Here is a quick way to defend FreeBSD 7.2-RELEASE-p4 system from the Recent Apache Slowloris Denial of Service.
1. Install the mod_antiloris freebsd Port
freebsd# cd /usr/ports/www/mod_antiloris
freebsd# make install clean
2. Edit your /usr/local/etc/httpd.conf
Find the following line in your bsd httpd.conf:
#LoadModule antiloris_module libexec/apache2/mod_antiloris.so
As you can see the LoadModule line loading the mod_antiloris slowloris Denial of Service prevention is commented,so you will have to uncomment it to read as:
freebsd# vim /usr/local/etc/httpd.conf
LoadModule antiloris_module libexec/apache2/mod_antiloris.so
Next we restart the Apache Webserver in order to load the newly enabled module mod_antiloris in Apache.
However before the Apache restart, we check Apache configurations are fine to be sure Apache will re-launch,after restart.
freebsd# /usr/local/etc/rc.d/apache2 configtest
Performing sanity check on apache2 configuration:
Syntax OK
Now as we have assured ourselves Apache httpd.conf syntax is fine we restart the Webserver.
freebsd# /usr/local/etc/rc.d/apache2 restart
Syntax OK
Stopping apache2.
Waiting for PIDS: 60920.
Performing sanity check on apache2 configuration:
Syntax OK
Starting apache2.
Of course all the above simplified install example assumes your port tree is uptodate.
I did the install on my FreeBSD box:
FreeBSD pcfreak 7.2-RELEASE-p4 FreeBSD 7.2-RELEASE-p4 #0: Fri Oct 2 12:21:39 UTC 2009 root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386
If your ports tree is update the upper install mod_antiloris FreeBSD install guide will be all you need.
Yet if your port tree is not update you might consider updating your port tree before you proceed.
You might like to use my FreeBSD 7.2 stable supfile downloadable from here
To update simply using the my FreeBSD 7.2 supfile then issue the followingcommands:
freebsd# cd /etc/
freebsd# fetch https://www.pc-freak.net/files/stable-supfile-7.2
freebsd# csup -g -L 2 /etc/stable-supfile-7.2
There as you should have the latest stable port tree for FreeBSD 7.2, then just continue step by step from as explained in Step 1. hereinbefore.
I’m convinced the installation on FreeBSD 7, 7.x and FreeBSD 8 and 8.x will be analogous.
So I hope this small article will be helpful to somebody of the FreeBSD novice crowd out there.
If you want to be absolutely sure The Apache is Secured against the Slowloris attack on your FreeBSD box, download the slowloris denial of service attack tool andissue Attack against your Apache Web Server.
perl slowloris.pl -dns yourdomainname.com -port 80 -timeout 1 -num 300 -cache
That’s all folks!
