//Page revision of 2010/10/08 by k2patel (the later revision dated 2020/08/10 is empty).//
====== mod_evasive (module to prevent DDoS) ======
Short brief, adapted from the project [[http://www.zdziarski.com/projects/mod_evasive|README]]

mod_evasive is an evasive maneuvers module for Apache that takes evasive action in the event of an HTTP DoS or DDoS attack or a brute-force attack.\\
It is also designed to be a detection and network management tool, and can be configured to talk to ipchains, firewalls, routers, and so on.\\
mod_evasive presently reports abuses via email and syslog.\\
Detection is performed by creating an internal dynamic hash table of IP addresses and URIs, and denying any single IP address that does any of the following:

  * Requesting the same page more than a few times per second
  * Making more than 50 concurrent requests on the same child per second
  * Making any requests while temporarily blacklisted (on a blocking list)

This method has worked well against both single-server script attacks and distributed attacks but, like other evasive tools,\\
it is only useful up to the point of bandwidth and processor consumption (the bandwidth and CPU needed to receive, process and answer each invalid request with a 403),\\
which is why you should integrate it with your firewalls and routers for maximum protection: a request dropped at the packet filter never costs Apache a child.\\
The module instantiates its hash table for each listener (child process) individually, so it has a built-in cleanup mechanism and scales with the server.\\
The README's claim that this per-child design never affects legitimate clients (even behind proxies and NAT) needs two caveats: every user behind one NAT address shares one set of counters, so a busy office can trip ''DOSSiteCount'' together, and with many prefork children an attacker's requests are spread over several independent tables, so each child sees only a fraction of the rate.\\
A user repeatedly clicking 'reload' at human speed should not be affected, because the counters reset whenever consecutive hits are further apart than the configured interval.\\
mod_evasive is fully tweakable through the Apache configuration file, easy to incorporate into your web server, and easy to use.

<code bash>
cd /usr/local/src
</code>

Download the source (both URLs are plain, unsigned HTTP; check the tarball against a hash you trust before building it):
<code bash>
wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
</code>
OR
<code bash>
wget http://www.zdziarski.com/blog/wp-content/uploads/2010/02/mod_evasive_1.10.1.tar.gz
</code>

Extract it (the tarball unpacks into a ''mod_evasive'' directory)
<code bash>
tar -zxvf mod_evasive_1.10.1.tar.gz
cd mod_evasive
</code>

Install it

For Apache 2.x, execute the following command (''apxs -cia'' compiles the module, installs it into the modules directory and adds the ''LoadModule'' line to httpd.conf):
<code bash>
/usr/sbin/apxs -cia mod_evasive20.c
</code>

For Apache 1.3.x:
<code bash>
/usr/local/apache/bin/apxs -cia mod_evasive.c
</code>

Good configuration (add it to /www/apache/conf/httpd.conf, using the ''<IfModule>'' name that matches the module you built)

For Apache 2.x:
<code apache>
<IfModule mod_evasive20.c>
    DOSHashTableSize    3097
    DOSPageCount        2
    DOSSiteCount        50
    DOSPageInterval     1
    DOSSiteInterval     1
    DOSBlockingPeriod   1600
    DOSSystemCommand    "/sbin/ipfw add 1 deny all from %s to any"
    DOSEmailNotify      <email_address>
    DOSWhitelist        127.0.0.1
</IfModule>
</code>

For Apache 1.3.x, put the same directives inside ''<IfModule mod_evasive.c>''. ''DOSSystemCommand'' and ''DOSEmailNotify'' work smoothly with Apache 2.x. The ''ipfw'' command shown is for FreeBSD; on Linux substitute an ''iptables'' rule, and remember that the command runs under the Apache child's unprivileged user, so it needs a sudo rule or a privileged helper before it can change firewall rules at all. Note also that with ''DOSBlockingPeriod 1600'' a blocked client stays blocked for 1600 seconds after its //last// request, not its first (see DOSBlockingPeriod below).

**DOSHashTableSize**

The hash table size defines the number of top-level nodes for each child's hash table.\\
Increasing this number gives faster lookups by reducing the number of iterations required to reach a record,\\
but consumes more memory for table space. Increase it if you have a busy web server.\\
The value you specify is automatically rounded up to the next prime number in the module's primes list (see mod_evasive.c for the list of primes used).\\

**DOSPageCount**
This is the threshold for the number of requests for the same page (or URI) per page interval.\\
Once the threshold for that interval has been exceeded, the IP address of the client is added to the blocking list.

**DOSSiteCount**
This is the threshold for the total number of requests for any object by the same client on the same listener per site interval.\\
Once the threshold for that interval has been exceeded, the IP address of the client is added to the blocking list.

**DOSPageInterval**
The interval (in seconds) for the page count threshold; defaults to 1 second.\\

**DOSSiteInterval**
The interval (in seconds) for the site count threshold; defaults to 1 second.\\

Both intervals are measured between //consecutive// hits from the same client: the counter's timestamp is refreshed on every hit and the count only resets when the gap since the previous hit reaches the interval, so a client that never pauses for a full interval keeps accumulating hits.

**DOSBlockingPeriod**
The blocking period is the amount of time (in seconds) that a client is blocked for once it has been added to the blocking list.\\
During this time, every subsequent request from the client gets a 403 (Forbidden) and resets the timer (with the configuration above, another 1600 seconds; the README default is 10).\\
Because the timer is reset on every request, a long blocking period is not necessary: during a DoS attack the timer keeps getting reset anyway,\\
while a long period such as 1600 seconds mostly prolongs the lockout of a legitimate client that tripped the threshold by accident. The blocking list, like the hash table, is per child, so a blocked client whose next request lands on a different child is not blocked there.

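To make the interplay of the four counting directives and the blocking period concrete, here is a small Python model of the per-child decision logic, written for this page (it is not mod_evasive's own code). It follows the structure of the module's access checker as read from mod_evasive20.c: one table keyed by ''<ip>_<uri>'' and ''<ip>_SITE'' holding a timestamp and a count, plus a hold entry keyed by the bare IP that is refreshed on every request while the client is blocked. The client addresses, request timestamps and the 10-second blocking period are constructed for the example, and the exact hit on which a threshold trips is an assumption about the real module.

```python
"""Model of mod_evasive's per-child decision logic.

Added illustration for this page, not the module's own code. Structure
follows the access checker in mod_evasive20.c as read by the editor:
one table holding (timestamp, count) under "<ip>_<uri>" and "<ip>_SITE",
plus a hold entry under the bare IP that is refreshed on every request
while the client is blocked. Addresses and timestamps below are
constructed; the exact hit on which a threshold trips is an assumption.
"""

from dataclasses import dataclass, field

HTTP_OK = 200
HTTP_FORBIDDEN = 403


@dataclass
class Entry:
    timestamp: float
    count: int = 0


@dataclass
class EvasiveChild:
    """State of one Apache child; fields mirror the DOS* directives."""
    page_count: int = 2
    site_count: int = 50
    page_interval: float = 1.0
    site_interval: float = 1.0
    blocking_period: float = 10.0      # README default; the page's config uses 1600
    whitelist: set = field(default_factory=set)
    table: dict = field(default_factory=dict)

    def _hit(self, key, now, interval, threshold):
        """Record one hit on key; True if it exceeds threshold within interval."""
        n = self.table.get(key)
        if n is None:
            self.table[key] = Entry(now)       # first sighting: count stays 0
            return False
        gap = now - n.timestamp                # time since the PREVIOUS hit
        over = gap < interval and n.count >= threshold
        if not over and gap >= interval:
            n.count = 0                        # paused for a full interval: start over
        n.timestamp = now                      # the window slides with every hit
        n.count += 1
        return over

    def check(self, ip, uri, now):
        """Return 200 or 403 for one request, updating the child's table."""
        if ip in self.whitelist:               # DOSWhitelist: never counted
            return HTTP_OK
        hold = self.table.get(ip)
        if hold is not None and now - hold.timestamp < self.blocking_period:
            hold.timestamp = now               # each request while blocked extends the block
            return HTTP_FORBIDDEN
        over_page = self._hit(f"{ip}_{uri}", now, self.page_interval, self.page_count)
        over_site = self._hit(f"{ip}_SITE", now, self.site_interval, self.site_count)
        if over_page or over_site:
            self.table[ip] = Entry(now)        # add to the blocking list
            return HTTP_FORBIDDEN
        return HTTP_OK


def simulate(child, requests):
    """Feed (ip, uri, time) tuples through one child; return the status codes."""
    return [child.check(ip, uri, t) for ip, uri, t in requests]


if __name__ == "__main__":
    ip = "198.51.100.7"                                     # constructed client address
    burst = [(ip, "/", 0.1 * i) for i in range(6)]          # 10 hits/s on one URI
    reloads = [(ip, "/", 1.5 * i) for i in range(20)]       # a human reloading
    print("burst:  ", simulate(EvasiveChild(), burst))      # 4th hit onwards is 403
    print("reloads:", simulate(EvasiveChild(), reloads))    # never blocked
```

Running it shows the three behaviours the directive descriptions describe: a burst on one URI is cut off after ''DOSPageCount'' hits inside ''DOSPageInterval'', a client that pauses for at least one interval between hits is never counted up, and a blocked client that keeps retrying every few seconds never leaves the hold list, while one that stays silent for a whole blocking period is served again.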
**DOSEmailNotify**
If this value is set, an email is sent to the address specified whenever an IP address becomes blacklisted.\\
A locking mechanism using a ''dos-<IP address>'' file in DOSLogDir (/tmp by default) prevents continuous emails from being sent: the notification (and the DOSSystemCommand) fires only if that file does not already exist, and the module never deletes it, so a repeat offender triggers no second notification until the file is removed.

NOTE: //Be sure MAILER is set correctly in mod_evasive.c (or mod_evasive20.c).\\
The default is "/bin/mail -t %s", where %s denotes the destination email address set in the configuration.\\
If you are running on Linux or another operating system with a different mailer, you need to change this.//

**DOSLogDir**
Choose an alternative temp directory; the default is /tmp. Lock files are named dos-<IP address>.\\
Because any local user can pre-create ''/tmp/dos-<IP address>'' and thereby silence the email and system command for that address, point DOSLogDir at a directory only the Apache user can write to, and clear old dos-* files from it periodically so that repeat offenders are reported again.\\

**DOSSystemCommand**
If this value is set, the system command specified is executed (through the shell, with %s replaced by the blacklisted IP address) whenever an IP address becomes blacklisted.\\
This is designed to enable calls to ipfilter or other tools. The command runs inside the Apache child, under the Apache user and subject to the same DOSLogDir lock file as the email notification, so it usually needs a sudo rule or a privileged helper to touch the firewall, and it fires only once per address until the lock file is cleared.
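Because the command runs unprivileged, the usual deployment is a small privileged helper rather than a direct call to the packet filter. The following Python helper is an added example for this page, not part of mod_evasive. It assumes Linux iptables, an Apache user of www-data, a dedicated chain named EVASIVE that is created at boot and jumped to from INPUT, and installation as /usr/local/sbin/evasive-block, wired up with ''DOSSystemCommand "/usr/bin/sudo /usr/local/sbin/evasive-block %s"'' and the sudoers line ''www-data ALL=(root) NOPASSWD: /usr/local/sbin/evasive-block'' (all of these names are assumptions). Apache supplies %s from the connection's peer address, so shell injection through it is not expected, but the helper runs as root and should still admit only a bare IP literal and never the server's own loopback address.

```python
#!/usr/bin/env python3
"""Privileged helper for DOSSystemCommand.

Added example for this page, not part of mod_evasive. Assumed deployment
(all names are assumptions): installed as /usr/local/sbin/evasive-block,
called from httpd.conf as
    DOSSystemCommand "/usr/bin/sudo /usr/local/sbin/evasive-block %s"
with the sudoers line
    www-data ALL=(root) NOPASSWD: /usr/local/sbin/evasive-block
and a dedicated iptables chain EVASIVE, created at boot and jumped to
from INPUT. The helper admits only a bare IP literal and never blocks
loopback, so a bad %s can neither reach a shell as root nor lock the
host out of its own service.
"""

import ipaddress
import subprocess
import sys

CHAIN = "EVASIVE"                                   # assumed dedicated chain
NEVER_BLOCK = (                                     # loopback; add what DOSWhitelist holds
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
)


def parse_client_ip(arg):
    """Return the address if arg is exactly one IP literal we may block, else None."""
    try:
        addr = ipaddress.ip_address(arg.strip())
    except ValueError:                              # anything that is not a bare IP
        return None
    if any(addr in net for net in NEVER_BLOCK):     # version mismatch simply yields False
        return None
    return addr


def build_block_cmd(addr):
    """argv for the packet filter: a list, so no shell ever parses the address."""
    tool = "/sbin/ip6tables" if addr.version == 6 else "/sbin/iptables"
    return [tool, "-I", CHAIN, "1", "-s", str(addr), "-j", "DROP"]


def main(argv):
    """Exit 2 on bad usage, 1 on a rejected address, else iptables' exit status."""
    if len(argv) != 2:
        return 2
    addr = parse_client_ip(argv[1])
    if addr is None:
        return 1
    return subprocess.call(build_block_cmd(addr))


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Check with ''iptables -C'' before ''-I'' if you want the helper idempotent, and flush the EVASIVE chain from cron or at: mod_evasive never runs an unblock command, and because of the DOSLogDir lock file the helper fires only once per address anyway.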