{"id":880,"date":"2012-08-02T15:17:21","date_gmt":"2012-08-02T07:17:21","guid":{"rendered":"http:\/\/rmohan.com\/?p=880"},"modified":"2012-08-02T15:23:21","modified_gmt":"2012-08-02T07:23:21","slug":"mod_evasive-on-apache","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=880","title":{"rendered":"mod_evasive on Apache"},"content":{"rendered":"<p>mod_evasive is an evasive maneuvers module for Apache that provides evasive action in the event of an HTTP DoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and more. mod_evasive presently reports abuse via email and syslog facilities. Two limits to keep in mind: it keys everything on the client address as Apache sees it, so behind a reverse proxy or CDN it counts (and blocks) the proxy, and users behind a shared NAT are counted together; and its tables live in each Apache child process, so the thresholds apply per child rather than per server. This guide assumes you already have your LAMP server configured. Guides for setting up a LAMP stack can be found under our <a href=\"http:\/\/library.linode.com\/lamp-guides\">LAMP guides<\/a> section.<\/p>\n<p>Contents<\/p>\n<ul>\n<li><a id=\"sph_id1\" href=\"http:\/\/library.linode.com\/web-servers\/apache\/mod-evasive#sph_prerequesites\">Prerequisites<\/a><\/li>\n<li><a id=\"sph_id2\" href=\"http:\/\/library.linode.com\/web-servers\/apache\/mod-evasive#sph_installing-mod-evasive\">Installing mod_evasive<\/a><\/li>\n<li><a id=\"sph_id3\" href=\"http:\/\/library.linode.com\/web-servers\/apache\/mod-evasive#sph_mod-evasive-configuration-options\">mod_evasive Configuration Options<\/a>\n<ul>\n<li><a id=\"sph_id4\" href=\"http:\/\/library.linode.com\/web-servers\/apache\/mod-evasive#sph_doshashtablesize\">DOSHashTableSize<\/a><\/li>\n<li><a id=\"sph_id5\" href=\"http:\/\/library.linode.com\/web-servers\/apache\/mod-evasive#sph_dospagecount\">DOSPageCount<\/a><\/li>\n<li><a id=\"sph_id6\" href=\"http:\/\/library.linode.com\/web-servers\/apache\/mod-evasive#sph_dossitecount\">DOSSiteCount<\/a><\/li>\n<li><a id=\"sph_id7\" href=\"http:\/\/library.linode.com\/web-servers\/apache\/mod-evasive#sph_dospageinterval\">DOSPageInterval<\/a><\/li>\n<li><a id=\"sph_id8\" 
href=\"http:\/\/library.linode.com\/web-servers\/apache\/mod-evasive#sph_dossiteinterval\">DOSSiteInterval<\/a><\/li>\n<li><a id=\"sph_id9\" href=\"http:\/\/library.linode.com\/web-servers\/apache\/mod-evasive#sph_dosblockingperiod\">DOSBlockingPeriod<\/a><\/li>\n<li><a id=\"sph_id10\" href=\"http:\/\/library.linode.com\/web-servers\/apache\/mod-evasive#sph_dosemailnotify\">DOSEmailNotify<\/a><\/li>\n<li><a id=\"sph_id11\" href=\"http:\/\/library.linode.com\/web-servers\/apache\/mod-evasive#sph_dossystemcommand\">DOSSystemCommand<\/a><\/li>\n<li><a id=\"sph_id12\" href=\"http:\/\/library.linode.com\/web-servers\/apache\/mod-evasive#sph_doslogdir\">DOSLogDir<\/a><\/li>\n<li><a id=\"sph_id13\" href=\"http:\/\/library.linode.com\/web-servers\/apache\/mod-evasive#sph_whitelisting-ip-addresses\">Whitelisting IP Addresses<\/a><\/li>\n<li>mod_evasive has just one prerequisite beyond the standard LAMP install: the apxs tool that compiles and registers Apache modules (apxs2 on Debian, Ubuntu and SUSE). Install it as root over SSH:<\/li>\n<li>Debian \/ Ubuntu (apxs2 ships in the Apache development package, not in apache2-utils; on older releases the package is apache2-prefork-dev or apache2-threaded-dev):\n<pre>apt-get install apache2-dev<\/pre>\n<p>CentOS \/ Fedora:<\/p>\n<pre>yum install httpd-devel<\/pre>\n<div id=\"sph_installing-mod-evasive\">\n<h1><a href=\"http:\/\/library.linode.com\/web-servers\/apache\/mod-evasive#sph_id2\">Installing mod_evasive<\/a><\/h1>\n<p>You&#8217;ll first want to get the mod_evasive package, uncompress it, and install it using apxs (the -a flag is meant to add the LoadModule line to the main Apache configuration; check that it did):<\/p>\n<pre>cd \/usr\/src\r\nwget http:\/\/www.zdziarski.com\/blog\/wp-content\/uploads\/2010\/02\/mod_evasive_1.10.1.tar.gz\r\ntar xzf mod_evasive_1.10.1.tar.gz\r\ncd mod_evasive\r\napxs -cia mod_evasive20.c<\/pre>\n<p>You&#8217;ll then need to add the mod_evasive configuration to your Apache configuration file. 
First, find this section:<\/p>\n<p><strong>File:<\/strong> <em>\/etc\/apache2\/apache2.conf (Debian \/ Ubuntu)<\/em><\/p>\n<div>\n<pre># Include module configuration:\r\nInclude mods-enabled\/*.load\r\nInclude mods-enabled\/*.conf<\/pre>\n<\/div>\n<p><strong>File:<\/strong> <em>\/etc\/httpd\/conf\/httpd.conf (CentOS \/ Fedora)<\/em><\/p>\n<div>\n<pre>LoadModule evasive20_module   \/usr\/lib\/httpd\/modules\/mod_evasive20.so<\/pre>\n<\/div>\n<p>Below those sections, add the mod_evasive configuration:<\/p>\n<p><strong>File excerpt:<\/strong> <em>mod_evasive configuration<\/em><\/p>\n<div>\n<pre>&lt;IfModule mod_evasive20.c&gt;\r\nDOSHashTableSize    3097\r\nDOSPageCount        2\r\nDOSSiteCount        50\r\nDOSPageInterval     1\r\nDOSSiteInterval     1\r\nDOSBlockingPeriod   60\r\nDOSEmailNotify test@rmohan.com\r\n&lt;\/IfModule&gt;<\/pre>\n<\/div>\n<p>DOSPageCount 2 inside a one-second interval is aggressive: a fast double-click or repeated refresh of one URL trips it, so watch the access log for 403 responses to legitimate clients before keeping it that low. DOSEmailNotify only does anything if a local \/bin\/mail is installed and can actually deliver.<\/p>\n<p>Run a syntax check first (apachectl configtest; apache2ctl on Debian \/ Ubuntu), then restart Apache for your changes to take effect:<\/p>\n<p>Debian \/ Ubuntu:<\/p>\n<pre>\/etc\/init.d\/apache2 restart<\/pre>\n<p>CentOS \/ Fedora:<\/p>\n<pre>\/etc\/init.d\/httpd restart<\/pre>\n<\/div>\n<div id=\"sph_mod-evasive-configuration-options\">\n<h1><a href=\"http:\/\/library.linode.com\/web-servers\/apache\/mod-evasive#sph_id3\">mod_evasive Configuration Options<\/a><\/h1>\n<p>These configuration option descriptions were taken directly from the README file packaged with the mod_evasive tarball you downloaded during installation.<\/p>\n<div id=\"sph_doshashtablesize\">\n<h2><a href=\"http:\/\/library.linode.com\/web-servers\/apache\/mod-evasive#sph_id4\">DOSHashTableSize<\/a><\/h2>\n<p>The hash table size defines the number of top-level nodes for each child&#8217;s hash table. Increasing this number will provide faster performance by decreasing the number of iterations required to get to the record, but consume more memory for table space. You should increase this if you have a busy web server. 
The value you specify will automatically be tiered up to the next prime number in the primes list (see mod_evasive.c for a list of primes used).<\/p>\n<\/div>\n<div id=\"sph_dospagecount\">\n<h2><a href=\"http:\/\/library.linode.com\/web-servers\/apache\/mod-evasive#sph_id5\">DOSPageCount<\/a><\/h2>\n<p>This is the threshold for the number of requests for the same page (or URI) per page interval. Once the threshold for that interval has been exceeded, the IP address of the client will be added to the blocking list.<\/p>\n<\/div>\n<div id=\"sph_dossitecount\">\n<h2><a href=\"http:\/\/library.linode.com\/web-servers\/apache\/mod-evasive#sph_id6\">DOSSiteCount<\/a><\/h2>\n<p>This is the threshold for the total number of requests for any object by the same client on the same listener per site interval. Once the threshold for that interval has been exceeded, the IP address of the client will be added to the blocking list.<\/p>\n<\/div>\n<div id=\"sph_dospageinterval\">\n<h2><a href=\"http:\/\/library.linode.com\/web-servers\/apache\/mod-evasive#sph_id7\">DOSPageInterval<\/a><\/h2>\n<p>The interval for the page count threshold; defaults to 1 second intervals.<\/p>\n<\/div>\n<div id=\"sph_dossiteinterval\">\n<h2><a href=\"http:\/\/library.linode.com\/web-servers\/apache\/mod-evasive#sph_id8\">DOSSiteInterval<\/a><\/h2>\n<p>The interval for the site count threshold; defaults to 1 second intervals.<\/p>\n<\/div>\n<div id=\"sph_dosblockingperiod\">\n<h2><a href=\"http:\/\/library.linode.com\/web-servers\/apache\/mod-evasive#sph_id9\">DOSBlockingPeriod<\/a><\/h2>\n<p>The blocking period is the amount of time (in seconds) that a client will be blocked for if they are added to the blocking list. During this time, all subsequent requests from the client will result in a 403 (Forbidden) and the timer being reset (e.g. another 10 seconds with DOSBlockingPeriod 10). 
Since the timer is reset for every subsequent request, it is not necessary to have a long blocking period; in the event of a DoS attack, this timer will keep getting reset.<\/p>\n<\/div>\n<div id=\"sph_dosemailnotify\">\n<h2><a href=\"http:\/\/library.linode.com\/web-servers\/apache\/mod-evasive#sph_id10\">DOSEmailNotify<\/a><\/h2>\n<p>If this value is set, an email will be sent to the address specified whenever an IP address becomes blacklisted. A locking mechanism using \/tmp prevents continuous emails from being sent.<\/p>\n<dl>\n<dt>NOTE: Be sure MAILER is set correctly in mod_evasive.c<\/dt>\n<dd>(or mod_evasive20.c). The default is &#8220;\/bin\/mail -t %s&#8221; where %s is used to denote the destination email address set in the configuration. If you are running on Linux or some other operating system with a different type of mailer, you&#8217;ll need to change this.<\/dd>\n<\/dl>\n<\/div>\n<div id=\"sph_dossystemcommand\">\n<h2><a href=\"http:\/\/library.linode.com\/web-servers\/apache\/mod-evasive#sph_id11\">DOSSystemCommand<\/a><\/h2>\n<p>If this value is set, the system command specified will be executed whenever an IP address becomes blacklisted. This is designed to enable system calls to ip filter or other tools. A locking mechanism using \/tmp prevents continuous system calls. Use %s to denote the IP address of the blacklisted IP. The command runs as the unprivileged Apache worker user, so changing the firewall normally needs a sudo or su rule scoped to that one command; the address substituted for %s is the client address as Apache saw it, which behind a reverse proxy or load balancer is the proxy, not the attacker.<\/p>\n<\/div>\n<div id=\"sph_doslogdir\">\n<h2><a href=\"http:\/\/library.linode.com\/web-servers\/apache\/mod-evasive#sph_id12\">DOSLogDir<\/a><\/h2>\n<p>Choose an alternative temp directory.<\/p>\n<p>By default &#8220;\/tmp&#8221; will be used for the locking mechanism, which opens some security issues if your system is open to shell users. 
In the event you have nonprivileged shell users, you&#8217;ll want to create a directory writable only to the user Apache is running as (the unprivileged worker user, typically www-data on Debian \/ Ubuntu or apache on CentOS \/ Fedora; the module runs inside the child processes, never as root), then set this in your httpd.conf. The lock is a per-address file named after the client IP, so a local user who can create files in a world-writable \/tmp can pre-create it and suppress the email and DOSSystemCommand actions for an address of their choosing; that is the issue the default opens.<\/p>\n<\/div>\n<div id=\"sph_whitelisting-ip-addresses\">\n<h2><a href=\"http:\/\/library.linode.com\/web-servers\/apache\/mod-evasive#sph_id13\">Whitelisting IP Addresses<\/a><\/h2>\n<p>IP addresses of trusted clients can be whitelisted to ensure they are never denied. The purpose of whitelisting is to protect software, scripts, local searchbots, or other automated tools from being denied for requesting large amounts of data from the server. Whitelisting should <em>not<\/em> be used to add customer lists or anything of the sort, as this will open the server to abuse. This module is very difficult to trigger without performing some type of malicious attack, and for that reason it is more appropriate to allow the module to decide on its own whether or not an individual customer should be blocked.<\/p>\n<p>To whitelist an address (or range) add an entry to the Apache configuration in the following fashion:<\/p>\n<pre>DOSWhitelist 127.0.0.1\r\nDOSWhitelist 127.0.0.*<\/pre>\n<p>Wildcards can be used on up to the last 3 octets if necessary. 
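<\/p>
<p>The thresholds and the blocking timer interact in a way that is easier to see in code. The Python model below is an added example, not code from the mod_evasive project (the real module is C and keeps one hash table per Apache child): it applies the README rules described above, DOSPageCount per DOSPageInterval, DOSSiteCount per DOSSiteInterval, DOSBlockingPeriod with the timer restarted by every request that arrives while blocked, and DOSWhitelist with wildcards in the last three octets, to a request stream. The client addresses, URIs and timestamps in it are constructed for the demonstration.<\/p>

```python
"""Model of mod_evasive's blocking rules.

Added example, not code from the mod_evasive project: the real module is C
and keeps a hash table per Apache child. This reproduces the README rules
over a constructed request stream so the thresholds can be reasoned about.
"""
from dataclasses import dataclass


@dataclass
class EvasiveConfig:
    page_count: int = 2          # DOSPageCount: hits on one URI per page_interval
    site_count: int = 50         # DOSSiteCount: hits on anything per site_interval
    page_interval: float = 1.0   # DOSPageInterval, seconds
    site_interval: float = 1.0   # DOSSiteInterval, seconds
    blocking_period: float = 10  # DOSBlockingPeriod, seconds
    whitelist: tuple = ()        # DOSWhitelist entries, e.g. "127.0.0.1", "10.0.0.*"


def whitelisted(ip: str, patterns) -> bool:
    """DOSWhitelist match: exact octets, '*' allowed only in the last three."""
    octets = ip.split(".")
    if len(octets) != 4:
        return False
    for pat in patterns:
        parts = pat.split(".")
        if len(parts) == 4 and all(
            p == o or (p == "*" and i > 0) for i, (p, o) in enumerate(zip(parts, octets))
        ):
            return True
    return False


class Evasive:
    def __init__(self, cfg: EvasiveConfig):
        self.cfg = cfg
        self.page_hits = {}  # (ip, uri) -> (window_start, count)
        self.site_hits = {}  # ip -> (window_start, count)
        self.blocked = {}    # ip -> time of the last request seen while blocked

    @staticmethod
    def _count(table, key, now, interval, limit):
        """Count one hit in a fixed window; True once the window exceeds the limit."""
        start, count = table.get(key, (now, 0))
        if now - start >= interval:
            start, count = now, 0  # interval elapsed: start a fresh window
        count += 1
        table[key] = (start, count)
        return count > limit

    def request(self, ip: str, uri: str, now: float) -> int:
        """Return the status mod_evasive would give this request: 200 or 403."""
        if whitelisted(ip, self.cfg.whitelist):
            return 200
        last = self.blocked.get(ip)
        if last is not None:
            if now - last < self.cfg.blocking_period:
                self.blocked[ip] = now  # every blocked hit restarts the timer
                return 403
            del self.blocked[ip]        # quiet for a full period: unblock
        page_over = self._count(self.page_hits, (ip, uri), now,
                                self.cfg.page_interval, self.cfg.page_count)
        site_over = self._count(self.site_hits, ip, now,
                                self.cfg.site_interval, self.cfg.site_count)
        if page_over or site_over:
            self.blocked[ip] = now
            return 403
        return 200


def simulate(cfg: EvasiveConfig, stream):
    """Feed (time, ip, uri) tuples in order; return the list of status codes."""
    ev = Evasive(cfg)
    return [ev.request(ip, uri, t) for t, ip, uri in stream]


def demo():
    """Constructed stream: one client refreshes a page, a whitelisted host hammers."""
    cfg = EvasiveConfig(page_count=2, site_count=50, blocking_period=10,
                        whitelist=("127.0.0.1", "10.0.0.*"))
    stream = [
        (0.0, "198.51.100.7", "/index.html"),
        (0.1, "198.51.100.7", "/index.html"),
        (0.2, "198.51.100.7", "/index.html"),   # third hit in 1 s: blocked
        (0.3, "198.51.100.7", "/index.html"),   # blocked, timer restarts at 0.3
        (10.2, "198.51.100.7", "/index.html"),  # only 9.9 s since 0.3: still blocked
        (21.0, "198.51.100.7", "/index.html"),  # quiet for > 10 s: served again
        (21.1, "10.0.0.5", "/index.html"),      # whitelisted, never counted
    ]
    return simulate(cfg, stream)


if __name__ == "__main__":
    print(demo())  # [200, 200, 403, 403, 403, 200, 200]
```

<p>Run it and the third hit on the same URI inside one second returns 403, the hit at t=10.2 is still 403 because the blocked hit at t=0.3 restarted the 10-second timer, and only the request at t=21 gets through again; the whitelisted 10.0.0.5 is never counted at all. That restart is why the README says a long DOSBlockingPeriod buys nothing against a client that keeps hammering, and why a client that backs off is unblocked quickly.<\/p>
<p>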
Multiple DOSWhitelist commands may be used in the configuration.<\/p>\n<\/div>\n<\/div>\n<h1>Protecting Apache against DOS attack with mod_evasive<\/h1>\n<h2>Novell Cool Solutions: Feature<\/h2>\n<p><strong>Problem:<\/strong><\/p>\n<p>Having users constantly making HTTP requests to slow your server down and possibly causing a DOS (Denial Of Service) attack.<\/p>\n<p><strong>Solution:<\/strong><\/p>\n<p>Deploy the mod_evasive module.<\/p>\n<p><strong>Environment Factors:<\/strong><\/p>\n<p>This article was tested on SUSE Linux Enterprise Server SP1.<\/p>\n<h3>Protecting Apache against DOS attack with mod_evasive<\/h3>\n<p>The Apache web server is the most popular web server on the Internet today holding a &#8220;52.65% market share for top servers across all domains August 1995 &#8211; July 2007&#8221; (Netcraft, 2007). The Apache module &#8220;mod_evasive&#8221; is an excellent module which helps defend against malicious users trying to perform HTTP DoS (Denial of Service) attacks and also helps protect against brute force attacks.<\/p>\n<p>The &#8220;mod_evasive&#8221; module detects attacks using three different methods: 1) requesting the same page more than a few times per second, 2) making more than 50 concurrent requests on the same child per second and 3) making any requests while temporarily blacklisted.<\/p>\n<h3>Mod_evasive<\/h3>\n<p>The first step to installing mod_evasive is to download the source code from [2] website. 
Once you have downloaded the source file you will need to unpack the compressed archive using the &#8220;tar&#8221; utility as shown in Figure 1.<\/p>\n<pre>Linux-w2mu:~# <strong>tar zvxf mod_evasive_1.10.1.tar.gz<\/strong><\/pre>\n<p><em>Figure 1: Unpacking mod_evasive.<\/em><\/p>\n<p>Once mod_evasive has been unpacked, change into the directory that contains the source code, as we will need to compile the &#8220;mod_evasive20.c&#8221; file. Before you compile the source code you will need to install some dependencies that mod_evasive relies on.<\/p>\n<p><strong><em>mod_evasive dependencies<\/em><\/strong><\/p>\n<p>The dependencies that mod_evasive requires are listed in Table 1; you can install these dependencies off the SUSE Linux Enterprise Server CD\/DVD.<\/p>\n<table width=\"100%\" border=\"1\" cellspacing=\"0\" cellpadding=\"2\">\n<tbody>\n<tr>\n<td><strong>Dependency<\/strong><\/td>\n<td><strong>Summary<\/strong><\/td>\n<\/tr>\n<tr>\n<td>apache2-devel<\/td>\n<td>Header and Include Files<\/td>\n<\/tr>\n<tr>\n<td>apache2-prefork<\/td>\n<td>&#8220;prefork&#8221; MPM (Multi-Processing Module)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><em>Table 1: Mod_evasive dependencies.<\/em><\/p>\n<p>Once you have installed all the dependencies listed in Table 1 and unpacked the source code, you can begin to compile the &#8220;<em>mod_evasive20.c<\/em>&#8221; file with the &#8220;<strong>apxs2<\/strong>&#8221; command as shown in Figure 1.1.<\/p>\n<pre>Linux-w2mu:~# <strong>apxs2 -ci mod_evasive20.c<\/strong>\r\n\/usr\/lib\/apr-1\/build\/libtool --silent --mode=compile gcc -prefer-pic -O2 -march=i586 -mtune=i686 -fmessage-length=0 -Wall -D_FORTIFY_SOURCE=2 -g -fPIC -Wall -fno-strict-aliasing -DLDAP_DEPRECATED -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE -D_LARGEFILE64_SOURCE -DAP_DEBUG -pthread -I\/usr\/include\/apache2  -I\/usr\/include 
-I\/usr\/include\/apr-1   -c -o mod_evasive20.lo mod_evasive20.c &amp;&amp; touch mod_evasive20.slo\r\n...\r\n...<\/pre>\n<p><em>Figure 1.1: Compiling mod_evasive for Apache 2.<\/em><\/p>\n<h3>Enabling mod_evasive<\/h3>\n<p>Once you have compiled the mod_evasive module you will need the module to load when Apache is started or restarted. The file that needs to be modified is &#8220;<em>\/etc\/sysconfig\/apache2<\/em>&#8221; and the directive that needs to be altered is &#8220;APACHE_MODULES=&#8221;, as it needs to include the mod_evasive20 module, as shown in Figure 2.<\/p>\n<pre>...\r\nAPACHE_MODULES=\"<strong>mod_evasive20<\/strong> actions alias auth_basic authn_file authz_host authz_groupfile authz_default authz_user authn_dbm autoindex cgi dir env expires include log_config mime negotiation setenvif ssl suexec userdir php5\"\r\n...<\/pre>\n<p><em>Figure 2: Altered \/etc\/sysconfig\/apache2 configuration file.<\/em><\/p>\n<p>Once you have modified the &#8220;\/etc\/sysconfig\/apache2&#8221; configuration file you will need to check the Apache syntax using the &#8220;service&#8221; command as shown in Figure 2.1.<\/p>\n<pre>Linux-w2mu:~# <strong>service apache2 configtest<\/strong>\r\nSyntax OK<\/pre>\n<p><em>Figure 2.1: Verifying the syntax is OK.<\/em><\/p>\n<h3>Mod_evasive configuration<\/h3>\n<p>Once you have modified the &#8220;<em>\/etc\/sysconfig\/apache2<\/em>&#8221; configuration file you will need to create a configuration file for the mod_evasive module. 
In the &#8220;\/etc\/apache2&#8221; directory you will need to create a file called &#8220;<em>mod_evasive.conf<\/em>&#8221; with the following or similar content, shown in Figure 3.<\/p>\n<pre>&lt;IfModule mod_evasive20.c&gt;\r\n    DOSHashTableSize    3097\r\n    DOSPageCount        2\r\n    DOSSiteCount        50\r\n    DOSPageInterval     1\r\n    DOSSiteInterval     1\r\n    DOSBlockingPeriod   10\r\n&lt;\/IfModule&gt;<\/pre>\n<p><em>Figure 3: mod_evasive.conf<\/em><\/p>\n<p>The key pairs that are used in the &#8220;mod_evasive.conf&#8221; configuration file are listed in Table 2 along with a description.<\/p>\n<table width=\"100%\" border=\"1\" cellspacing=\"0\" cellpadding=\"2\">\n<tbody>\n<tr>\n<td><strong>Key<\/strong><\/td>\n<td><strong>Description<\/strong><\/td>\n<\/tr>\n<tr valign=\"top\">\n<td>DOSHashTableSize<\/td>\n<td>The hash table size defines the number of top-level nodes for each child&#8217;s hash table. Increasing this number will provide faster performance by decreasing the number of iterations required to get to the record, but consume more memory for table space.<\/td>\n<\/tr>\n<tr valign=\"top\">\n<td>DOSPageCount<\/td>\n<td>This is the threshold for the number of requests for the same page (or URI) per page interval. 
Once the threshold for that interval has been exceeded, the IP address of the client will be added to the blocking list.<\/td>\n<\/tr>\n<tr valign=\"top\">\n<td>DOSSiteCount<\/td>\n<td>This is the threshold for the total number of requests for any object by the same client on the same listener per site interval.<\/td>\n<\/tr>\n<tr valign=\"top\">\n<td>DOSPageInterval<\/td>\n<td>The interval for the page count threshold; defaults to 1 second intervals.<\/td>\n<\/tr>\n<tr valign=\"top\">\n<td>DOSSiteInterval<\/td>\n<td>The interval for the site count threshold; defaults to 1 second intervals.<\/td>\n<\/tr>\n<tr valign=\"top\">\n<td>DOSBlockingPeriod<\/td>\n<td>The blocking period is the amount of time (in seconds) that a client will be blocked for if they are added to the blocking list. During this time, all subsequent requests from the client will result in a 403 (Forbidden) and the timer being reset (e.g. another 10 seconds).<\/td>\n<\/tr>\n<tr valign=\"top\">\n<td>DOSEmailNotify<\/td>\n<td>If this value is set, an email will be sent to the address specified whenever an IP address becomes blacklisted. A locking mechanism using \/tmp prevents continuous emails from being sent.<\/td>\n<\/tr>\n<tr valign=\"top\">\n<td>DOSSystemCommand<\/td>\n<td>If this value is set, the system command specified will be executed whenever an IP address becomes blacklisted. This is designed to enable system calls to ip filter or other tools.<\/td>\n<\/tr>\n<tr valign=\"top\">\n<td>DOSLogDir<\/td>\n<td>Choose an alternative temp directory; the default is \/tmp.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><em>Table 2: Mod_evasive key pairs.<\/em><\/p>\n<p>Once you are happy with your &#8220;<em>mod_evasive.conf<\/em>&#8221; configuration file you can restart the Apache web server and test your new configuration. There are two methods of checking that mod_evasive is functioning correctly. 
The first method is to run the &#8220;<em>test.pl<\/em>&#8221; file in the mod_evasive directory as shown in Figure 3.1.<\/p>\n<pre>Linux-w2mu:~# <strong>perl test.pl<\/strong>\r\nHTTP\/1.1 200 OK\r\nHTTP\/1.1 200 OK\r\nHTTP\/1.1 200 OK\r\nHTTP\/1.1 200 OK\r\nHTTP\/1.1 403 Forbidden\r\nHTTP\/1.1 403 Forbidden\r\n...\r\n...<\/pre>\n<p><em>Figure 3.1: Checking mod_evasive.<\/em><\/p>\n<p>The second method to check that mod_evasive is functioning correctly is to connect to your web server and hit the refresh button very fast; you should be presented with a &#8220;403 Forbidden&#8221; message.<\/p>\n<h3>Final Thoughts<\/h3>\n<p>Now that you have installed and configured mod_evasive, your Apache web server should be able to defend against HTTP DOS attacks and brute force attacks. I would also recommend placing offending IP addresses into your IP tables using the &#8220;DOSSystemCommand&#8221; key. The reason you should add the offending IP address into your IP tables is so they don&#8217;t even get to see the &#8220;403 Forbidden&#8221; message thus making your website look down. Keep in mind that a 403 still costs Apache a connection and a worker, whereas a firewall drop stops the traffic before it reaches the server; the trade-off is that, unlike the 403, which expires with DOSBlockingPeriod, a firewall rule stays until something removes it.<\/li>\n<li>\n<h3>Securing Apache against HTTP DoS and\/or Brute Force attacks<\/h3>\n<p>There are some native Apache directives that can be configured to help mitigate the effects of a Denial of Service (DoS) attack. The directives include <strong>Timeout<\/strong>, <strong>KeepAlive<\/strong>, and <strong>KeepAliveTimeout<\/strong>.<\/p>\n<h4>TimeOut<\/h4>\n<p>One way of attacking web servers is to try and exhaust the target system&#8217;s resources by opening multiple connections and then never closing them. 
The more connections the server has open at once, the more resources are tied up holding details of those connections, which can lead to increased load and eventually to the server running out of resources.<\/p>\n<p>The <em>TimeOut<\/em> directive tells the server how long to wait to receive a GET request, the amount of time between receipt of TCP packets on a POST or PUT request, or the amount of time between ACKs on transmissions of TCP packets in responses. It is not a cap on the total lifetime of a request: it bounds each individual wait for the client, so a client that sends one more byte just before every deadline can still hold a worker for a long time, which is exactly what slow-request attacks exploit.<\/p>\n<p>In order to prevent a DoS attack from shutting down our web server, we need to change the default setting of 300 (which is 5 minutes, the Apache 2.2 default; 2.4 already defaults to 60) to something more reasonable such as 60 (which is 1 minute). You may even adjust this setting to be lower than 60. Think about this for a minute.<\/p>\n<p><strong>KeepAlive<\/strong><br \/>\nHow many individual graphics files do you think there are in the average web page? Last check on the Amazon.com home page showed approximately 58 graphics files (gif and jpg) being referenced. Now imagine if your web browser had to create a brand-new connection for every one of those files. The overhead associated with initializing the HTTP connection would increase the time to fully load a web page significantly. This is where the concept of <em>KeepAlives<\/em> and \u201c<em>pipelining<\/em>\u201d web requests came from. The idea is simple: to allow multiple requests from the same client to utilize the same established HTTP connection. Efficient use of this capability dramatically decreases the amount of time it takes to fully download and display a web page. 
It is for this reason that the <em>KeepAlive<\/em> directive should be turned on.<\/p>\n<p><strong>KeepAliveTimeout<\/strong><br \/>\nMuch in the same way that the <em>Timeout<\/em> directive limits how long Apache waits on the connection within a request, the <em>KeepAliveTimeout<\/em> directive will expire a socket after the designated amount of time. The difference between the <em>Timeout<\/em> and the <em>KeepAliveTimeout<\/em> directives is that the timeout setting bounds each wait for data while a request is being received or answered, and the <em>KeepAliveTimeout<\/em> directive states how long the server will wait for a subsequent request from the client on an idle persistent connection. This means that the <em>KeepAliveTimeout<\/em> setting should always be less than the <em>Timeout<\/em> setting. The default setting for <em>KeepAliveTimeout<\/em> is 15 seconds in Apache 2.2 (5 seconds in 2.4), which is reasonable; however, you could lower this just a bit if desired.<\/p>\n<p>While these directives help with the performance of Apache and will lessen the impact of a DoS attack, there is another third-party module that is extremely effective.<\/p>\n<p><strong>mod_evasive<\/strong> is an evasive maneuvers module for Apache whose purpose is to react to HTTP DoS and\/or Brute Force attacks. It was developed by Jonathan Zdziarski.<\/p>\n<p>An additional capability of the module is that it is also able to execute system commands when DoS attacks are identified. 
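<\/p>
<p>A hook for that directive, as an added example (not part of mod_evasive, and not the configuration shown further down this page): it takes the address mod_evasive substitutes for %s, refuses anything that is not a plain IP address or that falls in loopback, link-local or a locally excluded range, and inserts an iptables DROP rule without going through a shell. The script path \/usr\/local\/sbin\/evasive-block, the NEVER_BLOCK ranges and the sudo wiring are assumptions made for the example; mod_evasive runs the command as the Apache worker user, which cannot change the firewall on its own, so the assumed sudoers entry grants that user this one script and nothing else.<\/p>

```python
#!/usr/bin/env python3
"""DOSSystemCommand hook: validate the address mod_evasive hands over, then
drop it in the host firewall.

Added example, not part of mod_evasive. Assumed (hypothetical) wiring:
    DOSSystemCommand "sudo /usr/local/sbin/evasive-block %s"
with a sudoers rule allowing the Apache worker user to run only that script.
"""
import ipaddress
import subprocess
import sys

# Ranges that must never be firewalled even if mod_evasive names them.
# Constructed for the example: mirror your DOSWhitelist and any upstream proxy here.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/24")]


def block_command(raw: str):
    """Return the iptables argv that blocks `raw`, or None to refuse it.

    Refusing is the safe default. mod_evasive expands %s into a shell command
    line, so anything that is not a bare IP address is rejected before it can
    reach the firewall. Loopback, link-local and NEVER_BLOCK addresses are
    refused too: behind a reverse proxy %s is the proxy's address, and blocking
    it is an outage, not a mitigation.
    """
    try:
        ip = ipaddress.ip_address(raw.strip())
    except ValueError:
        return None
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return None
    if any(ip in net for net in NEVER_BLOCK):
        return None
    tool = "iptables" if ip.version == 4 else "ip6tables"
    # -I puts the rule at the top of INPUT so it wins over any ACCEPT below it.
    return [tool, "-I", "INPUT", "-s", str(ip), "-j", "DROP"]


def main(argv) -> int:
    if len(argv) != 2:
        return 2
    cmd = block_command(argv[1])
    if cmd is None:
        return 1
    # argv is passed directly, no shell: the address cannot be reinterpreted.
    subprocess.run(cmd, check=True)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

<p>The rule this inserts never expires on its own, whereas the module&#8217;s own 403 stops after DOSBlockingPeriod; pair it with something that removes or flushes stale entries, and remember that the lock file in DOSLogDir means the command fires once per address, not on every blocked request.<\/p>
<p>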
This provides an interface to send attacking IP addresses to other security applications such as local host-based firewalls to block the offending IP address.<\/p>\n<p><strong>Installing mod_evasive on CentOS 5.3:<\/strong><\/p>\n<h5>(you can find many documents that explain how to install mod_evasive on other distributions)<\/h5>\n<pre><code># rpm -Uvh http:\/\/download.fedora.redhat.com\/pub\/epel\/5\/i386\/epel-release-5-3.noarch.rpm<\/code>\r\n# <code>yum install mod_evasive<\/code><\/pre>\n<p><strong>Configuring mod_evasive:<\/strong><\/p>\n<p>\/etc\/httpd\/conf.d\/mod_evasive.conf is the main configuration file for mod_evasive:<\/p>\n<pre>LoadModule evasive20_module modules\/mod_evasive20.so\r\n&lt;IfModule mod_evasive20.c&gt;\r\n    DOSHashTableSize    3097\r\n    DOSPageCount        5\r\n    DOSSiteCount        100\r\n    DOSPageInterval     1\r\n    DOSSiteInterval     1\r\n    DOSBlockingPeriod   10\r\n    DOSEmailNotify      nasser@mydomain.com\r\n    #DOSSystemCommand   \"su - someuser -c '\/sbin\/... %s ...'\"\r\n    DOSLogDir           \"\/var\/lock\/mod_evasive\"\r\n    #DOSWhitelist       127.0.0.1\r\n&lt;\/IfModule&gt;<\/pre>\n<p>We will now discuss each of the mod_evasive directives. Most of this information is taken directly from the README file of mod_evasive, so proper credit should be given to the developer of this module.<\/p>\n<p><strong>DOSHashTableSize<\/strong><\/p>\n<p>This directive specifies the number of top-level nodes for each apache child process\u2019s hash table. Increasing this number will provide faster performance by decreasing the number of iterations required to get to the record, but consume more memory for table space. 
You should increase this if you have a busy web server.<br \/>\n<strong> <\/strong><\/p>\n<p><strong>DOSPageCount<\/strong><\/p>\n<p>This is the threshold for the number of requests for the same page (or URI) per page interval. Once the threshold for that interval has been exceeded, the IP address of the client will be added to the blocking list.<br \/>\n<strong><\/strong><\/p>\n<p><strong>DOSSiteCount<\/strong><\/p>\n<p>This is the threshold for the total number of requests for any object by the same client on the same listener per site interval. Once the threshold for that interval has been exceeded, the IP address of the client will be added to the blocking list.<br \/>\n<strong><\/strong><\/p>\n<p><strong>DOSPageInterval<\/strong><\/p>\n<p>The interval for the page count threshold; defaults to 1 second intervals.<br \/>\n<strong><\/strong><\/p>\n<p><strong>DOSSiteInterval<\/strong><\/p>\n<p>The interval for the site count threshold; defaults to 1 second intervals.<br \/>\n<strong><\/strong><\/p>\n<p><strong>DOSBlockingPeriod<\/strong><\/p>\n<p>The blocking period is the amount of time (in seconds) that a client will be blocked for if they are added to the blocking list. During this time, all subsequent requests from the client will result in a 403 (Forbidden) and the timer being reset (e.g., another 10 seconds). Because the timer is reset for every subsequent request, it is not necessary to have a long blocking period; in the event of a DoS attack, this timer will keep getting reset.<br \/>\n<strong><\/strong><\/p>\n<p><strong>DOSEmailNotify<\/strong><\/p>\n<p>If this value is set, an email will be sent to the address specified whenever an IP address becomes blacklisted. 
A locking mechanism using \/var\/lock\/mod_evasive prevents continuous emails from being sent.<br \/>\nNote: Requires \/bin\/mail (provided by mailx)<\/p>\n<p><strong>DOSSystemCommand<\/strong><\/p>\n<p>If this value is set, the system command specified will be executed whenever an IP address becomes blacklisted. This is designed to enable system calls to ip filter or other tools. Use %s to denote the IP address of the blacklisted IP.<\/p>\n<p><strong>DOSLogDir<\/strong><\/p>\n<p>Choose an alternative temp directory. By default, \u201c\/tmp\u201d will be used for the locking mechanism, which opens some security issues if your system is open to shell users; refer to http:\/\/security.lss.hr\/index.php?page=details&amp;ID=LSS-2005-01-01. The directory named here must exist and be writable by the Apache worker user (apache on CentOS) and by nobody else; if the lock file cannot be created, the email and command hooks never fire, although the 403 blocking itself still works.<\/p>\n<p><strong>WhiteListing<\/strong><\/p>\n<p>IP addresses of trusted clients can be whitelisted to ensure they are never denied. The purpose of whitelisting is to protect software, scripts, local searchbots, or other automated tools from being denied for requesting large amounts of data from the server. Whitelisting should not be used to add customer lists or anything of the sort, as this will open the server to abuse. This module is very difficult to trigger without performing some type of malicious attack, and for that reason, it is more appropriate to allow the module to decide on its own whether or not an individual customer should be blocked.<\/p>\n<p>To whitelist an address (or range), add an entry to the Apache configuration in the following fashion:<\/p>\n<pre>DOSWhitelist    127.0.0.1\r\nDOSWhitelist    127.0.0.*<\/pre>\n<p>Wildcards can be used on up to the last three octets if necessary. Multiple DOSWhitelist commands may be used in the configuration.<\/p>\n<p><strong>Testing<\/strong><\/p>\n<p>mod_evasive comes with a Perl script called test.pl. 
Without editing the file, if you execute it, it will send 101 requests (query strings 0 through 100) for incrementing URLs to the localhost address on port 80. Each request opens a fresh connection and only the status line is printed, so the point where 200 turns into 403 shows where the block kicked in.<\/p>\n<pre>#!\/usr\/bin\/perl\r\n# test.pl: small script to test mod_evasive's effectiveness\r\nuse IO::Socket;\r\nuse strict;\r\n\r\nfor(0..100) {\r\n my($response);\r\n my($SOCKET) = new IO::Socket::INET( Proto   =&gt; \"tcp\",\r\n PeerAddr=&gt; \"127.0.0.1:80\");\r\n\r\n if (! defined $SOCKET) { die $!; }\r\n print $SOCKET \"GET \/?$_ HTTP\/1.0\\n\\n\";\r\n $response = &lt;$SOCKET&gt;;\r\n print $response;\r\n close($SOCKET);\r\n}<\/pre>\n<p>If you run the script, you should see output similar to the following:<\/p>\n<pre># .\/test.pl\r\nHTTP\/1.1 200 OK\r\nHTTP\/1.1 200 OK\r\nHTTP\/1.1 200 OK\r\nHTTP\/1.1 200 OK\r\nHTTP\/1.1 200 OK\r\nHTTP\/1.1 200 OK\r\nHTTP\/1.1 200 OK\r\nHTTP\/1.1 200 OK\r\nHTTP\/1.1 200 OK\r\nHTTP\/1.1 200 OK\r\nHTTP\/1.1 200 OK\r\nHTTP\/1.1 200 OK\r\nHTTP\/1.1 200 OK\r\nHTTP\/1.1 200 OK\r\nHTTP\/1.1 200 OK\r\nHTTP\/1.1 200 OK\r\nHTTP\/1.1 200 OK\r\nHTTP\/1.1 200 OK\r\nHTTP\/1.1 403 Forbidden\r\nHTTP\/1.1 403 Forbidden\r\nHTTP\/1.1 403 Forbidden\r\nHTTP\/1.1 403 Forbidden\r\nHTTP\/1.1 403 Forbidden\r\n\u2013CUT\u2013<\/pre><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>mod_evasive is an evasive maneuvers module for Apache that provides evasive action in the event of an HTTP DoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and more. 
mod_evasive presently reports abuse via email [&#8230;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[12],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/880"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=880"}],"version-history":[{"count":9,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/880\/revisions"}],"predecessor-version":[{"id":890,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/880\/revisions\/890"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=880"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=880"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=880"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}