Introduction
DoS (Denial of Service) and DDoS (Distributed Denial of Service) attacks are malicious attempts to make a server or network resource unavailable to its intended users. Apache web servers are particularly vulnerable to these types of attacks, as they are often the target of malicious actors. Fortunately, Apache provides a module called mod_evasive which can be used to defend against DoS and DDoS attacks. Mod_evasive is an Apache module that provides real-time protection against DoS and DDoS attacks. It works by monitoring the number of requests from a single IP address and, if the number of requests exceeds a certain threshold, it will temporarily block the IP address from making further requests. This helps to protect the server from malicious actors who are attempting to overwhelm it with requests. In this article, we will discuss how to configure mod_evasive on an Apache web server and how to use it to defend against DoS and DDoS attacks.
Defend Against DoS & DDoS on Apache With mod_evasive
mod_evasive is an Apache module that can be used to defend against DoS and DDoS attacks on Apache web servers. It works by monitoring incoming requests and blocking requests from IP addresses that are making too many requests in a given period of time. It also provides logging of all blocked requests, allowing administrators to identify malicious IP addresses and take appropriate action. Additionally, mod_evasive can be configured to send an email alert when an attack is detected.
Introduction
The mod_evasive module is an Apache web services module that helps your server stay running in the event of an attack. A common type of cyber attack comes in the form of a Denial of Service (DoS), a Distributed Denial of Service (DDoS), or a brute-force attempt to overwhelm your security.
The nature of these attacks is to use several different computers to make repeated requests against your server. This causes the server to run out of processing power, memory, or network bandwidth and become unresponsive.
This guide will walk you through installing and configuring mod_evasive to protect against DoS and DDoS.
Prerequisites
- The LAMP (Linux, Apache, MySQL, PHP) stack installed and configured
- Access to a user account with sudo or root privileges
- A functioning mail server (for email alerts)
How Does Apache mod_evasive Work
The mod_evasive Apache utility works by monitoring incoming server requests. The tool also watches for suspicious activity from one IP, such as:
- Several requests for the same page in one second.
- More than 50 simultaneous requests per second.
- Requests made while the IP is temporarily blacklisted.
The module sends a 403 error if any of these things happen. By default, this also includes a 10-second waiting period on the blacklist. If the IP address making the request tries again in that 10-second window, the waiting time increases.
mod_evasive helps you defend against these kinds of attacks through network detection and management.
Steps to Installing mod_evasive Apache Utility
Step 1: Install Apache Web Server Utility
Before installing the utility, update the package repository with the command for your Linux distribution:
Debian / Ubuntu:
sudo apt update
RedHat / CentOS:
sudo yum update
Allow the system to refresh and update your software listings.
Then, install a helper utility:
Debian / Ubuntu:
sudo apt install apache2-utils
RedHat / CentOS:
sudo yum install httpd-devel
This utility is required for the installation of mod_evasive.
Step 2: Install mod_evasive
Debian / Ubuntu
To install the mod_evasive module on Debian / Ubuntu, enter the following:
sudo apt install libapache2-mod-evasive
When you get a prompt, select Ok and choose your configuration.
When unsure, select No configuration or Local only.
CentOS / RedHat
To install the mod_evasive module on RedHat / CentOS:
Add the EPEL repository:
sudo yum install epel-release
And then, enter:
sudo yum install mod_evasive
Allow the process to complete.
Step 3: Configure mod_evasive
Like most Linux software packages, mod_evasive is controlled by a configuration file. Make the following changes in the config file as the first step in preventing DDoS attacks:
1. Use a text editor of your choice with the following commands:
Debian / Ubuntu:
sudo nano /etc/apache2/mods-enabled/evasive.conf
RedHat / CentOS:
sudo nano /etc/httpd/conf.d/mod_evasive.conf
2. Find the following entry:
#DOSEmailNotify you@example.com
Remove the # sign, then replace you@example.com with your actual email address. Use an email that you check regularly – this is where the tool will send alerts.
3. Remove the comment tag from the following entries, so the configuration file looks as follows:
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
DOSEmailNotify you@example.com
DOSLogDir "/var/log/apache2/"
4. Save the file and exit. Reload the Apache service by entering the following:
Debian / Ubuntu:
sudo systemctl reload apache2
RedHat / CentOS:
sudo systemctl restart httpd.service
Test mod_evasive
Now, let’s verify the module is working correctly.
In this example, use the test.pl script to test mod_evasive.
The script is located at: /usr/share/doc/libapache2-mod-evasive/examples/test.pl.
Use the following command to run the script:
perl /usr/share/doc/libapache2-mod-evasive/examples/test.pl
Parameters and Settings
There are many mod_evasive parameters you can configure:
- DOSSystemCommand: First, you may have noticed that this option was left disabled as a comment. This command allows you to specify a system command to be run when an IP address is added to the blacklist. You can use this to launch a command to add an IP address to a firewall or IP filter.
- DOSHashTableSize: Increase this for busier web servers. This configuration allocates space for running the lookup operations. Increasing the size improves the speed at the cost of memory.
- DOSPageCount: The number of requests for an individual page that triggers blacklisting. This is set to 2, which is low (and aggressive) – increase this value to reduce false-positives.
- DOSSiteCount: The total number of requests for the same site by the same IP address. By default, this is set to 50. You can increase to 100 to reduce false-positives.
- DOSPageInterval: Number of seconds for DOSPageCount. By default, this is set to 1 second. That means that if you don’t change it, requesting 2 pages in 1 second will temporarily blacklist an IP address.
- DOSSiteInterval: Similar to DOSPageInterval, this option specifies the number of seconds that DOSSiteCount monitors. By default, this is set to 1 second. That means that if a single IP address requests 50 resources on the same website in a single second, it will be temporarily blacklisted.
- DOSBlockingPeriod: The amount of time an IP address stays on the blacklist. Set to 10 seconds by default, you can change this to any value you like. Increase this value to keep blocked IP addresses in time-out for a more extended period.
- DOSLogDir: By default, this is set to write logs to /var/log/mod_evasive. These logs can be reviewed later to evaluate client behavior.
You can create a new directory to save these logs. Make sure you change the owner to the user Apache runs as (apache on RedHat / CentOS, www-data on Debian / Ubuntu), then update the location in this entry:
sudo mkdir -p /var/log/apache/mod_evasive
sudo chown -R apache:apache /var/log/apache/mod_evasive
sudo nano /etc/apache2/mods-enabled/evasive.conf
DOSLogDir "/var/log/apache/mod_evasive"
Whitelisting IP addresses: This option isn’t included in the evasive.conf file by default.
Open the file again for editing, then add the following lines:
DOSWhitelist 192.168.0.13
DOSWhitelist 192.168.0.*
Substitute the IP address with the one you want to whitelist. Also, you should list only one entry per line. This is typically used with a trusted client that exchanges a lot of data with your website.
This tool is good at detecting bots and scripts. If there are bots or scripts that you want to allow, you can whitelist them to prevent these bots and scripts from triggering a blacklist action.
Make sure to save the file and exit. Then, reload your Apache service before testing any of these options.
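The thresholds from "How Does Apache mod_evasive Work" and the parameter list above can be replayed offline to see how a given setting treats a client before you change evasive.conf. The following Python model is an added example, not mod_evasive's own code: the class and function names, the sample addresses, and the rule that a request is refused when it reaches the configured count are assumptions.

```python
# Added example: a simplified model of the thresholds, not mod_evasive's code.
# Assumption: a request is refused when it reaches the configured count.
from collections import defaultdict, deque
from fnmatch import fnmatch

class EvasiveModel:
    def __init__(self, page_count=2, site_count=50, page_interval=1,
                 site_interval=1, blocking_period=10, whitelist=()):
        self.page = (page_count, page_interval)   # DOSPageCount/Interval
        self.site = (site_count, site_interval)   # DOSSiteCount/Interval
        self.blocking_period = blocking_period    # DOSBlockingPeriod
        self.whitelist = tuple(whitelist)         # DOSWhitelist patterns
        self.hits = defaultdict(deque)            # key -> recent hit times
        self.blocked_until = {}                   # ip -> time block ends

    def _reached(self, key, now, limit):
        """Record a hit for key; True once hits in the interval reach count."""
        count, interval = limit
        window = self.hits[key]
        window.append(now)
        while window and now - window[0] >= interval:  # drop expired hits
            window.popleft()
        return len(window) >= count

    def request(self, ip, uri, now):
        """Return the status (200 or 403) the model gives one request."""
        if any(fnmatch(ip, pattern) for pattern in self.whitelist):
            return 200
        if now < self.blocked_until.get(ip, 0):
            # Retrying while blacklisted restarts the blocking period.
            self.blocked_until[ip] = now + self.blocking_period
            return 403
        over_page = self._reached((ip, uri), now, self.page)
        over_site = self._reached((ip, None), now, self.site)
        if over_page or over_site:
            self.blocked_until[ip] = now + self.blocking_period
            return 403
        return 200

def replay(model, events):
    """events: constructed (time, ip, uri) tuples, ordered by time."""
    return [model.request(ip, uri, t) for t, ip, uri in events]

CLIENT = "203.0.113.7"                            # constructed sample address
RELOAD = [(0.0, CLIENT, "/"), (0.3, CLIENT, "/"), (11.0, CLIENT, "/")]
RETRY = RELOAD[:2] + [(5.0, CLIENT, "/"), (11.0, CLIENT, "/")]

if __name__ == "__main__":
    for model, events in ((EvasiveModel(), RELOAD), (EvasiveModel(), RETRY)):
        print(replay(model, events))
```

With the default DOSPageCount of 2, a quick reload of one page is refused, and the retry at 5 seconds keeps the client blocked past the point where the original 10-second period would have ended.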
Conclusion
Now you know how to install and configure mod_evasive on Apache.
Between its simplicity to configure and its effectiveness, it has become a favorite tool for protecting Apache and Linux systems. For more information and the manual, please refer to the developer’s GitHub documentation page.
Defend Against DoS & DDoS on Apache With mod_evasive
Distributed Denial of Service (DDoS) attacks are a major threat to the security of web servers. They can cause significant downtime and financial losses for businesses. Apache web servers are particularly vulnerable to these attacks, as they are the most widely used web server software. Fortunately, there are ways to protect Apache web servers from DDoS attacks. One of the most effective methods is to use the mod_evasive module.
What is mod_evasive?
mod_evasive is an Apache module that provides protection against DoS and DDoS attacks. It works by monitoring the number of requests from a single IP address and blocking any requests that exceed a certain threshold. This helps to prevent malicious actors from overwhelming the server with requests and causing it to crash.
How to Install mod_evasive
Installing mod_evasive is relatively straightforward. First, you need to download the module from the Apache website. Once you have the module, you need to install it on your server. This can be done by running the following command:
$ sudo apt-get install libapache2-mod-evasive
Once the module is installed, you need to configure it. This can be done by editing the Apache configuration file. You can find the configuration file in the following location:
/etc/apache2/mods-enabled/evasive.conf
In the configuration file, you can set the parameters for mod_evasive. This includes the threshold for requests from a single IP address, the time period for monitoring requests, and the action to take when the threshold is exceeded. Once you have configured the module, you need to restart Apache for the changes to take effect.
Conclusion
DDoS attacks can be devastating for businesses, but they can be prevented with the right measures. mod_evasive is an effective tool for protecting Apache web servers from DDoS attacks. It works by monitoring the number of requests from a single IP address and blocking any requests that exceed a certain threshold. Installing and configuring mod_evasive is relatively straightforward, and it can provide an extra layer of security for your web server.