Bug 173388 - Review Request: mod_evasive - Denial of Service evasion module for Apache
Product: Fedora
Classification: Fedora
Component: Package Review
Platform: All Linux
Severity: medium
Assigned To: Ruben Kerkhof
Fedora Package Reviews List
Reported: 2005-11-16 15:35 EST by Konstantin Ryabitsev
Modified: 2007-11-30 17:11 EST (History)
Last Closed: 2007-05-12 12:49:10 EDT
ruben: fedora-review+
petersen: fedora-cvs+
Description Konstantin Ryabitsev 2005-11-16 15:35:49 EST
Spec Name or Url: http://linux.duke.edu/~icon/misc/fe/mod_evasive.spec
SRPM Name or Url: http://linux.duke.edu/~icon/misc/fe/mod_evasive-1.10.1-0.1.src.rpm
mod_evasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and etcetera. mod_evasive presently reports abuses via email and syslog facilities.
Comment 1 Konstantin Ryabitsev 2005-11-25 10:31:16 EST
Comment 2 Jeff Carlson 2005-11-30 09:32:16 EST
Regarding the %description, "et cetera" are two words, and the Latin word "et"
means "and," so it is redundant to say "and et...."  Also, I think it is more
appropriate to mention iptables instead of ipchains.  So, I suggest that
penultimate sentence should end "iptables, firewalls, routers, et cetera."  Or
just "etc."
Comment 3 Konstantin Ryabitsev 2005-12-01 10:29:01 EST
It's just a copy-paste of the description provided by the author on the website.
I'll make the changes.
Comment 4 Iago Rubio 2005-12-01 11:33:35 EST
> "et cetera" are two words

I disagree. "Et cetera" is two words in Latin, but it has been adopted as one
word in most languages with Latin roots such as Spanish, Italian, Portuguese,
etcetera ... ;)

It has been adopted by English from Spanish - I think - and exists in English
dictionaries, so if you're not going to translate the whole description to Latin,
separating "et cetera" makes no sense to me.

Comment 5 Michael A. Peters 2005-12-01 11:48:40 EST
I've never seen it as one word in English - though I have seen it simply
abbreviated etc. :)
Comment 6 Matthew Miller 2005-12-01 11:55:40 EST
Iago -- In English, both are valid but have slightly different meanings and
connotations. In this case, "et cetera" is correct. However, it's probably
better to avoid entirely in %description and actually be specific.

Also, this is ridiculously pedantic and none of us should care. :)
Comment 7 Konstantin Ryabitsev 2005-12-01 12:00:43 EST
Yes, can I get some comments that don't deal with orthography? :)
Comment 8 Iago Rubio 2005-12-01 13:28:17 EST
>> Also, this is ridiculously pedantic and none of us should care

Completely agree :)

>> Yes, can I get some comments that don't deal with orthography? :)

Not too much from my side, but it rebuilds fine - warning user icon does not
exist - installs cleanly, and rpmlint is happy.

Comment 9 Joe Orton 2005-12-06 09:19:31 EST
The module license is not ideal (w.r.t GPL/ASL 2.0 incompatibility) otherwise
looks fine.
Comment 10 Konstantin Ryabitsev 2005-12-06 09:47:14 EST
I've made a few cosmetic changes to the package:


* Tue Dec 06 2005 Konstantin Ryabitsev <icon@fedoraproject.org> - 1.10.1-1
- Cleaning up description
- Cleaning up install
- Slight modification to default config (add DOSWhitelist entries)
- Disttagging
- Adding test.pl to docs

If I can get it approved, I'll finish up the process of adding it to extras.

(PS: Not much I can do about the license. :))
Comment 11 Konstantin Ryabitsev 2005-12-19 16:19:42 EST

This has been in the approval queue for over a month now. Can someone finally
approve it, please? :) Pretty please?
Comment 12 Michael A. Peters 2005-12-20 08:03:58 EST
* rpmlint clean:
[mpeters@jerusalem result]$ ls *.rpm && rpmlint *.rpm
mod_evasive-1.10.1-1.fc4.i386.rpm  mod_evasive-debuginfo-1.10.1-1.fc4.i386.rpm
[mpeters@jerusalem result]$
* proper naming of package and spec file
* licensed with open source nice license (GPL) - BUT - incompat w/ Apache license
* Spec file American English, readable, etc.
* md5sum matches upstream - 784fca4a124f25ccff5b48c7a69a65e5
* Compiles in FC4 x86 mock
* Correct %files section


It should restart the apache webserver

The license thing - can you ask upstream to change it?
Otherwise I think that is a block because GNU specifies that Apache Software
License is not compat with GPL, and the module uses httpd-devel to build, so I'm
not sure it can go into extras under the GPL license.
Comment 13 Konstantin Ryabitsev 2005-12-20 14:53:59 EST
OK, I've emailed the developer telling him about the situation. Hopefully he'll
consider switching licenses.

I don't agree that the package should automatically restart apache, though.
Apache restarts are rarely sane, so I'd rather be cautious and let the admin do
the restart on eir own.
Comment 14 Michael A. Peters 2005-12-20 15:44:29 EST
(In reply to comment #13)

> I don't agree that the package should automatically restart apache, though.
> Apache restarts are rarely sane, so I'd rather be cautious and let the admin do
> the restart on eir own.

If they are installing the module, they can't use it unless they restart it.
Furthermore, there is the update issue.

Security hole found in package - update issued.
Sysadmin has yum running as a service to update his system.
He checks the rpm - thinks he's safe because it's at patch level, but since
apache hasn't restarted he's vulnerable.

Any comments from packaging veterans on this?
Comment 15 Konstantin Ryabitsev 2005-12-20 15:58:37 EST
Yeah, but this isn't any different from any other security update to apache.
Currently, rpm -q --scripts httpd shows:

preinstall scriptlet (using /bin/sh):
# Add the "apache" user
/usr/sbin/useradd -c "Apache" -u 48 \
        -s /sbin/nologin -r -d /var/www apache 2> /dev/null || :
postinstall scriptlet (using /bin/sh):
# Register the httpd service
/sbin/chkconfig --add httpd
preuninstall scriptlet (using /bin/sh):
if [ $1 = 0 ]; then
        /sbin/service httpd stop > /dev/null 2>&1
        /sbin/chkconfig --del httpd

If the main apache package isn't doing automatic restarts for updated packages,
then I don't think an apache module package should act differently.

Comment 16 Joe Orton 2005-12-20 19:17:28 EST
IMO doing anything to running services on package upgrades is generally evil. 
(occasionally a necessary evil, but not in this case).  General case is that the
admin may have made config changes which they do not yet want to apply.  They
may want to do a graceful restart to avoid kicking off active clients.  etc.

Doing an httpd restart for a module upgrade would definitely be very evil
(imagine "yum update mod_foo mod_bar mod_baz ...").
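The outcome of this discussion is that the package leaves the running httpd alone, which means the window Michael describes (module updated on disk, old copy still mapped in the running server) is real and has to be closed by the admin. As an added example that is not part of this review or of mod_evasive, the following POSIX shell script reports loaded modules whose file is newer than the httpd process start time. It assumes Linux (`/proc/PID/stat`, `/proc/stat`), a GNU or busybox `stat`, and a Fedora-style layout (`/etc/httpd`, `/var/run/httpd.pid`) in the usage line; those paths are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example, not from the bug report or from mod_evasive: list Apache
# modules whose file on disk is newer than the running httpd process, i.e.
# upgraded by the package manager but not yet loaded.
# Assumes Linux /proc and a GNU or busybox `stat -c %Y`.

# Epoch seconds at which PID started: boot time (/proc/stat btime) plus the
# process start offset (field 22 of /proc/PID/stat, in clock ticks).
process_start_epoch() {
    pid="$1"
    [ -r "/proc/$pid/stat" ] || return 1
    btime=$(awk '/^btime/ { print $2 }' /proc/stat)
    # The comm field (2) may contain spaces or parentheses, so drop everything
    # up to the last ') ' first; starttime is then field 20 of the remainder.
    ticks=$(sed 's/^.*) //' "/proc/$pid/stat" | awk '{ print $20 }')
    clk_tck=$(getconf CLK_TCK 2>/dev/null || echo 100)
    echo $(( btime + ticks / clk_tck ))
}

# Exit 0 when FILE's mtime is later than EPOCH, 1 when it is not, 2 when the
# file cannot be stat'ed. Free of process lookups so it can be checked with
# constructed timestamps.
file_newer_than_epoch() {
    file="$1"; epoch="$2"
    mtime=$(stat -c %Y "$file" 2>/dev/null) || return 2
    [ "$mtime" -gt "$epoch" ]
}

# Module paths named by active LoadModule lines in CONF_DIR/*.conf, one per
# line. Relative paths are resolved against SERVER_ROOT, as httpd does.
list_loaded_modules() {
    conf_dir="$1"; server_root="$2"
    grep -h '^[[:space:]]*LoadModule[[:space:]]' "$conf_dir"/*.conf 2>/dev/null \
      | awk '{ print $3 }' \
      | while read -r path; do
            case "$path" in
                /*) echo "$path" ;;
                *)  echo "$server_root/$path" ;;
            esac
        done
}

# Print every module modified after START (epoch seconds). Exit 1 if any is
# stale, 0 otherwise. Module paths are assumed to contain no whitespace.
stale_modules_since() {
    start="$1"; conf_dir="$2"; server_root="$3"
    rc=0
    for mod in $(list_loaded_modules "$conf_dir" "$server_root"); do
        if file_newer_than_epoch "$mod" "$start"; then
            echo "STALE: $mod (mtime after httpd start $start)"
            rc=1
        fi
    done
    return $rc
}

# Live wrapper: look up the start time of the httpd parent PID first.
# Exit 2 if the process cannot be inspected.
stale_modules() {
    pid="$1"; conf_dir="$2"; server_root="$3"
    start=$(process_start_epoch "$pid") \
      || { echo "cannot read start time of PID $pid" >&2; return 2; }
    stale_modules_since "$start" "$conf_dir" "$server_root"
}

# Example invocation on a Fedora-style layout (paths are assumptions):
#   stale_modules "$(cat /var/run/httpd.pid)" /etc/httpd/conf.d /etc/httpd
```

Run it after `yum update` instead of from a package scriptlet: it tells the admin that a restart (or a graceful restart, to avoid dropping active clients as Joe points out) is still pending, without making that decision for them.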
Comment 17 Michael A. Peters 2005-12-20 19:59:36 EST
That's fine then.
Comment 18 Tim Jackson 2006-08-05 19:58:24 EDT
Anything standing in the way of this being approved now?
Comment 19 Christian Iseli 2006-10-18 09:05:32 EDT
Normalize summary field for easy parsing
Comment 20 Konstantin Ryabitsev 2007-01-02 15:21:18 EST
This has been in review queue for over a year now. :)

Can we please approve it or discard it?
Comment 21 Kevin Fenzi 2007-01-03 22:27:51 EST
There is a policy to deal with this sort of thing: 

Consider this to indicate that the review is stalled and that a response is
needed soon.

If there is no response in 1 week, we will move this back to NEW and someone 
else can review it. 
Comment 22 Mamoru TASAKA 2007-01-27 02:32:00 EST
(In reply to comment #21)
> If there is no response in 1 week, we will move this back to NEW and someone 
> else can review it. 

Switching to FE-NEW
Comment 23 Ruben Kerkhof 2007-01-27 19:59:07 EST
Hi Konstant,

Review for release 1.10.1-1
* RPM name is OK
* Builds fine in mock
* rpmlint looks OK
* File list looks OK
* Config files of mod_evasive look OK

Needs work:
* Source 0 is not available (http://www.nuclearelephant.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz). The project is now at http://www.zdziarski.com/projects/mod_evasive/
* Spec file: some paths are not replaced with RPM macros
  Please replace /usr/sbin/apxs with %{_sbindir}/apxs

Comment 25 Ruben Kerkhof 2007-02-03 16:28:17 EST
Looks perfect. This package is APPROVED.
Comment 26 Ruben Kerkhof 2007-03-15 13:45:01 EDT
Hi Konstantin

Are you still planning on adding this package to Extras?
Comment 27 Ruben Kerkhof 2007-03-18 06:00:21 EDT
Setting fedora-review flag as per http://fedoraproject.org/wiki/PackageReviewProcess
Comment 28 Konstantin Ryabitsev 2007-04-03 12:22:11 EDT
New Package CVS Request
Package Name: mod_evasive
Short Description: Denial of Service evasion module for Apache
Owners: icon@fedoraproject.org
Branches: FC-6, EL-4, EL-5
Comment 29 Jens Petersen 2007-04-06 02:23:27 EDT
Comment 30 Ruben Kerkhof 2007-05-12 12:25:28 EDT
Konstantin, are you still planning on building this?
Comment 31 Konstantin Ryabitsev 2007-05-12 12:49:10 EDT
It's built for apache-2.0 systems, which pretty much means EL-4. It doesn't work
under apache-2.2 at the moment.
