Mod_evasive is a module for Apache that automatically takes action when an HTTP DoS attack or brute force attack is detected. Mod_evasive can log and report abuse and send notifications of problems via email. Before following this guide, you should already have a LAMP server in place that's functioning correctly.
This guide was written for CentOS and its variations (such as RHEL) and Debian and its variations (such as Ubuntu).
The module creates a table of IP addresses and URLs. If conditions set in the configuration (as described later on in this doc) are met, abusing users will get a 403 (forbidden) error. Also, the IP address is logged, and if the option is set, an email will be sent to the specified email address.
Step 1: Installing httpd-devel
The httpd-devel package contains required files that you need to build Dynamic Shared Objects for Apache. We need this package to install the module, as we will compile it ourselves in the following steps.
On CentOS/RHEL, execute:
yum install httpd-devel
On Debian/Ubuntu, execute:
apt-get install apache2-utils
After this package is successfully installed, proceed to the next step. If the installation is not properly finished, the next step will (most likely) fail.
Step 2: Downloading and Installing mod_evasive
Method 1: Compiling
Download the module:
cd /usr/src
wget http://www.zdziarski.com/blog/wp-content/uploads/2010/02/mod_evasive_1.10.1.tar.gz
Extract the module:
tar xzf mod_evasive*.tar.gz
Navigate to the directory:
cd mod_evasive
Next, we'll be using apxs2, a tool created for building and installing modules that extend the functionality of Apache. Apxs2 builds a Dynamic Shared Object, which is why we installed httpd-devel in step #1.
Execute:
apxs2 -cia mod_evasive20.c
Method 2: Installation Using yum (Recommended)
When you have the epel-release repository installed, mod_evasive is available through yum.
Add the repository:
yum install epel-release
Install the module using yum:
yum install mod_evasive
Step 3: Adding the Module to Apache
Generally, Apache loads all modules from mods-enabled, so whenever a module is added to that folder, it does not need to be added to the Apache configuration manually. Open your configuration file to check if this is the case.
On CentOS, the relevant file is: /etc/httpd/conf/httpd.conf
On Ubuntu, the relevant file is: /etc/apache2/apache2.conf
Search for Include. A line such as Include mods-enabled/*.conf tells Apache to load all modules. If it is not there, add that line to the top of the file and restart Apache.
For Ubuntu, add the following contents to the bottom of the file:
LoadModule evasive20_module /usr/lib/httpd/modules/mod_evasive20.so
Step 4: Configuring and Altering Settings
Add the following block to the configuration file. The paths are the same as those in step #3.
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 60
DOSEmailNotify william@williamdavidedwards.com
</IfModule>
A quick overview of these parameters can be found in the README. You can read the README file as follows:
cat /usr/src/mod_evasive/README
You will most likely need to tweak these settings from time to time, to make sure they're just right for your server and websites. After all, some servers have more activity and traffic than others.
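To see how a set of thresholds would treat existing traffic before tuning them, the following added example (not part of the original guide or of mod_evasive itself) replays access-log lines through a simplified model of the thresholds as the README describes them. The function names are hypothetical, the log lines are constructed, and counts right at a threshold may differ from the real module.

```python
import re
from datetime import datetime

# Thresholds copied from the <IfModule> block in Step 4.
CFG = {"DOSPageCount": 2, "DOSPageInterval": 1, "DOSSiteCount": 50,
       "DOSSiteInterval": 1, "DOSBlockingPeriod": 60}
# Apache common/combined log format: client IP, [timestamp], "METHOD URI ..."
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)')

def parse(line):
    m = LOG_RE.match(line)
    if m is None:
        return None  # skip lines that are not access-log entries
    when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return m.group(1), int(when.timestamp()), m.group(3)

def replay(lines, cfg=CFG):
    """Return {ip: requests that would get a 403} under this simplified model."""
    windows = {}        # (ip, uri), or (ip, None) for site-wide -> [start, count]
    blocked_until = {}  # ip -> epoch second at which the block expires
    denied = {}
    for ip, t, uri in filter(None, map(parse, lines)):
        over = blocked_until.get(ip, 0) > t  # already blocked: timer restarts below
        if not over:
            for key, limit, span in (
                ((ip, uri), cfg["DOSPageCount"], cfg["DOSPageInterval"]),
                ((ip, None), cfg["DOSSiteCount"], cfg["DOSSiteInterval"]),
            ):
                win = windows.setdefault(key, [t, 0])
                if t - win[0] >= span:  # interval elapsed, start a new window
                    win[0], win[1] = t, 0
                win[1] += 1
                over = over or win[1] > limit
        if over:
            blocked_until[ip] = t + cfg["DOSBlockingPeriod"]
            denied[ip] = denied.get(ip, 0) + 1
    return denied

# Constructed sample log (documentation address ranges), not real traffic.
STAMP = '{} - - [10/Oct/2023:{} +0000] "GET {} HTTP/1.1" 200 512'
SAMPLE = [STAMP.format("203.0.113.7", "12:00:00", "/login.php")] * 5 + [
    STAMP.format("198.51.100.4", "12:00:00", "/index.html"),
    STAMP.format("198.51.100.4", "12:00:00", "/style.css"),
    STAMP.format("198.51.100.4", "12:00:02", "/index.html"),
    STAMP.format("203.0.113.7", "12:00:30", "/login.php"),  # still blocked
    STAMP.format("203.0.113.7", "12:01:45", "/login.php"),  # block expired
]

if __name__ == "__main__":
    print(replay(SAMPLE))
```

Feeding it a slice of your real access log with different values in CFG shows which clients a stricter or looser setting would have blocked.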
Step 5: Restarting the Web Server
Restart the Apache web server for the changes to take effect and the module to be loaded:
service httpd restart
Make sure the module is loaded into Apache:
httpd -M | grep evasive
This should return evasive20_module (shared). If not, the module was not loaded correctly; recheck the configuration files and make sure they were saved correctly.
Note that this module is not a replacement for DDoS protection as it cannot function when the server capacity is used up. In fact, Rcs offers DDoS Protection which is very useful for better protection of the server (as well as using this module). For simpler threats, especially script-based attacks, the module does its job and is definitely useful.
You have now installed the mod_evasive module in Apache, and thus made your web app safer.