possible countermeasure to these DoS attacks

hi all -

it seems the wordpress login attempts continue to get worse. although i have taken the countermeasures such as login-rename and blocking the wp-login.php in the .htaccess file, the problem is that the floods still overwhelm apache.

so, i am now taking the mod_qos approach by doing the following using this link as my guide:

1) yum install mod_qos;

2) i added this line to httpd.conf and restarted apache:

LoadModule qos_module /usr/lib64/httpd/modules/mod_qos.so

3) and added these lines to /etc/httpd/conf.d/mod_qos.conf:

## QoS Settings
<IfModule mod_qos.c>
QS_LocRequestLimitMatch ^/wp-login.php 5
QS_LocRequestPerSecLimitMatch ^/wp-login.php 1
# handles connections from up to 100000 different IPs
QS_ClientEntries 100000
# will allow only 50 connections per IP
QS_SrvMaxConnPerIP 50
# maximum number of active TCP connections is limited to 256
MaxClients 256
# disables keep-alive when 70% of the TCP connections are occupied:
QS_SrvMaxConnClose 70%
# minimum request/response speed (deny slow clients blocking the server, ie. slowloris keeping connections open without requesting anything):
QS_SrvMinDataRate 150 1200
# and limit request header and body (careful, that limits uploads and post requests too):
# LimitRequestFields 30
# QS_LimitRequestBody 102400
</IfModule>

the log files are now filling up with messages that contain "mod_qos" so i figure i am on the right track here.

my goal at this point is just to make sure apache does not overload again.

thoughts, suggestions?
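One way to see what the "mod_qos" log messages mentioned above add up to, as an added example that is not part of the original post: a Python script that tallies mod_qos denials in the Apache error log per message id and per client. It relies only on the `[client ...]` field and the `mod_qos(NNN)` token; the sample lines, their ids and trailing text, the `summarize` helper and the threshold are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample error-log lines (not taken from the post). The ids and
# the text after them are placeholders; only the tokens parsed below matter.
SAMPLE_LOG = """\
[Tue Apr 09 10:15:01 2013] [error] [client 203.0.113.7] mod_qos(010): access denied (constructed text)
[Tue Apr 09 10:15:01 2013] [error] [client 203.0.113.7] mod_qos(010): access denied (constructed text)
[Tue Apr 09 10:15:02 2013] [error] [client 203.0.113.7:51514] mod_qos(010): access denied (constructed text)
[Tue Apr 09 10:15:02 2013] [error] [client 198.51.100.23] mod_qos(031): access denied (constructed text)
[Tue Apr 09 10:15:03 2013] [error] [client 198.51.100.23] File does not exist: /var/www/html/favicon.ico
[Tue Apr 09 10:15:04 2013] [error] mod_qos(034): access denied (constructed text)
"""

MSG_ID = re.compile(r"mod_qos\((\d+)\)")
CLIENT = re.compile(r"\[client ([^\]\s]+)\]")
NO_CLIENT = "(no client field)"

def client_ip(line):
    """Return the client address from an error-log line, or None."""
    m = CLIENT.search(line)
    if not m:
        return None
    peer = m.group(1)
    # Newer Apache versions log "ip:port"; a single colon means IPv4 plus port.
    # IPv6 addresses (two or more colons) are returned unchanged.
    if peer.count(":") == 1:
        peer = peer.split(":")[0]
    return peer

def summarize(lines, threshold=3):
    """Count mod_qos messages per id and per client; list clients >= threshold."""
    by_id, by_client = Counter(), Counter()
    for line in lines:
        m = MSG_ID.search(line)
        if not m:
            continue  # ordinary Apache error, not a mod_qos event
        by_id[m.group(1)] += 1
        by_client[client_ip(line) or NO_CLIENT] += 1
    noisy = sorted(ip for ip, n in by_client.items()
                   if n >= threshold and ip != NO_CLIENT)
    return by_id, by_client, noisy

if __name__ == "__main__":
    ids, clients, noisy = summarize(SAMPLE_LOG.splitlines())
    print("events per mod_qos id:", dict(ids))
    print("events per client:", dict(clients))
    print("clients at or over threshold:", noisy)
```

To run it against a real log, pass the lines of the server's error log to `summarize` instead of `SAMPLE_LOG`.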