Home

Mod_evasive

Posted April 2nd, 2005 by eth00

One way to stop one of the more basic attacks on a server is mod_evasive.This how-to will walk though the process of installing and configuring mod_evasive. This apache module will help protect against people sending too many requests to the webserver in an attempt to flood it. If it detects too many connections the offending ip will be blocked from the accessing apache for This is especially useful when the server is continuously getting attacked. With this default configuration it will block the offending ip for 10 minutes. If it continues to try and flood mod_evasive will automatically add more time to this.

*Update* Feb 1 2005 - Now links to the latest version of mod_evasive from the old name of mod_dosevasive.



**NOTE** This module has been known to cause problems with frontpage server extensions. If you them you should not install this module or just be aware of the fact it might break them.

Follow this section for Apache 1.3.x.

-----command-----
cd /usr/local/src
wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
tar -zxf mod_evasive_1.10.1.tar.gz
cd mod_evasive
/usr/local/apache/bin/apxs -cia mod_evasive.c
-----command-----

 

Follow this section for Apache 2.0.x.
-----command-----
up2date -i httpd-devel
cd /usr/local/src
wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
tar -zxf mod_evasive_1.10.1.tar.gz
cd mod_evasive
/usr/sbin/apxs -cia mod_evasive20.c
-----command-----

If you are adding the is module to apache 1.3.x the following lines need to be added to the httpd.conf below the AddModule section.

<IfModule mod_evasive.c>
DOSHashTableSize 3097
DOSPageCount 5
DOSSiteCount 100
DOSPageInterval 2
DOSSiteInterval 2
DOSBlockingPeriod 600
</IfModule>

 

If you are using apache 2.0.x you need to scroll to below the LoadModule section in the httpd.conf and add the following:

<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 5
DOSSiteCount 100
DOSPageInterval 2
DOSSiteInterval 2
DOSBlockingPeriod 10
DOSBlockingPeriod 600
</IfModule>

Exit and save out of the httpd.conf

Now it should be ready to go. Exit out of pico and restart apache.
-----command-----
service httpd restart
-----command-----

For now I have removed the mailing feature from my configuration. If you would like it you need to add "DOSEmailNotify root" in the IfModule section of your httpd.conf. If you are having trouble with mod_evasive emailing you then you probably need to make sure that the mail configuration is correct. By default the it is set to /bin/mail which you may have to sym-link to the correct mail binary. You can also edit the line containing the following: "#define MAILER "/bin/mail -t %s" in the source code to change which it is pointing to.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Problem...

On April 14th, 2005 x-man says:

When I want install Mod_dosevasive I have this:
/etc/httpd/bin/apxs -cia mod_dosevasive.c

gcc -DLINUX=22 -DHAVE_SET_DUMPABLE -I/usr/include/gdbm -DMOD_SSL=208122 -DUSE_HSREGEX -DEAPI -fpic -DSHARED_MODULE -I/usr/local/apache/include -c mod_dosevasive.c
apxs:Break: Command failed with rc=16777215

What now?

Sorry

On April 14th, 2005 x-man says:

Sorry, my fault...disabled compiler :(

Changed download link

On September 16th, 2005 cmpanel says:

Thanks for the great material.

Please note changed download link
-----command-----
wget http://www.nuclearelephant.com/projects/mod_evasive/mod_evasive_1.10.tar...
tar -zxf mod_dosevasive_1.10.tar.gz
cd mod_dosevasive
-----command-----

thanks

On September 16th, 2005 eth00 says:

thanks, I have updated it

New Mod_evasive version

On October 10th, 2005 sh4ka says:

Another new version (changed link too):
http://www.nuclearelephant.com/projects/mod_evasive/mod_evasive_1.10.1.t...

You could add this to your guide if you think its right:
DOSWhitelist [OUR LOCAL IP ALLOWED]

# Trying to send mail withouth the default option (i will test it, but It may work):
DOSSystemCommand %s | mail your@email.com -s "New IP Blacklisted with Mod_dosevasive"

Best regards.

To aggressive ?

On November 22nd, 2006 1ONE says:

Hello,

I had problem with rules you posted, they were too aggressive for normal hosting environment, so I'm using this rule :

DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10

And I don't have problems any more :)

Easyapache3

On February 5th, 2008 benito says:

Hello !

This instrictions also applies to servers with cpanel and easyapache3?

Regards
Cristian

EA3

On February 7th, 2008 eth00 says:

Yes this will still work with easyapache 3 as well as apache 1.3, 2.0, and 2.2.

apache 2.2.X

On February 9th, 2008 catalaur says:

Hello! I'm currently running gentoo OS on my server with apache 2.2.X. Will work mod evasive on this version ?

Not a big gentoo guy, I

On March 18th, 2008 eth00 says:

Not a big gentoo guy, I don't see any reason why it would not work though.

After removal...

On June 7th, 2008 benito says:

Hello!

If i need to remove mod_security, what happend with the already blocked ips, they flush?

Thanks
Cristian

Powered by Drupal - Theme created by Danger4k