Tutorial Install mod_evasive In Centos

mod_evasive is a rate limiting solution that blocks traffic from IPs that exceed a predetermined threshold for the number of requests to a specific URI or domain. It can also be configured to talk to ipchains, firewalls and routers for additional protection against DDoS attacks.
With Apache web server, a great majority of experts -if not all- agree that mod_security and mod_evasive are two very important modules that can protect an Apache web server against common threats.

1. Installation mod_evasive

Assuming that Apache HTTP web server is already up and running, if not, you can install it before using this tutorial Basic Tutorial VPS Non Panel or Tutorial Install Apache/httpd 2.4 di Centos 6
First, the EPEL yum repository needs to be installed on the server by running the following command:
[root@www ~]# rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
Then install mod_evasive by running the following command:
[root@www ~]# yum install mod_evasive
After installation, the module can be verified by running this command:
[root@www ~]# httpd -M | grep evasive
evasive20_module (shared)
Syntax OK
[root@www ~]#

2.Configuration mod_evasive

The next step is configuration mod_evasive, please edit file /etc/httpd/conf.d/mod_evasive.conf
[root@www ~]# nano /etc/httpd/conf.d/mod_evasive.conf
These settings are fully customizable and should be configured based on your server’s capabilities and expected traffic flows.

DOSHashTableSize: Specifies the number of top-level nodes for each child’s hash table. Increasing the number improves performance, but also consumes more memory.
DOSPageCount: Specifies the number of requests for the same page per page interval before an IP address is blocked.
DOSSiteCount: Specifies the number of requests for any object by the same client per site interval before the IP address is blocked.
DOSPageInterval: The interval used in the page count threshold (measured in seconds).
DOSSiteInterval: The interval used in the site count threshold (measured in seconds).
DOSBlockingPeriod: Specifies the period of time (in seconds) that an IP is blocked. During this time, all requests originating from the affected IP are given a 403 redirect.
DOSEmailNotify: Sends an email to the address specified whenever an IP address becomes blacklisted.

Example Config :
[root@www ~]# nano /etc/httpd/conf.d/mod_evasive.conf
# mod_evasive configuration
LoadModule evasive20_module modules/mod_evasive20.so

<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 10
DOSSiteCount 200
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 300
DOSEmailNotify youremail@yourdomain.com
DOSLogDir "/var/log/mod_evasive"
#DOSWhitelist 192.168.0.*

3. Simulating DoS Attacks

To Simulating DoS Attacks, we can use Apache server benchmarking tool :
[root@www ~]# ab -n1000 -c1000 http://domain-target.com/index.php
-n: Number of requests to perform for the benchmarking session.
-c: Number of multiple requests to perform at a time.

Example Logs :
[root@www mod_evasive]# tail -f /var/log/messages
Sep 3 15:51:48 www kernel: possible SYN flooding on port 80. Sending cookies.
Sep 3 15:51:49 www mod_evasive[16522]: Blacklisting address 111.222.333.444: possible DoS attack.

Check IP Block
[root@www ~]# ls /var/log/mod_evasive/
[root@www ~]#
To unblock please delete the file dos-111.222.333.444

Similar Preventive :

Install Linux Malware Detect (LMD) with ClamAV Centos 6.7
Install Advanced Policy Firewall In Linux Tutorial Install Lynis in Linux Tutorial How to Install RkHunter In Linux

Preventing Better Than Fixing


Copyright Albenet Hosting Friday 21-Feb-2020 All rights reserved.