How to Protect Against DDoS with Mod_evasive on Apache Server

How to Secure Apache with Mod_evasive On Ubuntu 14.04

Mod_evasive is an Apache module that provides evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. mod_evasive presently reports malicious activity via email and syslog. The mod_evasive module works by creating an internal dynamic hash table of IP addresses and URIs and denying any single IP address from any of the following conditions:

  • Requesting the same page more than a few times per second
  • Making more than 50 concurrent requests on the same child per second
  • Making any requests while temporarily blacklisted (on a blocking list)

In this tutorial I will discuss how to install, configure and use mod_evasive on your Apache server. This tutorial uses a Ubuntu 14.04 server.

First, make sure Apache server is installed and running.

Next, you can install mod_evasive module by running:

After installing mod_evasive, you can verify this module by running the following commands:

If mod_evasive is enabled, you will see the following output:

The mod_evasive module reads its configuration from “/etc/apache2/mods-enabled/evasive.conf.” You can easily customize the mod_evasive module through the “evasive.conf” configuration file. By default, mod_evasive configuration options are disabled, so you will need to enable them first. To do this, edit the “evasive.conf” file:

Remove # from the following lines:

Save the file and restart Apache for your changes to take effect:

You can change the above values according to the amount and type of traffic that your web server needs to handle.

DOSHashTableSize : This directive specifies how mod_evasive keeps track of who’s accessing what. Increasing this number will provide a faster lookup of the sites that the client has visited in the past.

DOSPageCount : This directive specifies how many identical requests to a specific URI a visitor can make over the DOSPageInterval interval.

DOSSiteCount : This is similar to DOSPageCount but corresponds to how many requests overall a visitor can make to your site over the DOSSiteInterval interval.

DOSBlockingPeriod : If a visitor exceeds the limits set by DOSSPageCount or DOSSiteCount, his IP will be blocked during the DOSBlockingPeriod amount of time. During this interval, he will receive a 403 (Forbidden) error.

DOSEmailNotify : An email will be sent to the email address specified whenever an IP address is blacklisted.

DOSLogDir : This directive specifies the location of the log directory.

Now it’s time to test whether the mod_evasive module is working or not. You can do this by using a perl script “test.pl” located in the “/usr/share/doc/libapache2-mod-evasive/examples/” directory.

You can execute the script by running the following command:

You should see the following output:

Apache_mod_evasive_perl_test

The script makes 100 requests to your web server. The 403 response code indicates access is denied by the web server.

mod_evasive is a very important tool to secure an Apache web server against several threats. You can experiment with mod_evasive ano different options in a testing environment. If you have any questions, you can write them in the comment box below.

One comment

  1. Thanks for the simple instruction. Others made this complicated and then it didn’t work. Perhaps because of different systems, I’m not sure.

    However when I ran the perl script to test to see if mod_evasive was working I got a different message to the one you mentioned above. I got this message:

    HTTP/1.1 302 Moved Temporarily

    Not sure what that means but I am and have been searching but having no luck so far so thought I would ask. Much appreciated and thanks again for the striaghtforward post.

Comments are closed.

Sponsored Stories