Apache Module — Evasive
Last modified: October 11, 2024
This module provides DoS, DDoS, and brute force attack protection.
The mod_evasive Apache module creates an internal, dynamic hash table of IP addresses and URIs, and it denies any single IP address that performs the following actions:
- Requests the same page more than a few times per second.
- Makes more than 100 concurrent requests on the same child process per second.
- Makes any request while temporarily blacklisted.
The module creates an instance for each listener, which ensures a built-in cleanup mechanism and good scaling. Because of this, the module rarely stops a legitimate request, even if a user repeatedly clicks on reload.
- If you find that the module blocks access to webmail through a proxy subdomain, you may need to adjust the configuration settings.
- We strongly recommend that you integrate this module with your firewall and router for the best protection. For more information, read the DOSSystemCommand section.
How the module works
When your server receives a request, the module performs the following steps:
- The system checks the temporary blacklist for the requestor’s IP address.
- The system adds the requestor’s IP address and the URI to a hash key and looks up the key on the listener’s hash table. It then checks whether the requestor requested the same page more than once in the last second.
- The system adds the requestor’s IP address to a hash key and looks up the key on the listener’s hash table. It then checks whether the requestor requested more than 50 objects in the last second.
If the module finds that any of the above are true, the system sends a 403 response. When a 403 response occurs, the mod_evasive Apache module blocks the IP address for 10 seconds. If the requestor sends additional requests during this time, the system extends the block.
You can also configure the module to run a system command or send an email notification when it blocks an address, for example to have your firewall or router block the originating address.
Requirements
This module has no requirements. However, your server must possess bandwidth and processing power sufficient to defend against a DoS attack.
Compatibility
If your server uses mod_ruid2, Apache will not write to the /var/log/apache2/mod_evasive log files. If you require Apache logs for mod_evasive, use the mod_suexec module instead of mod_ruid2.
How to install or uninstall the module
You can install or uninstall the mod_evasive Apache module in WHM’s EasyApache 4 interface (WHM » Home » Software » EasyApache 4).
Configuration directives
You can set several directives in the mod_evasive configuration file. We recommend the following directives:
Directive | Description
---|---
DOSWhiteList | You can whitelist clients to ensure that the module does not block them. We strongly recommend that you only whitelist automated tools that may request large amounts of data. To whitelist a client, set the IP address or range of IP addresses in the directive. Your whitelist entry might resemble the following example:
DOSHashTableSize | This directive defines the number of top-level nodes that each child’s hash table contains. You can increase this number to increase performance, but the system will consume more memory. The module will round this value up to the next prime number in its primes list. This directive defaults to 3097.
DOSPageCount | This directive sets the maximum number of requests per interval for a single page that the module allows before it blocks the IP address. This directive defaults to 4.
DOSSiteCount | This directive sets the maximum number of requests per interval for any object by the same client that the module allows before it blocks the IP address. This directive defaults to 100.
DOSPageInterval | This directive sets the time interval, in seconds, for the number of allowed page requests as specified in the DOSPageCount directive. This directive defaults to 2.
DOSSiteInterval | This directive sets the time interval, in seconds, for the number of allowed requests for an object as specified in the DOSSiteCount directive. This directive defaults to 2.
DOSBlockingPeriod | This directive sets the time, in seconds, to block a client’s IP address after the module adds it to the block list. This directive defaults to 10. Note: Any subsequent client requests during the blocked period will reset the block timer and return a 403 error.
DOSEmailNotify | This directive sets the email address to notify when the module adds an IP address to a blacklist. The system does not set this directive by default.
DOSSystemCommand | This directive sets the system command to execute when the module adds an IP address to a blacklist. Use this directive to call your IP filter or another tool to integrate the module with your firewall or router. The system does not set this directive by default.
DOSLogDir | This directive sets the location of the log file. EasyApache 4 sets the DOSLogDir directive to the /var/log/apache2/mod_evasive/ directory. We strongly recommend that you do not change this location. If you do, the new directory must possess the same permissions.
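To make the decision procedure and the directives above concrete, the following is an added example, not cPanel documentation and not the mod_evasive module's own code. It models one listener's per-page and per-site counters, the temporary blacklist with its timer reset on further hits, DOSWhiteList matching, and a single hook call per block event standing in for DOSSystemCommand or DOSEmailNotify. It uses the page's default threshold values; the IP addresses and request timings are constructed sample data, and the counting-window semantics (a window starts at the first hit and is discarded once older than the interval) are a modelling assumption, not a statement about the module's internals.

```python
# Added example: a model of the mod_evasive blocking decision, not the
# module's code. IP addresses and timings below are constructed sample data.
import fnmatch
from dataclasses import dataclass


@dataclass
class EvasiveConfig:
    """Thresholds named after the directives, with the page's default values."""
    page_count: int = 4            # DOSPageCount
    page_interval: float = 2.0     # DOSPageInterval, seconds
    site_count: int = 100          # DOSSiteCount
    site_interval: float = 2.0     # DOSSiteInterval, seconds
    blocking_period: float = 10.0  # DOSBlockingPeriod, seconds
    whitelist: tuple = ()          # DOSWhiteList patterns, e.g. "192.0.2.*"


class EvasiveModel:
    """Models one listener's hash tables. on_block stands in for the
    DOSSystemCommand / DOSEmailNotify hook and fires once per block event."""

    def __init__(self, cfg, on_block=None):
        self.cfg = cfg
        self.on_block = on_block
        self.blocked_until = {}  # ip -> time the temporary blacklist entry expires
        self.page_hits = {}      # (ip, uri) -> (count, window_start)
        self.site_hits = {}      # ip -> (count, window_start)

    def _whitelisted(self, ip):
        return any(fnmatch.fnmatchcase(ip, pat) for pat in self.cfg.whitelist)

    @staticmethod
    def _bump(table, key, now, interval):
        # Modelling assumption: a counting window starts at the first hit and
        # is discarded once it is older than the configured interval.
        count, start = table.get(key, (0, now))
        if now - start >= interval:
            count, start = 0, now
        count += 1
        table[key] = (count, start)
        return count

    def handle(self, ip, uri, now):
        """Return 403 if the module would deny this request, otherwise 200."""
        if self._whitelisted(ip):
            return 200
        # Step 1: temporary blacklist. A hit while blocked resets the timer.
        expiry = self.blocked_until.get(ip)
        if expiry is not None:
            if now < expiry:
                self.blocked_until[ip] = now + self.cfg.blocking_period
                return 403
            del self.blocked_until[ip]
        # Steps 2 and 3: per-page and per-site counters over their intervals.
        page = self._bump(self.page_hits, (ip, uri), now, self.cfg.page_interval)
        site = self._bump(self.site_hits, ip, now, self.cfg.site_interval)
        if page > self.cfg.page_count or site > self.cfg.site_count:
            self.blocked_until[ip] = now + self.cfg.blocking_period
            if self.on_block:
                self.on_block(ip, now)
            return 403
        return 200


def run_demo():
    """Three constructed scenarios; returns the statuses and block events."""
    events = []
    model = EvasiveModel(EvasiveConfig(whitelist=("192.0.2.*",)),
                         on_block=lambda ip, t: events.append((ip, t)))
    # Same page five times in under a second, then two hits during the block,
    # then one request after the (twice extended) block has expired.
    burst = [model.handle("203.0.113.7", "/index.html", t)
             for t in (0.0, 0.1, 0.2, 0.3, 0.4)]
    during = [model.handle("203.0.113.7", "/index.html", t) for t in (5.0, 14.0)]
    after = model.handle("203.0.113.7", "/index.html", 30.0)
    # A whitelisted client is never counted, however fast it requests.
    wl = [model.handle("192.0.2.10", "/index.html", i * 0.01) for i in range(20)]
    # Distinct objects: the per-site counter trips on the 101st request.
    site = [model.handle("198.51.100.3", f"/obj{i}", i * 0.001) for i in range(101)]
    return {"burst": burst, "during": during, "after": after,
            "whitelisted": wl, "site": site, "events": events}


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

Running the block shows the fifth hit on the same page within DOSPageInterval being refused, the two requests made during the blocking period each returning 403 and pushing the expiry out by another DOSBlockingPeriod, and the hook firing exactly once per client that gets blocked; that once-per-block behaviour is what makes DOSSystemCommand usable for a firewall rule without repeated invocations.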
Apache configuration
We strongly recommend that you set the MaxConnectionsPerChild directive in your apache.conf file to a value of at least 10000. Do not set this value to 0.
Each child process keeps its own hash table, and recycling a child after a bounded number of connections is what clears its stale entries; a value of 0 means Apache never recycles children. A value of at least 10000 therefore ensures that the mod_evasive Apache module can clean up its internal hashes but does not allow unlimited requests. Set this directive in the Global Configuration section of WHM’s Apache Configuration interface (WHM » Home » Service Configuration » Apache Configuration).
Test your configuration
You can test your configuration with the test.pl script. We strongly recommend that you run the script several times to ensure that you receive 403 Forbidden responses. The speed at which your server blacklists an address depends on your server’s configuration.
Do not perform DoS attacks on a server without the owner’s permission.
Vendor documentation
For more configuration information, read the mod_evasive documentation.