Jaime Frutos Morales's blog

25/06/2009

Installation & configuration of mod_evasive in Ubuntu Server 9.04

Filed under: SysAdmin, Ubuntu — acidborg @ 14:44

From its README file:

“Mod_evasive is an evasive maneuvers module for Apache to provide evasive
action in the event of an HTTP DoS or DDoS attack or brute force attack. It
is also designed to be a detection tool, and can be easily configured to talk
to ipchains, firewalls, routers, and etcetera.

Detection is performed by creating an internal dynamic hash table of IP
Addresses and URIs, and denying any single IP address from any of the following:

  • Requesting the same page more than a few times per second.
  • Making more than 50 concurrent requests on the same child per second.
  • Making any requests while temporarily blacklisted (on a blocking list).”

Its installation is quite easy:

apt-get install libapache2-mod-evasive

To configure it, create a directory to place its log files:

mkdir /var/log/apache2/mod_evasive
chown www-data:www-data /var/log/apache2/mod_evasive

Afterwards, create its configuration file with the following default content:

<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
DOSLogDir /var/log/apache2/mod_evasive
DOSEmailNotify root@localhost
DOSWhitelist 127.0.0.1
</IfModule>

These values should be tuned to the usage of your server. The parameters mean the following:

  • DOSHashTableSize: Size of the hash table used to store the IPs.
  • DOSPageCount: Number of requests for the same page allowed per DOSPageInterval.
  • DOSPageInterval: Time in seconds used by DOSPageCount.
  • DOSSiteCount: Number of objects allowed per DOSSiteInterval.
  • DOSSiteInterval: Time in seconds used by DOSSiteCount.
  • DOSBlockingPeriod: Time in seconds that IPs will be banned. If an IP tries to access the server within this period, the count will be restarted.
  • DOSLogDir: Optional. Directory to store the logs. If not specified, /tmp will be used.
  • DOSEmailNotify: Optional. Mail address where notifications will be sent.
  • DOSSystemCommand: Optional. Command to execute when an IP is blocked; %s is replaced with the blocked IP. For example: DOSSystemCommand "/sbin/iptables -I INPUT -p tcp --dport 80 -s %s -j DROP"
  • DOSWhitelist: Optional. List of IPs which won’t be blocked.
To finish the configuration process, restart Apache:

/etc/init.d/apache2 restart

You can test whether it works using a script included in the deb package:

perl /usr/share/doc/libapache2-mod-evasive/examples/test.pl
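The detection scheme quoted from the README (per-page and per-site counts inside an interval, then a ban that any further hit restarts), driven by the thresholds of the sample configuration above, as an added Python model written for this page; it is not mod_evasive's own code (that is C inside Apache), and the request log, IPs and timestamps are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Evasive:
    """Toy model of mod_evasive's IP/URI hash table (not the module's own code)."""
    page_count: int = 2          # DOSPageCount
    page_interval: int = 1       # DOSPageInterval
    site_count: int = 50         # DOSSiteCount
    site_interval: int = 1       # DOSSiteInterval
    blocking_period: int = 10    # DOSBlockingPeriod
    whitelist: frozenset = frozenset({"127.0.0.1"})  # DOSWhitelist
    table: dict = field(default_factory=dict)        # key -> (last_seen, count)

    def _over_limit(self, key, now, limit, interval):
        """Record one hit for key; True if it already had `limit` hits within `interval` s."""
        last, count = self.table.get(key, (None, 0))
        if last is not None and now - last < interval and count >= limit:
            return True
        if last is None or now - last >= interval:
            count = 0                        # window expired: start counting afresh
        self.table[key] = (now, count + 1)
        return False

    def request(self, ip, uri, now):
        """Return 200 if served, 403 if mod_evasive would deny the request."""
        if ip in self.whitelist:
            return 200
        banned_at = self.table.get(("ban", ip), (None, 0))[0]
        if banned_at is not None and now - banned_at < self.blocking_period:
            self.table[("ban", ip)] = (now, 0)   # a hit while banned restarts the period
            return 403
        if (self._over_limit((ip, uri), now, self.page_count, self.page_interval)
                or self._over_limit(("site", ip), now, self.site_count, self.site_interval)):
            self.table[("ban", ip)] = (now, 0)
            return 403
        return 200

# Constructed request log: (unix time, client IP, URI); none of it is real traffic.
REQUESTS = [
    (100, "10.0.0.5", "/login"), (100, "10.0.0.5", "/login"),  # 2 hits per second allowed
    (100, "10.0.0.5", "/login"),   # 3rd hit on one page within 1 s: denied and banned
    (105, "10.0.0.5", "/"), (114, "10.0.0.5", "/"),  # banned: each denied hit restarts the period
    (124, "10.0.0.5", "/"),        # 10 s of silence since the last hit: ban has expired
    (130, "127.0.0.1", "/login"),  # whitelisted, never counted
]

def replay(requests, ev=None):
    """Feed a request log through one Evasive instance; return the status per request."""
    ev = ev or Evasive()
    return [ev.request(ip, uri, t) for t, ip, uri in requests]
```

Replaying a sustained two-requests-per-second client never trips DOSPageCount 2, while 51 distinct URIs from one IP inside one second trip DOSSiteCount 50 on the 51st.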
