Protecting Apache on Linux from DoS and DDoS with the mod_evasive Module


Mod Evasive is one of my favorite Apache modules, along with Mod Security. It is a module designed to cache and handle high volumes of requests to the Apache server, increasing its load capacity and preventing a good deal of targeted DoS and DDoS attacks.

In a test with the SlowLoris tool against a default Apache server, running for about 30 seconds, more than 10,000 requests were captured, leaving the server almost unavailable because it was so slow. The slowdown was caused by the number of DNS requests made. Let's install and configure Mod_Evasive.

Installing ModEvasive via repository

 # apt-get install libapache2-mod-evasive

Create the Mod_Evasive log directory

 # mkdir -p /var/log/apache2/evasive
 # chown -R www-data:root /var/log/apache2/evasive

Now let's edit the Mod_Evasive configuration file and set the parameters Apache uses to identify an attack

 # vim /etc/apache2/mods-available/evasive.load

You should see something like

 LoadModule evasive20_module /usr/lib/apache2/modules/

Now edit the evasive.conf file to set the configuration parameters. You will have to uncomment the items you want to use

 # vim /etc/apache2/mods-available/evasive.conf
 <IfModule mod_evasive20.c>
     #DOSHashTableSize    3097
     #DOSPageCount        2
     #DOSSiteCount        50
     #DOSPageInterval     1
     #DOSSiteInterval     1
     #DOSBlockingPeriod   10
     #DOSEmailNotify
     #DOSSystemCommand    "su - someuser -c '/sbin/... %s ...'"
     #DOSLogDir           "/var/log/apache2/evasive/"
 </IfModule>

DOSEmailNotify :: Notification e-mail.
DOSWhitelist :: The Mod_Evasive whitelist.
DOSPageCount 20 :: The number of requests that the same IP may make within an interval of 1 second.
DOSSiteCount 100 :: The number of requests that may be made by the same IP coming from X web site.
DOSBlockingPeriod 10 :: The amount of time, in seconds, that the site will be blocked for that IP. During this time the client receives a 403 Forbidden.
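To see what these thresholds would do to real traffic before uncommenting them, the following added example (not part of the original post and not mod_evasive's own code) replays access-log lines through a simplified model of the DOSPageCount, DOSSiteCount and DOSBlockingPeriod checks. The function names, the fixed-window counting and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the start of an Apache common/combined log line: client IP, timestamp, URI.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)')

def replay(lines, page_count=20, page_interval=1, site_count=100,
           site_interval=1, blocking_period=10):
    """Return {ip: number of requests that would have received a 403}."""
    window = {}       # ip or (ip, uri) -> (window start, hits in window)
    blocked_at = {}   # ip -> time of the last request that was refused
    denied = defaultdict(int)

    def over(key, now, limit, interval):
        start, hits = window.get(key, (now, 0))
        if now - start >= interval:       # interval elapsed: new window
            start, hits = now, 0
        window[key] = (start, hits + 1)
        return hits + 1 > limit

    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                      # not an access-log entry
        ip, stamp, uri = m.groups()
        now = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").timestamp()
        if ip in blocked_at and now - blocked_at[ip] < blocking_period:
            blocked_at[ip] = now          # a request during the block restarts it
            denied[ip] += 1
            continue
        page_hit = over((ip, uri), now, page_count, page_interval)
        site_hit = over(ip, now, site_count, site_interval)
        if page_hit or site_hit:
            blocked_at[ip] = now
            denied[ip] += 1
    return dict(denied)

def sample():
    """Constructed log lines (documentation IP ranges), not real traffic."""
    fmt = '{} - - [01/Jan/2024:10:00:{:02d} +0000] "GET {} HTTP/1.1" 200 512'
    burst = [fmt.format("203.0.113.5", 0, "/login")] * 30   # 30 hits in one second
    late = [fmt.format("203.0.113.5", s, "/login") for s in (5, 20)]
    normal = [fmt.format("198.51.100.7", s, f"/page{s}") for s in range(5)]
    return burst + late + normal

if __name__ == "__main__":
    print(replay(sample()))               # DOSPageCount 20 / DOSSiteCount 100
    print(replay(sample(), page_count=2, site_count=50))  # values in evasive.conf
```

Feeding it a slice of your own access log shows which clients a given set of thresholds would have blocked, which helps avoid locking out legitimate users with values that are too low.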
