Select Page

mod_evasive howto step by step

mod_evasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and etcetera. mod_evasive presently reports abuses via email and syslog facilities.

Detection is performed by creating an internal dynamic hash table of IP Addresses and URIs, and denying any single IP address from any of the following:

  • Requesting the same page more than a few times per second
  • Making more than 50 concurrent requests on the same child per second
  • Making any requests while temporarily blacklisted (on a blocking list)


This method has worked well in both single-server script attacks as well as distributed attacks, but just like other evasive tools, is only as useful to the point of bandwidth and processor consumption (e.g. the amount of bandwidth and processor required to receive/process/respond to invalid requests), which is why it’s a good idea to integrate this with your firewalls and routers for maximum protection.

This module instantiates for each listener individually, and therefore has a built-in cleanup mechanism and scaling capabilities. Because of this per-child design, legitimate requests are never compromised (even from proxies and NAT addresses) but only scripted attacks. Even a user repeatedly clicking on ‘reload’ should not be affected unless they do it maliciously. mod_evasive is fully tweakable through the Apache configuration file, easy to incorporate into your web server, and easy to use. from  http://www.zdziarski.com/projects/mod_evasive/

click read more for my HowTo

 
 Download the actual version of mod_evasive

#  wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz

Unpack it

#  tar xvzf mod_evasive_1.10.1.tar.gz /usr/local/src/mod_evasive

Move to that directory

#  cd  /usr/local/src/mod_evasive

And edit the file mod_evasive20.c, we will have to change the line 45 to

#define MAILER  "/bin/mail -t %s"

We compile the module:

Apache2Apache2-Prefork
#  /usr/sbin/apxs2 -cia mod_evasive20.c#  /usr/sbin/apxs2-prefork -cia mod_evasive20.c

Now we have to create a config file for mod_evasive:

# touch /etc/apache2/conf.d/mod_evasive.conf

and edit it

# vi /etc/apache2/conf.d/mod_evasive.conf

content of file

Apache2Apache2-Prefork
LoadModule evasive20_module     /usr/lib/apache2/mod_evasive20.so
<IfModule mod_evasive20.c>
  DOSHashTableSize 3097
  DOSPageCount 5
  DOSSiteCount 100
  DOSPageInterval 2
  DOSSiteInterval 2
  DOSBlockingPeriod 600
  DOSEmailNotify [email protected]
</IfModule>
LoadModule evasive20_module     /usr/lib/apache2-prefork/mod_evasive20.so
<IfModule mod_evasive20.c>
  DOSHashTableSize 3097
  DOSPageCount 5
  DOSSiteCount 100
  DOSPageInterval 2
  DOSSiteInterval 2
  DOSBlockingPeriod 600
  DOSEmailNotify [email protected]
</IfModule>

Restart Apache2 either  with:

# rcapache2 stop
# rcapache2 start

or

# /etc/init.d/apache2 restart

Mod_evasive also deliver a sall perl script to try a DOS attack on your own webserver

# cd /usr/src/mod_evasive
# perl test.pl

You should read http ok but after some seconds you will only get HTTP error 403 showing that mod_evasive is correctly running!

About The Author

I worked with various Insurances companies across Switzerland on online applications handling billion premium volumes. I love to continuously spark my creativity in many different and challenging open-source projects fueled by my great passion for innovation and blockchain technology.In my technical role as a senior software engineer and Blockchain consultant, I help to define and implement innovative solutions in the scope of both blockchain and traditional products, solutions, and services. I can support the full spectrum of software development activities, starting from analyzing ideas and business cases and up to the production deployment of the solutions.I'm the Founder and CEO of Disruptr GmbH.

Categories