Apache mod_evasive - DoS Protection
Apache has a feature for combatting denial of service attacks. It's called mod_evasive and it monitors for excessive page hits by a single IP address.
Here is how you install it for a Debian/Ubuntu system:
sudo apt install libapache2-mod-evasive
Once installed, you will have access to a configuration file:
sudo nano /etc/apache2/mods-enabled/evasive.conf
# Apache does not allow a comment on the same line as a directive,
# so each note sits on its own line above the setting it describes.
#DOSHashTableSize 3097
# number of requests for an individual page
#DOSPageCount 20
# number of requests for all pages by a single IP address
#DOSSiteCount 100
# number of seconds for DOSPageCount
#DOSPageInterval 1
# number of seconds for DOSSiteCount
#DOSSiteInterval 1
# number of seconds an IP address is blacklisted
#DOSBlockingPeriod 3600
#DOSEmailNotify you@yourdomain.com
# sends the IP to jail
#DOSSystemCommand "su - someuser -c '/sbin/... %s ...'"
#DOSLogDir '/var/log/mod_evasive'
You will need to uncomment the features that you want to activate. Also consider the settings that are appropriate for your site. For instance, I had to raise the levels much, much more than expected based on a literal interpretation of their definitions.
You will also need to create a mod_evasive log directory:
sudo mkdir /var/log/mod_evasive
And then assign the Apache user ownership of the directory:
sudo chown -R www-data:www-data /var/log/mod_evasive
Afterwards, restart Apache:
sudo systemctl restart apache2
My site uses an HTML event-stream to check for login status. The event-stream makes a call every second, which continuously triggered mod_evasive. In particular, I had to keep raising DOSPageCount and DOSSiteCount until I was no longer blocked by normal usage.
You will just need to use trial and error to determine the right numbers for your site.
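To narrow the trial and error, the following added example (not from the original post or the mod_evasive project) reads Apache access-log lines in the common/combined format and reports the most requests one IP made to a single path, and to the whole site, within one interval, taking the directive comments above literally. It assumes fixed time buckets and per-path counting with the query string ignored; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Prefix of Apache's common/combined log format: client IP, time, request path.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" \d{3}')

def peak_rates(lines, page_interval=1, site_interval=1):
    """Busiest interval per (IP, path) and per IP, using fixed time buckets."""
    page, site = Counter(), Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a request line
        ip, stamp, uri = m.groups()
        try:
            ts = int(datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").timestamp())
        except ValueError:
            continue  # unparseable timestamp
        path = uri.split("?", 1)[0]  # assumption: counting is per path, query ignored
        page[(ip, path, ts // page_interval)] += 1
        site[(ip, ts // site_interval)] += 1
    top_page = page.most_common(1)[0] if page else ((None, None, 0), 0)
    top_site = site.most_common(1)[0] if site else ((None, 0), 0)
    return {"page_peak": top_page[1], "page_key": top_page[0][:2],
            "site_peak": top_site[1], "site_ip": top_site[0][0]}

def tripped(stats, page_count, site_count):
    """Directives that the observed traffic would reach at these thresholds."""
    hits = []
    if stats["page_peak"] >= page_count:
        hits.append("DOSPageCount")
    if stats["site_peak"] >= site_count:
        hits.append("DOSSiteCount")
    return hits

def _line(ip, sec, uri):
    # Constructed sample entry, not taken from a real log.
    return f'{ip} - - [28/Jul/2022:10:00:{sec:02d} +0000] "GET {uri} HTTP/1.1" 200 512'

# Constructed traffic: one browser polling /events.php about once a second
# while loading six images, plus one unrelated visitor and one junk line.
SAMPLE = ([_line("203.0.113.10", s, f"/events.php?t={s}") for s in (0, 1, 1, 2, 3)]
          + [_line("203.0.113.10", 1, f"/img/{n}.png") for n in range(6)]
          + [_line("198.51.100.7", 1, "/index.php"), "garbage line"])

if __name__ == "__main__":
    stats = peak_rates(SAMPLE)
    print(stats, tripped(stats, page_count=20, site_count=100))
```

Run it over a day of real access-log lines and treat the reported peaks as a floor for DOSPageCount and DOSSiteCount, not as the values to set.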
I know that the feature works because it blocked me when I had the numbers too low. However, you can check whether mod_evasive is working by running a script that comes with it.
perl /usr/share/doc/libapache2-mod-evasive/examples/test.pl
The script will send 100 requests to your web server. Your server should then return 400 Bad Request or 403 Forbidden codes indicating that access was denied.
* posted by Robert on Thu, Jul 28, 2022
Reply 1:
I tested the effectiveness of Apache mod_evasive through a denial of service test performed by DDoStest.me. The mod_evasive system sent three emails during the test stating that the DoS source IP address had been blacklisted. After five hours, the DoS testing service provided the following reports:
* posted by Robert on Wed, Feb 08, 2023