
Prevent DoS/Brute-Force attacks with mod_evasive

What is mod_evasive?

mod_evasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, etc. mod_evasive presently reports abuses via email and syslog facilities.

This article shows how to install and configure mod_evasive on the following GNU/Linux distributions running on our virtual private servers:

- Debian / Ubuntu
- CentOS 5
- CentOS 6
- Arch Linux
- Gentoo Linux

So, let’s start by following the above unordered list.

Installation on Debian / Ubuntu

The installation of mod_evasive on a Debian / Ubuntu based VPS is identical. Before going any further with the installation, make sure you have an up-to-date system by issuing:

# apt-get update && apt-get upgrade --show-upgraded

Next, install Apache’s module mod_evasive by executing:

# apt-get install libapache2-mod-evasive -y

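Once the installation is finished, execute the following commands to configure Apache to use the mod_evasive module. On Debian / Ubuntu the Apache configuration lives under /etc/apache2; the path below is the Apache 2.2 layout, and with Apache 2.4 the file goes in /etc/apache2/conf-available/ and is enabled with a2enconf. The chown at the end hands the whole Apache log directory to the web server user so that the module can write its files there; pointing DOSLogDir at a dedicated directory owned by that user instead keeps the access and error logs out of reach of a compromised worker process:

# cat >> /etc/apache2/conf.d/mod_evasive.conf <<EOF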
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 5
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 60
DOSEmailNotify your@email.com
DOSLogDir /var/log/apache2/evasive
</IfModule>
EOF
# mkdir -p /var/log/apache2/evasive
# chown www-data: -R /var/log/apache2/
# /etc/init.d/apache2 restart
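
What the thresholds in this configuration mean in practice, as an added example that is not part of mod_evasive or of the original article: a client that exceeds DOSPageCount requests for one URI within DOSPageInterval seconds, or DOSSiteCount requests in total within DOSSiteInterval seconds, is refused for DOSBlockingPeriod seconds, and each request made while blocked restarts that timer. The function below replays a log through a simplified single-process, fixed-window model of that rule, so you can see which clients the values would block before enabling them; the "epoch ip uri" input format, the function names and the sample lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: simplified model of the mod_evasive thresholds, not the module's code.
# Input: one request per line as "epoch_seconds client_ip uri" (assumed format).
# Output: "ip first_blocked_at refused_requests" for every client that would be blocked.
replay_evasive() {  # usage: replay_evasive LOGFILE
  awk -v pc="${DOS_PAGE_COUNT:-5}" -v pi="${DOS_PAGE_INTERVAL:-1}" \
      -v sc="${DOS_SITE_COUNT:-50}" -v si="${DOS_SITE_INTERVAL:-1}" \
      -v bp="${DOS_BLOCKING_PERIOD:-60}" '
    # Count a hit for key in a window that opens at the first hit;
    # return 1 once the count exceeds limit.
    function hit(key, t, limit, win) {
      if (!(key in opened) || t - opened[key] >= win) { opened[key] = t; hits[key] = 0 }
      hits[key]++
      return (hits[key] > limit)
    }
    {
      t = $1; ip = $2; uri = $3
      if ((ip in blocked_until) && t < blocked_until[ip]) {
        blocked_until[ip] = t + bp      # refused, and the timer restarts
        refused[ip]++
        next
      }
      page = hit(ip SUBSEP uri, t, pc, pi)   # per-URI counter
      site = hit(ip, t, sc, si)              # per-client counter
      if (page || site) {
        blocked_until[ip] = t + bp
        refused[ip]++
        if (!(ip in first)) first[ip] = t
      }
    }
    END { for (ip in first) print ip, first[ip], refused[ip] }
  ' "$1" | sort
}

# Constructed sample: one client hammering /login, one browsing normally.
sample_log() {
  for i in 1 2 3 4 5 6; do echo "100 198.51.100.7 /login"; done
  for t in 100 101 102 103 104; do echo "$t 203.0.113.9 /index.html"; done
  echo "130 198.51.100.7 /"
  echo "185 198.51.100.7 /"
}

log=$(mktemp)
sample_log > "$log"
replay_evasive "$log"
rm -f "$log"
```

Set DOS_PAGE_COUNT, DOS_SITE_COUNT and the other variables to try different values against the same log; Apache keeps these counters per child process, so the real module is somewhat more lenient than this single-counter model.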

Installation on CentOS 5

First, make sure your CentOS 5 VPS is fully up to date by executing:

# yum update -y

then proceed with adding the EPEL repository to your CentOS 5 so you can install mod_evasive through yum:

# rpm -Uvh ftp://ftp.pbone.net/mirror/download.fedora.redhat.com/pub/fedora/epel/5/i386/epel-release-5-4.noarch.rpm

Once it is added, protect the base packages from EPEL:

# yum install yum-protectbase.noarch -y

Refresh the repositories using:

# yum update -y

and finally install mod_evasive by executing:

# yum install mod_evasive -y

Then, proceed with configuring Apache to use the mod_evasive module:

# echo -e "### LOAD EVASIVE ###\nLoadModule evasive20_module \
 modules/mod_evasive20.so\n###\n" > /etc/httpd/conf.d/mod_evasive.conf
# cat >> /etc/httpd/conf.d/mod_evasive.conf <<EOF
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 5
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 60
DOSEmailNotify your@email.com
DOSLogDir /var/log/httpd/evasive
</IfModule>
EOF
# mkdir -p /var/log/httpd/evasive
# chown apache: -R /var/log/httpd
# /etc/init.d/httpd restart

Installation on CentOS 6

Before installing mod_evasive on your CentOS 6 VPS, make sure your operating system is fully up-to-date by running:

# yum update -y

then proceed with adding the EPEL repository to your CentOS 6 so you can install mod_evasive through yum:

# rpm -Uvh ftp://ftp.pbone.net/mirror/download.fedora.redhat.com/pub/fedora/epel/6/i386/epel-release-6-8.noarch.rpm

Once it is added, protect the base packages from EPEL:

# yum install yum-plugin-protectbase.noarch -y

Refresh the repositories using:

# yum update -y

and finally install mod_evasive by executing:

# yum install mod_evasive -y

Then, proceed with configuring Apache to use the mod_evasive module:

# echo -e "### LOAD EVASIVE ###\nLoadModule evasive20_module \
 modules/mod_evasive20.so\n###\n" > /etc/httpd/conf.d/mod_evasive.conf
# cat >> /etc/httpd/conf.d/mod_evasive.conf <<EOF
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 5
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 60
DOSEmailNotify your@email.com
DOSLogDir /var/log/httpd/evasive
</IfModule>
EOF
# mkdir -p /var/log/httpd/evasive
# chown apache: -R /var/log/httpd
# /etc/init.d/httpd restart

Installation on Arch Linux

Since mod_evasive is in the AUR (Arch User Repository), you need to build the package and then install it via ‘pacman’. This can be accomplished either by using an AUR wrapper like ‘packer’, ‘yaourt’, ‘cower’ etc., or by building the package manually via ‘makepkg’ and then installing it via ‘pacman’.

We are going to use the ‘makepkg’ method here because those wrappers are all based on ‘makepkg’ and ‘pacman’, so create the build directory:

# mkdir -p /home/build/ && cd /home/build/

download the tar package containing the PKGBUILD for mod_evasive:

# wget http://aur.archlinux.org/packages/mo/mod_evasive/mod_evasive.tar.gz

extract the tarball and change to the extracted directory by executing:

# tar zxvf mod_evasive.tar.gz && cd mod_evasive/

before you proceed with building the package, make sure you have GCC installed on your Arch Linux VPS:

# pacman -Sy gcc

then, after reading through the PKGBUILD (makepkg executes it as a shell script, here as root), proceed with building and installing the mod_evasive package:

# makepkg -si --asroot

Once the installation is finished, proceed with creating a configuration for mod_evasive by executing:

# echo 'LoadModule evasive20_module modules/mod_evasive20.so' > /etc/httpd/conf/extra/mod_evasive.conf
# cat >> /etc/httpd/conf/extra/mod_evasive.conf <<EOF
<IfModule mod_evasive20.c>
DOSHashTableSize    3097
DOSPageCount        5
DOSSiteCount        50
DOSPageInterval     1
DOSSiteInterval     1
DOSBlockingPeriod   60
DOSEmailNotify      your@email.com
DOSLogDir           /var/lock/mod_evasive
</IfModule>
EOF
# echo -e "# Include mod_evasive options\nInclude conf/extra/mod_evasive.conf" >> /etc/httpd/conf/httpd.conf
# mkdir -p /var/lock/mod_evasive
# chown http: /var/lock/mod_evasive
# rc.d restart httpd

Installation on Gentoo Linux

Firstly, it is recommended to update the ‘portage’ tree by executing:

# emerge --sync

Once the tree is updated, you need to compile the mod_evasive module using ‘emerge’. Before doing that, a ‘keyword’ needs to be added for the package, so if you’re on an x86 architecture execute the command below; otherwise replace ‘x86’ with ‘amd64’:

# echo '=www-apache/mod_evasive-1.10.1 ~x86' >> /etc/portage/package.accept_keywords

with that in place, compile the module using:

# emerge -av www-apache/mod_evasive

once the package is compiled and installed, run:

# revdep-rebuild

and then proceed with creating mod_evasive’s configuration:

# cat > /etc/apache2/modules.d/10_mod_evasive.conf <<EOF
<IfDefine EVASIVE>
	LoadModule evasive_module modules/mod_evasive.so
	DOSHashTableSize 3097
	DOSPageCount 5
	DOSSiteCount 50
	DOSPageInterval 1
	DOSSiteInterval 1
	DOSBlockingPeriod 60
	DOSEmailNotify your@email.com
	DOSLogDir /var/log/apache2/evasive
</IfDefine>
EOF
# mkdir -p /var/log/apache2/evasive
# chown apache: -R /var/log/apache2/

Next, you need to tell your Apache to use the newly compiled mod_evasive module. In Gentoo this can be done by editing ‘/etc/conf.d/apache2’ and adding ‘-D EVASIVE’ to ‘APACHE2_OPTS’, for example:

APACHE2_OPTS="-D DEFAULT_VHOST -D PHP5 -D EVASIVE"

finally, restart apache for the changes to take effect:

# /etc/init.d/apache2 restart
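
A post-install check for the configurations above, as an added example rather than part of the article or of mod_evasive: it reads DOSEmailNotify and DOSLogDir back from the file that was written and reports a placeholder address left in place, a log directory that was never created, one that is world-writable, and (when a user name is passed) one not owned by the user Apache runs as. The function names and the demonstration file are assumptions constructed for the example; pass the configuration file path used for your distribution.

```shell
#!/bin/sh
# Added example: audit a mod_evasive config file written by the steps above.

# Print the value of one directive (Apache directive names are case-insensitive).
directive() {  # usage: directive NAME CONF_FILE
  awk -v d="$1" 'tolower($1) == tolower(d) { v = $2 } END { print v }' "$2"
}

# Print one line per finding; print nothing when the file passes.
audit_evasive_conf() {  # usage: audit_evasive_conf CONF_FILE [APACHE_USER]
  conf=$1; want_owner=$2
  mail=$(directive DOSEmailNotify "$conf")
  dir=$(directive DOSLogDir "$conf")
  if [ "$mail" = "your@email.com" ]; then
    echo "DOSEmailNotify still holds the placeholder address"
  fi
  if [ -z "$dir" ]; then
    echo "DOSLogDir is not set"
  elif [ ! -d "$dir" ]; then
    echo "DOSLogDir does not exist: $dir"
  else
    perms=$(ls -ld "$dir")
    case $perms in
      d???????w*) echo "DOSLogDir is world-writable: $dir" ;;
    esac
    owner=$(echo "$perms" | awk '{ print $3 }')
    if [ -n "$want_owner" ] && [ "$owner" != "$want_owner" ]; then
      echo "DOSLogDir is owned by $owner, not $want_owner: $dir"
    fi
  fi
}

# Constructed demonstration: a config like the ones above, in a scratch directory.
demo=$(mktemp -d)
printf 'DOSEmailNotify your@email.com\nDOSLogDir %s/evasive\n' "$demo" > "$demo/mod_evasive.conf"
audit_evasive_conf "$demo/mod_evasive.conf" www-data
rm -rf "$demo"
```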
