Prevent DoS/DDoS attacks with Apache and mod_evasive

mod_evasive is an evasive manoeuvres module for Apache 2 that takes evasive action in the event of an HTTP DoS, DDoS or brute-force attack. It works by limiting how many requests for an object are allowed within a time frame.
Whilst it is not effective against high-traffic DoS/DDoS attacks (where the attack saturates your available bandwidth), it can help prevent casual DoS/DDoS attacks where an attacker may request many copies of the same page.

Detection is performed by creating an internal dynamic hash table of IP Addresses and URIs, and denying any single IP address from any of the following:

  • Requesting the same page more than a few times per second
  • Making more than 50 concurrent requests on the same child per second
  • Making any requests while temporarily blacklisted (on a blocking list)

Installing on CentOS/Fedora is easy (install the EPEL repository first):

```bash
yum install mod_evasive
```

This creates /etc/httpd/conf.d/mod_evasive.conf. Tweak it and restart Apache.

Installing from source with APXS isn't much more difficult:

```bash
wget http://www.zdziarski.com/blog/wp-content/uploads/2010/02/mod_evasive_1.10.1.tar.gz
tar xzf mod_evasive_1.10.1.tar.gz
cd mod_evasive
apxs -cia mod_evasive20.c
```

I found that all the options were pretty much perfect for my requirements. I tested by rapidly refreshing the page and I got a 503 error. Easy!

I changed the following:

DOSEmailNotify – so I get an email when an attack happens.
Make sure /bin/mail is installed:

```bash
yum install mailx
```

DOSSystemCommand – this is the most interesting option: what to actually do when an attack takes place, apart from emailing me. We want to block the offending IP address for a period of time.
My DOSSystemCommand looks like this:

```apache
# The unblock command is echoed into at so that it runs two hours later rather than immediately.
DOSSystemCommand "sudo /sbin/iptables -A INPUT -s %s -j DROP && echo 'sudo /sbin/iptables -D INPUT -s %s -j DROP' | at now + 2 hours"
```

This runs an iptables command to block the offending IP and queues a second one with at that deletes the rule two hours later (the atd service must be running). You may want to ban the offender for longer, or even permanently.
For this to work, the apache user needs permission to run the iptables command, which is granted via sudo.

```bash
yum install sudo
```

Edit /etc/sudoers (with visudo) and add the following line. If the file contains `Defaults requiretty`, also add `Defaults:apache !requiretty`, because Apache runs the command without a terminal.

```bash
apache ALL=(ALL) NOPASSWD: /sbin/iptables
```
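
A tighter way to wire this up is to point sudo at a small wrapper script instead of at iptables itself, so the web server can only block and unblock a single address and the %s value is validated before it reaches the shell. The script below is an added example, not part of the original post; its path /usr/local/sbin/evasive-block.sh, the log file and the environment variable names are assumptions.

```bash
#!/bin/sh
# evasive-block.sh (hypothetical path: /usr/local/sbin/evasive-block.sh)
# Wrapper for mod_evasive's DOSSystemCommand that validates the address
# before it reaches iptables, blocks it, and queues the unblock with at:
#   DOSSystemCommand "sudo /usr/local/sbin/evasive-block.sh %s"
#   apache ALL=(root) NOPASSWD: /usr/local/sbin/evasive-block.sh

BAN_HOURS="${BAN_HOURS:-2}"            # how long the drop rule stays in place
IPTABLES="${IPTABLES:-/sbin/iptables}"
CHAIN="${CHAIN:-INPUT}"
LOG="${LOG:-/var/log/evasive-block.log}"   # assumed log location

# Return 0 only for a syntactically valid dotted-quad IPv4 address.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# The command that removes the rule again; printed so it can be piped into at.
unblock_cmd() {
    echo "$IPTABLES -D $CHAIN -s $1 -j DROP"
}

# Block one address. Exit status: 0 blocked, 1 iptables/at failed, 2 refused.
block_ip() {
    ip=$1
    if ! valid_ipv4 "$ip"; then
        echo "refusing to block malformed address '$ip'" >&2; return 2
    fi
    case "$ip" in
        127.*) echo "refusing to block loopback $ip" >&2; return 2 ;;
    esac
    # -I puts the rule at the top of the chain so an earlier ACCEPT cannot override it.
    "$IPTABLES" -I "$CHAIN" -s "$ip" -j DROP || return 1
    # Schedule the removal; atd must be running and root must not be in /etc/at.deny.
    unblock_cmd "$ip" | at now + "$BAN_HOURS" hours || return 1
    echo "$(date '+%F %T') blocked $ip for ${BAN_HOURS}h" >> "$LOG"
}

# mod_evasive substitutes %s with the offending address and runs the command.
if [ $# -eq 1 ]; then
    block_ip "$1"
fi
```

Because the sudo rule now names only the script, a compromised web server process cannot use it to flush or rewrite the firewall, which the blanket rule on /sbin/iptables would allow.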

DOSWhitelist – I added my subnet to the whitelist so I don't block myself accidentally.

Author: Kieran Barnes

Kieran is a PHP developer with 15 years commercial experience. Specialist in WordPress, CakePHP, CubeCart and all things PHP.
