Hi,

I entered in 2 new IPs into the /etc/asl/whitelist file - one ipv4 and one ipv6 - and then ran asl -f -s which when it checked the mod_evasive settings the ipv4 address showed up as fixed but the ipv6 address didnt show up at all.

Does ASL or mod_evasive not support ipv6 addresses?

I added the ipv6 equivalent of a loopback/localhost address


In response to getting numerous emails from ossec saying that mod_evasive had blocked the ::1 address due to a Ddos

Received From: ehost-services201->/var/log/messages
Rule: 60205 fired (level 7) -> "Possble DoS attack"
Portion of the log(s):

mod_evasive supports it. We dont though, or not in the whitelist anyway.

Well, looks you got a new feature to add in eh

I dont know that we can fix mod_evasive.... that guys kind of a nut.

but you can add in ipv6 support into your white/black lists though right?

We could, but theres no guarantee the downstream packages will work with it.

So in /etc/asl/whitelist I put in the IP ::1

I run asl -f -s

Then I check /etc/httpd/conf.d/mod_evasive.conf and it didnt add it

So I go to /etc/httpd/conf.d/mod_evasive.conf I add in the whitelist line manually
DOSWhitelist ::1

then I run asl -f -s again, go back and check the /etc/httpd/conf.d/mod_evasive.conf file again, and the line is gone.

This basically goes along with what you have mentioned previously, but you can see that running asl -f -s removed my ipv6 address that I already had in there, which to me -- I dont care if its loopback or not -- is a bad thing anytime you remove an IP address.