Differences

This shows you the differences between two versions of the page.

--- mod_evasive [2009/05/12 14:16] – created k2patel
+++ mod_evasive [2020/08/10 02:35] (current) – external edit 127.0.0.1
@@ Line 1: / Line 1: @@
 ====== mod_evasive (module to prevent DDOS) ======
+Short Brief [[http://www.zdziarski.com/projects/mod_evasive|Source]]
+mod_evasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack.\\
+It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and etcetera.\\
+mod_evasive presently reports abuses via email and syslog facilities.\\
+Detection is performed by creating an internal dynamic hash table of IP Addresses and URIs, and denying any single IP address from any of the following:
+  * Requesting the same page more than a few times per second
+  * Making more than 50 concurrent requests on the same child per second
+  * Making any requests while temporarily blacklisted (on a blocking list)
+This method has worked well in both single-server script attacks as well as distributed attacks, but just like other evasive tools, \\
+is only as useful to the point of bandwidth and processor consumption (e.g. the amount of bandwidth and processor required to \\
+receive/process/respond to invalid requests), which is why it's a good idea to integrate this with your firewalls and routers for maximum protection.\\
+This module instantiates for each listener individually, and therefore has a built-in cleanup mechanism and scaling capabilities.\\
+Because of this per-child design, legitimate requests are never compromised (even from proxies and NAT addresses) but only scripted attacks.\\
+Even a user repeatedly clicking on 'reload' should not be affected unless they do it maliciously. \\
+mod_evasive is fully tweakable through the Apache configuration file, easy to incorporate into your web server, and easy to use.
+<code bash>
+cd /usr/local/src
+</code>
+Download Source from
+<code bash>
+http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
+</code>
+OR
+<code bash>
+http://www.zdziarski.com/blog/wp-content/uploads/2010/02/mod_evasive_1.10.1.tar.gz
+</code>
+Extract it
+<code bash>
+tar -zxvf mod_evasive_1.10.1.tar.gz
+cd mod_evasive
+</code>
+Install it
+Apache 2.0.x , execute the following command:
+<code bash>
+/usr/sbin/apxs -cia mod_evasive20.c
+</code bash>
+for Apache 1.3.x,
+<code bash>
+/usr/local/apache/bin/apxs -cia mod_evasive.c
+</code>
+Good Configuration (add it to the /www/apache/conf/httpd.conf)
+<code apache>
+IF Apache 2.x
+<IfModule mod_evasive20.c>
+IF Apache 1.3.x
+ <IfModule mod_evasive.c>
+   DOSHashTableSize    3097
+   DOSPageCount        2
+   DOSSiteCount        50
+   DOSPageInterval     1
+   DOSSiteInterval     1
+   DOSBlockingPeriod   1600
+   DOSSystemCommand "/sbin/ipfw add 1 deny all from %s to any" (works with Apache 2.x smoothly)
+   DOSEmailNotify <email_address> (works with Apache 2.x smoothly)
+   DOSWhitelist 127.0.0.1
+</IfModule>
+</code>
+**DOSHashTableSize**
+The hash table size defines the number of top-level nodes for each child's hash table.\\
+Increasing this number will provide faster performance by decreasing the number of iterations required to get to the record,\\
+but consume more memory for table space. You should increase this if you have a busy web server.\\
+The value you specify will automatically be tiered up to the next prime number in the primes list (see mod_evasive.c for a list of primes used).\\
+**DOSPageCount**
+This is the threshhold for the number of requests for the same page (or URI) per page interval.\\
+Once the threshhold for that interval has been exceeded, the IP address of the client will be added to the blocking list.
+**DOSSiteCount**
+This is the threshhold for the total number of requests for any object by the same client on the same listener per site interval.\\
+Once the threshhold for that interval has been exceeded, the IP address of the client will be added to the blocking list.
+**DOSPageInterval**
+The interval for the page count threshhold; defaults to 1 second intervals.\\
+**DOSSiteInterval**
+The interval for the site count threshhold; defaults to 1 second intervals.\\
+**DOSBlockingPeriod**
+The blocking period is the amount of time (in seconds) that a client will be blocked for if they are added to the blocking list.\\
+During this time, all subsequent requests from the client will result in a 403 (Forbidden) and the timer being reset (e.g. another 10 seconds).\\
+Since the timer is reset for every subsequent request, it is not necessary to have a long blocking period; in the event of a DoS attack,\\
+this timer will keep getting reset.
+**DOSEmailNotify**
+If this value is set, an email will be sent to the address specified whenever an IP address becomes blacklisted.\\
+A locking mechanism using /tmp prevents continuous emails from being sent.
+NOTE: //Be sure MAILER is set correctly in mod_evasive.c (or mod_evasive20.c). \\
+The default is "/bin/mail -t %s" where %s is used to denote the destination email address set in the configuration.\\
+If you are running on linux or some other operating system with a different type of mailer, you'll need to change this.//
+**DOSLogDir**
+Choose an alternative temp directory, default is /tmp. File should look like dos-<IP address>\\
+**DOSSystemCommand**
+If this value is set, the system command specified will be executed whenever an IP address becomes blacklisted.\\
+This is designed to enable system calls to ip filter or other tools.