In this tutorial, we look at how to install and configure mod_evasive on CentOS.
mod_evasive is an Apache module that takes evasive action to protect Apache during server attacks such as brute force or DDoS/DoS attacks. It also works as a tool for detection and network management. The module interacts with routers, firewalls, ipchains, and more. mod_evasive reports attacks on the server through email and syslog facilities. An IP gets restricted or blacklisted by mod_evasive if any of the following criteria is met:
- Requesting the same page more times than the threshold allows within the page interval.
- Making any request while the IP is temporarily blacklisted.
- Making multiple concurrent requests on the same child in a second.
Please note that you need root access to install the mod_evasive Apache module on your server. This tutorial also shows how to configure mod_evasive on your CentOS server.
Install mod_evasive on CentOS
To install mod_evasive Apache on your CentOS server, follow the below steps:
Make sure that the EPEL yum repository is available on the server. The EPEL (Extra Packages for Enterprise Linux) is a free, open-source community-based repository project. To check if the EPEL yum repository packages are available on your system, run the following command.
# rpm -qa | grep epel
If it is not available on the server, execute the following command to install and activate EPEL.
# wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
# rpm -ivh epel-release-latest-8.noarch.rpm
Run the following command to install the mod_evasive Apache module on your server.
# yum install mod_evasive -y
Display the mod_evasive module's configuration file by using the following command to verify that the installation was successful.
# cat /etc/httpd/conf.d/mod_evasive.conf
If the configuration file opens up, then the installation of the mod_evasive Apache module is successful.
Configure mod_evasive
1) Open the modules configuration file.
# cat /etc/httpd/conf.d/mod_evasive.conf
2) To make sure that the module loads correctly, add the following line in the mod_evasive configuration file.
LoadModule evasive20_module modules/mod_evasive24.so
3) You can then see the default configuration values of mod_evasive in the file.
4) To make the changes take effect, restart the httpd service, then check that the module is loaded by using the following commands.
# /etc/init.d/httpd restart
# httpd -M | grep -Ei '(evasive)'
5) If the mod_evasive module loads correctly, you can see the following output.
evasive24_module (shared)
MOD_EVASIVE CONFIGURATION OPTIONS
The module ships with default configuration values, and you can customize them by opening the configuration file and changing the available options. Open the file with the following command; some of the mod_evasive configuration options are described below.
# vim /etc/httpd/conf.d/mod_evasive.conf
1) DOSHashTableSize
The hash table size is the number of top-level nodes for each child’s hash table. Increasing the value of DOSHashTableSize decreases the number of iterations required to reach a record, which gives faster performance, but mod_evasive consumes more memory as the hash table grows. The default value of the hash table size is 3097, so it is recommended to increase the value only if you have a busy web server.
DOSHashTableSize 3097
2) DOSPageCount
DOSPageCount is the threshold for the number of requests allowed to the same page or URI within the page interval. If any IP requests the same page more times than the threshold value, that IP gets blacklisted or rejected by the server. The default threshold value of DOSPageCount is 2. You can uncomment or edit the following line in the configuration file to set the threshold value.
DOSPageCount 2
3) DOSSiteCount
The DOSSiteCount option sets the threshold for the total number of requests by the same client or listener to any object within the site interval. If a client or listener makes more requests than the threshold value, its IP gets added to the block list of your server.
DOSSiteCount 50
4) DOSPageInterval
The value of the DOSPageInterval option is the interval for the page count threshold. The default value of the DOSPageInterval is one second.
DOSPageInterval 1
5) DOSSiteInterval
The value of the DOSSiteInterval option is the interval for the site count threshold. The default value of the DOSSiteInterval is one second.
DOSSiteInterval 1
6) DOSBlockingPeriod
The DOSBlockingPeriod option in the mod_evasive configuration file sets the amount of time (in seconds) the client’s IP stays blocked once it is added to the blocking list. During this period, all subsequent requests from the client return a 403 Forbidden error, and the timer of the IP block gets reset. For example, the default value of DOSBlockingPeriod is 10 seconds, so any request by the blocked IP during these 10 seconds resets the timer to another 10 seconds. During an attack such as a DDoS/DoS attack, this timer keeps getting reset.
DOSBlockingPeriod 10
7) Email Alert
In the mod_evasive configuration file, go to line number 48 and uncomment or edit the following line. Replace the <your_email_address> placeholder with your email address. In case of a DDoS/DoS attack, or if any IP gets blacklisted or rejected, the system automatically sends an alert to that address.
DOSEmailNotify <your_email_address>
After tweaking the values in the mod_evasive configuration file, restart the httpd service for the changes to take effect, then check that the module is still loaded.
# /etc/init.d/httpd restart
# httpd -M | grep -Ei '(evasive)'
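The count, interval and blocking-period options described above can be tried out on sample traffic before they are enabled. The following is an added example, not part of the original tutorial and not mod_evasive's own code: a simplified model of those thresholds run over a constructed access log. The function names, the log format and the way the counting window restarts are assumptions of this example.

```shell
#!/bin/sh
# Added example: simplified model of the thresholds, not mod_evasive code.
# stdin:  "<epoch_seconds> <client_ip> <uri>" per line, oldest first.
# stdout: each line with 200 (served) or 403 (refused) appended.
# Args:   page_count page_interval site_count site_interval blocking_period
simulate_evasive() {
    awk -v page_count="${1:-2}" -v page_interval="${2:-1}" \
        -v site_count="${3:-50}" -v site_interval="${4:-1}" \
        -v blocking_period="${5:-10}" '
    # Record one hit for key k at time t. The window restarts once ivl
    # seconds have passed since it opened. Returns 1 when over the limit.
    function over(k, t, ivl, limit) {
        if (!(k in start) || t - start[k] >= ivl + 0) { start[k] = t; hits[k] = 0 }
        hits[k]++
        return hits[k] > limit + 0
    }
    {
        t = $1; ip = $2; uri = $3
        if ((ip in blocked_at) && t - blocked_at[ip] < blocking_period + 0) {
            # A request made while blocked is refused and restarts the timer.
            blocked_at[ip] = t
            print $0, 403
            next
        }
        # Both counters are updated on every request that is not yet blocked.
        p = over("P" SUBSEP ip SUBSEP uri, t, page_interval, page_count)
        s = over("S" SUBSEP ip, t, site_interval, site_count)
        if (p || s) { blocked_at[ip] = t; print $0, 403 }
        else print $0, 200
    }'
}

# Constructed sample: 203.0.113.7 hammers one page, 198.51.100.20 browses.
sample_log() {
    cat <<'EOF'
100 203.0.113.7 /login.php
100 203.0.113.7 /login.php
100 203.0.113.7 /login.php
100 198.51.100.20 /index.html
105 203.0.113.7 /login.php
112 203.0.113.7 /login.php
123 203.0.113.7 /index.html
EOF
}

sample_log | simulate_evasive
```

With the default values, the request at second 112 is still refused because the request at second 105 reset the 10-second block; the client is served again only at second 123.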
HOW TO WHITELIST A BLOCKED OR REJECTED IP
To whitelist IPs that are blocked by mod_evasive, do the following:
Open the mod_evasive configuration file.
Add the IPs that need to be whitelisted to the configuration file as follows.
DOSWhitelist <IP_address>
To whitelist a range of IPs, use a wildcard as in the following line.
DOSWhitelist 192.53.0.*
After adding the IP in the configuration file, restart the httpd service.
# /etc/init.d/httpd restart