Mod_evasive on Apache: Install & Configure to Defend DDoS Attacks

Introduction

The mod_evasive module is an Apache web services module that helps your server stay up and running in the event of an attack. A common type of cyberattack comes in the form of denial of service (DoS), distributed denial of service (DDoS), or brute force that attempts to overwhelm your security.

The nature of these attacks is to use several different computers to make repeated requests against your server. This causes the server to run out of processing power, memory, network bandwidth and stop responding.

This guide will walk you through setting up and installing mod_evasive to protect against DoS and DDoS.

prerequisites

  • The LAMP stack (Linux, Apache, MySQL, PHP) installed and configured
  • Access to a user account with sudo or root privileges
  • A working mail server (for email alerts)

How

Apache works mod_evasive

The Apache utility mod_evasive works by monitoring incoming requests from the server. The tool also keeps an eye out for suspicious IP activity, such as:

  • Multiple requests for the same page in one
  • second.

  • More than 50 simultaneous requests per second
  • .

  • Requests made while the IP is temporarily blacklisted

.

The module sends a 403 error if any of these things happen. By default, this also includes a 10-second blacklisted waiting period. If the requesting IP address tries again in that 10-second window, the timeout increases.

mod_evasive helps you defend against these types of attacks through network discovery and management.

Steps to install

mod_evasive

Apache Utility

Step 1: Install the Apache Web Server Utility

Before installing the utility, update the

package repository with the command for your Linux distribution

:

Debian / Ubuntu

: sudo apt update

RedHat / CentOS:

sudo yum update

Allow the system to update and update its software listings.

Next, install a helper

utility: Debian / Ubuntu: sudo apt install apache2-utils

RedHat / CentOS

: sudo yum install httpd-devel

The final section of the output looks like this

:

This utility is required for mod_evasive installation.

Step 2: Install

mod_evasive Debian / Ubuntu

To install the mod_evasive module on Debian / Ubuntu, enter the following:

sudo apt install libapache2-mod-evasive

When you

receive a message, select OK and choose your settings. When

you’re not sure, select No settings or Local only.

CentOS / RedHat To install the

mod_evasive module on RedHat / CentOS:

Add the EPEL repository

: sudo yum install epel-release

And then, enter

: sudo yum install mod_evasive

Allow the process to complete

.

Step 3: Configure

mod_evasive Like most Linux software packages, a configuration file mod_evasive

controlled. Make the following changes to the configuration file as a first step to prevent DDoS attacks:

1. Use a text editor of your choice with the following commands

:

Debian / Ubuntu

: sudo nano /etc/apache2/mods-enabled/evasive.conf

RedHat / CentOS:

sudo nano /etc/httpd/conf.d/mod_evasive.conf

2. Look for the following entry:

#DOSEmailNotify you@yourdomain.com

Delete the # sign, and then replace you@yourdomain.com with your actual email address. Use an email that you check regularly – this is where the tool will send alerts.

3. Remove the comment tag from the following entries, so that the log file looks like this:

DOSHashTableSize 3097 DOSPageCount 2 DOSSiteCount 50 DOSPageInterval 1 DOSSiteInterval 1 DOSBlockingPeriod 10 DOSEmailNotify mail@yourdomain.com DOSLogDir “/var/log/apache2/”

4. Save the file and exit. Reload the Apache service by entering the following

:

Debian / Ubuntu

: sudo systemctl reload apache2

RedHat / CentOS:

sudo systemctl restart httpd.service

Test

mod_evasive

Now, let’s verify that the module is working properly

.

In this example, use the test.pl script to test mod_evasive.

The script is located at: /usr/share/doc/libapache2-mod-evasive/examples/ test.pl

.

Use the following command to run the script

: perl /usr/share/doc/libapache2-mod-evasive/examples/test.pl

The result should return this message

:

Parameters and configuration

There are many mod_evasive parameters you can configure

:

  • DOSSystemCommand: First, you may have noticed that this option was left disabled as a comment. This command allows you to specify a system command to run when an IP address is added to the blacklist. You can use this to launch a command to add an IP address to a firewall or IP filter.
  • DOSHashTableSize: Increase this for busier web hosts. This setting allocates space to run search operations. Increasing the size improves speed at the expense of memory.
  • DOSPageCount: The number of requests for an individual page that triggers the blacklist. This is set to 2, which is low (and aggressive): increase this value to reduce false positives.
  • DOSSiteCount: The total number of requests for the same site by the same IP address. By default, it is set to 50. You can increase to 100 to reduce false positives.
  • DOSPageInterval: Number of seconds for DOSPageCount. By default, this is set to 1 second. That means if you don’t change it, requesting 2 pages in 1 second will temporarily blacklist an IP address.
  • DOSSiteInterval: Similar to DOSPageInterval, this option specifies the number of seconds that DOSSiteCount monitors. By default, this is set to 1 second. That means if a single IP address requests 50 resources on the same website in a single second, it will be temporarily blacklisted.
  • DOSBlockingPeriod: The amount of time an IP address remains blacklisted. Set to 10 seconds by default, you can change this to any value you want. Increase this value to keep blocked IP addresses timed out for a longer period.
  • DOSLogDir: By default, it is set to write logs to /var/log/mod_evasive. These logs can be reviewed later to assess customer behavior.

You can create a new directory to save these apache access logs – make sure to change the owner to Apache, then update the location in this entry

: sudo mkdir /var/log/apache/mod_evasive sudo chown -R apache:apache /var/log/apache/mod_evasive sudo nano /etc/apache2/mods-enabled/evasive.conf DOSLogDir “/var/log/apache/mod_evasive”

IP address whitelist: This option is not included in the evasive.conf file by default.

Open the file again for editing, and then add the following line:

DOSWhitelist 192.168.0.13 DOSWhitelist 192.168.0.*

Replace the IP address with the one you want to whitelist. Also, you should list only one entry per line. This is usually used with a trusted client that exchanges a lot of data with your website.

This tool is good at detecting bots and scripts. If there are bots or scripts that you want to allow, you can whitelist them to prevent these bots and scripts from triggering a blacklist action.

Be sure to save the file and exit. Then, reload the Apache service before trying any of these options.

Conclusion

Now you know how to install and configure mod_evasive in Apache

.

Between its simplicity of configuration and its effectiveness, it has become a favorite tool for protecting Apache and Linux systems. For more information and the manual, see the developer’s GitHub documentation page.

Contact US