Posted April 2nd, 2005 by eth00
Security How-To's and Guides
One way to stop one of the more basic attacks on a server is mod_evasive.This how-to will walk though the process of installing and configuring mod_evasive. This apache module will help protect against people sending too many requests to the webserver in an attempt to flood it. If it detects too many connections the offending ip will be blocked from the accessing apache for This is especially useful when the server is continuously getting attacked. With this default configuration it will block the offending ip for 10 minutes. If it continues to try and flood mod_evasive will automatically add more time to this.
*Update* Feb 1 2005 - Now links to the latest version of mod_evasive from the old name of mod_dosevasive.


**NOTE** This module has been known to cause problems with frontpage server extensions. If you them you should not install this module or just be aware of the fact it might break them.

Follow this section for Apache 1.3.x.
-----command-----
cd /usr/local/src
wget
tar -zxf mod_evasive_1.10.1.tar.gz
cd mod_evasive
/usr/local/apache/bin/apxs -cia mod_evasive.c
-----command-----

Follow this section for Apache 2.0.x.
-----command-----
up2date -i httpd-devel
cd /usr/local/src
wget
tar -zxf mod_evasive_1.10.1.tar.gz
cd mod_evasive
/usr/sbin/apxs -cia mod_evasive20.c
-----command-----

If you are adding the is module to apache 1.3.x the following lines need to be added to the httpd.conf below the AddModule section.


DOSHashTableSize 3097
DOSPageCount 5
DOSSiteCount 100
DOSPageInterval 2
DOSSiteInterval 2
DOSBlockingPeriod 600


If you are using apache 2.0.x you need to scroll to below the LoadModule section in the httpd.conf and add the following:


DOSHashTableSize 3097
DOSPageCount 5
DOSSiteCount 100
DOSPageInterval 2
DOSSiteInterval 2
DOSBlockingPeriod 10
DOSBlockingPeriod 600

Exit and save out of the httpd.conf
Now it should be ready to go. Exit out of pico and restart apache.
-----command-----
service httpd restart
-----command-----

For now I have removed the mailing feature from my configuration. If you would like it you need to add "DOSEmailNotify root" in the IfModule section of your httpd.conf. If you are having trouble with mod_evasive emailing you then you probably need to make sure that the mail configuration is correct. By default the it is set to /bin/mail which you may have to sym-link to the correct mail binary. You can also edit the line containing the following: "#define MAILER "/bin/mail -t %s" in the source code to change which it is pointing to.

links: