Apache Module: Evasive
Last modified: March 12, 2024
Overview
This module provides DoS, DDoS, and brute force attack protection.
The mod_evasive Apache module creates an internal, dynamic hash table of IP addresses and URIs, and it denies any single IP address that performs any of the following actions:
- Requests the same page more than a few times per second.
- Makes more than 100 concurrent requests on the same child process per second.
- Makes any request while temporarily blacklisted.
The module creates an instance for each listener, which ensures a built-in cleanup mechanism and good scaling. Because of this, the module rarely stops a legitimate request, even if a user repeatedly clicks on reload.
If you find that the module blocks access to webmail through a proxy subdomain, you may need to adjust the configuration settings.
Usage
Use the mod_evasive Apache module to help protect your server against DoS, DDoS, and brute force attacks. We strongly recommend that you integrate this module with your firewall and router for the best protection. For more information, read the Configuration section.
How the module works
When your server receives a request, the module performs the following steps:
1. The system checks the temporary blacklist for the requestor’s IP address.
2. The system adds the requestor’s IP address and the URI to a hash key and looks up the key on the listener’s hash table. It then checks whether the requestor requested the same page more than once in the last second.
3. The system adds the requestor’s IP address to a hash key and looks up the key on the listener’s hash table. It then checks whether the requestor requested more than 50 objects in the last second.
If the module finds that any of the above are true, the system sends a 403 response. When a 403 response occurs, the mod_evasive Apache module blocks the IP address for 10 seconds. If the requestor sends additional requests during this time, the system extends the block.
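To make the three steps above concrete, here is a small Python model of the documented decision logic, written for this page as an added example; it is not mod_evasive's own code, only an approximation of its behaviour. The constructor parameters carry the directive names from the Configuration section and their documented defaults, and the sample traffic (addresses, URIs, timestamps) is constructed. It lets you replay a traffic pattern against a candidate threshold set and see which request is the first to be denied, and how a request inside the blocking period extends the block.

```python
"""Toy model of the mod_evasive request checks described on this page.

Added example, not the module's code: a simplified Python model of the
documented behaviour, parameterised with the page's directive names and
defaults. Sample traffic below is constructed.
"""


class EvasiveModel:
    """Per-listener state: page hits keyed by (ip, uri), site hits keyed
    by ip, and the temporary blacklist keyed by ip."""

    def __init__(self, page_count=4, page_interval=2, site_count=100,
                 site_interval=2, blocking_period=10):
        # Defaults mirror the directive defaults documented below.
        self.page_count = page_count
        self.page_interval = page_interval
        self.site_count = site_count
        self.site_interval = site_interval
        self.blocking_period = blocking_period
        self.page_hits = {}   # (ip, uri) -> [count, last_seen]
        self.site_hits = {}   # ip -> [count, last_seen]
        self.blocked = {}     # ip -> time of the last denied request

    def _over_limit(self, table, key, now, limit, interval):
        """Count one hit for `key`; True if the limit is already reached
        within `interval` seconds. A hit after a quiet interval restarts
        the count (a simplification of the module's counter handling)."""
        entry = table.get(key)
        if entry is None:
            table[key] = [1, now]
            return False
        count, last_seen = entry
        if now - last_seen < interval and count >= limit:
            return True
        if now - last_seen >= interval:
            count = 0
        entry[0] = count + 1
        entry[1] = now
        return False

    def request(self, ip, uri, now):
        """Return the status the model gives this request: 403 or 200."""
        # Step 1: an address still inside its blocking period is denied
        # outright, and the denial extends the block.
        last_denied = self.blocked.get(ip)
        if last_denied is not None and now - last_denied < self.blocking_period:
            self.blocked[ip] = now
            return 403
        # Step 2: too many hits on the same page from this address?
        page_exceeded = self._over_limit(self.page_hits, (ip, uri), now,
                                         self.page_count, self.page_interval)
        # Step 3: too many objects overall from this address?
        site_exceeded = self._over_limit(self.site_hits, ip, now,
                                         self.site_count, self.site_interval)
        if page_exceeded or site_exceeded:
            self.blocked[ip] = now
            return 403
        return 200


def replay(events, **params):
    """Feed (time, ip, uri) events through a fresh model; return statuses."""
    model = EvasiveModel(**params)
    return [model.request(ip, uri, t) for t, ip, uri in events]


# Constructed traffic: a burst of reloads of one page, a request inside the
# blocking period (denied, block extended), and one after the block expires.
RELOAD_BURST = [(0.0, "198.51.100.7", "/index.html"),
                (0.1, "198.51.100.7", "/index.html"),
                (0.2, "198.51.100.7", "/index.html"),
                (0.3, "198.51.100.7", "/index.html"),
                (0.4, "198.51.100.7", "/index.html"),
                (8.0, "198.51.100.7", "/about.html"),
                (25.0, "198.51.100.7", "/about.html")]

if __name__ == "__main__":
    print(replay(RELOAD_BURST))  # [200, 200, 200, 200, 403, 403, 200]
```

With the defaults, the fifth reload within two seconds is the first to be denied; the request eight seconds later is denied because the block is still active and is itself pushed out by ten more seconds; the request at 25 seconds is served again. Raising `page_count` in the `replay` call shows how much headroom a given threshold gives a user who hammers reload.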
You can also configure the module to trigger a system command or email notification to block the originating addresses.
Requirements
This module has no requirements. However, your server must possess bandwidth and processing power sufficient to defend against a DoS attack.
Compatibility
This module has no known compatibility issues.
How to install or uninstall the module
In the interface
Use WHM’s EasyApache 4 interface (WHM » Home » Software » EasyApache 4) to install the mod_evasive Apache module.
On the command line
To install the mod_evasive Apache module, run the following command on the command line:
| Operating System | Command |
|---|---|
| CentOS 7 | yum install ea-apache24-mod_evasive |
| AlmaLinux OS and Rocky Linux™ | dnf install ea-apache24-mod_evasive |
| Ubuntu® | apt install --purge ea-apache24-mod-evasive |
To uninstall the mod_evasive Apache module, run the following command on the command line:
| Operating System | Command |
|---|---|
| CentOS 7 | yum remove ea-apache24-mod_evasive |
| AlmaLinux OS and Rocky Linux™ | dnf remove ea-apache24-mod_evasive |
| Ubuntu® | apt purge ea-apache24-mod-evasive |
Configuration
You can edit the mod_evasive Apache module’s .conf file at the following location:
/etc/apache2/conf.d/300-mod_evasive.conf
Configuration directives
You can set several directives in the mod_evasive configuration file. We recommend the following directives:
DOSWhiteList
You can whitelist clients to ensure that the module does not block them. We strongly recommend that you only whitelist automated tools that may request large amounts of data.
To whitelist a client, set the IP address or range of IP addresses in the directive.
A whitelist entry consists of the DOSWhiteList directive followed by the IP address or range of IP addresses to exempt.
The system does not set this directive by default.
DOSHashTableSize
This directive defines the number of top-level nodes that each child’s hash table contains. You can increase this number to increase performance, but the system will consume more memory. The module will round this value up to the next prime number in its primes list. This directive defaults to 3097.
DOSPageCount
This directive sets the maximum number of requests per interval for a single page that the module allows before it blocks the IP address. This directive defaults to 4.
DOSSiteCount
This directive sets the maximum number of requests per interval for any object by the same client that the module allows before it blocks the IP address. This directive defaults to 100.
DOSPageInterval
This directive sets the time interval, in seconds, over which the module counts the page requests allowed by the DOSPageCount directive. This directive defaults to 2.
DOSSiteInterval
This directive sets the time interval, in seconds, over which the module counts the object requests allowed by the DOSSiteCount directive. This directive defaults to 2.
DOSBlockingPeriod
This directive sets the time, in seconds, for which the module blocks a client’s IP address after it adds that address to the block list. This directive defaults to 10.
Any subsequent request from the client during the blocked period resets the block timer and returns a 403 error.
DOSEmailNotify
This directive sets the email address to notify when the module adds an IP address to a blacklist. The system does not set this directive by default.
DOSSystemCommand
This directive sets the system command to execute when the module adds an IP address to a blacklist. Use this directive to call your IP filter or another tool to integrate the module with your firewall or router.
The system does not set this directive by default.
DOSLogDir
This directive sets the location of the log file.
EasyApache 4 sets the DOSLogDir directive to the /var/log/apache2/mod_evasive/ directory. We strongly recommend that you do not change this location. If you do, the new directory must possess the same permissions.
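The following is an added example of what the module’s .conf file can look like when the directives above, including the DOSWhiteList entries described earlier, are set explicitly. It is not the file that EasyApache 4 ships. The numeric values are the defaults documented on this page; the whitelist addresses and the notification address are constructed examples; the module guard name mod_evasive24.c, the wildcard form of the whitelist, the %s placeholder in DOSSystemCommand, and the script path /usr/local/sbin/block-ip.sh are assumptions drawn from the vendor's documentation rather than from this page.

```apache
# Added example of /etc/apache2/conf.d/300-mod_evasive.conf (not the file
# EasyApache 4 ships). Values are the defaults documented on this page.
<IfModule mod_evasive24.c>
    DOSHashTableSize    3097
    DOSPageCount        4
    DOSPageInterval     2
    DOSSiteCount        100
    DOSSiteInterval     2
    DOSBlockingPeriod   10
    # Keep the EasyApache 4 location; a replacement needs the same permissions.
    DOSLogDir           /var/log/apache2/mod_evasive

    # Whitelist only automated clients that legitimately request a lot of
    # data. Constructed examples: localhost, one monitoring host, and a
    # backup subnet written with the wildcard form the vendor docs allow.
    DOSWhiteList        127.0.0.1
    DOSWhiteList        192.0.2.10
    DOSWhiteList        198.51.100.*

    # Optional: notify an address (constructed) and hand the blocked IP to
    # your firewall tooling. Vendor docs: %s expands to the blocked address.
    # The script path is a hypothetical placeholder for your own IP filter.
    # DOSEmailNotify    hostmaster@example.com
    # DOSSystemCommand  "/usr/local/sbin/block-ip.sh %s"
</IfModule>
```

Leave DOSSystemCommand commented out until the script it names exists and has been tested by hand: the module runs it for every newly blacklisted address, so a slow or failing script is felt on every block event.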
Apache configuration
We strongly recommend that you set the MaxConnectionsPerChild directive in your apache.conf file to a value of at least 10000. Do not set this value to 0.
This ensures that the mod_evasive Apache module can clean up its internal hashes but does not allow unlimited requests. Set this directive in the Global Configuration section of WHM’s Apache Configuration interface (WHM » Home » Service Configuration » Apache Configuration).
Test your configuration
You can test your configuration with the test.pl script. We strongly recommend that you run the script several times to ensure that you receive 403 Forbidden responses. The speed at which your server blacklists an address depends on your server’s configuration.
Do not perform DoS attacks on a server without the owner’s permission.
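As an added example in the spirit of the test described above (this is not cPanel's test.pl), the script below sends a short burst of requests to a server you administer and reports at which request the 403 responses begin, which is the number you compare against your DOSPageCount setting. The default URL points at the local host and is a constructed placeholder; the helper names are this example's own.

```python
"""Added configuration check for mod_evasive, in the spirit of test.pl.
Not cPanel's script: sends a short burst to a server you administer and
reports where the 403s start. The default URL is a constructed placeholder."""
import urllib.error
import urllib.request
from collections import Counter


def fetch_status(url, timeout=5):
    """Return the HTTP status code of one GET; a 4xx/5xx reply is returned
    as its code instead of raising, so a 403 from the module is visible."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def burst(url, count=10):
    """Send `count` back-to-back requests; return the status codes in order."""
    return [fetch_status(url) for _ in range(count)]


def first_denied(codes):
    """1-based position of the first 403 in `codes`, or 0 if none appeared."""
    for position, code in enumerate(codes, start=1):
        if code == 403:
            return position
    return 0


def summarize(codes):
    """Map each status code to how often it occurred in the burst."""
    return dict(Counter(codes))


if __name__ == "__main__":
    # Constructed default: the web server on this host.
    codes = burst("http://127.0.0.1/index.html", count=10)
    print("codes:", codes)
    print("first 403 at request:", first_denied(codes) or "none")
    print("summary:", summarize(codes))
```

If `first_denied` reports 0 after several runs, the burst is either being served from a whitelisted address or is spread across enough time that DOSPageInterval resets the counter; check the whitelist and the interval before assuming the module is inactive.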
Vendor documentation
For more configuration information, read the mod_evasive documentation.