mod_evasive

mod_evasive is an Apache module for detecting and blocking abusive request rates, and it can also be configured to talk to ipchains, firewalls,
routers, etc. Detection is performed by keeping an internal dynamic hash table of IP addresses and URIs, and denying
any single IP address whose request rate exceeds the configured thresholds.

#cd /usr/src
#wget http://www.zdziarski.com/blog/wp-content/uploads/2010/02/mod_evasive_1.10.1.tar.gz
#tar xzf mod_evasive_1.10.1.tar.gz
#cd mod_evasive
#apxs -cia mod_evasive20.c

The -a flag of apxs adds the LoadModule line to httpd.conf; check that it is present:

LoadModule evasive20_module /usr/lib/httpd/modules/mod_evasive20.so

Add the configuration rules to the Apache configuration file, /etc/httpd/conf/httpd.conf:

<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 60
DOSEmailNotify someone@somewhere.com
</IfModule>

Restart Apache:

/etc/init.d/httpd restart

DOSHashTableSize: The size of the hash table that is created for the IP addresses being monitored.
DOSPageCount: The number of requests for the same page allowed per IP address within DOSPageInterval. In this case, 2 pages per 1 second before the IP gets flagged.
DOSSiteCount: The number of objects (i.e. images, style sheets, JavaScript files, SSI, etc.) allowed to be requested per IP address within DOSSiteInterval. In this case, 50 objects per 1 second.
DOSPageInterval: The length in seconds of the interval over which DOSPageCount is counted.
DOSSiteInterval: The length in seconds of the interval over which DOSSiteCount is counted.
DOSBlockingPeriod: The number of seconds for which a flagged IP address receives the Error 403 (Forbidden) page. If an IP is determined to be malicious, it is banned for this period of time, and each further request it makes while blacklisted adds another interval of this amount.

Whitelisting IP Addresses

To whitelist an address (or range) that is known not to be an attacker, add an entry like this to the Apache configuration.

DOSWhitelist 127.0.0.1
DOSWhitelist 127.0.0.*

/etc/init.d/httpd restart
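As an added example (not mod_evasive's own code), here is a small Python simulation of the counting rules described above: per-IP hits on one page within DOSPageInterval, per-IP object hits within DOSSiteInterval, a DOSBlockingPeriod that is renewed by every further hit, and the DOSWhitelist patterns from the previous section. The IPs, URIs and timings are constructed, and the real module's bookkeeping differs in small details, so use it to reason about thresholds before changing them on a live server, not as a reference implementation.

```python
# Added example, not mod_evasive's own code: simulates the counting rules above.
from dataclasses import dataclass, field
from fnmatch import fnmatch

@dataclass
class Evasive:
    page_count: int = 2            # DOSPageCount
    site_count: int = 50           # DOSSiteCount
    page_interval: float = 1       # DOSPageInterval (seconds)
    site_interval: float = 1       # DOSSiteInterval (seconds)
    blocking_period: float = 60    # DOSBlockingPeriod (seconds)
    whitelist: tuple = ("127.0.0.1", "127.0.0.*")  # DOSWhitelist entries
    page_hits: dict = field(default_factory=dict)  # (ip, uri) -> [count, window_start]
    site_hits: dict = field(default_factory=dict)  # ip -> [count, window_start]
    blocked: dict = field(default_factory=dict)    # ip -> time of last offending hit

    def _exceeded(self, table, key, now, limit, interval):
        # Count one hit in its window; True if the limit was already reached.
        count, start = table.get(key, (0, now))
        if now - start >= interval:       # window expired: start a fresh one
            count, start = 0, now
        table[key] = [count + 1, start]
        return count >= limit

    def request(self, ip, uri, now):
        # Return the status mod_evasive would answer with: 200 or 403.
        if any(fnmatch(ip, pat) for pat in self.whitelist):
            return 200
        if ip in self.blocked and now - self.blocked[ip] < self.blocking_period:
            self.blocked[ip] = now        # every further hit renews the ban
            return 403
        pages = self._exceeded(self.page_hits, (ip, uri), now, self.page_count, self.page_interval)
        objects = self._exceeded(self.site_hits, ip, now, self.site_count, self.site_interval)
        if pages or objects:
            self.blocked[ip] = now
            return 403
        return 200

def run_trace(trace, **cfg):
    # Feed (ip, uri, t) tuples through one Evasive instance; return the statuses.
    ev = Evasive(**cfg)
    return [ev.request(ip, uri, t) for ip, uri, t in trace]
# Constructed trace (documentation IPs): a page hammerer, a normal visitor, a whitelisted host.
TRACE = [
    ("203.0.113.9", "/index.html", 0.0), ("203.0.113.9", "/index.html", 0.2),
    ("203.0.113.9", "/index.html", 0.4),   # 3rd hit on one page inside 1 s -> 403
    ("203.0.113.9", "/about.html", 0.5),   # still inside DOSBlockingPeriod -> 403
    ("198.51.100.4", "/index.html", 0.0), ("198.51.100.4", "/style.css", 0.1),
    *[("127.0.0.5", "/index.html", t / 10) for t in range(3)],  # whitelisted, never blocked
    ("203.0.113.9", "/index.html", 61.0),  # 60 s after the last 403 hit: ban lapsed
]
```

Running `run_trace(TRACE)` with the defaults from the configuration above yields `[200, 200, 403, 403, 200, 200, 200, 200, 200, 200]`; raising DOSPageCount to 5 lets the whole trace through.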
