Prevent DOS attacks on apache webserver for DEBIAN linux with mod_evasive

by

The following guide explains the installation of the apache module "mod_evasive". Mod_evasive tracks the number of requests of files at the apache webserver and blocks the delivery in case that a certain limit has been reached.

Installation

apt-get install libapache2-mod-evasive

Create the log directory for mod_evasive

mkdir -p /var/log/apache2/evasive
chown -R www-data:root /var/log/apache2/evasive

Now we add the configuration for the module at the end of the file /etc/apache2/mods-available/mod-evasive.load

vi /etc/apache2/mods-available/mod-evasive.load

so that it looks like this:

LoadModule evasive20_module /usr/lib/apache2/modules/mod_evasive20.so
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 5
DOSSiteInterval 1
DOSBlockingPeriod 10
DOSLogDir "/var/log/apache2/evasive"
</IfModule>

and restart apache:

/etc/init.d/apache2 restart

7 thoughts on “Prevent DOS attacks on apache webserver for DEBIAN linux with mod_evasive”

  1. Avatar

    You should tweak the config file settings. Your settings blocked me when I navigated ISPConfig too quickly.
    Here’s my working (Google Bot safe one):

    LoadModule evasive20_module /usr/lib/apache2/modules/mod_evasive20.so

    DOSHashTableSize 2048
    DOSPageCount 10
    DOSSiteCount 200
    DOSPageInterval 2
    DOSSiteInterval 2
    DOSBlockingPeriod 10
    DOSCloseSocket On
    DOSLogDir “/var/log/apache2/evasive”
    DOSEmailNotify [email protected]

    Reply

  2. Robe, I tried to use the DOSCloseSocket On and apache2 did not like it.

    Reply
  3. Avatar

    Ohh the solution the Robert, cause error in Apache2 , not start , i need delete the DOSCloseSocket , has mentioned Juann

    Reply
  4. Avatar

    Following config seems to be optimal:

    DOSHashTableSize 3097
    DOSPageCount 5
    DOSSiteCount 120
    DOSPageInterval 1.5
    DOSSiteInterval 1.5
    DOSBlockingPeriod 10
    #DOSCloseSocket On -> Causing apache not to start

    Reply

  5. This is a bad configuration. You will block everyone that, for example, views an image gallery or just hits reload once in 5 seconds. Additionaly, you should not add configuration options to mod-evasive.load, but create a mod-evasive.conf instead.

    Here’s a setup that should protect any site without confusing users:

    DOSHashTableSize 2048
    DOSPageCount 20
    DOSSiteCount 300
    DOSPageInterval 1.0
    DOSSiteInterval 1.0
    DOSBlockingPeriod 10.0
    # DOSCloseSocket On
    DOSLogDir /var/lock/mod_evasive

    Reply
  6. Avatar

    Hi – for Debian 8.1, the configuration file was named evasive.load – creating the mod-evasive.load file would have no effect on the config.

    Thanks for the tutorial.

    Reply
  7. Avatar

    is this works on Debian 8 apache 2

    Reply

Leave a Comment

CAPTCHA

*