mod_evasive is an Apache web server module that secures your website against brute force attacks or Distributed Denial of Service (DDoS/DoS) attacks.
This complements mod_security on Apache which allows you to secure your website from a wide range of attacks.
This tool can also be used as a network management tool and can be configured to talk to ipchains, firewalls, routers, and more as well as report abuse via email and Syslog.
This guide assumes that you already have your LAMP stack setup and running.
Step 1: Install mod_evasive
ModEvasive is available from the official software repositories (on CentOS it ships in the EPEL repository), therefore it can be installed using apt or yum.
Ubuntu/Debian
$ sudo apt install libapache2-mod-evasive
CentOS/Fedora
$ sudo yum install mod_evasive
Then check the status of ModEvasive by running the command below:
$ sudo apachectl -M | grep evasive
You should see the below output if the module is enabled on the server:
evasive20_module (shared)
Step 2: Configure ModEvasive
We need to make a few changes in the configuration file. Open it in a text editor:
Ubuntu/Debian
$ sudo nano /etc/apache2/mods-enabled/evasive.conf
You will find the directives commented out with a pound sign (#). Uncomment those lines by removing the ‘#’ sign and enter the email address where you want to receive reports when ModEvasive intercepts an attack targeting your web server.
Here is a sample of what your file should look like.
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 60
DOSEmailNotify <[email protected]>
#DOSSystemCommand "su - someuser -c '/sbin/... %s ...'"
DOSLogDir "/var/log/mod_evasive"
</IfModule>
CentOS / Fedora
Open the following file:
$ sudo nano /etc/httpd/conf/httpd.conf
and enter the following line:
LoadModule evasive20_module /usr/lib/httpd/modules/mod_evasive20.so
Below that section, add the mod_evasive configuration, similar to the one above:
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 60
DOSEmailNotify <[email protected]>
#DOSSystemCommand "su - someuser -c '/sbin/... %s ...'"
DOSLogDir "/var/log/mod_evasive"
</IfModule>
Save and close the file.
Step 3: Create a ModEvasive Log Directory
The default log directory is /tmp but that is not where we want to save our log files. More on this later. We will have to create a mod_evasive log directory and set the appropriate permissions.
Create the directory
$ sudo mkdir /var/log/mod_evasive
Give the Apache user ownership of the directory (www-data on Debian/Ubuntu; on CentOS/Fedora the Apache user is apache, so use apache:apache instead):
$ sudo chown -R www-data:www-data /var/log/mod_evasive
Step 4: Restart Apache
Restart Apache web server for the above changes to take effect:
Debian / Ubuntu:
$ sudo systemctl restart apache2
CentOS / Fedora:
$ sudo systemctl restart httpd
mod_evasive Configuration Options Guide
DOSHashTableSize
The hash table size defines the number of top-level nodes for each child’s hash table. It is the size of the table that tracks client activity, keyed by the visiting IP address. Increasing this number improves performance by decreasing the number of iterations required to reach a record; increase it if you have a busy web server, but take note that doing so will increase server memory usage.
DOSPageCount
This is the threshold for the number of requests a user can make for the same page (or URI) per page interval defined by the DOSPageInterval directive. Once the threshold for that interval has been exceeded, the IP address of the client will be added to the blocking list.
DOSSiteCount
This is the threshold for the total number of requests for any object by the same client on the same listener per website interval defined in DOSSiteInterval. Once the threshold for that interval has been exceeded, the IP address of the client will be added to the blocking list.
DOSPageInterval
The interval for the DOSPageCount threshold; defaults to 1-second intervals.
DOSSiteInterval
The interval for the DOSSiteCount threshold; defaults to 1-second intervals.
DOSBlockingPeriod
The blocking period is the amount of time in seconds that a client will be blocked for if they are added to the blocking list. During this time, all subsequent requests from the client will result in a 403 (Forbidden) error and the timer being reset. Since the timer is reset for every subsequent request, it is not necessary to have a long blocking period in the event of a DoS attack as the timer will keep getting reset.
DOSEmailNotify
If this value is set, an email will be sent to the address specified whenever an IP address becomes blacklisted. A locking mechanism using /tmp prevents continuous emails from being sent.
For this to work, make sure MAILER is set correctly in mod_evasive.c (or mod_evasive20.c). The default is “/bin/mail -t %s” where %s is used to denote the destination email address set in the configuration. If your setup uses an alternate mailer then you need to change it.
DOSSystemCommand
If this value is set, the system command specified will be executed whenever an IP address becomes blacklisted. This is designed to enable system calls to ip filter or other tools. A locking mechanism using /tmp prevents continuous system calls. Use %s to denote the IP address of the blacklisted IP.
DOSLogDir
This is the directory where attacks will be logged. You will need to set up an alternate directory writable only to the user Apache is running as (usually root or www-data) as by default “/tmp” will be used for the locking mechanism, which opens some security issues if your system is open to shell users.
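To make the interplay of these directives concrete, here is an added Python model (example code, not part of the article or of the mod_evasive project) that applies DOSPageCount/DOSPageInterval, DOSSiteCount/DOSSiteInterval and DOSBlockingPeriod to constructed request records and reports the status code each request would receive. It is a simplified model: it counts hits in fixed windows and keeps the "already notified" state in memory rather than as a lock file under DOSLogDir, so the exact request at which the real module trips may differ by one. The client IPs, URIs and timestamps are constructed for the demonstration.

```python
"""Offline model of mod_evasive's per-client request counting.

Added example, not the module's own code. Directive names follow the
article; counting uses fixed windows, which is a simplification of the
module's behaviour. All client data below is constructed.
"""
from dataclasses import dataclass


@dataclass
class EvasiveConfig:
    page_count: int = 2         # DOSPageCount: same URI hits allowed per page_interval
    site_count: int = 50        # DOSSiteCount: total hits allowed per site_interval
    page_interval: int = 1      # DOSPageInterval, seconds
    site_interval: int = 1      # DOSSiteInterval, seconds
    blocking_period: int = 60   # DOSBlockingPeriod, seconds


class EvasiveTracker:
    """Tracks (ip, uri) and ip hit counts and the blocking list."""

    def __init__(self, cfg: EvasiveConfig):
        self.cfg = cfg
        self.page_hits = {}   # (ip, uri) -> (window_start, count)
        self.site_hits = {}   # ip -> (window_start, count)
        self.blocked = {}     # ip -> time of the last request seen while blocked
        self.alerts = []      # IPs that triggered a notification (once per IP,
                              # modelling the DOSEmailNotify/DOSSystemCommand lock)

    @staticmethod
    def _bump(table, key, now, interval):
        """Increment the counter for key, starting a new window if the
        previous one is older than interval seconds; return the new count."""
        start, count = table.get(key, (now, 0))
        if now - start >= interval:
            start, count = now, 0
        count += 1
        table[key] = (start, count)
        return count

    def handle(self, ip, uri, now):
        """Return the HTTP status this request would get: 403 or 200."""
        last = self.blocked.get(ip)
        if last is not None:
            if now - last < self.cfg.blocking_period:
                # Still inside the blocking period: refuse and reset the timer,
                # as the DOSBlockingPeriod description says.
                self.blocked[ip] = now
                return 403
            del self.blocked[ip]

        over_page = self._bump(self.page_hits, (ip, uri), now,
                               self.cfg.page_interval) > self.cfg.page_count
        over_site = self._bump(self.site_hits, ip, now,
                               self.cfg.site_interval) > self.cfg.site_count
        if over_page or over_site:
            self.blocked[ip] = now
            if ip not in self.alerts:      # lock: notify only once per IP
                self.alerts.append(ip)
            return 403
        return 200


def page_flood_demo():
    """Constructed client hammering one URI, then probing during the block."""
    tr = EvasiveTracker(EvasiveConfig())
    ip = "203.0.113.5"
    plan = [("/login", 10.0), ("/login", 10.2), ("/login", 10.4),
            ("/index.html", 10.5),   # blocked regardless of URI
            ("/login", 69.0),        # 58.5s after last 403: still blocked, timer reset
            ("/login", 100.0),       # 31s after the reset: still blocked
            ("/login", 161.0)]       # 61s of silence: block has expired
    statuses = [tr.handle(ip, uri, t) for uri, t in plan]
    return statuses, list(tr.alerts)


def site_flood_demo():
    """Constructed client requesting 51 distinct URIs within one second."""
    tr = EvasiveTracker(EvasiveConfig())
    return [tr.handle("198.51.100.7", f"/asset{i}.js", 5.0 + i * 0.01)
            for i in range(51)]


if __name__ == "__main__":
    print(page_flood_demo())
    print(site_flood_demo())
```

The page-flood run shows the third request for /login inside one second being refused and every later request, on any URI, extending the block until the client stays quiet for a full DOSBlockingPeriod; the site-flood run shows DOSSiteCount catching a client that spreads its requests over many distinct URIs, which DOSPageCount alone would not notice.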
If everything is set up correctly you should have an Apache web server that is protected from DoS/DDoS attacks using mod_evasive. Check out how to secure your website with mod_security on Apache.