WebTracker.one
 

Apache mod_evasive - DoS Protection

Apache has a feature for combatting denial of service attacks. It's called mod_evasive and it monitors for excessive page hits by a single IP address.

Here is how you install it for a Debian/Ubuntu system:

sudo apt install libapache2-mod-evasive

Once installed, you will have access to a configuration file:

sudo nano /etc/apache2/mods-enabled/evasive.conf

# Explanatory notes sit on their own lines: Apache does not accept a comment after a directive on the same line.
#DOSHashTableSize 3097
# Number of requests for an individual page
#DOSPageCount 20
# Number of requests for all pages by a single IP address
#DOSSiteCount 100
# Number of seconds for DOSPageCount
#DOSPageInterval 1
# Number of seconds for DOSSiteCount
#DOSSiteInterval 1
# Number of seconds an IP address is blacklisted
#DOSBlockingPeriod 3600
#DOSEmailNotify you@yourdomain.com
# Sends the IP to jail
#DOSSystemCommand "su - someuser -c '/sbin/... %s ...'"
#DOSLogDir '/var/log/mod_evasive'


You will need to uncomment the features that you want to activate. Also consider the settings that are appropriate for your site. For instance, I had to raise the levels much, much more than expected based on a literal interpretation of their definitions.

You will also need to create a mod_evasive log directory:

sudo mkdir /var/log/mod_evasive

And then give the Apache user (www-data) ownership of the directory:

sudo chown -R www-data:www-data /var/log/mod_evasive

Afterwards, restart Apache:

sudo systemctl restart apache2

My site uses an HTML event-stream to check for login status. The event-stream makes a call every second and continuously triggered mod_evasive. In particular, I had to keep raising the DOSPageCount and the DOSSiteCount until I was no longer blocked by normal usage.

You will just need to use trial and error to determine the right numbers for your site.

I know that the feature works because it blocked me when I had the numbers too low. However, you can check to see if mod_evasive is working by running a script that comes with it.

perl /usr/share/doc/libapache2-mod-evasive/examples/test.pl

The script will send 100 requests to your web server. Your server should then return 400 Bad Request or 403 Forbidden codes indicating that access was denied.

     * posted by Robert on Thu, Jul 28, 2022
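
An added example (not from the original post and not part of mod_evasive): a Python script that reads an Apache access log and reports, per client IP, the busiest interval for a single URI and for the whole site, giving a measured starting point for DOSPageCount and DOSSiteCount. It assumes the common/combined log format and uses fixed time buckets, which approximates but does not reproduce mod_evasive's own counting; the sample log lines are constructed.

```python
import re
import sys
from collections import Counter
from datetime import datetime

# Common/combined log prefix: client IP, [timestamp], "METHOD URI ...".
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*"')

# Constructed sample: one browser polling /login-status every second while
# loading a page, plus a second client. Addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Jul/2022:10:15:01 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.7 - - [28/Jul/2022:10:15:01 +0000] "GET /style.css HTTP/1.1" 200 900
203.0.113.7 - - [28/Jul/2022:10:15:01 +0000] "GET /login-status HTTP/1.1" 200 64
203.0.113.7 - - [28/Jul/2022:10:15:02 +0000] "GET /login-status HTTP/1.1" 200 64
198.51.100.9 - - [28/Jul/2022:10:15:02 +0000] "GET /index.php?a=1 HTTP/1.1" 200 5120
198.51.100.9 - - [28/Jul/2022:10:15:02 +0000] "GET /index.php?a=2 HTTP/1.1" 200 5120
""".splitlines()

def peak_rates(lines, page_interval=1, site_interval=1):
    """Return {ip: (peak hits on one URI, peak hits site-wide)} per interval."""
    page_hits, site_hits = Counter(), Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        ip, stamp, uri = m.groups()
        t = int(datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").timestamp())
        uri = uri.split("?", 1)[0]  # assumption: a page counts regardless of query string
        page_hits[(ip, uri, t // page_interval)] += 1
        site_hits[(ip, t // site_interval)] += 1
    peaks = {}
    for (ip, _uri, _bucket), n in page_hits.items():
        page, site = peaks.get(ip, (0, 0))
        peaks[ip] = (max(page, n), site)
    for (ip, _bucket), n in site_hits.items():
        page, site = peaks.get(ip, (0, 0))
        peaks[ip] = (page, max(site, n))
    return peaks

if __name__ == "__main__":
    # Pass your own log (e.g. /var/log/apache2/access.log) as the first argument.
    lines = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG
    for ip, (page, site) in sorted(peak_rates(lines).items()):
        print(f"{ip}: peak page hits={page} peak site hits={site}")
```

Run it over a log that covers normal traffic and set the thresholds comfortably above the highest legitimate peaks it reports.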



Reply 1:

I tested the effectiveness of Apache mod_evasive through a denial of service test performed by DDoStest.me. The mod_evasive system sent three emails during the test stating that the DoS source IP address had been blacklisted. After five hours, the DoS testing service provided the following reports:

DoS Report 1

DoS Report 2

     * posted by Robert on Wed, Feb 08, 2023



Reply 2:

Limit HTTP request methods to thwart DDoS and other attacks:

It is unlikely that a client source would ever need to submit an HTTP header with a request method other than GET or POST. (The remaining request methods are PUT, HEAD, DELETE, PATCH, OPTIONS, CONNECT and TRACE.) It is always possible that unnecessary request methods might be abused, e.g. HTTP Verb Tampering.

Therefore, simply block these request methods. To do so, go to your apache2.conf file and add the following code:

<Directory /var/www/>
    <LimitExcept GET POST>
        Deny from all
    </LimitExcept>
</Directory>

     * posted by Robert on Fri, Jun 21, 2024



Reply 3:

Block ping requests to prevent ping (ICMP) flood DDoS attacks:

Here are two methods. The first is simple. Issue the following command to update the iptables firewall:

sudo iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

You can then double-check your iptables rules to verify that the new rule was added:

sudo iptables -S

The second method listed below quit working after upgrading Ubuntu:

Edit the sysctl file:

sudo nano /etc/sysctl.conf

Add the following lines:

net.ipv4.icmp_echo_ignore_all = 1
net.ipv6.icmp.echo_ignore_all = 1

Enter the following command to activate the changes:

sudo sysctl -p

For more information on blocking ping, see Vitux.com

     * posted by Robert on Sun, Jun 23, 2024



Reply 4:

A final method of protection against denial of service attacks is to block all IP addresses that generate 301 status responses.

See the weblog entry on Fail2Ban - Block SQL Injection Attacks

     * posted by Robert on Sun, Jun 23, 2024

