How to configure mod_evasive for Apache


Learn how to configure mod_evasive for Apache with this step-by-step guide. Protect your web server from DoS, DDoS, and brute-force attacks by setting up mod_evasive effectively.

What is mod_evasive?

mod_evasive is an Apache HTTP Server module designed to provide evasive action against HTTP DoS (Denial of Service), DDoS (Distributed Denial of Service), and brute-force attacks. It helps protect your web server by detecting and responding to excessive requests from a single IP address, which might indicate an attack. Here are some key features and benefits of mod_evasive:

  1. Detection: Monitors incoming requests and identifies patterns that may indicate a DoS or DDoS attack.
  2. Throttling: Limits the number of requests a single IP address can make to the server within a specific time frame.
  3. Blocking: Temporarily blocks IP addresses that exceed the request threshold, preventing them from overwhelming the server.
  4. Logging: Logs suspicious activities and blocked IP addresses for further analysis and reporting.
  5. Alerting: Can send email alerts or trigger external commands when an attack is detected, allowing administrators to respond quickly.
  6. Configuration: Offers flexible configuration options to define request thresholds, block durations, and custom responses.

mod_evasive enhances the security of your Apache web server by mitigating the risk of service disruptions caused by malicious traffic, ensuring better availability and performance for legitimate users.


How mod_evasive Works

The module works by maintaining an internal dynamic table of IP addresses and URIs, and denying any single IP address that does any of the following:

  • Requesting the same page more than n times per second
  • Making more than n concurrent requests on the same child per second
  • Making any requests while temporarily blacklisted

If any of the above conditions is met, a 403 response is sent and a log entry is generated for the IP address. Optionally, an email notification can be sent to the server owner or a system command can be run to block the IP address.

In this article, we will show you how to install and configure mod_evasive for Apache HTTP Server to defend against DoS, DDoS and brute-force attacks.


Linux Server Specification

We have configured a Linux machine with the following specification.

Operating System: CentOS 7.0
Web Server: Apache 2.4.6

Configure mod_evasive

Check if mod_evasive is already installed.

httpd -M | grep evasive

Output:

Syntax OK 

This shows that mod_evasive is not installed on this machine.

mod_evasive is available in the EPEL (Extra Packages for Enterprise Linux) repository, so we should first add the EPEL repository to yum.

wget http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

Install EPEL yum repository file.

rpm -ivh epel-release-6-8.noarch.rpm

Output:

warning: epel-release-6-8.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID 0608b895: NOKEY 
Preparing...                ########################################### [100%]
   1:epel-release           ########################################### [100%]

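The NOKEY warning means rpm could not verify the package signature because the EPEL signing key has not been imported on this machine.

Install mod_evasive using yum.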

yum install mod_evasive

Create a log directory for mod_evasive.

mkdir -p /var/log/mod_evasive 
chown -R apache:apache /var/log/mod_evasive 

mod_evasive does not require any additional configuration and works fine with its default settings. However, it is good practice to customize the following parameters in /etc/httpd/conf.d/mod_evasive.conf according to your server's traffic.

DOSEmailNotify      ahmer.malik@gmail.com 
DOSPageInterval     1
DOSPageCount        2
DOSSiteInterval     1
DOSSiteCount        50
DOSBlockingPeriod   60
DOSLogDir           "/var/log/mod_evasive"

Restart httpd Service to apply changes.

service httpd restart

Test mod_evasive

Check whether the mod_evasive module is loaded now.

httpd -M | grep evasive

Output:

Syntax OK 
evasive20_module (shared)

A Perl script is provided with mod_evasive to generate traffic for testing the configuration.

/usr/share/doc/mod_evasive-1.10.1/test.pl

Output:

HTTP/1.1 200 OK 
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden

From the output, it is clear that mod_evasive is blocking connections. You may play around with the mod_evasive parameters to optimize them for your server's traffic.
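To judge candidate thresholds before applying them, the sketch below replays access-log lines against the rules from "How mod_evasive Works" using the values from mod_evasive.conf above. It is an added example, not code from mod_evasive or from this article: it models a single hit table (one Apache child), its counting may differ by one from the module, and the names parse, replay and sample_log as well as the log lines are constructed for illustration.

```python
import re
from datetime import datetime

# Thresholds copied from the mod_evasive.conf shown above.
CONF = {"DOSPageInterval": 1, "DOSPageCount": 2,
        "DOSSiteInterval": 1, "DOSSiteCount": 50, "DOSBlockingPeriod": 60}

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)')

def parse(line):
    """Return (epoch_seconds, ip, path) from one common/combined log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return int(ts.timestamp()), m.group(1), m.group(3).split("?", 1)[0]

def replay(lines, conf=CONF):
    """Return {ip: denied_count} for a single hit table (one Apache child)."""
    hits, blocked, denied = {}, {}, {}

    def over(key, now, interval, limit):
        start, count = hits.get(key, (now, 0))
        if now - start >= interval:      # window expired: start counting again
            start, count = now, 0
        hits[key] = (start, count + 1)
        return count + 1 > limit

    for now, ip, uri in filter(None, map(parse, lines)):
        if ip in blocked and now - blocked[ip] < conf["DOSBlockingPeriod"]:
            blocked[ip] = now            # a request while blocked restarts the timer
            denied[ip] = denied.get(ip, 0) + 1
            continue
        page = over((ip, uri), now, conf["DOSPageInterval"], conf["DOSPageCount"])
        site = over((ip, "SITE"), now, conf["DOSSiteInterval"], conf["DOSSiteCount"])
        if page or site:
            blocked[ip] = now
            denied[ip] = denied.get(ip, 0) + 1
    return denied

def sample_log():
    """Constructed access-log lines (documentation IP ranges, not real traffic)."""
    fmt = '{ip} - - [10/Oct/2024:13:55:{s:02d} +0000] "GET {uri} HTTP/1.1" 200 512'
    burst = [fmt.format(ip="203.0.113.7", s=1, uri="/login")] * 5   # same page, same second
    page_load = [fmt.format(ip="198.51.100.9", s=2, uri=f"/img/{i}.png") for i in range(10)]
    later = [fmt.format(ip="203.0.113.7", s=30, uri="/index.html")] # still inside the block
    return burst + page_load + later
```

With the values above only the repeated /login burst is denied; lowering DOSSiteCount to 5 also denies the constructed ten-image page load, which is the false-positive case the thresholds need to avoid.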

mod_evasive has been configured and it is defending against DoS, DDoS and Brute Force attacks.

Frequently Asked Questions (FAQs)

What is mod_evasive?
mod_evasive is an Apache module that helps protect your server against brute-force and denial-of-service (DoS) attacks by blocking suspiciously frequent requests from a single IP address.

Why should I use mod_evasive?
It helps prevent abuse, such as too many requests from a single visitor, which can slow down or crash your server. It’s useful for improving security against basic attacks.

How does mod_evasive work?
It monitors incoming requests and temporarily blocks IPs that exceed predefined limits (e.g., too many requests per second or to the same page).

Is mod_evasive hard to set up?
No, it requires installing the module and editing Apache’s configuration file with basic settings like request thresholds and block durations.

Can mod_evasive block legitimate traffic?
Yes, if set too aggressively, it might block real users. Adjusting thresholds (like requests per second) helps avoid false positives.

Final Thoughts

Configuring mod_evasive for Apache is a vital step to protect your web server from DoS, DDoS, and brute-force attacks. By following this guide, you can set up mod_evasive effectively to enhance your server’s security and ensure reliable performance.
