Sandeep B. Posted June 1, 2023

Install the mod_evasive module in CWP Apache 2.4 to protect against DDoS attacks.

DDoS stands for Distributed Denial of Service. It is a malicious attack where multiple compromised computers are used to flood a target system or network with an overwhelming amount of traffic, causing it to become unavailable to legitimate users.

mod_evasive is an Apache module designed to provide protection against Distributed Denial of Service (DDoS) attacks. It detects and blocks suspicious or malicious requests from reaching the web server, thereby mitigating the impact of such attacks.

To install the mod_evasive module with Apache 2.4.x, follow these simple steps:

Step 1:

    yum install libtool git -y
    cd /usr/local/src
    rm -rf master* mod_evasive*
    wget https://github.com/shivaas/mod_evasive/archive/refs/heads/master.zip
    unzip master.zip
    cd mod_evasive-master
    /usr/local/apache/bin/apxs -a -i -c mod_evasive24.c

At this point the module is installed. Now go on to the configuration part.

Step 2:

To configure mod_evasive, create a configuration file named mod_evaisve.conf in the Apache conf.d directory:

    nano /usr/local/apache/conf.d/mod_evaisve.conf

Then paste in the config below:

    <IfModule !evasive20_module>
        LoadModule evasive20_module modules/mod_evasive24.so
    </IfModule>
    <IfModule mod_evasive20.c>
        DOSHashTableSize 3097
        DOSPageCount 2
        DOSSiteCount 50
        DOSPageInterval 1
        DOSSiteInterval 1
        DOSBlockingPeriod 10
        DOSEmailNotify you@yourdomain.com
    </IfModule>

Save it and restart the Apache service:

    systemctl restart httpd

Parameters and Settings

There are many mod_evasive parameters you can configure:

DOSHashTableSize: Increase this for busier web servers. This configuration allocates space for running the lookup operations. Increasing the size improves the speed at the cost of memory.

DOSPageCount: The number of requests for an individual page that triggers blacklisting. This is set to 2, which is low (and aggressive); increase this value to reduce false positives.

DOSSiteCount: The total number of requests for the same site by the same IP address. By default, this is set to 50. You can increase it to 100 to reduce false positives.

DOSPageInterval: Number of seconds for DOSPageCount. By default, this is set to 1 second. That means that if you don't change it, requesting 2 pages in 1 second will temporarily blacklist an IP address.

DOSSiteInterval: Similar to DOSPageInterval, this option specifies the number of seconds that DOSSiteCount monitors. By default, this is set to 1 second. That means that if a single IP address requests 50 resources on the same website in a single second, it will be temporarily blacklisted.

DOSBlockingPeriod: The amount of time an IP address stays on the blacklist. Set to 10 seconds by default, you can change this to any value you like. Increase this value to keep blocked IP addresses in time-out for a more extended period.

DOSLogDir: These logs can be reviewed later to evaluate client behavior.

All logs for mod_evasive can be found at:

    /usr/local/apache/logs/access_log

mod_evasive will block DDoS connections with a 400 error code, and these can be found in the access_log for Apache.

Test whether it works or not:

    cd /usr/local/src/mod_evasive-master
    perl test.pl

If you're behind an nginx proxy, edit test.pl and change the port 80 to 8181, then run perl test.pl.

If mod_evasive is installed correctly, test.pl will output:

    HTTP/1.1 400 Bad Request
    HTTP/1.1 400 Bad Request
    HTTP/1.1 400 Bad Request
    ...
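To judge how many legitimate clients the thresholds above would catch before enforcing them, existing access-log lines can be replayed through the same counters. The following is an added example, not part of the original post or of the mod_evasive project: it is a simplified model that follows the post's description (reaching the count within the interval blacklists the IP for DOSBlockingPeriod seconds) and ignores Apache's per-process state. The function names and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Thresholds copied from the configuration in the post.
CONFIG = {"DOSPageCount": 2, "DOSPageInterval": 1,
          "DOSSiteCount": 50, "DOSSiteInterval": 1, "DOSBlockingPeriod": 10}
# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [01/Jun/2023:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jun/2023:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jun/2023:10:00:01 +0000] "GET /a.css HTTP/1.1" 200 90',
    '198.51.100.7 - - [01/Jun/2023:10:00:01 +0000] "GET /b.js HTTP/1.1" 200 90',
    '192.0.2.10 - - [01/Jun/2023:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jun/2023:10:00:20 +0000] "GET /index.php HTTP/1.1" 200 512',
]
# Common Log Format prefix: client IP, [timestamp], "METHOD URI ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)')

def parse(line):
    """Return (ip, epoch_seconds, uri), or None for a line that does not match."""
    m = LINE.match(line)
    if m:
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").timestamp()
        return m.group(1), ts, m.group(3)

def simulate(lines, cfg=CONFIG):
    """Return {ip: count of requests this simplified model would refuse}."""
    page_hits, site_hits = defaultdict(deque), defaultdict(deque)
    blocked_until, refused = {}, defaultdict(int)
    for ip, ts, uri in filter(None, map(parse, lines)):
        if blocked_until.get(ip, 0) > ts:        # still inside DOSBlockingPeriod
            refused[ip] += 1
            continue
        tripped = False
        for hits, count, interval in (
                (page_hits[ip, uri], cfg["DOSPageCount"], cfg["DOSPageInterval"]),
                (site_hits[ip], cfg["DOSSiteCount"], cfg["DOSSiteInterval"])):
            while hits and ts - hits[0] >= interval:   # drop hits outside the window
                hits.popleft()
            hits.append(ts)
            tripped = tripped or len(hits) >= count
        if tripped:
            blocked_until[ip] = ts + cfg["DOSBlockingPeriod"]
            refused[ip] += 1
    return dict(refused)

if __name__ == "__main__":
    print("as configured:", simulate(SAMPLE))
    print("DOSPageCount=5:", simulate(SAMPLE, dict(CONFIG, DOSPageCount=5)))
```

In the sample, a client that requests the same page twice within one second is refused under DOSPageCount 2 and not under DOSPageCount 5, which is the false-positive trade-off the parameter descriptions mention.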