Mod Evasive for Apache (First line of defence against DOS attacks)

Though I wanted my first howto to be quite powerful and explanatory, here is what I am starting with, with a short one.

Mod Evasive (mod_evasive) is a module for Apache web server. Within this, you can define certain limits on it for people trying to access a page on your website. Such as ability to access the same page (more than once) within a second. This is normally an idication of DOS attack. Mod_evasive successfully intercepts such attack and returns a 403 (Forbidden) message to the attacker. Here is how it will be implemented.

System / OS: CentOS 5.0

Homepage of mod_evasive : http://www.zdziarski.com/projects/mod_evasive/
Make sure you have httpd-devel installed before you continue. Otherwise you will not get apxs utlity. You have been warned.

cd ~
wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
tar xzf mod_evasive_1.10.1.tar.gz

cd mod_evasive

apxs -i -a -c mod_evasive20.c

vi /etc/httpd/conf/httpd.conf
….

<IfModule mod_evasive20.c>
DOSHashTableSize    3097
DOSPageCount        2
DOSSiteCount        50
DOSPageInterval     1
DOSSiteInterval     1
DOSBlockingPeriod   10
DOSEmailNotify      webmaster@yourdomain.com
#     DOSSystemCommand    “su – someuser -c ‘/sbin/… %s …'” # this is firewall command maybe
DOSLogDir           “/var/log/httpd/mod_evasive.log”
</IfModule>

service httpd restart

Time to test it:

Make sure your website’s document Root has an index.html, otherwise you will not get correct results. I had to adjust a line in test.pl to get /mrtg/index.html .

# chmod +x test.pl  # supplied by source code of mod_evasive.

Execute this test script:

# ./test.pl
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK


HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
..

HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden

You May Also Like

Leave a Reply

Your email address will not be published. Required fields are marked *