Prevent Denial Of Service attacks with mod_evasive
With today’s widespread use of cloud computing due to low cost and ease of use, the entry-level hacker has found an easy playground to prey on the inexperienced and unprotected. It’s just amazing how many attack scripts are running against a new AWS EC2 instance as soon as it’s started. So what to do? How to protect against intruders and hackers and reliably prevent denial of service attacks?
While there are different kinds of attacks, in this article we focus on Denial Of Service attacks. These are scripts that generate a huge number of requests to a web server in an attempt to overload it and bring any website to its knees. Fortunately, there is an Apache module called mod_evasive which we can use to detect malicious traffic patterns and, in combination with other tools such as iptables, to stop and lock out a possible intruder.
mod_evasive – our tool to prevent Denial of Service attacks
Mod_evasive keeps track of requests that originate from the same IP address over a given timeframe and takes appropriate action. It proactively prevents denial of service attacks by locking IP addresses, sending email to admins, executing scripts, etc.
Before installing mod_evasive, we need APXS. On Ubuntu, that means we need to install apache2-threaded-dev. Then we download the source, extract and build the module.
$ sudo apt-get install apache2-threaded-dev apache2-utils
$ cd /usr/src
$ wget http://www.zdziarski.com/blog/wp-content/uploads/2010/02/mod_evasive_1.10.1.tar.gz
$ tar xzvf mod_evasive_1.10.1.tar.gz
$ cd mod_evasive
$ apxs2 -cia mod_evasive20.c
$ cd ..
$ sudo rm -rf mod_evasive
Now let’s enable the module in Apache: create the load file, add the following LoadModule line to it, then save it and close vim:
$ vim /etc/apache2/mods-available/mod_evasive.load
LoadModule evasive20_module /usr/lib/apache2/modules/mod_evasive20.so
Activate the module
$ sudo a2enmod mod_evasive
(or alternatively create a symlink in /etc/apache2/mods-enabled to /etc/apache2/mods-available)
The next step is to start protecting your site. For this we need to add configuration data to the site’s virtual host configuration file, usually in /etc/apache2/sites-enabled/your-host-config. Add the following code inside the VirtualHost section:
<IfModule mod_evasive20.c>
    # size of the hash table used to track requests
    DOSHashTableSize 3097
    # threshold of requests for the same page per page interval
    DOSPageCount 2
    # threshold of the total number of requests for any object by the same IP address
    DOSSiteCount 50
    # interval for the page count threshold (seconds)
    DOSPageInterval 1
    # interval for the site count threshold (seconds)
    DOSSiteInterval 1
    # how long a violator will be blocked (seconds)
    DOSBlockingPeriod 60
    # administrator to be notified
    DOSEmailNotify firstname.lastname@example.org
</IfModule>
Restart apache. Your module should be activated and your site protected.
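To see what the thresholds in the configuration above mean for real traffic, the following added example (not code from mod_evasive or from this article's author) replays constructed request timelines through a simplified model of per-IP page and site counters. The class, function and sample names are hypothetical, and the exact counting and timer handling in the real module may differ from this model.

```python
"""Simplified model of mod_evasive-style per-IP thresholds (added example, not the module's code)."""

class EvasiveModel:
    def __init__(self, page_count=2, site_count=50, page_interval=1,
                 site_interval=1, blocking_period=60):
        # Defaults mirror the DOS* values in the article's configuration.
        self.page_count, self.page_interval = page_count, page_interval
        self.site_count, self.site_interval = site_count, site_interval
        self.blocking_period = blocking_period
        self.hits = {}     # (ip, uri) or (ip, None) -> (window_start, count)
        self.blocked = {}  # ip -> time of the most recent blocked request

    def _over_limit(self, key, now, interval, limit):
        start, count = self.hits.get(key, (now, 0))
        if now - start >= interval:      # window expired: start a new one
            start, count = now, 0
        count += 1
        self.hits[key] = (start, count)
        return count > limit

    def request(self, ip, uri, now):
        """Return the HTTP status (200 or 403) for one request at time `now` in seconds."""
        last = self.blocked.get(ip)
        if last is not None and now - last < self.blocking_period:
            self.blocked[ip] = now       # model assumption: hits while blocked restart the timer
            return 403
        page = self._over_limit((ip, uri), now, self.page_interval, self.page_count)
        site = self._over_limit((ip, None), now, self.site_interval, self.site_count)
        if page or site:
            self.blocked[ip] = now
            return 403
        return 200

def replay(events, **settings):
    """Replay (time, ip, uri) tuples through a fresh model; return the status list."""
    model = EvasiveModel(**settings)
    return [model.request(ip, uri, t) for t, ip, uri in events]

# Constructed traffic; 203.0.113.7 and 198.51.100.9 are documentation addresses.
FLOOD = [(0.0, "203.0.113.7", "/"), (0.1, "203.0.113.7", "/"), (0.2, "203.0.113.7", "/"),
         (30.0, "203.0.113.7", "/"), (89.0, "203.0.113.7", "/"), (150.0, "203.0.113.7", "/")]
# One page view that pulls 10 distinct assets within the same second.
PAGE_VIEW = [(0.0, "198.51.100.9", "/")] + [
    (0.05 * i, "198.51.100.9", f"/static/{i}.css") for i in range(1, 11)]
# Three visitors behind one NAT address opening the same page in the same second.
SHARED_NAT = [(0.0, "198.51.100.9", "/"), (0.3, "198.51.100.9", "/"), (0.6, "198.51.100.9", "/")]

if __name__ == "__main__":
    for name, events in [("flood", FLOOD), ("page view", PAGE_VIEW), ("shared NAT", SHARED_NAT)]:
        print(f"{name:10} {replay(events)}")
```

In this model the shared-NAT timeline is blocked exactly like the flood, which is why a value as low as DOSPageCount 2 is worth checking against your own access logs before relying on it.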