mod_evasive is an evasive manoeuvres module for Apache 2 that takes evasive action in the event of an HTTP DoS or DDoS attack or a brute force attack. It works by limiting how many requests a client may make for an object within a time frame.
Whilst it is not effective against high-traffic DoS/DDoS attacks (where the attack saturates the bandwidth you have), it can help prevent the casual DoS/DDoS attack where an attacker requests many copies of the same page.
Detection is performed by creating an internal dynamic hash table of IP addresses and URIs, and denying any single IP address that does any of the following:
- Requesting the same page more than a few times per second
- Making more than 50 concurrent requests on the same child per second
- Making any requests while temporarily blacklisted (on a blocking list)
Installing on CentOS/Fedora is easy once the EPEL repository is enabled:
yum install mod_evasive
This creates /etc/httpd/conf.d/mod_evasive.conf, which loads the module and sets its defaults. Tweak it and restart Apache.
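Here is what a complete mod_evasive.conf looks like, as an added example rather than the file shipped by the EPEL package or anything from the original post. The numbers are the module's documented defaults; the e-mail address, the script path behind DOSSystemCommand and the whitelist entries are placeholders to replace with your own.

```apache
# /etc/httpd/conf.d/mod_evasive.conf (added example; values are the
# mod_evasive defaults, addresses and paths are placeholders)
LoadModule evasive20_module modules/mod_evasive20.so

<IfModule mod_evasive20.c>
    # Size of the per-child hash table of (address, URI) counters.
    DOSHashTableSize    3097

    # Same address, same URI: more than DOSPageCount requests within
    # DOSPageInterval seconds gets the address blocked.
    DOSPageCount        2
    DOSPageInterval     1

    # Same address, any URI on this child: more than DOSSiteCount requests
    # within DOSSiteInterval seconds gets the address blocked.
    DOSSiteCount        50
    DOSSiteInterval     1

    # Seconds a blocked address keeps being refused. Every request it makes
    # while blocked restarts this timer.
    DOSBlockingPeriod   10

    # Directory for the dos-<address> marker files (default /tmp). The
    # e-mail and DOSSystemCommand fire only when no marker exists for the
    # address, so whatever unbans the address must also remove its marker
    # or it is reported and blocked by the firewall only once.
    DOSLogDir           "/tmp"

    # Placeholder address; mail goes out through /bin/mail.
    DOSEmailNotify      admin@example.com

    # Exactly one %s: the module substitutes the client address once.
    # /usr/local/sbin/evasive-ban is a hypothetical wrapper script name.
    DOSSystemCommand    "sudo /usr/local/sbin/evasive-ban %s"

    # Never block these. One address per directive; wildcards are allowed
    # in the trailing octets.
    DOSWhitelist        127.0.0.1
    DOSWhitelist        192.168.0.*
</IfModule>
```

After editing, run apachectl configtest before restarting so a typo in a directive does not take the server down with it.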
Installing from source with APXS isn't much more difficult:
tar xzf mod_evasive_1.10.1.tar.gz
cd mod_evasive
apxs -cia mod_evasive20.c
apxs -cia compiles the module, installs it into the Apache modules directory and adds the LoadModule line to httpd.conf (that is what -c, -i and -a do); the DOS* directives you still have to add yourself.
I found that all the options were pretty much perfect for my requirements. I tested by rapidly refreshing the page and I got a 503 Error. Easy!
I changed the following:
DOSEmailNotify – so I get an email when an attack happens. The notification is sent through /bin/mail, so make sure it is installed:
yum install mailx
DOSSystemCommand – This is the most interesting option: what to actually do when an attack takes place, apart from emailing me. We want to block the offending IP address for a period of time.
My DOSSystemCommand looks like this:
DOSSystemCommand "sudo /sbin/iptables -A INPUT -s %s -j DROP && sudo /sbin/iptables -D INPUT -s %s -j DROP | at now + 2 hours"
The intent is an iptables rule that blocks the offending IP and is deleted two hours later. As written it does not do that, for two reasons. First, the shell binds the pipe more tightly than &&, so the -D command runs immediately (removing the rule just added) and only its empty output is piped into at; a delayed job needs the command text itself on at's stdin, e.g. echo "/sbin/iptables -D INPUT -s 192.0.2.10 -j DROP" | at now + 2 hours. Second, mod_evasive fills the directive in with a single snprintf argument, so only the first %s is replaced with the address. Keep the directive to one %s and hand the address to a small root-owned script that adds the rule and queues its own removal:
DOSSystemCommand "sudo /usr/local/sbin/evasive-ban %s"
(the script name and path are my own choice). You may want to ban the offender for longer, or even permanently.
For this to work, the apache user needs to run that script as root, which is done via sudo. Grant it the script only, not iptables itself, otherwise anything that runs as apache can rewrite the whole firewall, and make sure the script is owned by root and not writable by apache, or the sudo rule becomes a root shell.
yum install sudo
Edit /etc/sudoers with visudo and add the following lines. The first is needed on CentOS, where the stock sudoers has "Defaults requiretty" and sudo refuses to run from a process without a terminal, which is exactly what an httpd child is.
Defaults:apache !requiretty
apache ALL=(root) NOPASSWD: /usr/local/sbin/evasive-ban
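The wrapper script referred to by that sudo rule, as an added example and not code from mod_evasive or the original post. It assumes a hypothetical path of /usr/local/sbin/evasive-ban, iptables at /sbin/iptables, at(1) installed with atd running (yum install at; service atd start), and a DOSLogDir of /tmp (the module's default). It validates the address it is handed before that address reaches any command line, inserts the DROP rule, and queues both the rule's deletion and the removal of mod_evasive's dos-<address> marker file, without which the module would never run the script again for the same address.

```shell
#!/bin/sh
# /usr/local/sbin/evasive-ban (hypothetical path): the script behind
#   DOSSystemCommand "sudo /usr/local/sbin/evasive-ban %s"
# Added example, not code from mod_evasive or the original post.
# mod_evasive substitutes the client address into DOSSystemCommand with a
# single snprintf argument, so the directive gets exactly one %s and the
# timed unban lives here instead.
set -eu

# Overridable so the script can be dry-run (IPTABLES=echo) or exercised
# with stand-in commands; the defaults assume a stock CentOS layout.
IPTABLES="${IPTABLES:-/sbin/iptables}"
AT="${AT:-at}"
BAN_TIME="${BAN_TIME:-2 hours}"
DOS_LOG_DIR="${DOS_LOG_DIR:-/tmp}"   # must match DOSLogDir in httpd.conf

# Accept only a dotted-quad IPv4 address. The argument comes from the
# client connection, but refusing anything else keeps a malformed value
# from ever reaching the iptables or at command lines.
valid_ip() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    octets=0
    saved_ifs=$IFS
    IFS=.
    for octet in $1; do
        octets=$((octets + 1))
        if [ "${#octet}" -gt 3 ] || [ "$octet" -gt 255 ]; then
            IFS=$saved_ifs
            return 1
        fi
    done
    IFS=$saved_ifs
    [ "$octets" -eq 4 ]
}

# Drop traffic from the address now and queue, for BAN_TIME later, the
# matching delete plus removal of mod_evasive's dos-<address> marker file.
# Without the marker cleanup the module would never run this script again
# for the same address.
ban_ip() {
    addr=$1
    if ! valid_ip "$addr"; then
        echo "evasive-ban: refusing bad address '$addr'" >&2
        return 1
    fi
    # -I puts the DROP ahead of any earlier ACCEPT rule in INPUT.
    "$IPTABLES" -I INPUT -s "$addr" -j DROP
    # at(1) reads the job from stdin and runs it as the submitting user,
    # which is root when this script is invoked through sudo.
    {
        printf '%s -D INPUT -s %s -j DROP\n' "$IPTABLES" "$addr"
        printf 'rm -f %s/dos-%s\n' "$DOS_LOG_DIR" "$addr"
    } | "$AT" now + $BAN_TIME
}

if [ $# -ge 1 ]; then
    ban_ip "$1"
fi
```

Install it as root with mode 0755 (root-owned, not group or world writable) so the sudo rule cannot be turned into a root shell by editing the file. Running IPTABLES=echo AT=cat sh evasive-ban 192.0.2.10 as an unprivileged user shows the commands it would issue without touching the firewall.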
DOSWhitelist – I added my subnet to the whitelist so I don't block myself accidentally. It takes one address per directive and allows wildcards in the trailing octets (for example DOSWhitelist 192.168.0.*), so repeat it for every address or range you need.