ItecSoftware Logo

Prevent Denial Of Service attacks with mod_evasive

Written by Peter Gilg on - like this:
prevent denial of service attacks

With today’s widespread use of cloud computing due to low cost and ease of use, the entry level hacker has found an easy playground to pray on the unexperienced and unprotected. It’s just amazing how many attack scripts are running against a new AWS EC2 instance as soon as it’s started. So what to do? How to protect against intruders and hackers and reliably prevent denial of service attacks?

While there are different kind of attacks, in this article we focus on Denial Of Service Attacks. These are the kind of scripts that generate a huge amount of requests to a web server in the attempt to overload it and bring any website to it’s knees. Fortunately, there is an Apache Module called mod_evasive which we can use to detect traffic with malicious traffic pattern and in combination with other tools, such as IPtables to stop and lock a possible intruder out.

mod_evasive – our tool to prevent Denial of Service attacks

Mod_evasive keeps track of requests that originate from the same IP address over a given timeframe and takes appropriate action. It proactively prevents denial of service attacks by locking IP addresses, send email to admins, execute script etc.

Installing mod_evasive

Before installing mod_evasive, we need APXS. On Ubuntu, that means we need to install apache2-threaded-dev. Then we download the source, extract and build the module.

sudo apt-get install apache2-threaded-dev apache2-utils
cd /usr/src
wget http://www.zdziarski.com/blog/wp-content/uploads/2010/02/mod_evasive_1.10.1.tar.gz
tar xzvf mod_evasive_1.10.1.tar.gz
cd mod_evasive
apxs2 -cia mod_evasive20.c
cd ..
sudo rm -rf mod_evasive

Now let’s enable the module it in apache by adding the load file and then let’s add the following line, save it and close vim:

$ vim /etc/apache2/mods-available/mod_evasive.load
$ LoadModule evasive20_module /usr/lib/apache2/modules/mod_evasive20.so

Activate the module

$ sudo a2enmod evasive

(or alternatively create a symlink in /etc/apache2/mods-enabled to /etc/apache2/mods-available)

Next step is to start protecting your site. For this we need to add configuration data to the site’s virtual host configuration file, usually in /etc/apache2/sites-enabled/your-host-config. Add the following code inside the VirtualHost section:

<IfModule mod_evasive20.c>
 DOSHashTableSize 3097   #how much logging data do we want to collect
 DOSPageCount 2   #threshold of requests for the same page per page interval
 DOSSiteCount 50    #threshold of the total number of requests for any object by the same ip address
 DOSPageInterval 1    #interval for the page count threshold
 DOSSiteInterval 1    #interval for the site count threshold
 DOSBlockingPeriod 60    #how long an violator will be blocked
 DOSEmailNotify someone@somewhere.com    #administrator to be notified
 </IfModule>

Restart apache. Your module should be activated and your site protected.

Listed in Linux, Web Development

Tags: apache, ddos, denial of service, dos

One response to “Prevent Denial Of Service attacks with mod_evasive”

  1. hostvark says:

    The other day, while I was at work, my sister stole my apple ipad
    and tested to see if it can survive a 25 foot drop, just so she can be a youtube sensation.
    My apple ipad is now broken and she has 83 views. I know this is completely
    off topic but I had to share it with someone!

Leave a Reply