Apache Module: Evasive
Last modified: July 11, 2022
This module provides DoS, DDoS, and brute force attack protection.
mod_evasive Apache module creates an internal, dynamic hash table of IP addresses and URIs, and it denies any single IP address that performs the following actions:
- Requests the same page more than a few times per second.
- Makes more than 100 concurrent requests on the same child process per second.
- Makes any request while temporarily blacklisted.
The module creates an instance for each listener, which ensures a built-in cleanup mechanism and good scaling. Because of this, the module rarely stops a legitimate request, even if a user repeatedly clicks on reload.
If you find that the module blocks access to webmail through a proxy subdomain, you may need to adjust the configuration settings.
Use the mod_evasive Apache module to help to protect your server against DoS, DDoS, and brute force attacks. We strongly recommend that you integrate this module with your firewall and router for the best protection. For more information, read the Configuration section.
How the module works
When your server receives a request, the module performs the following steps:
The system checks the temporary blacklist for the requestor’s IP address. The system adds the requestor’s IP address and the URI to a hash key and looks up the key on the listener’s hash table. It then checks if the requestor requested the same page more than once in the last second.
The system adds the requestor’s IP address to a hash key and looks up the key on the listener’s hash table. It then checks if the requestor requested more than 50 objects in the last second. If the module finds that any of the above are true, the system sends a 403 response. When a 403 response occurs, the mod_evasive Apache module blocks the IP address for 10 seconds. If the requestor sends additional requests during this time, the system extends the block.
You can also configure the module to trigger a system command or email notification to block the originating addresses.
This module has no requirements. However, your server must possess bandwidth and processing power sufficient to defend against a DoS attack.
This module has no known compatibility issues.
How to install or uninstall the module
In the interface
Use WHM’s EasyApache 4 interface (WHM >> Home >> Software >> EasyApache 4) to install the
mod_evasive Apache module.
On the command line
To install the
mod_evasive Apache module, run the following command on the command line:
yum install ea-apache24-mod_evasive
To uninstall the mod_evasive Apache module, run the following command on the command line:
yum remove ea-apache24-mod_evasive
You can edit the mod_evasive Apache module’s
.conf file at the following location:
You can set several directives in the mod_evasive configuration file. We recommend the following directives:
You can whitelist clients to ensure that the module does not block them. We strongly recommend that you only whitelist automated tools that may request large amounts of data.
To whitelist a client, set the IP address or range of IP addresses in the directive.
Your whitelist entry might resemble the following example:
The system does not set this directive by default.
This directive defines the number of top-level nodes that each child’s hash table contains. You can increase this number to increase performance, but the system will consume more memory. The module will round this value up to the next prime number in its primes list. This directive defaults to
This directive sets the maximum number of requests per interval for a single page that the module allows before it blocks the IP address. This directive defaults to
This directive sets the maximum number of requests per interval for any object by the same client that the module allows before it blocks the IP address. This directive defaults to
This directive sets the time interval, in seconds, for the number of page allowed requests as specified in the DOSPageCount directive. This directive defaults to
This directive sets the time interval, in seconds, for the number of allowed requests for an object as specified in the DOSSiteCount directive. This directive defaults to
This directive sets the time, in seconds, to block a site’s IP address if the module adds the site to the block list. This directive defaults to
Any subsequent client requests during the blocked period will reset the the block timer and return a 403 error.
This directive sets the email address to notify when the module adds an IP address to a blacklist. The system does not set this directive by default.
This directive sets the system command to execute when it adds an IP address to a blacklist. Use this directive to call your IP filter or another tool to integrate the module with your firewall or router.
The system does not set this directive by default.
This directive sets the location of the log file.
EasyApache 4 sets the DOSLogDir directive to the
/var/log/apache2/mod_evasive/ directory. We strongly recommend that you do not change this location. If you do, the new directory must possess the same permissions.
We strongly recommend that you set the
MaxConnectionsPerChild directive in your
apache.conf file to a value of at least
10000. Do not set this value to
This ensures that the mod_evasive Apache module can clean up its internal hashes but does not allow unlimited requests. Set this directive in the Global Configuration section of WHM’s Apache Configuration interface (WHM >> Home >> Service Configuration >> Apache Configuration).
Test your configuration
You can test your configuration with the
test.pl script. We strongly recommend that you run the script several times to ensure that you receive 403 Forbidden responses. The speed at which your server blacklists an address depends on your server’s configuration.
Do not perform DoS attacks on a server without the owner’s permission.
For more configuration information, read the mod_evasive documentation.