Apache mod_evasive - DoS Protection
Apache has a feature for combatting denial of service attacks. It's called mod_evasive and it monitors for excessive page hits by a single IP address.
Here is how you install it for a Debian/Ubuntu system:
Once installed, you will have access to a configuration file:
#DOSHashTableSize 3097
#DOSPageCount 20 #number of requests for an individual page
#DOSSiteCount 100 #number of requests for all pages by a single IP address
#DOSPageInterval 1 #number of seconds for DOSPageCount
#DOSSiteInterval 1 #number of seconds for DOSSiteCount
#DOSBlockingPeriod 1 #number of seconds an IP address is blacklisted
#DOSEmailNotify you@yourdomain.com
#DOSSystemCommand 'su - someuser -c '/sbin/... %s ...'' #sends the IP to jail
#DOSLogDir '/var/log/mod_evasive'
You will need to uncomment the features that you want to activate. Also consider the settings that are appropriate for your site. For instance, I had to raise the levels much, much more than expected based on a literal interpretation of their definitions.
My site uses an html event-stream to check for login status. The event-stream makes a call every second and continuousy triggered mod_evasive. In particular, I had to keep raising the DOSPageCount and the DOSSiteCount until I was no longer blocked by normal usage.
You will just need to use trial and error to determine the right numbers for your site.
I know that feature works because it blocked me when I had the numbers too low. However, you can check to see if mod-evasive by running a script that comes with it.
Here is how you install it for a Debian/Ubuntu system:
sudo apt install libapache2-mod-evasive
Once installed, you will have access to a configuration file:
sudo nano /etc/apache2/mods-enabled/evasive.conf
#DOSHashTableSize 3097
#DOSPageCount 20 #number of requests for an individual page
#DOSSiteCount 100 #number of requests for all pages by a single IP address
#DOSPageInterval 1 #number of seconds for DOSPageCount
#DOSSiteInterval 1 #number of seconds for DOSSiteCount
#DOSBlockingPeriod 1 #number of seconds an IP address is blacklisted
#DOSEmailNotify you@yourdomain.com
#DOSSystemCommand 'su - someuser -c '/sbin/... %s ...'' #sends the IP to jail
#DOSLogDir '/var/log/mod_evasive'
You will need to uncomment the features that you want to activate. Also consider the settings that are appropriate for your site. For instance, I had to raise the levels much, much more than expected based on a literal interpretation of their definitions.
My site uses an html event-stream to check for login status. The event-stream makes a call every second and continuousy triggered mod_evasive. In particular, I had to keep raising the DOSPageCount and the DOSSiteCount until I was no longer blocked by normal usage.
You will just need to use trial and error to determine the right numbers for your site.
I know that feature works because it blocked me when I had the numbers too low. However, you can check to see if mod-evasive by running a script that comes with it.
perl /usr/share/doc/libapache2-mod-evasive/examples/test.pl
* posted by Robert on Thu, Jul 28, 2022