Introduction: Mod_evasive

Mod_evasive helps protect the Apache web server against attacks such as DoS, DDoS (Distributed Denial of Service) and brute-force attacks. As the name suggests, mod_evasive takes evasive action in the event of an attack and reports malicious activity via email and syslog.

It does this by tracking incoming traffic to the Apache web server in an internal dynamic hash table of IP addresses and URLs, and blocking individual IP addresses when they exceed a predetermined threshold.

In this tutorial, we will cover installing, configuring and using mod_evasive on your server.

System Requirements

  • Newly deployed Ubuntu 16.04 server.
  • Apache2 web server setup and configured.
  • A non-root user with sudo privileges.

Update the System

First, run an update on the server to ensure that all your packages are up to date. Use the following command:

 sudo apt-get update -y 
 sudo apt-get upgrade -y

Once the server is up-to-date, you can now install mod_evasive.

Installing mod_evasive

We can simply install mod_evasive using the following command:

 sudo apt-get install libapache2-mod-evasive -y

Verifying the Installation

The following command can be used to verify the installation of mod_evasive:

 apachectl -M | grep evasive

If everything is ok, you should see the following output:

 evasive20_module (shared)

We can also check that the mod_evasive configuration file has been added. To verify, run this command:

 sudo ls -al /etc/apache2/mods-enabled/evasive.conf

The result should look similar to:

-rw-r--r-- 1 root root 3473 Jul 11 01:41 /etc/apache2/mods-enabled/evasive.conf

Configuring mod_evasive

Now that we have installed mod_evasive, let’s see how we customize mod_evasive through the evasive.conf configuration file. By default, mod_evasive configuration options are disabled. To enable it we need to edit evasive.conf file and then customize it to our preferred requirements.

Open the configuration file with the nano text editor using the following command:

 sudo nano /etc/apache2/mods-enabled/evasive.conf

Change the file as shown below:

 <IfModule mod_evasive20.c>
     DOSHashTableSize 3097
     DOSPageCount 2
     DOSSiteCount 50
     DOSPageInterval 1
     DOSSiteInterval 1
     DOSBlockingPeriod 10
     DOSEmailNotify email@yourdomain.com
     DOSSystemCommand "su - someuser -c '/sbin/... %s ...'"
     DOSLogDir "/var/log/mod_evasive"
 </IfModule>

Save and close the file, then make a log directory for mod_evasive.

 sudo mkdir /var/log/mod_evasive
 sudo chown -R www-data:www-data /var/log/mod_evasive

Now, restart Apache service:

 sudo systemctl restart apache2

The above settings are fully customizable and should be tuned to your server’s capabilities and expected traffic. Each parameter is explained below:

  • DOSHashTableSize: Specifies the size of the hash table mod_evasive uses to keep track of who’s accessing what. The larger the number, the better the performance, but it also consumes more memory.
  • DOSPageCount: Specifies the threshold for the number of requests for the same page from one IP address per page interval.
  • DOSSiteCount: Specifies the threshold for the total number of requests for any object from the same IP address on the same listener per site interval.
  • DOSPageInterval: The interval used in the page count threshold.
  • DOSSiteInterval: The interval used in the site count threshold.
  • DOSBlockingPeriod: Specifies how long an IP address should be blocked (in seconds).
  • DOSEmailNotify: Specifies the email address to notify whenever an IP address is blacklisted.
  • DOSLogDir: Specifies the log directory.

Test mod_evasive

Once everything is configured properly, let’s test whether the module is working correctly.

Here, we will use the test.pl script written by the mod_evasive developers to test mod_evasive.
This is a Perl script located at /usr/share/doc/libapache2-mod-evasive/examples/test.pl.

Run the script with the following command:

 perl /usr/share/doc/libapache2-mod-evasive/examples/test.pl

If everything is fine, you should see the following output:

 HTTP/1.1 403 Forbidden 
 HTTP/1.1 403 Forbidden 
 HTTP/1.1 403 Forbidden 
 HTTP/1.1 403 Forbidden 
 HTTP/1.1 403 Forbidden
...

You can also check the mail log by running the following command:

 tail -f /var/mail/www-data

You should see that 127.0.0.1 has been blacklisted by mod_evasive:

 Message-Id: <E1cwkeH-0000WE-EQ@master> 
 From: www-data <www-data@node1>
 
 To: you@yourdomain.com 
 Subject: HTTP BLACKLIST 127.0.0.1
 
 mod_evasive HTTP Blacklisted 127.0.0.1
 
 --1491635945-eximdsn-1804289383--

Conclusion

You can read more about mod_security on its GitHub repository.
