir);
-      free(cfg->system_command);
-      free(cfg);
+        ntt_destroy(cfg->hit_list);
+        free(cfg->email_notify);
+        free(cfg->log_dir);
+        free(cfg->system_command);
+        free(cfg);
    }
    return APR_SUCCESS;
 }