Apache Module — Evasive

Last modified: October 11, 2024


This module provides DoS, DDoS, and brute force attack protection.

The mod_evasive Apache module creates an internal, dynamic hash table of IP addresses and URIs, and it denies any single IP address that performs the following actions:

  • Requests the same page more than a few times per second.
  • Makes more than 100 concurrent requests on the same child process per second.
  • Makes any request while temporarily blacklisted.

The module creates an instance for each listener, which ensures a built-in cleanup mechanism and good scaling. Because of this, the module rarely stops a legitimate request, even if a user repeatedly clicks on reload.

Note:
  • If you find that the module blocks access to webmail through a proxy subdomain, you may need to adjust the configuration settings.
  • We strongly recommend that you integrate this module with your firewall and router for the best protection. For more information, read the DOSSystemCommand section.

How the module works

When your server receives a request, the module performs the following steps:

  1. The system checks the temporary blacklist for the requestor’s IP address.
  2. The system adds the requestor’s IP address and the URI to a hash key and looks up the key on the listener’s hash table. It then checks whether the requestor requested the same page more than once in the last second.
  3. The system adds the requestor’s IP address to a hash key and looks up the key on the listener’s hash table. It then checks whether the requestor requested more than 50 objects in the last second.

If the module finds that any of the above is true, the system sends a 403 response. When a 403 response occurs, the mod_evasive Apache module blocks the IP address for 10 seconds. If the requestor sends additional requests during this time, the system extends the block.

You can also configure the module to trigger a system command or email notification to block the originating addresses.
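The following is an added model of the accounting described above; it is not mod_evasive’s own code and not from cPanel. It uses the directive defaults listed under Configuration directives on this page (DOSPageCount 4, DOSSiteCount 100, intervals of 2 seconds, DOSBlockingPeriod 10 seconds) rather than the 1-second figures in the narrative, reduces the module’s bookkeeping to one counting window per hash key, and passes the clock in explicitly so a run is reproducible. The client addresses are constructed documentation addresses.

```python
"""Simplified model of mod_evasive's per-listener accounting (added example,
not the module's own code).  Thresholds mirror the directive defaults on
this page; 'now' is passed in explicitly so the behaviour is reproducible."""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass
class EvasiveConfig:
    page_count: int = 4         # DOSPageCount
    site_count: int = 100       # DOSSiteCount
    page_interval: int = 2      # DOSPageInterval, seconds
    site_interval: int = 2      # DOSSiteInterval, seconds
    blocking_period: int = 10   # DOSBlockingPeriod, seconds
    whitelist: tuple = ()       # DOSWhitelist patterns such as "127.0.0.*"


class EvasiveListener:
    """One listener's tables: a block list plus per-page and per-client hit counts."""

    def __init__(self, cfg: EvasiveConfig):
        self.cfg = cfg
        self.blocked = {}      # ip -> time at which the block expires
        self.page_hits = {}    # (ip, uri) -> (window start, count)
        self.site_hits = {}    # ip -> (window start, count)

    def _whitelisted(self, ip: str) -> bool:
        return any(fnmatchcase(ip, pattern) for pattern in self.cfg.whitelist)

    @staticmethod
    def _count(table: dict, key, now: float, interval: int, limit: int) -> bool:
        """Record one hit for key; return True when the count exceeds the limit
        for the interval (the window restarts once it is interval seconds old)."""
        start, count = table.get(key, (now, 0))
        if now - start >= interval:
            start, count = now, 0
        count += 1
        table[key] = (start, count)
        return count > limit

    def handle(self, ip: str, uri: str, now: float) -> int:
        """Return the status the module would impose: 200 (pass) or 403."""
        if self._whitelisted(ip):
            return 200
        expiry = self.blocked.get(ip)
        if expiry is not None:
            if now < expiry:
                # Step 1: any request while blocked is refused and extends the block.
                self.blocked[ip] = now + self.cfg.blocking_period
                return 403
            del self.blocked[ip]
        # Steps 2 and 3: per-page and per-client counters; both are always updated.
        page_over = self._count(self.page_hits, (ip, uri), now,
                                self.cfg.page_interval, self.cfg.page_count)
        site_over = self._count(self.site_hits, ip, now,
                                self.cfg.site_interval, self.cfg.site_count)
        if page_over or site_over:
            self.blocked[ip] = now + self.cfg.blocking_period
            return 403
        return 200


def replay(listener: EvasiveListener, requests) -> list:
    """Feed (ip, uri, time) tuples through the listener and collect statuses."""
    return [listener.handle(ip, uri, t) for ip, uri, t in requests]


if __name__ == "__main__":
    # Constructed traffic: one client reloads the same page five times in a second.
    client = EvasiveListener(EvasiveConfig())
    burst = [("203.0.113.5", "/index.html", 100.0 + i * 0.1) for i in range(5)]
    print(replay(client, burst))                            # [200, 200, 200, 200, 403]
    print(client.handle("203.0.113.5", "/other", 105.0))    # 403, block extended to 115
```

The point the model makes visible is the interaction between the two thresholds and the block timer: a client that never exceeds DOSPageCount for any single page can still trip DOSSiteCount by fetching many distinct objects, and once blocked, every further request pushes the expiry forward, so a misbehaving client that keeps retrying never sees the block end.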


Requirements

This module has no requirements. However, your server must possess bandwidth and processing power sufficient to defend against a DoS attack.

Compatibility

If your server uses mod_ruid2, Apache will not write to the /var/log/apache2/mod_evasive log files. If you require Apache logs for mod_evasive, use the mod_suexec module instead of mod_ruid2.


How to install or uninstall the module

You can install or uninstall the mod_evasive Apache module in WHM’s EasyApache 4 interface (WHM » Home » Software » EasyApache 4).

Configuration directives

You can set several directives in the mod_evasive configuration file. We recommend the following directives:

DOSWhitelist
  You can whitelist clients to ensure that the module does not block them. We strongly recommend that you only whitelist automated tools that may request large amounts of data.
  To whitelist a client, set the IP address or range of IP addresses in the directive. Your whitelist entry might resemble the following example:

    DOSWhitelist    127.0.0.1
    DOSWhitelist    127.0.0.*

  The system does not set this directive by default.

DOSHashTableSize
  This directive defines the number of top-level nodes that each child’s hash table contains. You can increase this number to increase performance, but the system will consume more memory. The module will round this value up to the next prime number in its primes list. This directive defaults to 3097.

DOSPageCount
  This directive sets the maximum number of requests per interval for a single page that the module allows before it blocks the IP address. This directive defaults to 4.

DOSSiteCount
  This directive sets the maximum number of requests per interval for any object by the same client that the module allows before it blocks the IP address. This directive defaults to 100.

DOSPageInterval
  This directive sets the time interval, in seconds, for the number of allowed page requests specified in the DOSPageCount directive. This directive defaults to 2.

DOSSiteInterval
  This directive sets the time interval, in seconds, for the number of allowed requests for an object specified in the DOSSiteCount directive. This directive defaults to 2.

DOSBlockingPeriod
  This directive sets the time, in seconds, to block a site’s IP address if the module adds the site to the block list. This directive defaults to 10.
  Note:
    • Any subsequent client requests during the blocked period will reset the block timer and return a 403 error.

DOSEmailNotify
  This directive sets the email address to notify when the module adds an IP address to a blacklist. The system does not set this directive by default.

DOSSystemCommand
  This directive sets the system command to execute when the module adds an IP address to a blacklist. Use this directive to call your IP filter or another tool to integrate the module with your firewall or router.
  The system does not set this directive by default.

DOSLogDir
  This directive sets the location of the log file.
  EasyApache 4 sets the DOSLogDir directive to the /var/log/apache2/mod_evasive/ directory. We strongly recommend that you do not change this location. If you do, the new directory must possess the same permissions.
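The DOSSystemCommand directive hands the module’s verdict to an external tool, so that tool is where input handling matters. The handler below is an added example, not cPanel’s or the module’s own code. It assumes mod_evasive substitutes the blocked address for %s in the command, that an ipset set named evasive exists and is referenced by a DROP rule, that the audit log sits next to DOSLogDir, and that the protected ranges and the 600-second firewall timeout are local policy; all of those are assumptions, and the addresses are constructed documentation addresses.

```python
#!/usr/bin/env python3
"""Hypothetical DOSSystemCommand handler (added example, not cPanel's or the
module's own code).  mod_evasive substitutes the offending address for %s, so
it would be wired up as
    DOSSystemCommand "/usr/local/bin/evasive-block --dry-run %s"
(path assumed; drop --dry-run once the firewall side is in place).  The handler
validates the argument, refuses addresses that must never be blocked, then
builds the firewall command as an argv list.  Running that command needs
privileges the web server user normally lacks; how they are granted (a sudo
rule, a setuid helper) is outside this page."""
import ipaddress
import shlex
import subprocess
import sys
import time

# Constructed policy: loopback and the administrator's own range are never blocked.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128", "203.0.113.0/24")]
IPSET_NAME = "evasive"      # assumed: created with 'ipset create evasive hash:ip timeout 0'
FIREWALL_TIMEOUT = 600      # assumed: seconds before ipset drops the entry again
AUDIT_LOG = "/var/log/apache2/mod_evasive/blocks.log"   # assumed, next to DOSLogDir


def validate_ip(raw: str):
    """Return an ip_address for a literal IPv4/IPv6 argument, else None.
    Hostnames, empty strings and anything carrying shell metacharacters fail here."""
    try:
        return ipaddress.ip_address(raw.strip())
    except ValueError:
        return None


def is_protected(addr) -> bool:
    """True when the address falls in a range local policy says never to block."""
    return any(addr in net for net in NEVER_BLOCK)


def build_block_command(addr) -> list:
    """argv for ipset; passing a list (no shell) means the address is never parsed
    as shell syntax, and 'timeout' lets the entry expire without a cron job."""
    return ["ipset", "add", "-exist", IPSET_NAME, str(addr),
            "timeout", str(FIREWALL_TIMEOUT)]


def handle(raw: str, dry_run: bool = True):
    """Process one invocation.  Returns (exit code, message); exit code 0 means
    the block command was built (and executed when dry_run is False)."""
    addr = validate_ip(raw)
    if addr is None:
        return 2, f"rejected non-IP argument {raw!r}"
    if is_protected(addr):
        return 3, f"refused to block protected address {addr}"
    cmd = build_block_command(addr)
    if not dry_run:
        subprocess.run(cmd, check=True)
        with open(AUDIT_LOG, "a", encoding="utf-8") as log:
            log.write(f"{time.strftime('%Y-%m-%dT%H:%M:%S')} {addr} {shlex.join(cmd)}\n")
    return 0, f"block {addr}: {shlex.join(cmd)}"


if __name__ == "__main__":
    # Usage: evasive-block [--dry-run] ADDRESS   (mod_evasive supplies ADDRESS via %s)
    args = [a for a in sys.argv[1:] if a != "--dry-run"]
    code, message = handle(args[0] if args else "", dry_run="--dry-run" in sys.argv)
    print(message)
    sys.exit(code)
```

Two design choices carry the security weight: the argument is parsed as an address and rejected otherwise, so nothing but a literal IP ever reaches the firewall tool, and the command is executed as an argv list rather than a shell string. The protected-range check is what keeps a misconfigured whitelist, or a proxied request that arrives from the server’s own address, from locking the administrator out at the firewall level as well.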

Apache configuration

We strongly recommend that you set the MaxConnectionsPerChild directive in your apache.conf file to a value of at least 10000. Do not set this value to 0.

This ensures that the mod_evasive Apache module can clean up its internal hashes but does not allow unlimited requests. Set this directive in the Global Configuration section of WHM’s Apache Configuration interface (WHM » Home » Service Configuration » Apache Configuration).

Test your configuration

You can test your configuration with the test.pl script. We strongly recommend that you run the script several times to ensure that you receive 403 Forbidden responses. The speed at which your server blacklists an address depends on your server’s configuration.

Important:

Do not perform DoS attacks on a server without the owner’s permission.

Vendor documentation

For more configuration information, read the mod_evasive documentation.