Bug 173388

Summary: Review Request: mod_evasive - Denial of Service evasion module for Apache
Product: [Fedora] Fedora
Reporter: Konstantin Ryabitsev <icon>
Component: Package Review
Assignee: Ruben Kerkhof <ruben>
Status: CLOSED NEXTRELEASE
QA Contact: Fedora Package Reviews List <fedora-package-review>
Severity: medium
Priority: medium
Version: rawhide
CC: cweyl, jorton, kevin, rpm
Target Milestone: ---
Flags: ruben: fedora-review+, petersen: fedora-cvs+
Target Release: ---
Hardware: All
OS: Linux
URL: http://www.nuclearelephant.com/projects/mod_evasive/
Doc Type: Bug Fix
Last Closed: 2007-05-12 16:49:10 UTC
Bug Blocks: 163779

Description Konstantin Ryabitsev 2005-11-16 20:35:49 UTC
Spec Name or Url: http://linux.duke.edu/~icon/misc/fe/mod_evasive.spec
SRPM Name or Url: http://linux.duke.edu/~icon/misc/fe/mod_evasive-1.10.1-0.1.src.rpm
Description:
mod_evasive is an evasive maneuvers module for Apache to provide evasive 
action in the event of an HTTP DoS or DDoS attack or brute force attack. It 
is also designed to be a detection and network management tool, and can be 
easily configured to talk to ipchains, firewalls, routers, and etcetera. 
mod_evasive presently reports abuses via email and syslog facilities.

Comment 1 Konstantin Ryabitsev 2005-11-25 15:31:16 UTC
Ping.

Comment 2 Jeff Carlson 2005-11-30 14:32:16 UTC
Regarding the %description, "et cetera" are two words, and the Latin word "et"
means "and," so it is redundant to say "and et...."  Also, I think it is more
appropriate to mention iptables instead of ipchains.  So, I suggest that
penultimate sentence should end "iptables, firewalls, routers, et cetera."  Or
just "etc."

Comment 3 Konstantin Ryabitsev 2005-12-01 15:29:01 UTC
It's just a copy-paste of the description provided by the author on the website.
I'll make the changes.

Comment 4 Iago Rubio 2005-12-01 16:33:35 UTC
> "et cetera" are two words

I disagree. "Et cetera" are two words in Latin, but it has been adopted as one
word in most languages with Latin roots such as Spanish, Italian, Portuguese,
etcetera ... ;)

It has been adopted by English from Spanish - I think - and exists in English
dictionaries, so if you're not going to translate the whole description to Latin,
separating "et cetera" makes no sense to me.

http://dictionary.reference.com/search?q=etcetera

Comment 5 Michael A. Peters 2005-12-01 16:48:40 UTC
I've never seen it as one word in English - though I have seen it simply
abbreviated etc. :)

Comment 6 Matthew Miller 2005-12-01 16:55:40 UTC
Iago -- In English, both are valid but have slightly different meanings and
connotations. In this case, "et cetera" is correct. However, it's probably
better to avoid entirely in %description and actually be specific.

Also, this is ridiculously pedantic and none of us should care. :)

Comment 7 Konstantin Ryabitsev 2005-12-01 17:00:43 UTC
Yes, can I get some comments that don't deal with orthography? :)

Comment 8 Iago Rubio 2005-12-01 18:28:17 UTC
>> Also, this is ridiculously pedantic and none of us should care

Completely agree :)

>> Yes, can I get some comments that don't deal with orthography? :)

Not too much from my side, but it rebuilds fine - warning user icon does not
exist - installs cleanly, and rpmlint is happy.

Comment 9 Joe Orton 2005-12-06 14:19:31 UTC
The module license is not ideal (w.r.t GPL/ASL 2.0 incompatibility) otherwise
looks fine.

Comment 10 Konstantin Ryabitsev 2005-12-06 14:47:14 UTC
I've made a few cosmetic changes to the package:

http://linux.duke.edu/~icon/misc/fe/mod_evasive.spec
http://linux.duke.edu/~icon/misc/fe/mod_evasive-1.10.1-1.src.rpm

* Tue Dec 06 2005 Konstantin Ryabitsev <icon> - 1.10.1-1
- Cleaning up description
- Cleaning up install
- Slight modification to default config (add DOSWhitelist entries)
- Disttagging
- Adding test.pl to docs

If I can get it approved, I'll finish up the process of adding it to extras.

(PS: Not much I can do about the license. :))

Comment 11 Konstantin Ryabitsev 2005-12-19 21:19:42 UTC
Ping.

This has been in the approval queue for over a month now. Can someone finally
approve it, please? :) Pretty please?

Comment 12 Michael A. Peters 2005-12-20 13:03:58 UTC
* rpmlint clean:
[mpeters@jerusalem result]$ ls *.rpm && rpmlint *.rpm
mod_evasive-1.10.1-1.fc4.i386.rpm  mod_evasive-debuginfo-1.10.1-1.fc4.i386.rpm
mod_evasive-1.10.1-1.fc4.src.rpm
[mpeters@jerusalem result]$
* proper naming of package and spec file
* licensed with open source nice license (GPL) - BUT - incompat w/ Apache license
* Spec file American English, readable, etc.
* md5sum matches upstream - 784fca4a124f25ccff5b48c7a69a65e5
* Compiles in FC4 x86 mock
* Correct %files section

NEEDS

It should restart the apache webserver

The license thing - can you ask upstream to change it?
Otherwise I think that is a block because GNU specifies that Apache Software
License is not compat with GPL, and the module uses httpd-devel to build, so I'm
not sure it can go into extras under the GPL license.

Comment 13 Konstantin Ryabitsev 2005-12-20 19:53:59 UTC
OK, I've emailed the developer telling him about the situation. Hopefully he'll
consider switching licenses.

I don't agree that the package should automatically restart apache, though.
Apache restarts are rarely sane, so I'd rather be cautious and let the admin do
the restart on eir own.

Comment 14 Michael A. Peters 2005-12-20 20:44:29 UTC
(In reply to comment #13)

> I don't agree that the package should automatically restart apache, though.
> Apache restarts are rarely sane, so I'd rather be cautious and let the admin do
> the restart on eir own.

If they are installing the module, they can't use it unless they restart it.
Furthermore, there is the update issue.

Security hole found in package - update issued.
Sysadmin has yum running as a service to update his system.
He checks the rpm - thinks he's safe because it's at patch level, but since
apache hasn't restarted he's vulnerable.

-=-
Any comments from packaging veterans on this?

Comment 15 Konstantin Ryabitsev 2005-12-20 20:58:37 UTC
Yeah, but this isn't any different from any other security update to apache.
Currently, rpm -q --scripts httpd shows:

preinstall scriptlet (using /bin/sh):
# Add the "apache" user
/usr/sbin/useradd -c "Apache" -u 48 \
        -s /sbin/nologin -r -d /var/www apache 2> /dev/null || :
postinstall scriptlet (using /bin/sh):
# Register the httpd service
/sbin/chkconfig --add httpd
preuninstall scriptlet (using /bin/sh):
if [ $1 = 0 ]; then
        /sbin/service httpd stop > /dev/null 2>&1
        /sbin/chkconfig --del httpd
fi

If the main apache package isn't doing automatic restarts for updated packages,
then I don't think an apache module package should act differently.

Comment 16 Joe Orton 2005-12-21 00:17:28 UTC
IMO doing anything to running services on package upgrades is generally evil. 
(occasionally a necessary evil, but not in this case).  General case is that the
admin may have made config changes which they do not yet want to apply.  They
may want to do a graceful restart to avoid kicking off active clients.  etc.

Doing an httpd restart for a module upgrade would definitely be very evil
(imagine "yum update mod_foo mod_bar mod_baz ...").

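As an added example (not part of this bug report or of the mod_evasive package), a small POSIX shell check for the situation described in comment 14: a module package updated on disk while the running httpd still has the old copy loaded. It assumes GNU coreutils/procps (`stat -c`, `date -d`, `pgrep -o`, `ps -o lstart`) and the Fedora module directory /usr/lib/httpd/modules.

```shell
#!/bin/sh
# Added example: report Apache modules whose file on disk changed after the
# running httpd started, so an admin can see that a package update (for
# example a security fix) has not taken effect until httpd is restarted.
# Assumes GNU stat/date and procps pgrep/ps; paths are a Fedora layout.

# Epoch start time of the oldest process with the given name (default httpd).
httpd_start_epoch() {
    pid=$(pgrep -o -x "${1:-httpd}") || return 1
    # ps prints a human-readable start time; GNU date converts it to epoch.
    date -d "$(ps -o lstart= -p "$pid")" +%s
}

# Return 0 if FILE's mtime is later than START (epoch seconds), 1 if not,
# 2 if the file cannot be stat'ed.
module_newer_than() {
    file=$1; start=$2
    mtime=$(stat -c %Y "$file") || return 2
    [ "$mtime" -gt "$start" ]
}

# Print one STALE line per .so under DIR that changed after START.
report_stale_modules() {
    start=$1; dir=${2:-/usr/lib/httpd/modules}
    for f in "$dir"/*.so; do
        [ -e "$f" ] || continue
        if module_newer_than "$f" "$start"; then
            echo "STALE: $f changed after httpd start; restart needed"
        fi
    done
}

# Usage on a live system:
# start=$(httpd_start_epoch httpd) && report_stale_modules "$start"
```

The check is a defender-side hint only: an unchanged module file does not prove httpd is up to date with the rest of the update, but a STALE line means the installed version is not yet loaded.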

Comment 17 Michael A. Peters 2005-12-21 00:59:36 UTC
OK.
That's fine then.

Comment 18 Tim Jackson 2006-08-05 23:58:24 UTC
Anything standing in the way of this being approved now?

Comment 19 Christian Iseli 2006-10-18 13:05:32 UTC
Normalize summary field for easy parsing

Comment 20 Konstantin Ryabitsev 2007-01-02 20:21:18 UTC
This has been in review queue for over a year now. :)

Can we please approve it or discard it?

Comment 21 Kevin Fenzi 2007-01-04 03:27:51 UTC
There is a policy to deal with this sort of thing: 
http://fedoraproject.org/wiki/Extras/Policy/StalledReviews

Consider this to indicate that the review is stalled and that a response is
needed soon.

If there is no response in 1 week, we will move this back to NEW and someone 
else can review it. 

Comment 22 Mamoru TASAKA 2007-01-27 07:32:00 UTC
(In reply to comment #21)
> If there is no response in 1 week, we will move this back to NEW and someone 
> else can review it. 
> 

Switching to FE-NEW

Comment 23 Ruben Kerkhof 2007-01-28 00:59:07 UTC
Hi Konstantin,

Review for release 1.10.1-1
* RPM name is OK
* Builds fine in mock
* rpmlint looks OK
* File list looks OK
* Config files of mod_evasive look OK

Needs work:
* Source 0 is not available (http://www.nuclearelephant.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz).
  The project is now at http://www.zdziarski.com/projects/mod_evasive/
* Spec file: some paths are not replaced with RPM macros
  Please replace /usr/sbin/apxs with %{_sbindir}/apxs

Comment 25 Ruben Kerkhof 2007-02-03 21:28:17 UTC
Looks perfect. This package is APPROVED.

Comment 26 Ruben Kerkhof 2007-03-15 17:45:01 UTC
Hi Konstantin

Are you still planning on adding this package to Extras?

Comment 27 Ruben Kerkhof 2007-03-18 10:00:21 UTC
Setting fedora-review flag as per http://fedoraproject.org/wiki/PackageReviewProcess

Comment 28 Konstantin Ryabitsev 2007-04-03 16:22:11 UTC
New Package CVS Request
=======================
Package Name: mod_evasive
Short Description: Denial of Service evasion module for Apache
Owners: icon
Branches: FC-6, EL-4, EL-5
InitialCC: 

Comment 29 Jens Petersen 2007-04-06 06:23:27 UTC
done

Comment 30 Ruben Kerkhof 2007-05-12 16:25:28 UTC
Konstantin, are you still planning on building this?

Comment 31 Konstantin Ryabitsev 2007-05-12 16:49:10 UTC
It's built for apache-2.0 systems, which pretty much means EL-4. It doesn't work
under apache-2.2 at the moment.