How to configure mod_evasive for Apache

Share on Social Media

Learn how to configure mod_evasive for Apache with this step-by-step guide. Protect your web server from DoS, DDoS, and brute-force attacks by setting up mod_evasive effectively. #centlinux #linux #cybersecurity

What is mod_evasive?

mod_evasive is an Apache HTTP Server module designed to provide evasive action against HTTP DoS (Denial of Service), DDoS (Distributed Denial of Service), and brute-force attacks. It helps protect your web server by detecting and responding to excessive requests from a single IP address, which might indicate an attack. Here are some key features and benefits of mod_evasive:

  1. Detection: Monitors incoming requests and identifies patterns that may indicate a DoS or DDoS attack.
  2. Throttling: Limits the number of requests a single IP address can make to the server within a specific time frame.
  3. Blocking: Temporarily blocks IP addresses that exceed the request threshold, preventing them from overwhelming the server.
  4. Logging: Logs suspicious activities and blocked IP addresses for further analysis and reporting.
  5. Alerting: Can send email alerts or trigger external commands when an attack is detected, allowing administrators to respond quickly.
  6. Configuration: Offers flexible configuration options to define request thresholds, block durations, and custom responses.

mod_evasive enhances the security of your Apache web server by mitigating the risk of service disruptions caused by malicious traffic, ensuring better availability and performance for legitimate users.

Recommended Online Training: Learn Bash Shell in Linux for Beginners

745772 0021

How mod_evasive Works?

The module works by maintaining an internal dynamic table of IP addresses and URIs as well as denying any single IP address for any of the following conditions:

  • Requesting the same page more than n times per second
  • Making more than n concurrent requests on the same child per second
  • Making any requests while temporarily blacklisted

If any of the above conditions are met, a 403 response is sent and the log has been generated for the IP address. Optionally, an email notification can be sent to the server owner or a system command can be run to block the IP address.

In this article, we will show you how to install and configure mod_evasive for Apache HTTP Server to defend DoS, DDoS and Brute Force attacks.

Read Also: How to install Fail2ban on CentOS 7

Linux Server Specification

we have configured a Linux machine with following specification.

Operating System:CentOS 7.0
Web Server:Apache 2.4.6

 

Configure mod_evasive

Check if mod_evasive is already installed.

# httpd -M | grep evasive
Syntax OK

It shows that the mod_evasive is not installed on this machine.

mod_evasive is available on EPEL (Extra Packages for Enterprise Linux) Repository, therefore we should first add EPEL repository to yum.

# wget http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
--2016-04-12 19:28:58--  http://mirrors.nayatel.com/epel/6/x86_64/epel-release-6-8.noarch.rpm
Connecting to 127.0.0.1:3128... connected.
Proxy request sent, awaiting response... 200 OK
Length: 14540 (14K) [application/octet-stream]
Saving to: “epel-release-6-8.noarch.rpm”

100%[===================================================================================================================>] 14,540      –.-K/s   in 0s

2016-04-12 19:28:58 (221 MB/s) – “epel-release-6-8.noarch.rpm” saved [14540/14540]

# rpm -ivh epel-release-6-8.noarch.rpm
warning: epel-release-6-8.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID 0608b895: NOKEY
Preparing…                ########################################### [100%]
   1:epel-release           ########################################### [100%]

Install mod_evasive using yum.

# yum install mod_evasive

Create log directory for mod_evasive

# mkdir -p /var/log/mod_evasive 
# chown -R apache:apache /var/log/mod_evasive

mod_evasive do not required any additional configuration and it works fine with default settings. However, it is a good practice to customize the following parameters in /etc/httpd/conf.d/mod_evasive.conf according to your Server’s Traffic.

DOSEmailNotify      ahmer.malik@gmail.com 
DOSPageInterval     1
DOSPageCount        2
DOSSiteInterval     1
DOSSiteCount        50
DOSBlockingPeriod   60
DOSLogDir           "/var/log/mod_evasive"

Restart httpd Service to apply changes.

# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]

Test mod_evasive

Check is mod_evasive module loaded now.

# httpd -M | grep evasive
Syntax OK
evasive20_module (shared)

A Perl script is provided with mod_evasive to generate the traffic to test the configurations.

# /usr/share/doc/mod_evasive-1.10.1/test.pl
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden

From the output, it is clear that the mod_evasive is blocking connections. You may play around with mod_evasive parameters to optimize it according to your Server Traffic.

mod_evasive has been configured and it is defending against DoS, DDoS and Brute Force attacks.

If you are new to Linux and facing difficulty in working at Linux Bash prompt. We recommend that, you should read The Linux Command Line, 2nd Edition: A Complete Introduction by William Shotts.

Final Thoughts

Configuring mod_evasive for Apache is a vital step to protect your web server from DoS, DDoS, and brute-force attacks. By following this guide, you can set up mod_evasive effectively to enhance your server’s security and ensure reliable performance.

If you need further assistance or prefer professional help with the configuration, I’m here to assist! Check out my Fiverr service for expert support in configuring mod_evasive and other server-related tasks.

1 thought on “How to configure mod_evasive for Apache”

Leave a Comment