mod_evasive is an Apache HTTP Server module that helps keep your server responsive when it is being flooded with requests.

A common type of attack is a Denial of Service (DoS), its distributed form (DDoS), or a brute-force attempt that hammers a login page. A DDoS uses many different computers to make repeated requests against your server, exhausting its worker processes, memory, or network bandwidth until the website stops responding.

mod_evasive works by counting incoming requests per client IP address and treating the following as suspicious:

  • More than a handful of requests for the same page (URI) from one address within one second (DOSPageCount, default 2)
  • More than 50 requests to the site as a whole from one address within one second (DOSSiteCount, default 50)
  • Any request from an address that is still on the temporary blacklist

If any of these happens, the module answers with HTTP 403 Forbidden instead of serving the page. By default the offending address then stays on the blacklist for 10 seconds, and every further request in that window is refused and restarts the 10-second timer, so a client that keeps hammering stays blocked for as long as it does so.

In short, mod_evasive defends against these attacks by spotting abusive clients at the web server itself and refusing them service before they consume the resources of your application.

This guide walks you through installing and configuring mod_evasive to protect an Apache server against DoS and DDoS traffic.

Prerequisites

  • The LAMP (Linux, Apache, MySQL, PHP) stack installed and configured (only Apache itself is actually required by the module)
  • Access to a user account with sudo or root privileges
  • A working local mail setup (for email alerts: mod_evasive sends them with the system mail command)

Steps to Install the mod_evasive Apache Module

Step 1: Update Packages

1. Update your package listings by entering the following command at the terminal:

Debian / Ubuntu:

sudo apt-get update

RedHat / CentOS:

sudo yum update

Allow the system to refresh its package listings. Note that on RedHat / CentOS, yum update also upgrades every installed package; use yum check-update if you only want to refresh the listings.

2. Next, install the Apache helper packages:

Debian / Ubuntu:

sudo apt-get install apache2-utils

RedHat / CentOS:

sudo yum install httpd-devel

These packages provide Apache's helper tools and, on RedHat / CentOS, the headers used to build modules. On RedHat / CentOS, the mod_evasive package itself comes from the EPEL repository, so make sure EPEL (the epel-release package) is enabled before the next step.

Step 2: Install mod_evasive

Debian / Ubuntu

To install the mod_evasive module on Debian / Ubuntu, enter the following:

sudo apt-get install libapache2-mod-evasive

Allow the process to complete.

CentOS / RedHat

To install the mod_evasive module on RedHat / CentOS, enter the following:

sudo yum install mod_evasive

Allow the process to complete.

Step 3: Configure mod_evasive Options

Like most Linux software packages, mod_evasive is controlled by a configuration file.

1. Open it in a text editor with the following commands (on Debian / Ubuntu the file under mods-enabled is a symlink to /etc/apache2/mods-available/evasive.conf, so either path edits the same file):

Debian / Ubuntu:

sudo nano /etc/apache2/mods-enabled/evasive.conf

RedHat / CentOS:

sudo nano /etc/httpd/conf.d/mod_evasive.conf

2. Find the following entry:

#DOSEmailNotify        you@yourdomain.com

The # sign marks this line as a comment. Remove the # sign, then replace you@yourdomain.com with your actual email address. Use an address that you check regularly: this is where the module sends its alerts, one per blacklisting event.

3. Remove the comment marks from the following entries, so the configuration file reads as follows:

DOSHashTableSize 3097

DOSPageCount 2

DOSSiteCount 50

DOSPageInterval 1

DOSSiteInterval 1

DOSBlockingPeriod 10

DOSEmailNotify you@yourdomain.com

DOSLogDir "/var/log/mod_evasive"

Whatever directory DOSLogDir names must exist and be writable by the Apache user (www-data on Debian / Ubuntu, apache on RedHat / CentOS), because mod_evasive creates a lock file there for each blacklisted address. If it cannot write there, it still refuses the requests but never sends the email.

4. Save the file and exit. Reload the Apache service by entering the following:

Debian / Ubuntu:

sudo systemctl reload apache2

RedHat / CentOS:

sudo systemctl restart httpd.service

Test mod_evasive

Now, verify that the module is working.

In this example, use the test.pl script provided by the developers to test mod_evasive.

On Debian / Ubuntu the script is located at: /usr/share/doc/libapache2-mod-evasive/examples/test.pl (on RedHat / CentOS, look in the mod_evasive documentation directory under /usr/share/doc).

Use the following command to run the script:

perl /usr/share/doc/libapache2-mod-evasive/examples/test.pl

The script opens about a hundred connections to 127.0.0.1 on port 80 in quick succession and prints the status line of each response. The first few requests succeed (HTTP/1.1 200 OK); once the thresholds are exceeded the rest are refused, so the end of the output should look like this (make sure 127.0.0.1 is not on your whitelist while testing; the blacklisting itself is recorded through syslog as "Blacklisting address 127.0.0.1: possible DoS attack."):

HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden

Parameters and Settings

DOSSystemCommand: First, you may have noticed that this option was left disabled as a comment. It names a system command to run when an IP address is added to the blacklist: mod_evasive substitutes the offending address for %s in the command string and runs it through the shell as the Apache user, once per blacklisting (the lock file in DOSLogDir suppresses repeats). You can use this to hand the address to a firewall or IP filter, remembering that a firewall entry will not expire when DOSBlockingPeriod does unless your command arranges that.
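As an added example (not part of the original guide or of mod_evasive itself), here is a small Python hook you could wire in as DOSSystemCommand "/usr/local/sbin/evasive-block.py %s". The script path, the ipset name evasive, the 600-second ban length and the NEVER_BLOCK list are assumptions made for this example. The script validates the address it is handed, refuses to firewall loopback or whitelisted addresses, and adds the client to a timed ipset so the firewall entry expires on its own instead of outliving DOSBlockingPeriod.

```python
#!/usr/bin/env python3
"""Firewall hook for mod_evasive's DOSSystemCommand (added example, not part of mod_evasive).

Assumed wiring in evasive.conf:
    DOSSystemCommand "/usr/local/sbin/evasive-block.py %s"
mod_evasive replaces %s with the client address and runs the command, via the
shell, as the Apache user, once per blacklisting event.
"""
import ipaddress
import subprocess
import sys

# Never firewall these, even if mod_evasive asks. Constructed to mirror the
# DOSWhitelist entries used in this guide; keep the two lists in step.
NEVER_BLOCK = ("127.0.0.1", "192.168.0.*")

# Lifetime of the firewall entry in seconds (assumed value). Longer than
# DOSBlockingPeriod, so the firewall takes over from the 403 responses.
BAN_SECONDS = 600

# Name of the ipset the firewall rule matches on (assumed; created at boot, see note).
IPSET_NAME = "evasive"


def matches_whitelist(ip, patterns=NEVER_BLOCK):
    """DOSWhitelist-style match: exact address or a pattern ending in * for whole octets."""
    return any(ip == p or (p.endswith("*") and ip.startswith(p[:-1])) for p in patterns)


def decide(raw_ip):
    """Validate the argument mod_evasive passed in.

    Returns ("block", canonical_ip, ip_version) or ("skip", reason). The
    address comes from the TCP connection, but a hook that reaches the
    firewall must still refuse anything that is not a plain IP address.
    """
    try:
        addr = ipaddress.ip_address(raw_ip.strip())
    except ValueError:
        return ("skip", "not an IP address: %r" % raw_ip)
    ip = str(addr)
    if addr.is_loopback or addr.is_link_local or addr.is_unspecified:
        return ("skip", "refusing to firewall local address " + ip)
    if matches_whitelist(ip):
        return ("skip", ip + " is whitelisted")
    return ("block", ip, addr.version)


def firewall_command(ip, version):
    """Argument vector that adds the address to a timed ipset (no shell involved).

    A hash:ip set with a timeout drops the entry by itself when it expires,
    unlike a bare 'iptables -I INPUT -s IP -j DROP', which lives until
    someone remembers to delete it.
    """
    setname = IPSET_NAME if version == 4 else IPSET_NAME + "6"
    return ["sudo", "-n", "ipset", "add", setname, ip, "timeout", str(BAN_SECONDS), "-exist"]


def main(argv):
    if len(argv) != 2:
        sys.stderr.write("usage: evasive-block.py <ip>\n")
        return 2
    verdict = decide(argv[1])
    if verdict[0] == "skip":
        sys.stderr.write(verdict[1] + "\n")
        return 0
    _, ip, version = verdict
    subprocess.run(firewall_command(ip, version), check=True)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Create the sets and rules once at boot (for example ipset create evasive hash:ip timeout 600 -exist followed by iptables -I INPUT -m set --match-set evasive src -j DROP, and the same with hash:ip family inet6 and ip6tables for evasive6), give the Apache user a sudoers entry that permits ipset without a password, and install the script executable. Because DOSSystemCommand fires only once per blacklisting, the ipset timeout, not DOSBlockingPeriod, decides how long the client stays out.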

DOSHashTableSize: Increase this for busier web servers. This allocates space for running the lookup operations. Increasing the size improves the speed at the cost of memory.

DOSPageCount: The number of requests for an individual page (URI) within DOSPageInterval that an address may make; one more than this triggers blacklisting. This is set to 2, which is low (and aggressive): a browser fetching a page and its assets hits several different URIs, but a page that reloads itself or polls one endpoint quickly will trip it. Increase this value to reduce false positives.

DOSSiteCount: The number of requests to any page of the site from the same IP address within DOSSiteInterval. By default, this is set to 50. You can increase it to 100 to reduce false positives on asset-heavy pages.

DOSPageInterval: Number of seconds for DOSPageCount. By default, this is set to 1 second. That means that if you don't change it, more than 2 requests for the same page within 1 second will temporarily blacklist an IP address.

DOSSiteInterval: Like DOSPageInterval, this specifies the number of seconds that DOSSiteCount monitors. By default, this is set to 1 second. That means that if a single IP address requests more than 50 resources on the same website within a single second, it will be temporarily blacklisted.

DOSBlockingPeriod: The amount of time an IP address stays on the blacklist. Set to 10 seconds by default, you can change this to any value you like. Increase this value to keep blocked IP addresses in time-out for a more extended period.

DOSLogDir: The directory where mod_evasive writes a lock file (dos-<ip address>) for each blacklisted address; the lock file is what stops it from mailing you or running DOSSystemCommand repeatedly for the same client. The distribution packages point it at /var/log/mod_evasive (upstream's default is /tmp). It is not an access log: blacklisting events go to syslog, so review them with your system log (journalctl or /var/log/syslog, for example). The directory must exist and be writable by the Apache user.

To use a dedicated directory, create it, give it to the Apache user (apache on RedHat / CentOS, www-data on Debian / Ubuntu), then update the entry:

sudo mkdir -p /var/log/apache/mod_evasive
sudo chown -R apache:apache /var/log/apache/mod_evasive
sudo nano /etc/apache2/mods-enabled/evasive.conf
DOSLogDir "/var/log/apache/mod_evasive"

Whitelisting IP addresses: DOSWhitelist entries are not included in evasive.conf by default.

Open the file for editing as before, then add lines such as the following:

DOSWhitelist 192.168.0.13

DOSWhitelist 192.168.0.*

Substitute the addresses you want to exempt, one entry per line; a trailing * stands for a whole octet (up to the last three octets), and CIDR notation is not supported. Whitelisted clients are never counted or blocked, so this is the place for a trusted client that exchanges a lot of data with your website, or for a bot or script you want to allow that would otherwise trip the thresholds. Be careful what you exempt: if Apache sits behind a reverse proxy or load balancer, every request arrives from the proxy's address, so whitelisting it disables the module for everyone, while not whitelisting it means all users share one set of counters and the proxy itself gets blacklisted. Sort out how Apache sees the real client address before relying on mod_evasive in that setup.

Make sure to save the file and exit, then reload your Apache service before testing any of these options.
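Before tightening or relaxing the numbers above, it helps to see what they would do to traffic you already have. The following Python script is an added example, not part of the guide or of mod_evasive: it re-implements the documented per-address counting (DOSPageCount/DOSPageInterval, DOSSiteCount/DOSSiteInterval, DOSBlockingPeriod with the extension described earlier, and DOSWhitelist with trailing-octet wildcards) as a model you can replay Apache combined-format access-log lines through. The log lines embedded in it are constructed for the example, and the model follows the documented behaviour rather than the module's source, so use it to compare settings, not to predict the exact request at which the real module starts blocking. Run it with the path to a slice of your own access log to see which clients the defaults would refuse.

```python
#!/usr/bin/env python3
"""Replay Apache access-log lines through a model of mod_evasive's thresholds (added example)."""
import re
import sys
from collections import defaultdict
from datetime import datetime

# Apache "combined" format: ip ident user [time] "METHOD uri proto" status size "ref" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+)[^"]*"')


def parse_log_line(line):
    """Return (ip, unix_second, uri) or None for a line that is not an access-log entry."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    uri = m.group("uri").split("?", 1)[0]  # the module keys on the URI path, not the query string
    return m.group("ip"), int(ts.timestamp()), uri


def whitelisted(ip, patterns):
    """DOSWhitelist match: exact address, or a pattern ending in * that covers whole octets."""
    return any(ip == p or (p.endswith("*") and ip.startswith(p[:-1])) for p in patterns)


class EvasiveModel:
    """Per-address counters with the semantics the guide describes (a model, not the module's code)."""

    def __init__(self, page_count=2, page_interval=1, site_count=50,
                 site_interval=1, blocking_period=10, whitelist=()):
        self.page_count, self.page_interval = page_count, page_interval
        self.site_count, self.site_interval = site_count, site_interval
        self.blocking_period = blocking_period
        self.whitelist = tuple(whitelist)
        self.page_hits = {}      # (ip, uri) -> (second of last hit, hits in current burst)
        self.site_hits = {}      # ip -> (second of last hit, hits in current burst)
        self.blocked_until = {}  # ip -> first second at which it is no longer blocked
        self.events = []         # (second, ip, "page" | "site") for each new blacklisting

    def _bump(self, table, key, t, interval, limit):
        """Count a hit; the burst resets when a gap of `interval` seconds or more appears.
        Returns True when this hit is the (limit + 1)th of the burst, i.e. the limit is exceeded."""
        last, count = table.get(key, (None, 0))
        if last is None or t - last >= interval:
            count = 0
        table[key] = (t, count + 1)
        return count >= limit

    def request(self, ip, t, uri):
        """Return the status the model would answer: 200 (served) or 403 (refused)."""
        if whitelisted(ip, self.whitelist):
            return 200
        if t < self.blocked_until.get(ip, 0):
            self.blocked_until[ip] = t + self.blocking_period  # a hit during the block extends it
            return 403
        over_page = self._bump(self.page_hits, (ip, uri), t, self.page_interval, self.page_count)
        over_site = self._bump(self.site_hits, ip, t, self.site_interval, self.site_count)
        if over_page or over_site:
            self.blocked_until[ip] = t + self.blocking_period
            self.events.append((t, ip, "page" if over_page else "site"))
            return 403
        return 200


def replay(lines, model):
    """Feed log lines through the model in time order; return {ip: number of refused requests}."""
    parsed = [p for p in map(parse_log_line, lines) if p is not None]
    parsed.sort(key=lambda p: p[1])  # stable sort on the second keeps same-second order intact
    refused = defaultdict(int)
    for ip, t, uri in parsed:
        if model.request(ip, t, uri) == 403:
            refused[ip] += 1
    return dict(refused)


# Constructed sample: a normal visitor, a scraper hammering /search, a whitelisted monitor, junk.
SAMPLE_LOG = """\
198.51.100.9 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:55:36 +0000] "GET /style.css HTTP/1.1" 200 880 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=1 HTTP/1.1" 200 900 "-" "scraper/0.1"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=2 HTTP/1.1" 200 900 "-" "scraper/0.1"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=3 HTTP/1.1" 403 199 "-" "scraper/0.1"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=4 HTTP/1.1" 403 199 "-" "scraper/0.1"
203.0.113.7 - - [10/Oct/2023:13:55:45 +0000] "GET /search?q=5 HTTP/1.1" 403 199 "-" "scraper/0.1"
203.0.113.7 - - [10/Oct/2023:13:55:50 +0000] "GET /search?q=6 HTTP/1.1" 403 199 "-" "scraper/0.1"
203.0.113.7 - - [10/Oct/2023:13:56:05 +0000] "GET /search?q=7 HTTP/1.1" 200 900 "-" "scraper/0.1"
192.168.0.42 - - [10/Oct/2023:13:55:36 +0000] "GET /admin HTTP/1.1" 200 700 "-" "monitor/1.0"
192.168.0.42 - - [10/Oct/2023:13:55:36 +0000] "GET /admin HTTP/1.1" 200 700 "-" "monitor/1.0"
192.168.0.42 - - [10/Oct/2023:13:55:36 +0000] "GET /admin HTTP/1.1" 200 700 "-" "monitor/1.0"
this line is not an access-log entry
"""

if __name__ == "__main__":
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for label, model in (("defaults", EvasiveModel(whitelist=("192.168.0.*",))),
                         ("DOSPageCount 10", EvasiveModel(page_count=10, whitelist=("192.168.0.*",)))):
        print(label, replay(lines, model))
```

With the defaults, 203.0.113.7 is refused from its third request to /search within the same second, and the request at 13:55:50 is refused only because the one at 13:55:45 extended the block; with DOSPageCount 10 the same traffic passes untouched. The monitoring host 192.168.0.42 is never counted because it matches the whitelist, and the malformed last line is skipped rather than miscounted.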

Conclusion

Now you know how to install and configure mod_evasive on Apache.

The mod_evasive module is a simple, effective way to detect and refuse IP addresses that are flooding an Apache server. It does so by putting suspicious addresses on a temporary blacklist and extending the block for as long as the behaviour continues. Keep two limits in mind: each Apache child process keeps its own hit table, so under a prefork MPM with many children a client's requests are spread across several counters and the effective thresholds are higher than the configured numbers; and because it counts per source address, it is strongest against single-source floods and misbehaving scripts and weakest against a large distributed attack, where you still need filtering upstream of the web server.

Between its simplicity to configure and its effectiveness, it has become a favorite tool for protecting Apache and Linux systems. For more information and the manual, please refer to the developer's GitHub documentation page.