How to configure mod_evasive for Apache

Share on Social Media

The mod_evasive is a module for Apache HTTP server, that protects Apache HTTP server against DoS (Denial of Service), DDoS (Distributed Denial of Service), and Brute Force attacks. It can take evasive actions during attacks and report abuses via email and syslog facilities.

The module works by maintaining an internal dynamic table of IP addresses and URIs as well as denying any single IP address for any of the following conditions:

  • Requesting the same page more than n times per second
  • Making more than n concurrent requests on the same child per second
  • Making any requests while temporarily blacklisted

If any of the above conditions are met, a 403 response is sent and the log has been generated for the IP address. Optionally, an email notification can be sent to the server owner or a system command can be run to block the IP address.

In this article, we will show you how to install and configure mod_evasive for Apache HTTP Server to defend DoS, DDoS and Brute Force attacks.

Read Also: How to install Fail2ban on CentOS 7

System Specification:

we have configured a Linux machine with following specification.

Operating System:CentOS 7.0
Web Server:Apache 2.4.6

 

Configure mod_evasive:

Check if mod_evasive is already installed.

# httpd -M | grep evasive
Syntax OK

It shows that the mod_evasive is not installed on this machine.

mod_evasive is available on EPEL (Extra Packages for Enterprise Linux) Repository, therefore we should first add EPEL repository to yum.

# wget http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
--2016-04-12 19:28:58--  http://mirrors.nayatel.com/epel/6/x86_64/epel-release-6-8.noarch.rpm
Connecting to 127.0.0.1:3128... connected.
Proxy request sent, awaiting response... 200 OK
Length: 14540 (14K) [application/octet-stream]
Saving to: “epel-release-6-8.noarch.rpm”

100%[===================================================================================================================>] 14,540      –.-K/s   in 0s

2016-04-12 19:28:58 (221 MB/s) – “epel-release-6-8.noarch.rpm” saved [14540/14540]

# rpm -ivh epel-release-6-8.noarch.rpm
warning: epel-release-6-8.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID 0608b895: NOKEY
Preparing…                ########################################### [100%]
   1:epel-release           ########################################### [100%]

Install mod_evasive using yum.

# yum install mod_evasive

Create log directory for mod_evasive

# mkdir -p /var/log/mod_evasive 
# chown -R apache:apache /var/log/mod_evasive

mod_evasive do not required any additional configuration and it works fine with default settings. However, it is a good practice to customize the following parameters in /etc/httpd/conf.d/mod_evasive.conf according to your Server’s Traffic.

DOSEmailNotify      ahmer.mansoor@gmail.com 
DOSPageInterval     1
DOSPageCount        2
DOSSiteInterval     1
DOSSiteCount        50
DOSBlockingPeriod   60
DOSLogDir           "/var/log/mod_evasive"

Restart httpd Service to apply changes.

# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]

Test mod_evasive:

Check is mod_evasive module loaded now.

# httpd -M | grep evasive
Syntax OK
evasive20_module (shared)

A Perl script is provided with mod_evasive to generate the traffic to test the configurations.

# /usr/share/doc/mod_evasive-1.10.1/test.pl
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden

From the output, it is clear that the mod_evasive is blocking connections. You may play around with mod_evasive parameters to optimize it according to your Server Traffic.

mod_evasive has been configured and it is defending against DoS, DDoS and Brute Force attacks.

Scroll to Top