Mod_evasive is a module for Apache that automatically takes action when an HTTP DoS attack or brute force attack is detected. Mod_evasive is able to log and report abuse and notify problems via email. Before following this guide, you should already have a LAMP server in place that's functioning correctly.
This guide was written for CentOS and its variations (such as RHEL) and Debian and its variations (such as Ubuntu).
The module creates a table of IP addresses and URLs. If conditions set in the configuration (as described later on in this doc) are met, abusing users will get a 403 (forbidden) error. Also, the IP address is logged, and if the option is set, an email will be sent to the specified email address.
The httpd-devel package contains required files that you need to build Dynamic Shared Objects for Apache. We need this package to install the module, as we will compile it ourselves in the following steps.
On CentOS/RHEL, execute:
yum install httpd-devel
On Debian/Ubuntu, execute:
apt-get install apache2-utils
After this package is successfully installed, proceed to the next step. If the installation is not properly finished, the next step will (most likely) fail.
Download the module:
cd /usr/src wget http://www.zdziarski.com/blog/wp-content/uploads/2010/02/mod_evasive_1.10.1.tar.gz
Extract the module:
tar xzf mod_evasive*.tar.gz
Navigate to the directory:
Next, we'll be using
apxs2, a tool created for building and installing modules that extend the functionality of Apache.
Apxs2 builds a Dynamic Shared Object, which is why we installed
httpd-devel in step #1.
apxs2 -cia mod_evasive20.c
When you have the
epel-release repository installed,
mod_evasive is available through
Add the repository:
yum install epel-release
Install the module using
yum install mod_evasive
Generally, Apache loads all modules from
mods-enabled, so whenever a module is added to that folder, it does not need to be added to the Apache configuration manually. Open your configuration file to check if this is the case.
On CentOS, the relevant file is:
On Ubuntu, the relevant file is:
Include. A line such as
Include mods-enabled/*.conf tells Apache to load all modules. If it is not there, add that line to the top of the file and restart Apache.
For Ubuntu, add the following contents to the bottom of the file:
LoadModule evasive20_module /usr/lib/httpd/modules/mod_evasive20.so
Add the following block to the configuration file. The paths are the same as those in step #3.
<IfModule mod_evasive20.c> DOSHashTableSize 3097 DOSPageCount 2 DOSSiteCount 50 DOSPageInterval 1 DOSSiteInterval 1 DOSBlockingPeriod 60 DOSEmailNotify <firstname.lastname@example.org> </IfModule>
A quick overview of these parameters can be found in the
README. You can read the README file as follows:
cat /usr/src/cd mod_evasive/README
You will most likely need to tweak these settings from time to time, to make sure they're just right for your server and websites. After all, some servers have more activity and traffic than others.
Restart the Apache web server for the changes to take effect and the module to be loaded:
service httpd restart
Make sure the module is loaded into Apache:
httpd -M | grep evasive
This should return
evasive20_module (shared). If not, the module was not correctly loaded and we recommend to recheck the configuration files and if they were saved correctly.
Note that this module is not a replacement for DDoS protection as it cannot function when the server capacity is used up. In fact, Vultr offers DDoS Protection which is very useful for better protection of the server (as well as using this module). For simpler threats, especially script-based attacks, the module does its job and is definitely useful.
You have now installed the
mod_evasive module in Apache, and thus made your web app safer.