Enabling mod_evasive on Apache

Mod_evasive is a module for Apache that automatically takes action when an HTTP DoS attack or brute force attack is detected. Mod_evasive is able to log and report abuse and notify problems via email. Before following this guide, you should already have a LAMP server in place that’s functioning correctly.

This guide was written for CentOS and its variations (such as RHEL) and Debian and its variations (such as Ubuntu).

The module creates a table of IP addresses and URLs. If conditions set in the configuration (as described later on in this doc) are met, abusing users will get a 403 (forbidden) error. Also, the IP address is logged, and if the option is set, an email will be sent to the specified email address.

Step 1: Installing httpd-devel

The httpd-devel package contains required files that you need to build Dynamic Shared Objects for Apache. We need this package to install the module, as we will compile it ourselves in the following steps.

On CentOS/RHEL, execute:

yum install httpd-devel

On Debian/Ubuntu, execute:

apt-get install apache2-utils

After this package is successfully installed, proceed to the next step. If the installation is not properly finished, the next step will (most likely) fail.

Step 2: Downloading and Installing mod_evasive

Method 1: Compiling

Download the module:

cd /usr/src
wget http://www.zdziarski.com/blog/wp-content/uploads/2010/02/mod_evasive_1.10.1.tar.gz

Extract the module:

tar xzf mod_evasive*.tar.gz

Navigate to the directory:

cd mod_evasive

Next, we’ll be using apxs2, a tool created for building and installing modules that extend the functionality of Apache. Apxs2 builds a Dynamic Shared Object, which is why we installed httpd-devel in step #1.

Execute:

apxs2 -cia mod_evasive20.c

Method 2: Installation Using yum (Recommended)

When you have the epel-release repository installed, mod_evasive is available through yum.

Add the repository:

yum install epel-release

Install the module using yum:

 yum install mod_evasive

Step 3: Adding the Module to Apache

Generally, Apache loads all modules from mods-enabled, so whenever a module is added to that folder, it does not need to be added to the Apache configuration manually. Open your configuration file to check if this is the case.

On CentOS, the relevant file is: /etc/httpd/conf/httpd.conf

On Ubuntu, the relevant file is: /etc/apache2/apache2.conf

Search for Include. A line such as Include mods-enabled/*.conf tells Apache to load all modules. If it is not there, add that line to the top of the file and restart Apache.

For Ubuntu, add the following contents to the bottom of the file:

LoadModule evasive20_module /usr/lib/httpd/modules/mod_evasive20.so

Step 4: Configuring and Altering Settings

Add the following block to the configuration file. The paths are the same as those in step #3.

<IfModule mod_evasive20.c>
    DOSHashTableSize 3097
    DOSPageCount 2
    DOSSiteCount 50
    DOSPageInterval 1
    DOSSiteInterval 1
    DOSBlockingPeriod 60
    DOSEmailNotify <william@williamdavidedwards.com>
</IfModule>

A quick overview of these parameters can be found in the README. You can read the README file as follows:

cat /usr/src/cd mod_evasive/README

You will most likely need to tweak these settings from time to time, to make sure they’re just right for your server and websites. After all, some servers have more activity and traffic than others.

Step 5: Restarting the Web Server

Restart the Apache web server for the changes to take effect and the module to be loaded:

service httpd restart

Make sure the module is loaded into Apache:

httpd -M | grep evasive

This should return evasive20_module (shared). If not, the module was not correctly loaded and we recommend to recheck the configuration files and if they were saved correctly.

Note that this module is not a replacement for DDoS protection as it cannot function when the server capacity is used up. In fact, Vultr offers DDoS Protection which is very useful for better protection of the server (as well as using this module). For simpler threats, especially script-based attacks, the module does its job and is definitely useful.

You have now installed the mod_evasive module in Apache, and thus made your web app safer.