Prevent DOS attacks on apache webserver for DEBIAN linux with mod_evasive

Monday, March 7, 2011 posted by Till

The following guide explains the installation of the Apache module "mod_evasive". mod_evasive keeps count of the requests that each client makes to the Apache web server, per page and for the site as a whole, and refuses to deliver further responses to that client once a configured limit has been reached within the configured interval.

Installation

apt-get install libapache2-mod-evasive

Create the log directory for mod_evasive

mkdir -p /var/log/apache2/evasive
chown -R www-data:root /var/log/apache2/evasive

Now we add the configuration for the module at the end of the file /etc/apache2/mods-available/mod-evasive.load

vi /etc/apache2/mods-available/mod-evasive.load

so that it looks like this:

LoadModule evasive20_module /usr/lib/apache2/modules/mod_evasive20.so

DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 5
DOSSiteInterval 1
DOSBlockingPeriod 10
DOSLogDir "/var/log/apache2/evasive"

and restart apache:

/etc/init.d/apache2 restart
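The accounting that the directives above configure, as an added Python simulation (my own model of the documented behaviour, not the module's code): one counter per client and page and one per client and site, each reset only when the gap to the previous hit reaches its interval, a 403 and a hold once a counter is exceeded, and every request during the hold restarting the blocking period. The visitor address, the gallery traffic and the "loose" comparison settings are constructed for the illustration; it shows why the values above already block a visitor who reloads the same page twice within a few seconds.

```python
from dataclasses import dataclass, field

@dataclass
class Evasive:
    page_count: int        # DOSPageCount
    site_count: int        # DOSSiteCount
    page_interval: int     # DOSPageInterval (whole seconds, as the module compares time())
    site_interval: int     # DOSSiteInterval
    blocking_period: int   # DOSBlockingPeriod
    hits: dict = field(default_factory=dict)  # counter key -> [last hit, count]
    hold: dict = field(default_factory=dict)  # ip -> last request time while blocked

    def _over(self, key, now, interval, threshold):
        ts, count = self.hits.get(key, (now, 0))
        if now - ts >= interval:   # reset only when the gap to the previous hit is long enough
            count = 0
        if count >= threshold:     # this hit would exceed the threshold: forbid it
            return True
        self.hits[key] = [now, count + 1]
        return False

    def request(self, ip, uri, now):
        """Return 200 or 403 for one request, checks in the access checker's order."""
        if ip in self.hold and now - self.hold[ip] < self.blocking_period:
            self.hold[ip] = now    # a request during the hold restarts the blocking period
            return 403
        blocked = self._over(f"{ip}_{uri}", now, self.page_interval, self.page_count)
        blocked |= self._over(f"{ip}_SITE", now, self.site_interval, self.site_count)
        if blocked:
            self.hold[ip] = now
        return 403 if blocked else 200

def replay(ev, requests):  # feed (time, ip, uri) tuples through the model
    return [ev.request(ip, uri, t) for t, ip, uri in requests]

# Constructed traffic: one visitor (test address) loads a gallery page with
# twelve images at t=0 and then reloads the page at t=2 and t=3.
VISITOR = "203.0.113.5"
GALLERY = ([(0, VISITOR, "/gallery")]
           + [(0, VISITOR, f"/img/{i}.jpg") for i in range(12)]
           + [(2, VISITOR, "/gallery"), (3, VISITOR, "/gallery")])
GUIDE = dict(page_count=2, site_count=50, page_interval=5, site_interval=1, blocking_period=10)
LOOSE = dict(page_count=20, site_count=300, page_interval=1, site_interval=1, blocking_period=10)

def forbidden_indexes(settings):  # which GALLERY requests get a 403
    return [i for i, c in enumerate(replay(Evasive(**settings), GALLERY)) if c == 403]

def after_block(settings):  # later hits at t=12, 21, 32: each hit during the hold extends it
    ev = Evasive(**settings)
    replay(ev, GALLERY)
    return [ev.request(VISITOR, "/about", t) for t in (12, 21, 32)]
```

With the guide's values the third load of /gallery inside five seconds is refused and the visitor stays blocked for as long as they keep retrying; with the looser values the same traffic passes.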


5 Responses to “Prevent DOS attacks on apache webserver for DEBIAN linux with mod_evasive”

  1. robert says:

    You should tweak the config file settings. Your settings blocked me when I navigated ISPConfig too quickly.
    Here’s my working (Google Bot safe one):

    LoadModule evasive20_module /usr/lib/apache2/modules/mod_evasive20.so

    DOSHashTableSize 2048
    DOSPageCount 10
    DOSSiteCount 200
    DOSPageInterval 2
    DOSSiteInterval 2
    DOSBlockingPeriod 10
    DOSCloseSocket On
    DOSLogDir "/var/log/apache2/evasive"
    DOSEmailNotify rhernandez50@gmail.com

  2. Juann says:

    Robert, I tried to use the DOSCloseSocket On and apache2 did not like it.

  3. sergi says:

    Ohh, Robert's solution causes an error in Apache2: it does not start. I needed to delete DOSCloseSocket, as Juann mentioned.

  4. Kerstin in Stuttgart says:

    Following config seems to be optimal:

    DOSHashTableSize 3097
    DOSPageCount 5
    DOSSiteCount 120
    DOSPageInterval 1.5
    DOSSiteInterval 1.5
    DOSBlockingPeriod 10
    #DOSCloseSocket On -> Causing apache not to start

  5. Bachsau says:

    This is a bad configuration. You will block everyone that, for example, views an image gallery or just hits reload once in 5 seconds. Additionally, you should not add configuration options to mod-evasive.load, but create a mod-evasive.conf instead.

    Here’s a setup that should protect any site without confusing users:

    DOSHashTableSize 2048
    DOSPageCount 20
    DOSSiteCount 300
    DOSPageInterval 1.0
    DOSSiteInterval 1.0
    DOSBlockingPeriod 10.0
    # DOSCloseSocket On
    DOSLogDir /var/lock/mod_evasive