mod_evasive [2010/10/08 04:29]
k2patel
mod_evasive [2020/08/10 02:35]
====== mod_evasive (module to prevent DDoS) ======

Short brief ([[http://www.zdziarski.com/projects/mod_evasive|Source]])

mod_evasive is an evasive maneuvers module for Apache that provides evasive action in the event of an HTTP DoS or DDoS attack or a brute force attack.\\
It is also designed to be a detection and network management tool, and can easily be configured to talk to ipchains, firewalls, routers, and so on.\\
mod_evasive presently reports abuses via email and syslog facilities.\\
Detection is performed by creating an internal dynamic hash table of IP addresses and URIs, and denying any single IP address that does any of the following:

  * Requesting the same page more than a few times per second
  * Making more than 50 concurrent requests on the same child per second
  * Making any requests while temporarily blacklisted (on a blocking list)

This method has worked well against both single-server script attacks and distributed attacks, but, like other evasive tools, it is only useful up to the point of bandwidth and processor consumption (i.e. the bandwidth and processor time required to receive, process and respond to invalid requests), which is why it is a good idea to integrate it with your firewalls and routers for maximum protection.\\
This module instantiates for each listener individually, and therefore has a built-in cleanup mechanism and scaling capabilities.\\
Because of this per-child design, legitimate requests are never compromised (even from proxies and NAT addresses), only scripted attacks.\\
Even a user repeatedly clicking on 'reload' should not be affected unless they do it maliciously.\\
mod_evasive is fully tweakable through the Apache configuration file, easy to incorporate into your web server, and easy to use.

<code bash>
cd /usr/local/src
</code>

Download the source from
<code bash>
wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
</code>
or from
<code bash>
wget http://www.zdziarski.com/blog/wp-content/uploads/2010/02/mod_evasive_1.10.1.tar.gz
</code>

Extract it:
<code bash>
tar -zxvf mod_evasive_1.10.1.tar.gz
cd mod_evasive
</code>

Install it.

For Apache 2.0.x, execute the following command:
<code bash>
/usr/sbin/apxs -cia mod_evasive20.c
</code>

For Apache 1.3.x:
<code bash>
/usr/local/apache/bin/apxs -cia mod_evasive.c
</code>

Suggested configuration (add it to /www/apache/conf/httpd.conf). For Apache 2.x the directives go inside an IfModule block for mod_evasive20.c, for Apache 1.3.x inside one for mod_evasive.c:

<code apache>
# Apache 2.x: mod_evasive20.c. For Apache 1.3.x use <IfModule mod_evasive.c> instead.
<IfModule mod_evasive20.c>
   DOSHashTableSize    3097
   DOSPageCount        2
   DOSSiteCount        50
   DOSPageInterval     1
   DOSSiteInterval     1
   DOSBlockingPeriod   1600
   # The next two directives work smoothly with Apache 2.x; <email_address> is a placeholder
   DOSSystemCommand    "/sbin/ipfw add 1 deny all from %s to any"
   DOSEmailNotify      <email_address>
   DOSWhitelist        127.0.0.1
</IfModule>
</code>

**DOSHashTableSize**

The hash table size defines the number of top-level nodes for each child's hash table.\\
Increasing this number gives faster performance by decreasing the number of iterations required to reach a record,\\
but consumes more memory for table space. You should increase it if you have a busy web server.\\
The value you specify is automatically rounded up to the next prime number in the primes list (see mod_evasive.c for the list of primes used).

**DOSPageCount**

This is the threshold for the number of requests for the same page (or URI) per page interval.\\
Once the threshold for that interval has been exceeded, the IP address of the client is added to the blocking list.

**DOSSiteCount**

This is the threshold for the total number of requests for any object by the same client on the same listener per site interval.\\
Once the threshold for that interval has been exceeded, the IP address of the client is added to the blocking list.

**DOSPageInterval**

The interval for the page count threshold; defaults to 1 second.

**DOSSiteInterval**

The interval for the site count threshold; defaults to 1 second.

**DOSBlockingPeriod**

The blocking period is the amount of time (in seconds) that a client is blocked for once it has been added to the blocking list.\\
During this time, all subsequent requests from the client result in a 403 (Forbidden) and the timer being reset (e.g. another 10 seconds).\\
Since the timer is reset on every subsequent request, it is not necessary to have a long blocking period; in the event of a DoS attack,\\
this timer will keep getting reset.

**DOSEmailNotify**

If this value is set, an email is sent to the address specified whenever an IP address becomes blacklisted.\\
A locking mechanism using /tmp prevents continuous emails from being sent.

NOTE: //Be sure MAILER is set correctly in mod_evasive.c (or mod_evasive20.c).\\
The default is "/bin/mail -t %s", where %s denotes the destination email address set in the configuration.\\
If you are running on Linux or another operating system with a different type of mailer, you will need to change this.//

**DOSLogDir**

Choose an alternative temp directory; the default is /tmp. The file is named dos-<IP address>.

**DOSSystemCommand**

If this value is set, the system command specified is executed whenever an IP address becomes blacklisted.\\
This is designed to enable system calls to ip filter or other tools.
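To make the thresholds concrete, here is an added example (not mod_evasive's own code) that models the page count, site count, whitelist and blocking-period rules exactly as the directives above describe them and replays constructed traffic through them. The values follow the sample configuration except DOSBlockingPeriod, which is shortened to 10 seconds so the replay stays short; the IP addresses and URIs are constructed.

```python
# Added example, not mod_evasive's own code: a model of the detection rules the directives describe.
# Values mirror the page's sample configuration, with DOSBlockingPeriod cut to 10 s for a short replay.
CONFIG = {"DOSPageCount": 2, "DOSPageInterval": 1, "DOSSiteCount": 50,
          "DOSSiteInterval": 1, "DOSBlockingPeriod": 10, "DOSWhitelist": {"127.0.0.1"}}

class EvasiveTable:
    def __init__(self, cfg):
        self.cfg = cfg
        self.page, self.site = {}, {}  # (ip, uri) / ip -> (count, interval_start)
        self.blocked = {}              # ip -> time of the last request seen while blocked

    def _count(self, table, key, now, interval, limit):
        """Count one hit in the current interval; True once the threshold is exceeded."""
        count, start = table.get(key, (0, now))
        if now - start >= interval:    # interval expired: start a fresh count
            count, start = 0, now
        table[key] = (count + 1, start)
        return count + 1 > limit

    def request(self, ip, uri, now):
        """Return 200 (served) or 403 (Forbidden), as mod_evasive would decide."""
        cfg = self.cfg
        if ip in cfg["DOSWhitelist"]:
            return 200
        if ip in self.blocked and now - self.blocked[ip] < cfg["DOSBlockingPeriod"]:
            self.blocked[ip] = now     # every request while blocked resets the timer
            return 403
        self.blocked.pop(ip, None)     # not blocked, or the blocking period elapsed quietly
        over_page = self._count(self.page, (ip, uri), now, cfg["DOSPageInterval"], cfg["DOSPageCount"])
        over_site = self._count(self.site, ip, now, cfg["DOSSiteInterval"], cfg["DOSSiteCount"])
        if over_page or over_site:
            self.blocked[ip] = now     # client goes on the blocking list
            return 403
        return 200

def simulate(events, cfg=CONFIG):  # replay (time, ip, uri) events; one status per event
    table = EvasiveTable(cfg)
    return [table.request(ip, uri, t) for t, ip, uri in events]

# Constructed sample traffic: a script hammering one page, a normal visitor, and localhost.
SAMPLE = [
    (0.00, "127.0.0.1", "/index.php"),     # whitelisted: never counted
    (0.00, "203.0.113.7", "/index.php"),
    (0.05, "198.51.100.9", "/index.php"),
    (0.10, "203.0.113.7", "/index.php"),
    (0.20, "203.0.113.7", "/index.php"),   # 3rd hit on one URI within 1 s: blacklisted
    (0.50, "198.51.100.9", "/style.css"),  # page counter is per (ip, uri): still served
    (5.00, "203.0.113.7", "/about.html"),  # inside the blocking period: 403, timer reset
    (14.0, "203.0.113.7", "/about.html"),  # only 9 s after that reset: still 403
    (30.0, "203.0.113.7", "/about.html"),  # 16 s of silence: served again
]
```

Running `simulate(SAMPLE)` shows why the blocking period need not be long: the client at 203.0.113.7 stays blocked as long as it keeps retrying, and is released only after a quiet gap longer than DOSBlockingPeriod.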
mod_evasive.txt · Last modified: 2020/08/10 02:35 (external edit)