Page tree
Skip to end of metadata
Go to start of metadata

Overview

This module provides DoS, DDoS, and brute force attack protection. 

The mod_evasive Apache module creates an internal, dynamic hash table of IP addresses and URIs, and it denies any single IP address that performs the following actions:

  • Requests the same page more than a few times per second.
  • Makes more than 100 concurrent requests on the same child process per second.
  • Makes any request while temporarily blacklisted. 

The module creates an instance for each listener, which ensures a built-in cleanup mechanism and good scaling. Because of this, the module rarely stops a legitimate request, even if a user repeatedly clicks on reload. 

Note:

If you find that the module blocks access to webmail through a proxy subdomain, you may need to adjust the configuration settings.

Usage

Use the mod_evasive Apache module to help to protect your server against DoS, DDoS, and brute force attacks. We strongly recommend that you integrate this module with your firewall and router for the best protection. For more information, read the Configuration section. 

How the module works

When your server receives a request, the module performs the following steps:

  • The system checks the temporary blacklist for the requestor's IP address.
  • The system adds the requestor's IP address and the URI to a hash key and looks up the key on the listener's hash table. It then checks if the requestor requested the same page more than once in the last second. 
  • The system adds the requestor's IP address to a hash key and looks up the key on the listener's hash table. It then checks if the requestor requested more than 50 objects in the last second.

If the module finds that any of the above are true, the system sends a 403 response. When a 403 response occurs, the mod_evasive Apache module blocks the IP address for 10 seconds. If the requestor sends additional requests during this time, the system extends the block. 

You can also configure the module to trigger a system command or email notification to block the originating addresses. 

Requirements

This module has no requirements. However, your server must possess bandwidth and processing power sufficient to defend against a DoS attack. 

Compatibility

This module has no known compatibility issues.

How to install or uninstall mod_evasive

In the interface

Use WHM's EasyApache 4 interface (WHM >> Home >> Software >> EasyApache 4) to install the mod_evasive Apache module. 

On the command line

To install the mod_evasive Apache module, run the following command on the command line:

yum install ea-apache24-mod_evasive

To uninstall the mod_evasive Apache module, run the following command on the command line: 

yum remove ea-apache24-mod_evasive

Configuration

You can edit the mod_evasive Apache module's .conf file at the following location:

/etc/apache2/conf.d/300-mod_evasive.conf

Configuration directives

You can set several directives in the mod_evasive configuration file. We recommend the following directives: 

DOSWhiteList

You can whitelist clients to ensure that the module does not block them. We strongly recommend that you only whitelist automated tools that may request large amounts of data.

To whitelist a client, set the IP address or range of IP addresses in the directive. 

Your whitelist entry might resemble the following example:

DOSWhitelist    127.0.0.1
DOSWhitelist	127.0.0.*

The system does not set this directive by default.


DOSHashTableSize

This directive defines the number of top-level nodes that each child's hash table contains. You can increase this number to increase performance, but the system will consume more memory. The module will round this value up to the next prime number in its primes list. This directive defaults to 3097.

DOSPageCount

This directive sets the maximum number of requests per interval for a single page that the module allows before it blocks the IP address. This directive defaults to 4

DOSSiteCount

This directive sets the maximum number of requests per interval for any object by the same client that the module allows before it blocks the IP address. This directive defaults to 100

DOSPageInterval

This directive sets the time interval, in seconds, for the number of page allowed requests as specified in the DOSPageCount directive. This directive defaults to 2.

DOSSiteInterval

This directive sets the time interval, in seconds, for the number of allowed requests for an object as specified in the DOSSiteCount directive. This directive defaults to 2.

DOSBlockingPeriod

This directive sets the time, in seconds, to block a site's IP address if the module adds the site to the block list. This directive defaults to 10.

Note:

Any subsequent client requests during the blocked period will reset the the block timer and return a 403 error. 

DOSEmailNotify

This directive sets the email address to notify when the module adds an IP address to a blacklist. 

The system does not set this directive by default.

DOSSystemCommand

This directive sets the system command to execute when it adds an IP address to a blacklist. Use this directive to call your IP filter or another tool to integrate the module with your firewall or router.

The system does not set this directive by default.

DOSLogDir

This directive sets the location of the log file. 

EasyApache 4 sets the DOSLogDir directive to the /var/log/apache2/mod_evasive/ directory. We strongly recommend that you do not change this location. If you do, the new directory must possess the same permissions. 

Apache configuration

We strongly recommend that you set the MaxConnectionsPerChild directive in your apache.conf file to a value of at least 10000. Do not set this value to 0.

This ensures that the mod_evasive Apache module can clean up its internal hashes but does not allow unlimited requests. Set this directive in the Global Configuration section of WHM's Apache Configuration interface (WHM >> Home >> Service Configuration >> Apache Configuration). 

Test your configuration

You can test your configuration with the test.pl script. We strongly recommend that you run the script several times to ensure that you receive 403 Forbidden responses. The speed at which your server blacklists an address depends on your server's configuration.

Important:

Do not perform DoS attacks on a server without the owner's permission.

Vendor documentation

For more configuration information, read the mod_evasive documentation. 

Additional documentation