mod_evasive is an evasive maneuvers module for Apache that provides evasive action in the event of an HTTP DoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and more. mod_evasive presently reports abuse via email and syslog facilities. This guide assumes you already have your LAMP server configured. Guides for setting up a LMAP stack can be found under our LAMP guidessection.
Contents
- Prerequesites
- Installing mod_evasive
- mod_evasive Configuration Options
- DOSHashTableSize
- DOSPageCount
- DOSSiteCount
- DOSPageInterval
- DOSSiteInterval
- DOSBlockingPeriod
- DOSEmailNotify
- DOSSystemCommand
- DOSLogDir
- Whitelisting IP Address
- mod_evasive has just one prerequesite beyond the standard LAMP install. To install this module, just run the following command as root in SSH:
- Debian / Ubuntu:
apt-get install apache2-utils
CentOS / Fedora:
yum install httpd-devel
Installing mod_evasive
You’ll first want to get the mod_evasive package, uncompress it, and install it using apxs:
cd /usr/src wget wget http://www.zdziarski.com/blog/wp-content/uploads/2010/02/mod_evasive_1.10.1.tar.gz tar xzf mod_evasive_1.10.1.tar.gz cd mod_evasive apxs -cia mod_evasive20.c
You’ll then need to add the mod_evasive configuration to your Apache configuration file. First, find this section:
File:/etc/apache2/apache2.conf (Debian / Ubuntu)
# Include module configuration: Include mods-enabled/*.load Include mods-enabled/*.conf
File:/etc/httpd/conf/httpd.conf (CentOS / Fedora)
LoadModule evasive20_module /usr/lib/httpd/modules/mod_evasive20.so #
Below those sections, add the mod_evasive configuration:
File excerpt:mod_evasive configuration
<IfModule mod_evasive20.c> DOSHashTableSize 3097 DOSPageCount 2 DOSSiteCount 50 DOSPageInterval 1 DOSSiteInterval 1 DOSBlockingPeriod 60 DOSEmailNotify test@rmohan.com </IfModule>
You’ll then need to restart Apache for your changes to take effect:
Debian / Ubuntu:
/etc/init.d/apache2 restart
CentOS / Fedora:
/etc/init.d/httpd restart
mod_evasive Configuration Options
These configuration option descriptions were taken directly from the README file packaged with the mod_evasive tarball you downloaded during installation.
DOSHashTableSize
The hash table size defines the number of top-level nodes for each child’s hash table. Increasing this number will provide faster performance by decreasing the number of iterations required to get to the record, but consume more memory for table space. You should increase this if you have a busy web server. The value you specify will automatically be tiered up to the next prime number in the primes list (see mod_evasive.c for a list of primes used).
DOSPageCount
This is the threshhold for the number of requests for the same page (or URI) per page interval. Once the threshhold for that interval has been exceeded, the IP address of the client will be added to the blocking list.
DOSSiteCount
This is the threshhold for the total number of requests for any object by the same client on the same listener per site interval. Once the threshhold for that interval has been exceeded, the IP address of the client will be added to the blocking list.
DOSPageInterval
The interval for the page count threshhold; defaults to 1 second intervals.
DOSSiteInterval
The interval for the site count threshhold; defaults to 1 second intervals.
DOSBlockingPeriod
The blocking period is the amount of time (in seconds) that a client will be blocked for if they are added to the blocking list. During this time, all subsequent requests from the client will result in a 403 (Forbidden) and the timer being reset (e.g. another 10 seconds). Since the timer is reset for every subsequent request, it is not necessary to have a long blocking period; in the event of a DoS attack, this timer will keep getting reset.
DOSEmailNotify
If this value is set, an email will be sent to the address specified whenever an IP address becomes blacklisted. A locking mechanism using /tmp prevents continuous emails from being sent.
- NOTE: Be sure MAILER is set correctly in mod_evasive.c
- (or mod_evasive20.c). The default is “/bin/mail -t %s” where %s is used to denote the destination email address set in the configuration. If you are running on linux or some other operating system with a different type of mailer, you’ll need to change this.
DOSSystemCommand
If this value is set, the system command specified will be executed whenever an IP address becomes blacklisted. This is designed to enable system calls to ip filter or other tools. A locking mechanism using /tmp prevents continuous system calls. Use %s to denote the IP address of the blacklisted IP.
DOSLogDir
Choose an alternative temp directory
By default “/tmp” will be used for locking mechanism, which opens some security issues if your system is open to shell users. In the event you have nonprivileged shell users, you’ll want to create a directory writable only to the user Apache is running as (usually root), then set this in your httpd.conf.
Whitelisting IP Addresses
IP addresses of trusted clients can be whitelisted to insure they are never denied. The purpose of whitelisting is to protect software, scripts, local searchbots, or other automated tools from being denied for requesting large amounts of data from the server. Whitelisting should not be used to add customer lists or anything of the sort, as this will open the server to abuse. This module is very difficult to trigger without performing some type of malicious attack, and for that reason it is more appropriate to allow the module to decide on its own whether or not an individual customer should be blocked.
To whitelist an address (or range) add an entry to the Apache configuration in the following fashion:
DOSWhitelist 127.0.0.1 DOSWhitelist 127.0.0.*
Wildcards can be used on up to the last 3 octets if necessary. Multiple DOSWhitelist commands may be used in the configuration.
Protecting Apache against DOS attack with mod_evasive
Novell Cool Solutions: Feature
Problem:
Having users constantly making HTTP requests to slow your server down and possibly causing a DOS (Denial Of Service) attack.
Solution:
Deploy the mod_evasive module.
Environment Factors:
This article was tested on SUSE Linux Enterprise Server SP1.
Protecting Apache against DOS attack with mod_evasive
The Apache web server is the most popular web server on the Internet today holding a “52.65% market share for top servers across all domains August 1995 – July 2007” (Netcraft, 2007). The Apache module “mod_evasive” is an excellent module which helps defend against malicious users trying to perform HTTP DoS (Denial of Service) attacks and also helps protect against brute force attacks.
The “mod_evasive” module detects attacks using three different methods; 1) requesting the same page more than a few times per second, 2) making more than 50 concurrent requests on the same child per second and 3) making any requests while temporarily blacklisted.
Mod_evasive
The first step to installing mod_evasive is to download the source code from [2] website. Once you have downloaded the source file you will need to unpack the compressed archive using the “tar” utility as shown in Figure 1.
Linux-w2mu:~# tar zvxf mod_evasive_1.10.1.tar.gz
Figure 1: Unpacking mod_evasive.
Once mod_evasive has been unpacked change into the directory that contains the source code as we will need to compile the “mod_evasive20.c” file, but before you compile the source code you will need to install some dependencies that mod_evasive relies on.
mod_evasive dependencies
The dependencies that mod_evasive requires are listed in Table 1, you can install these dependencies off the SUSE Linux Enterprise Server CD/DVD.
Dependency Summary apache2-devel Header and Include Files apache2-prefork “prefork” MPM (Multi-Processing Module) Table 1: Mod_evasive dependencies.
Once you have installed all the dependencies listed in Table 1 and unpackaged the source code, you can begin to compile the “mod_evasive20.c” file with the “apxs2” command as shown in Figure 1.1.
Linux-w2mu:~# apxs2 -ci mod_evasive20.c /usr/lib/apr-1/build/libtool --silent --mode=compile gcc -prefer-pic -O2 -march=i586 -mtune=i686 -fmessage-length=0 -Wall -D_FORTIFY_SOURCE=2 -g -fPIC -Wall -fno-strict-aliasing -DLDAP_DEPRECATED -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE -D_LARGEFILE64_SOURCE -DAP_DEBUG -pthread -I/usr/include/apache2 -I/usr/include -I/usr/include/apr-1 -c -o mod_evasive20.lo mod_evasive20.c && touch mod_evasive20.slo ... ...
Figure 1.1: Compiling mod_evasive for Apache 2.
Enabling mod_evasive
Once you have compiled the mod_evasive module you will need the module to load when Apache is started or restarted. The file that needs to be modified is “/etc/sysconfig/apache2” and the directive that needs to be altered is “APACHE_MODULES=” as it needs to include the mod_evasive20 module, as shown in Figure 2.
... APACHE_MODULES="mod_evasive20 actions alias auth_basic authn_file authz_host authz_groupfile authz_default authz_user authn_dbm autoindex cgi dir env expires include log_config mime negotiation setenvif ssl suexec userdir php5" ...
Figure 2: Altered /etc/sysconfig/apache2 configuration file.
Once you have modified the “/etc/sysconfig/apache2” configuration file you will need to check the Apache syntax using the “service” command as shown in Figure 2.1.
Linux-w2mu:~# service apache2 configtest Syntax OK
Figure 2.1: Verifying the syntax is OK.
Mod_evasive configuration
Once you have modified the “/etc/sysconfig/apache2” configuration file you will need to create a configuration file for the mod_evasive module. In the “/etc/apache2” directory you will need to create a file called: “mod_evasive.conf” with the following or similar content shown in Figure 3.
<IfModule mod_evasive20.c> DOSHashTableSize 3097 DOSPageCount 2 DOSSiteCount 50 DOSPageInterval 1 DOSSiteInterval 1 DOSBlockingPeriod 10 </IfModule>Figure 3: mod_evasive.conf
The key pairs that are used in the “mod_evasive.conf” configuration file are listen in Table 2 along with a description.
Key Description DOSHashTableSize The hash table size defines the number of top-level nodes for each child’s hash table. Increasing this number will provide faster performance by decreasing the number of iterations required to get to the record, but consume more memory for table space DOSPageCount This is the threshold for the number of requests for the same page (or URI) per page interval. Once the threshold for that interval has been exceeded, the IP address of the client will be added to the blocking list. DOSSiteCount This is the threshold for the total number of requests for any object by the same client on the same listener per site interval. DOSPageInterval The interval for the page count threshold; defaults to 1 second intervals. DOSSiteInterval The interval for the site count threshold; defaults to 1 second intervals. DOSBlockingPeriod The blocking period is the amount of time (in seconds) that a client will be blocked for if they are added to the blocking list. During this time, all subsequent requests from the client will result in a 403 (Forbidden) and the timer being reset (e.g. another 10 seconds). DOSEmailNotify If this value is set, an email will be sent to the address specified whenever an IP address becomes blacklisted. A locking mechanism using /tmp prevents continuous emails from being sent. DOSSystemCommand If this value is set, the system command specified will be executed whenever an IP address becomes blacklisted. This is designed to enable system calls to ip filter or other tools. DOSLogDir Choose an alternative temp directory, default is /tmp. Table 2: Mod_evasive key pairs.
Once you are happy with your “mod_evasive.conf” configuration file you can restart the Apache web server and test your new configuration. There are two methods of checking mod_evasive is function correctly. The first method is to run the “test.pl” file in the mod_evasive directory as shown in Figure 3.1.
Linux-w2mu:~# perl test.pl HTTP/1.1 200 OK HTTP/1.1 200 OK HTTP/1.1 200 OK HTTP/1.1 200 OK HTTP/1.1 403 Forbidden HTTP/1.1 403 Forbidden ... ...
Figure 3.1: Checking mod_evasive.
The second method to check mod_evasive is functioning correctly is to connect to your web server and hit the refresh button really fast and you should be presented with a “403 Forbidden” message.
Final Thoughts
Now that you have installed and configured mod_evasive, your Apache web server should be able to defend against HTTP DOS attacks and brute force attacks. I would also recommend placing offending IP addresses into your IP tables using the “DOSSystemCommand” key. The reason you should add the offending IP address into your IP tables is so they don’t even get to see the “403 Forbidden” message thus making your website look down.
-
Securing Apache against HTTP DoS and/or Brute Force attacks
There are some native Apache directives that can be configured to help mitigate the effects of a Denial of Service (DoS) attack. The directives included Timeout, KeepAlive, and KeepAliveTimeout.
TimeOut
One way of attacking web servers is to try and exhaust the target systems resources by opening multiple connections and then never closing them. The more connections the server has open at once, the more resources are tied up holding details of those connections, which can lead to increased load and eventually to the server running out of resources.
The TimeOut directive tells the server how long to wait to receive a GET request, the amount of time between receipt of TCP packets on a POST or PUT request, or the amount of time between ACKs on transmissions of TCP packets in responses. Basically, this is the total time it takes to receive and respond to an http request.
In order to prevent a DoS attack from shutting down our web server, we need to change the default setting of 300 (which is 5 minutes) to something more reasonable such as 60 (which is 1 minute). You may even adjust this setting to be lower than 60. Think about this for a minute.
KeepAlive
How many individual graphics files do you think there are in the average web page? Last check on the Amazon.com home page showed approximately 58 graphics files (gif and jpg) being referenced. Now imagine if your web browser had to create a brand-new connection for every one of those files. The overhead associated with initializing the HTTP connection would increase the time to fully load a web page significantly. This is where the concept of KeepAlives and “pipelining” web requests came from. The idea is simple: to allow multiple requests from the same client to utilize the same established HTTP connection. This efficient use of this capability dramatically decreases the amount of time it takes to fully download and display a web page. It is for this reason that the KeepAlive directive should be turned on.KeepAliveTimeout
Much in the same way that the Timeout directive limited the amount of time that the established HTTP connection would be valid, the KeepAliveTimeout directive will expire a socket after the designated amount of time. The difference between the Timeout and the KeepAliveTimeout directives is that the timeout setting designates the amount of time that the entire connection will be open and the KeepAliveTimeout directive states how long the server will wait for a subsequent request from the client. This means that the KeepAliveTimeout setting should always be less then the timeout setting. The default setting for KeepAliveTimeout is 15 seconds, which is reasonable; however, you could lower this just a bit if desired.While these directives help with the performance of Apache and will lessen the impact of a DoS attack, there is another third-party module that is extremely effective.
mod_evasive is an evasive maneuvers module for Apache whose purpose is to react to HTTP DoS and/or Brute Force attacks. It was developed by Jonathan Zdziarski.
An additional capability of the module is that it is also able to execute system commands when DoS attacks are identified. This provides an interface to send attacking IP addresses to other security applications such as local host-based firewalls to block the offending IP address.
Installing mod_evasive on Centos 5.3:
( you can find lots of documents that explains how to install mod_evasive on other distributions )
# rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-3.noarch.rpm#yum install mod_evasiveConfiguring mod_evasive :
/etc/httpd/conf.d/mod_evasive.conf is main configuration file for mod_evasive :
LoadModule evasive20_module modules/mod_evasive20.so <IfModule mod_evasive20.c> DOSHashTableSize 3097 DOSPageCount 5 DOSSiteCount 100 DOSPageInterval 1 DOSSiteInterval 1 DOSBlockingPeriod 10 DOSEmailNotify nasser@mydomain.com #DOSSystemCommand "su - someuser -c '/sbin/... %s ...'" DOSLogDir "/var/lock/mod_evasive" #DOSWhitelist 127.0.0.1 </IfModule>
We will now discuss each of the mod_evasive directives. Most of this information is taken directly from the README file of mod_evasive, so proper credit should be given to the developer of this module.
DosHashTableSize
This directive specifies the number of top-level nodes for each apache child process’s hash table. Increasing this number will provide faster performance by decreasing the number of iterations required to get to the record, but consume more memory for table space. You should increase this if you have a busy web server.
DOSPageCount
This is the threshold for the number of requests for the same page (or URI) per page interval. Once the threshold for that interval has been exceeded, the IP address of the client will be added to the blocking list.
DOSSiteCount
This is the threshold for the total number of requests for any object by the same client on the same listener per site interval. Once the threshold for that interval has been exceeded, the IP address of the client will be added to the blocking list.
DOSPageInterval
The interval for the page count threshold; defaults to 1 second intervals.
DOSSiteInterval
The interval for the site count threshold; defaults to 1 second intervals.
DOSBlockingPeriod
The blocking period is the amount of time (in seconds) that a client will be blocked for if they are added to the blocking list. During this time, all subsequent requests from the client will result in a 403 (Forbidden) and the timer being reset (e.g., another 10 seconds). Because the timer is reset for every subsequent request, it is not necessary to have a long blocking period; in the event of a DoS attack, this timer will keep getting reset.
DOSEmailNotify
If this value is set, an email will be sent to the address specified whenever an IP address becomes blacklisted. A locking mechanism using /var/lock/mod_evasive prevents continuous emails from being sent.
Note: Requires /bin/mail (provided by mailx)DOSSystemCommand
If this value is set, the system command specified will be executed whenever an IP address becomes blacklisted. This is designed to enable system calls to ip filter or other tools. Use %s to denote the IP address of the blacklisted IP.
DOSLogDir
Choose an alternative temp directory. By default, “/tmp” will be used for the locking mechanism, which opens some security issues if your system is open to shell users. refer to => http://security.lss.hr/index.php?page=details&ID=LSS-2005-01-01
WhiteListing
IP addresses of trusted clients can be whitelisted to ensure they are never denied. The purpose of whitelisting is to protect software, scripts, local searchbots, or other automated tools from being denied for requesting large amounts of data from the server. Whitelisting should not be used to add customer lists or anything of the sort, as this will open the server to abuse. This module is very difficult to trigger without performing some type of malicious attack, and for that reason, it is more appropriate to allow the module to decide on its own whether or not an individual customer should be blocked.
To whitelist an address (or range), add an entry to the Apache configuration in the following fashion:
DOSWhitelist 127.0.0.1DOSWhitelist 127.0.0.*
Wildcards can be used on up to the last three octets if necessary. Multiple DOSWhitelist commands may be used in the configuration.
Testing
mod_evasive comes with a PERL script called test.pl. Without editing the file, if you execute it, it will send a total of 100 requests for incrementing URLs (based on 0-100) to the localhost address on port 80.
#!/usr/bin/perl # test.pl: small script to test mod_evasive's effectiveness use IO::Socket; use strict; for(0..100) { my($response); my($SOCKET) = new IO::Socket::INET( Proto => "tcp", PeerAddr=> "127.0.0.1:80"); if (! defined $SOCKET) { die $!; } print $SOCKET "GET /?$_ HTTP/1.0\n\n"; $response = <$SOCKET>; print $response; close($SOCKET); }If you run the script, you should see output similar to the following:
# ./test.pl
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
–CUT–
Recent Comments