mod_evasive is a detection and network management tool, and can be easily configured to talk to ipchains, firewalls,
routers, etc. Detection is performed by creating an internal dynamic hash table of IP addresses and URLs, and denying
any single IP address that matches the criteria.
#tar xzf mod_evasive_1.10.1.tar.gz
#apxs -cia mod_evasive20.c
LoadModule evasive20_module /usr/lib/httpd/modules/mod_evasive20.so
Add configuration rules to the Apache conf file: /etc/httpd/conf/httpd.conf
Restart Apache:
DOSHashTableSize : The size of the hash table that is created for the monitored IP addresses.
DOSPageCount : The number of pages allowed to be loaded within the DOSPageInterval. In this case, 2 pages per 1 second before the IP gets flagged.
DOSPageInterval : The length, in seconds, of the interval over which DOSPageCount is counted.
DOSSiteInterval : The length, in seconds, of the interval over which DOSSiteCount is counted.
DOSBlockingPeriod : The number of seconds the IP address will receive the Error 403 (Forbidden) page once it has been flagged.
DOSBlockingPeriod : If an IP is determined to be malicious, it is banned for this period of time. Each infraction that occurs while blacklisted adds an additional interval of this amount.
Whitelisting IP Addresses
For whitelisting an address (or range) which is sure not to be an attacker, add an entry to the Apache configuration like this.
DOSWhitelist 127.0.0.1
DOSWhitelist 127.0.0.*
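
To see how the thresholds, the blocking period and the whitelist interact, here is a small Python model of the behaviour described above, replayed over constructed traffic. It is an added example, not mod_evasive's own code: the EvasiveModel class, its fixed-window counting, the default values and the sample addresses are all assumptions made for illustration.

```python
from fnmatch import fnmatchcase

class EvasiveModel:
    """Toy model of the thresholds described above (not mod_evasive's code)."""
    def __init__(self, page_count=2, page_interval=1, site_count=50,
                 site_interval=1, blocking_period=10, whitelist=()):
        self.page = (page_count, page_interval)
        self.site = (site_count, site_interval)
        self.blocking_period = blocking_period
        self.whitelist = whitelist
        self.hits = {}     # (ip, uri) or (ip, None) -> (window start, count)
        self.blocked = {}  # ip -> time of the most recent flagged request

    def _exceeds(self, key, now, limit):
        count, interval = limit
        start, seen = self.hits.get(key, (now, 0))
        if now - start >= interval:      # interval over: start a new window
            start, seen = now, 0
        self.hits[key] = (start, seen + 1)
        return seen + 1 > count

    def handle(self, ip, uri, now):
        # Returns the HTTP status this model would give the request.
        if any(fnmatchcase(ip, pat) for pat in self.whitelist):
            return 200                   # whitelisted: never counted
        last = self.blocked.get(ip)
        if last is not None and now - last < self.blocking_period:
            self.blocked[ip] = now       # a hit while blocked extends the block
            return 403
        over_page = self._exceeds((ip, uri), now, self.page)
        over_site = self._exceeds((ip, None), now, self.site)
        if over_page or over_site:
            self.blocked[ip] = now
            return 403
        return 200

def replay(model, requests):
    return [model.handle(ip, uri, t) for t, ip, uri in requests]

# Constructed sample traffic: (seconds, client IP, URI)
SAMPLE = [
    (0.0, "203.0.113.7", "/login"), (0.2, "203.0.113.7", "/login"),
    (0.4, "203.0.113.7", "/login"),   # third hit on one page within 1 s
    (5.0, "203.0.113.7", "/"),        # still inside the blocking period
    (12.0, "203.0.113.7", "/"),       # blocked only because 5.0 extended it
    (22.5, "203.0.113.7", "/"),       # quiet for over 10 s: served again
    (22.6, "127.0.0.5", "/"), (22.6, "127.0.0.5", "/"), (22.6, "127.0.0.5", "/"),
]
STATUSES = replay(EvasiveModel(whitelist=("127.0.0.1", "127.0.0.*")), SAMPLE)
print(STATUSES)
```

The request at 12.0 seconds is the one to watch: a client that keeps retrying while blocked never sees the block expire, while the whitelisted address is never counted at all.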