Install mod_evasive for Apache to Prevent DDOS Attacks

mod_evasive, formerly known as mod_dosevasive, is an Apache module that takes evasive action in the event of an HTTP DoS or DDoS (Denial of Service) attack or a brute force attack against the web server. When a possible attack is detected, mod_evasive blocks traffic from the source for a specific duration and reports the abuse via email and syslog facilities. Administrators can also configure mod_evasive to talk to iptables, ipchains, firewalls, routers, etc. to build a comprehensive DDoS prevention system for a busy, high-traffic web server.

Although mod_evasive is not a foolproof or complete DoS prevention system, installing the module for Apache is likely to reduce or stop certain DDoS attacks, minimizing the risk of web hosts and web sites being brought down completely by malicious denial of service attempts.

How to Install mod_evasive

  1. Log in to the web server via SSH.
  2. For Apache 2.0.x, execute the following command:

    up2date -i httpd-devel

  3. Continue with the following commands one by one, for all versions of the Apache HTTPD server. The wget command downloads the current stable version 1.10.1 source tarball.

    cd /usr/local/src
    wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
    tar -zxvf mod_evasive_1.10.1.tar.gz
    cd mod_evasive

  4. For Apache 2.0.x, execute the following command:

    /usr/sbin/apxs -cia mod_evasive20.c

    Else, for Apache 1.3.x,

    /usr/local/apache/bin/apxs -cia mod_evasive.c

    The above commands compile mod_evasive to a .so and then add the corresponding AddModule and LoadModule lines to httpd.conf.

  5. mod_evasive comes with default configuration values preset. However, webmasters who want to set the values themselves have to add the following parameters to the httpd.conf Apache configuration file, below the AddModule section.

    For Apache 2.0.x, add the following text to httpd.conf below AddModule section:

    <IfModule mod_evasive20.c>
    DOSHashTableSize 3097
    DOSPageCount 5
    DOSSiteCount 100
    DOSPageInterval 1
    DOSSiteInterval 1
    DOSBlockingPeriod 600
    </IfModule>

    For Apache 1.3.x, add the following text to httpd.conf below AddModule section:

    <IfModule mod_evasive.c>
    DOSHashTableSize 3097
    DOSPageCount 5
    DOSSiteCount 100
    DOSPageInterval 1
    DOSSiteInterval 1
    DOSBlockingPeriod 600
    </IfModule>

    Save and exit the httpd.conf Apache configuration file.

  6. Restart the Apache server with the following command:

    /etc/init.d/httpd restart

Note: If apxs is not found, it can be installed via the “yum install httpd-devel” command.

Installation is complete. Note that mod_evasive has known issues with FrontPage Server Extensions. Administrators can tune the variables, for example enlarging DOSHashTableSize, especially on a busy server. Note that whenever a blocked source attempts to connect again, the blocking duration is automatically extended, so DOSBlockingPeriod does not need to be very long. Also, blocking is tracked per Apache child process session, so a block lasts only for the lifespan of that particular session. If the webmaster sets the maximum clients per process to a very low value, the blocking may not be very effective. Definitions of all mod_evasive directives can be found in the README file that comes with the source code.
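The following Python sketch is an added illustration, not mod_evasive's own code. It models the sample thresholds above to show how a re-attempt extends a block and why per-child counters dilute detection. The names EvasiveModel and burst, the client address, and the rule "block on the request that exceeds the limit within one interval" are assumptions of the model.

```python
# Directive values copied from the sample <IfModule> block on this page.
CONFIG = {"DOSPageCount": 5, "DOSPageInterval": 1,
          "DOSSiteCount": 100, "DOSSiteInterval": 1,
          "DOSBlockingPeriod": 600}

CLIENT = "192.0.2.10"   # constructed client address (documentation range)


class EvasiveModel:
    """Simplified model of the counters held by ONE Apache child process."""

    def __init__(self, cfg=CONFIG):
        self.cfg = cfg
        self.hits = {}      # (ip, uri-or-None) -> (window_start, count)
        self.blocked = {}   # ip -> time of the most recent blocked request

    def _over(self, key, now, interval, limit):
        start, count = self.hits.get(key, (now, 0))
        if now - start >= interval:      # window expired: start a new one
            start, count = now, 0
        self.hits[key] = (start, count + 1)
        return count + 1 > limit         # assumption: block on limit + 1

    def request(self, ip, uri, now):
        """Return the HTTP status this child would send at time `now` (s)."""
        c = self.cfg
        last = self.blocked.get(ip)
        if last is not None and now - last < c["DOSBlockingPeriod"]:
            self.blocked[ip] = now       # a re-attempt restarts the block timer
            return 403
        page = self._over((ip, uri), now, c["DOSPageInterval"], c["DOSPageCount"])
        site = self._over((ip, None), now, c["DOSSiteInterval"], c["DOSSiteCount"])
        if page or site:
            self.blocked[ip] = now
            return 403
        return 200


def burst(children, n, step=0.1, uri="/index.html"):
    """Send n requests `step` seconds apart, round-robin over child models."""
    return [children[i % len(children)].request(CLIENT, uri, i * step)
            for i in range(n)]


if __name__ == "__main__":
    print(burst([EvasiveModel()], 10))                   # one child: blocked
    print(burst([EvasiveModel(), EvasiveModel()], 10))   # two children: not
```

With one child, the sixth request to the same page within a second is refused. The same ten requests spread over two children stay under DOSPageCount in each, so neither child blocks.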

Other than above common configuration parameters, mod_evasive also supports the following three advanced directives:

    DOSEmailNotify users@example.com
    DOSSystemCommand "su - someuser -c '/sbin/… %s …'"
    DOSLogDir "/var/lock/mod_evasive"

DOSEmailNotify is particularly useful: it makes mod_evasive send a notification email whenever a possible DoS attack is detected and blocked. For example, “DOSEmailNotify root” sends the email to the root user. Make sure that the mailer configuration (by default “/bin/mail -t %s”) in mod_evasive.c or mod_evasive20.c is correct; you can create a symbolic link if needed, or modify the source code file.


7 Responses to “Install mod_evasive for Apache to Prevent DDOS Attacks”

  1. Securing apache the hackers way -
    July 5th, 2009 23:35
    7

    [...] [...]

  2. Webagentur
    November 17th, 2008 23:44
    6

    I already have this module in use on my Suse Linux 10.3 … the installation was child's play for me, but I would like to test this new module and don't know how I should do that. So I also don't know whether it works 100%.

  3. Nick
    November 9th, 2008 22:07
    5

    It is a great module. The only problem is that the e-mail notification is not working. It is a bug for years now, not fixed yet. Although I have set DOSEmailNotify directive and I know that some IPs are blocked periodically, I never get any mail notification.

  4. Ömer Ersöz » Blog Archive » Mod_evasive Apache ddos Önlemi
    November 5th, 2008 17:47
    4

    [...] http://www.mydigitallife.info/2007/08/15/install-mod_evasive-for-apache-to-prevent-ddos-attacks/ [...]

  5. geri1590
    September 15th, 2008 23:52
    3

    Hi, I have followed to the letter all the tutorials I have found for mod_evasive. They all said practically the same thing.. so I decided to post on this one.
    When I have mod_evasive .. I run the following command:
    /usr/bin/apxs2 -c -i -a mod_evasive20.c
    and it shows me the following:
    /usr/share/apr-1.0/build/libtool --silent --mode=compile --tag=disable-static i486-linux-gnu-gcc -prefer-pic -DLINUX=2 -D_GNU_SOURCE -D_LARGEFILE64_SOURCE -D_REENTRANT -I/usr/include/apr-1.0 -I/usr/include/openssl -I/usr/include/postgresql -I/usr/include/xmltok -pthread -I/usr/include/apache2 -I/usr/include/apr-1.0 -I/usr/include/apr-1.0 -I/usr/include/postgresql -c -o mod_evasive20.lo mod_evasive20.c && touch mod_evasive20.slo
    /usr/share/apr-1.0/build/libtool: line 1222: i486-linux-gnu-gcc: command not found
    apxs:Error: Command failed with rc=65536
    .

    **I have Apache version 2.2 running on Debian 4. – If anyone can help me I would appreciate it :)

  6. Carros Brasilia
    June 24th, 2008 23:17
    2

    Hi resimleri, you don’t need to uninstall the module.

  7. resimleri
    June 3rd, 2008 16:07
    1

    Hello
    why mod_evasive uninstall?
