Web Servers

Configure mod_evasive To Prevent DoS and DDoS Attack On CentOS

In this article, we will learn how to install and configure mod_evasive to prevent DoS and DDoS attack on CentOS.

For this demonstration, we have used CentOS 7 64 bit dedicated server.

Let’s get started.

The mod_evasive Apache module. It helps to sustain Distributed Denial of Service (DoS & DDoS) Attack and brute force attacks on the Apache webserver. The mod_evasive operate by monitoring incoming requests and report abuse via email and syslog facilities. It is intended to be a detection and network management tool and quickly configured to communicate with ipchains, firewalls, routers, and more.

The mod_evasive watches suspicious requests and deny any single IP address from any of the following:

  • Requesting the same page more than a few times per second
  • Making more than 50 concurrent requests on the same child per second
  • Making any requests while temporarily blacklisted

Prerequisites

  • CentOS 7 64-bit dedicated server or cloud server (It’s also work with CentOS 6)
  • Apache Webserver LAMP (Linux, Apache, MySQL, PHP) installed and configured
  • Mail Server

1. Keep the server updated:

# yum update -y

2. Install EPEL (Extra Packages for Enterprise Linux):

# yum install epel-release -y

3. Install prerequisite of mod_evasive:

# yum install httpd-devel

4. Install mod_evasive:

# yum install mod_evasive -y

Now, mod_evasive is installed

5. To add the mod_evasive configuration to your Apache configuration file:

By default, LoadModule line will be added in configuration file mod_evasive.conf. Open file and add following line if its not already present.

# vi /etc/httpd/conf.d/mod_evasive.conf

LoadModule evasive20_module modules/mod_evasive24.so

Open configuration file mod_evasive.conf and check following entries.

DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 60
DOSEmailNotify <someone@somewhere.com>

You can configure above entries as per your requirement. Modify DOSEmailNotify to your email id.

To whitelist IP address add following line in configuration file:

DOSWhitelist 127.0.0.1

DOSWhitelist 127.0.0.*

You can add multiple IP addresses too.

One more entry need to change DOSLogDir. By default, it refers to /tmp for a locking mechanism.

Create new directory in /var/log/ :

# mkdir /var/log/mod_evasive

Set the ownership to apache user:

# chown -R apache:apache /var/log/mod_evasive

Now, edit following line in mod_evasive configuration and modify directory path:

DOSLogDir  /var/log/mod_evasive

Save and exit the mod_evasive configuration file.

Next, restart the Apache:

# systemctl restart httpd.service

That’s it, mod_evasive installed and configured.

Learn more about mod_evasive configuration options
These configuration option descriptions were taken directly from the README file.

DOSHashTableSize

The hash table size defines the number of top-level nodes for each child’s hash table. Increasing this number will provide faster performance by decreasing the number of iterations required to get to the record, but consume more memory for table space. You should increase this if you have a busy web server. The value you specify will automatically be tiered up to the next prime number in the primes list (see mod_evasive.c for a list of primers used).

DOSPageCount

This is the threshold for the number of requests for the same page (or URI) per page interval. Once the threshold for that interval has been exceeded, the IP address of the client will be added to the blocking list.

DOSSiteCount

This is the threshold for the total number of requests for any object by the same client on the same listener per site interval. Once the threshold for that interval has been exceeded, the IP address of the client will be added to the blocking list.

DOSPageInterval

The interval for the page count threshold; defaults to 1-second intervals.

DOSSiteInterval

The interval for the site count threshold; defaults to 1-second intervals.

DOSBlockingPeriod

The blocking period is the amount of time (in seconds) that a client will be blocked for if they are added to the blocking list. During this time, all subsequent requests from the client will result in a 403 (Forbidden) and the timer is reset (e.g. another 10 seconds). Since the timer is reset for every subsequent request, it is not necessary to have a long blocking period; in the event of a DoS attack, this timer will keep getting reset.

DOSEmailNotify

If this value is set, an email will be sent to the address specified whenever an IP address becomes blacklisted. A locking mechanism using /tmp prevents continuous emails from being sent.

Note:

Be sure MAILER is set correctly in mod_evasive.c (or mod_evasive20.c). The default is “/bin/mail -t %s” where %s is used to denote the destination email address set in the configuration. If you are running on linux or some other operating system with a different type of mailer, you’ll need to change this.

DOSSystemCommand

If this value is set, the system command specified will be executed whenever an IP address becomes blacklisted. This is designed to enable system calls to ip filter or other tools. A locking mechanism using /tmp prevents continuous system calls. Use %s to denote the IP address of the blacklisted IP.

DOSLogDir

Choose an alternative temp directory
By default “/tmp” will be used for locking mechanism, which opens some security issues if your system is open to shell users. In the event you have nonprivileged shell users, you’ll want to create a directory writable only to the user Apache is running as (usually root), then set this in your httpd.conf.

In this article, we have covered how our support engineer install and configure mod_evasive to prevent DoS and DDoS attack on CentOS.

[Need assistance to fix this error or install tools? We’ll help you.]

Related Articles