How to Configure mod_evasive With Apache on Debian/Ubuntu

mod_evasive With Apache

mod_evasive is an Apache module that takes evasive action during HTTP-level denial-of-service (DoS) and brute-force attacks: it counts requests per client IP address and returns 403 to any client that exceeds a per-page or per-site threshold within a short interval. Because the decision is made per source address, it is effective against a single aggressive client or a small number of them; a genuinely distributed attack (DDoS) where each source stays under the threshold will largely pass through it, so treat it as one layer alongside upstream rate limiting and a packet filter, not as DDoS protection on its own.

This complements mod_security on Apache which allows you to secure your website from a wide range of attacks.

This tool can also be used as a network management tool, and can be configured to talk to ipchains, firewalls, routers, and more as well as report abuse via email and syslog.

This guide assumes that you already have your LAMP stack setup and running.

Step 1: Install mod_evasive

mod_evasive is packaged in the Debian and Ubuntu repositories; on CentOS/RHEL it comes from the EPEL repository, so enable EPEL first if you have not already. Note that the package names differ from the module name:

Ubuntu/Debian

$ sudo apt install libapache2-mod-evasive

CentOS/Fedora

$ sudo yum install mod_evasive

Then check that the module is loaded by listing Apache's active modules:

$ sudo apachectl -M | grep evasive

You should see the line below if the module is enabled on the server:

evasive20_module (shared)

On Debian/Ubuntu the package enables the module when it is installed; if the command prints nothing, enable it with `sudo a2enmod evasive` and reload Apache.

Step 2: Configure ModEvasive

We need to make a few changes to the module's configuration file. Open it in your editor:

Ubuntu/Debian

$ sudo nano /etc/apache2/mods-enabled/evasive.conf

(On Debian/Ubuntu this is a symlink to /etc/apache2/mods-available/evasive.conf; editing either path changes the same file.)

The directives are shipped commented out with a pound sign (#). Uncomment them by removing the '#', and set DOSEmailNotify to the address that should receive a report each time mod_evasive blocks a client. Use a plain address with no angle brackets: the value is interpolated into a shell command line for the mailer, so stray characters such as < and > would be interpreted by the shell.

Here is a sample of what your file should look like (the address is a placeholder; substitute your own).

<IfModule mod_evasive20.c>
    DOSHashTableSize 3097
    DOSPageCount 2
    DOSSiteCount 50
    DOSPageInterval 1
    DOSSiteInterval 1
    DOSBlockingPeriod 60
    DOSEmailNotify you@example.com
    #DOSSystemCommand    "su - someuser -c '/sbin/... %s ...'"
    DOSLogDir           "/var/log/mod_evasive"
</IfModule>

CentOS / Fedora

The EPEL package installs a drop-in configuration file that Apache reads automatically; open it:

$ sudo nano /etc/httpd/conf.d/mod_evasive.conf

Make sure it contains the LoadModule line (the path is relative to the ServerRoot, so it resolves to the correct modules directory on both 32-bit and 64-bit systems):

LoadModule evasive20_module modules/mod_evasive20.so

Below that line, add or uncomment the mod_evasive configuration, matching the one above (again, replace the placeholder address with your own):

<IfModule mod_evasive20.c>
    DOSHashTableSize 3097
    DOSPageCount 2
    DOSSiteCount 50
    DOSPageInterval 1
    DOSSiteInterval 1
    DOSBlockingPeriod 60
    DOSEmailNotify you@example.com
    #DOSSystemCommand    "su - someuser -c '/sbin/... %s ...'"
    DOSLogDir           "/var/log/mod_evasive"
</IfModule>

Save and close the file.


Step 3: Create a ModEvasive Log Directory

If DOSLogDir is not set, the module uses /tmp, which is shared with every local user and is therefore not where we want its lock and log files (see the DOSLogDir section below). Create a dedicated directory and give the Apache user, and only the Apache user, write access to it.

Create the directory

$ sudo mkdir /var/log/mod_evasive

Give the Apache user ownership of the directory and keep it private to that user. On Debian/Ubuntu the web server runs as www-data; on CentOS/Fedora it runs as apache, so substitute apache:apache there.

$ sudo chown -R www-data:www-data /var/log/mod_evasive
$ sudo chmod 750 /var/log/mod_evasive

Step 4: Restart Apache

Restart Apache web server for the above changes to take effect:

Debian / Ubuntu:

$ sudo systemctl restart apache2

CentOS / Fedora:

$ sudo systemctl restart httpd
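Once Apache is back up, it is worth confirming that the thresholds actually trip rather than trusting the configuration. The script below is an added example, not part of the original article or of the mod_evasive project (which ships its own test.pl for the same purpose). It fires a burst of requests at one URI with curl, tallies the HTTP status codes, and then lists the clients mod_evasive currently considers blocked by reading its log directory, where the module creates one file named dos-<ip> per blocked address. The target URL, request count and log directory path are assumptions you may need to change; with the sample configuration above (DOSPageCount 2, DOSPageInterval 1) only the first couple of responses should be 200 and the rest 403.

```shell
#!/bin/sh
# Added example (not from the original article): verify that mod_evasive
# blocks a client that hammers one URI, and list currently blocked clients.
# Assumes Apache is reachable at http://127.0.0.1/ and DOSLogDir is
# /var/log/mod_evasive; both are assumptions and can be overridden.

# probe URL COUNT: send COUNT sequential requests to URL as fast as the
# shell can loop, printing one HTTP status code per line ("000" means the
# connection itself failed, e.g. when curl could not reach the server).
probe() {
    target="$1"; n="$2"; i=0
    while [ "$i" -lt "$n" ]; do
        curl -s -o /dev/null -w '%{http_code}\n' --max-time 5 "$target"
        i=$((i + 1))
    done
}

# summarize: read status codes from stdin, print "<code> <count>" per code.
summarize() {
    sort | uniq -c | awk '{ print $2, $1 }'
}

# blocked_count: read status codes from stdin, print how many were 403.
# grep -c exits non-zero when the count is 0, so swallow that status.
blocked_count() {
    grep -c '^403$' || true
}

# list_blocked [DIR]: print the IP of every dos-<ip> marker file in the
# mod_evasive log directory; each one is a client that is currently blocked
# (the module removes the file when the blocking period expires).
list_blocked() {
    dir="${1:-/var/log/mod_evasive}"
    for f in "$dir"/dos-*; do
        [ -e "$f" ] || continue
        echo "${f##*/dos-}"
    done
}

main() {
    target="${1:-http://127.0.0.1/}"; n="${2:-100}"
    echo "sending $n requests to $target"
    codes=$(probe "$target" "$n")
    printf '%s\n' "$codes" | summarize
    echo "403 responses: $(printf '%s\n' "$codes" | blocked_count)"
    echo "clients currently blocked (from ${DOSLOGDIR:-/var/log/mod_evasive}):"
    list_blocked "${DOSLOGDIR:-/var/log/mod_evasive}"
}

# Only run the probe when a target is given on the command line, so the
# functions can be sourced and reused without hitting a server.
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as `sh check_evasive.sh http://127.0.0.1/ 100` from the server itself (or from a machine whose address you can afford to have blocked for DOSBlockingPeriod seconds). If every response is 200, the module is not loaded or the directives are still commented out; if the first response is already 403, your own address is still in the blocking list from an earlier run.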

mod_evasive Configuration Options Guide

DOSHashTableSize

The hash table size defines the number of top-level nodes in each child process's hash table, that is, the table in which the module tracks recent requests per client IP address. A larger table means fewer collisions and therefore fewer iterations to reach a client's record, so increase it on a busy web server. Take note that every Apache child allocates its own table, so raising this value increases memory usage accordingly.


DOSPageCount

This is the threshold for the number of requests a user can make for the same page (or URI) per page interval defined by the DOSPageInterval directive. Once the threshold for that interval has been exceeded, the IP address of the client will be added to the blocking list.

DOSSiteCount

This is the threshold for the total number of requests for any object by the same client on the same listener per website interval defined in DOSSiteInterval. Once the threshold for that interval has been exceeded, the IP address of the client will be added to the blocking list.

DOSPageInterval

The interval for the DOSPageCount threshold; defaults to 1-second intervals.

DOSSiteInterval

The interval for the DOSSiteCount threshold; defaults to 1-second intervals.

DOSBlockingPeriod

The blocking period is the amount of time in seconds that a client will be blocked for if they are added to the blocking list. During this time, all subsequent requests from the client will result in a 403 (Forbidden) error and the timer being reset. Since the timer is reset for every subsequent request, it is not necessary to have a long blocking period in the event of a DoS attack as the timer will keep getting reset.

DOSEmailNotify

If this value is set, an email will be sent to the address specified whenever an IP address becomes blacklisted. A locking mechanism using /tmp prevents continuous emails from being sent.


For this to work, make sure MAILER is set correctly in mod_evasive.c (or mod_evasive20.c). The default is "/bin/mail -t %s", where %s is replaced by the address set in DOSEmailNotify. MAILER is a compile-time constant, so if your system uses a different mailer you need to change it and rebuild the module; with a distribution package, simply make sure a /bin/mail that accepts -t (for example from bsd-mailx or mailutils) is installed.

DOSSystemCommand

If this value is set, the system command specified will be executed whenever an IP address becomes blacklisted. This is designed to enable system calls to ip filter or other tools. A locking mechanism using /tmp prevents continuous system calls. Use %s to denote the IP address of the blacklisted IP.
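The upstream sample wraps the command in `su - someuser -c ...`; a cleaner pattern on a modern system is to point DOSSystemCommand at a small script and allow the Apache user to run only that script through sudo. The script below is an added example, not part of the original article or of the mod_evasive project. The script path, the sudoers rule and the use of iptables/ip6tables INPUT rules are assumptions; adapt them to your firewall. The important design point is that, since mod_evasive runs the command through a shell with the client address substituted for %s, the script accepts exactly one argument and refuses anything that is not a bare IP literal before it invokes any root-only tooling, and it checks for an existing rule so that repeated triggers do not stack duplicates.

```shell
#!/bin/sh
# Added example (not from the original article): DOSSystemCommand helper
# that drops a blacklisted client at the packet filter.
#
# Assumed wiring, both of these are assumptions, not from the article:
#   evasive.conf:  DOSSystemCommand "sudo /usr/local/sbin/evasive-block %s"
#   /etc/sudoers.d/evasive:
#       www-data ALL=(root) NOPASSWD: /usr/local/sbin/evasive-block
# (use "apache" instead of "www-data" on CentOS/Fedora)

# is_ip ADDR: succeed only if ADDR is a plain IPv4 or IPv6 literal.
# The character whitelist alone already rules out shell metacharacters;
# the IPv4 branch additionally checks the dotted-quad shape.
is_ip() {
    case "$1" in
        ''|*[!0-9a-fA-F:.]*) return 1 ;;   # empty, or a character no IP literal contains
        *:*) return 0 ;;                   # IPv6 (including IPv4-mapped); charset already bounded
    esac
    case "$1" in
        *.*.*.*)
            oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
            [ $# -eq 4 ] || return 1
            for o in "$@"; do
                case "$o" in ''|*[!0-9]*) return 1 ;; esac   # empty or non-numeric octet
                [ "$o" -le 255 ] || return 1
            done
            return 0 ;;
    esac
    return 1
}

# block_ip ADDR: validate ADDR, then insert a DROP rule for it (once).
block_ip() {
    ip="$1"
    is_ip "$ip" || { echo "evasive-block: refusing '$ip'" >&2; return 2; }
    case "$ip" in
        *:*) tool=ip6tables ;;
        *)   tool=iptables ;;
    esac
    # -C reports whether the rule already exists; only insert it if not,
    # so mod_evasive firing repeatedly for one client adds one rule, not many.
    if ! "$tool" -C INPUT -s "$ip" -j DROP 2>/dev/null; then
        "$tool" -I INPUT -s "$ip" -j DROP || return 1
    fi
    logger -t evasive-block "dropped $ip"
}

# mod_evasive invokes the script with the client address as the sole argument.
if [ $# -eq 1 ]; then block_ip "$1"; fi
```

Two operational caveats: the rule is never removed by mod_evasive (its own blocking list expires after DOSBlockingPeriod, but the packet-filter rule stays until you flush it or pair this with a cron job or fail2ban-style expiry), and a DROP rule inserted for a shared NAT address or a reverse proxy in front of Apache will block every client behind it, so confirm that the address mod_evasive sees is the real client before enabling this on a production host.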

DOSLogDir

This is the directory where attacks are logged and where the module keeps its per-client lock files. Set it to a dedicated directory writable only by the user the Apache child processes run as (www-data on Debian/Ubuntu, apache on CentOS/Fedora): if it is unset, the module falls back to "/tmp" for the locking mechanism, and on a system with local shell users a world-writable directory lets any user pre-create or tamper with those lock files, which is why Step 3 creates /var/log/mod_evasive.

If everything is set up correctly you should have an Apache web server that is protected from DoS/DDoS attacks using mod_evasive. Check out how to secure your web site with mod_security with Apache.
