Configure mod_evasive to protect Apache against DDOS attacks - CentLinux

Latest

Tuesday, 12 April 2016

Configure mod_evasive to protect Apache against DDOS attacks

Configure mod_evasive to protect Apache against DDOS attacksThe mod_evasive is a module for Apache HTTP server, that protects Apache HTTP server against DoS (Denial of Service), DDoS (Distributed Denial of Service), and Brute Force attacks. It can take evasive actions during attacks and report abuses via email and syslog facilities.

The module works by maintaining an internal dynamic table of IP addresses and URIs as well as denying any single IP address for any of the following conditions:

  • Requesting the same page more than n times per second
  • Making more than n concurrent requests on the same child per second
  • Making any requests while temporarily blacklisted

If any of the above conditions are met, a 403 response is sent and the log has been generated for the IP address. Optionally, an email notification can be sent to the server owner or a system command can be run to block the IP address.

In this article, we will show you how to install and configure mod_evasive for Apache HTTP Server to defend DoS,DDoS and Brute Force attacks.

 

This Article Provides:

     

    System Specification:

    we have configured a Linux machine with following specification.

    Operating System: CentOS 7.0
    Web Server: Apache 2.4.6

     

    Configure mod_evasive:

    Check if mod_evasive is already installed.

    [root@appserver ~]# httpd -M | grep evasive
    Syntax OK

    It shows that the mod_evasive is not installed on this machine.

    mod_evasive is available on EPEL (Extra Packages for Enterprise Linux) Repository, therefore we should first add EPEL repository to yum.

    [root@appserver ~]# wget http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
    --2016-04-12 19:28:57--  http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
    Connecting to 127.0.0.1:3128... connected.
    Proxy request sent, awaiting response... 302 Found
    Location: http://mirrors.nayatel.com/epel/6/x86_64/epel-release-6-8.noarch.rpm [following]
    --2016-04-12 19:28:58--  http://mirrors.nayatel.com/epel/6/x86_64/epel-release-6-8.noarch.rpm
    Connecting to 127.0.0.1:3128... connected.
    Proxy request sent, awaiting response... 200 OK
    Length: 14540 (14K) [application/octet-stream]
    Saving to: “epel-release-6-8.noarch.rpm”

    100%[===================================================================================================================>] 14,540      --.-K/s   in 0s

    2016-04-12 19:28:58 (221 MB/s) - “epel-release-6-8.noarch.rpm” saved [14540/14540]

    [root@appserver ~]# rpm -ivh epel-release-6-8.noarch.rpm
    warning: epel-release-6-8.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID 0608b895: NOKEY
    Preparing...                ########################################### [100%]
       1:epel-release           ########################################### [100%]
    [root@appserver ~]#

    Install mod_evasive using yum.

    [root@appserver ~]# yum install mod_evasive
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
    * base: centos-hcm.viettelidc.com.vn
    * epel: epel.mirror.net.in
    * epel-testing: epel.mirror.net.in
    * epel-testing-debuginfo: epel.mirror.net.in
    * epel-testing-source: epel.mirror.net.in
    * extras: centos.excellmedia.net
    * updates: centos.excellmedia.net
    Setting up Install Process
    Resolving Dependencies
    --> Running transaction check
    ---> Package mod_evasive.x86_64 0:1.10.1-10.el6 will be installed
    --> Finished Dependency Resolution

    Dependencies Resolved

    =============================================================================================================================================================
    Package                                 Arch                               Version                                   Repository                        Size
    =============================================================================================================================================================
    Installing:
    mod_evasive                             x86_64                             1.10.1-10.el6                             epel                              24 k

    Transaction Summary
    =============================================================================================================================================================
    Install       1 Package(s)

    Total download size: 24 k
    Installed size: 52 k
    Is this ok [y/N]: y
    Downloading Packages:
    mod_evasive-1.10.1-10.el6.x86_64.rpm                                                                                                  |  24 kB     00:00
    warning: rpmts_HdrFromFdno: Header V3 RSA/SHA256 Signature, key ID 0608b895: NOKEY
    Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
    Importing GPG key 0x0608B895:
    Userid : EPEL (6) <epel@fedoraproject.org>
    Package: epel-release-6-8.noarch (installed)
    From   : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
    Is this ok [y/N]: y
    Running rpm_check_debug
    Running Transaction Test
    Transaction Test Succeeded
    Running Transaction
    Warning: RPMDB altered outside of yum.
      Installing : mod_evasive-1.10.1-10.el6.x86_64                                                                                                          1/1
      Verifying  : mod_evasive-1.10.1-10.el6.x86_64                                                                                                          1/1

    Installed:
      mod_evasive.x86_64 0:1.10.1-10.el6

    Complete!
    [root@appserver ~]#

    Create log directory for mod_evasive

    [root@appserver ~]# mkdir -p /var/log/mod_evasive
    [root@appserver ~]# chown -R apache:apache /var/log/mod_evasive

    mod_evasive do not required any additional configuration and it works fine with default settings. However, it is a good practice to customize the following parameters in /etc/httpd/conf.d/mod_evasive.conf according to your Server's Traffic.

    DOSEmailNotify      ahmer_mansoor@hotmail.com
    DOSPageInterval     1
    DOSPageCount        2
    DOSSiteInterval     1
    DOSSiteCount        50
    DOSBlockingPeriod   60
    DOSLogDir           "/var/log/mod_evasive"

    Restart httpd Service to apply changes.

    [root@appserver mod_evasive]# service httpd restart
    Stopping httpd:                                            [  OK  ]
    Starting httpd:                                            [  OK  ]
    [root@appserver mod_evasive]#

     

    Test mod_evasive:

    Check is mod_evasive module loaded now.

    [root@appserver ~]# httpd -M | grep evasive
    Syntax OK
    evasive20_module (shared)
    [root@appserver ~]#

    A Perl script is provided with mod_evasive to generate the traffic to test the configurations.

    [root@appserver html]# /usr/share/doc/mod_evasive-1.10.1/test.pl
    HTTP/1.1 200 OK
    HTTP/1.1 200 OK
    HTTP/1.1 200 OK
    HTTP/1.1 200 OK
    HTTP/1.1 200 OK
    HTTP/1.1 200 OK
    HTTP/1.1 200 OK
    HTTP/1.1 200 OK
    HTTP/1.1 200 OK
    HTTP/1.1 200 OK
    HTTP/1.1 200 OK
    HTTP/1.1 200 OK
    HTTP/1.1 200 OK
    HTTP/1.1 200 OK
    HTTP/1.1 200 OK
    HTTP/1.1 200 OK
    HTTP/1.1 200 OK
    HTTP/1.1 200 OK
    HTTP/1.1 200 OK
    HTTP/1.1 200 OK
    HTTP/1.1 200 OK
    HTTP/1.1 200 OK
    HTTP/1.1 200 OK
    HTTP/1.1 200 OK
    HTTP/1.1 403 Forbidden
    HTTP/1.1 403 Forbidden
    HTTP/1.1 403 Forbidden
    HTTP/1.1 403 Forbidden
    HTTP/1.1 403 Forbidden
    HTTP/1.1 403 Forbidden
    HTTP/1.1 403 Forbidden
    HTTP/1.1 403 Forbidden
    HTTP/1.1 403 Forbidden

    From the output, it is clear that the mod_evasive is blocking connections. You may play around with mod_evasive parameters to optimize it according to your Server Traffic.

    mod_evasive has been configured and it is defending against DoS, DDoS and Brute Force attacks.

    2 comments: