The mod_evasive Apache module takes evasive action at the time of a DDoS attack or a BruteForce attack and protect Apache from these types of attacks. It gives reports by email or logging facility. This module restrict the concurrent connections from an IP and blacklist if necessary. To configure mod_evasive on centos 7 server, Please follow the below steps.

1. Install EPEL yum repository packages. EPEL (Extra Packages for Enterprise Linux) is an open source and free community based repository project from Fedora team which provides 100% high quality add-on software packages for Linux distribution including RHEL (Red Hat Enterprise Linux), CentOS and Scientific Linux. To activate EPEL on server, execute the below commands in the terminal.

#wget http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
# rpm -ivh epel-release-latest-7.noarch.rpm

2. Install mod_evasive module using below command

#yum install mod_evasive -y

3. Verify the installation is completed by opening the configuration file of the module

# cat /etc/httpd/conf.d/mod_evasive.conf

4. Next step is to ensure the module is properly loaded. Open the config files and ensure the below line appear on the top of the config file.

LoadModule evasive20_module modules/mod_evasive24.so

Then restart the httpd service and enter the below command.

# httpd -M | grep -Ei '(evasive)'  

If the module is loaded, you will see the below output.

evasive20_module (shared)

Mod_evasive config options

The module will be already configured with default values and if you want to alter the mod_evasive configuration open the configuration file mentioned below using any editor and make sure httpd service is restarted if the config file is altered

# vim  /etc/httpd/conf.d/mod_evasive.conf

Mod_evasive config options

Email alert: To enable email alert system , go to line number 48 and uncomment the below line and enter your email id in the required field. SO, The events will be automatically alerted via emails.

#DOSEmailNotify  [email protected]

DOSHashTableSize: The next option we are interested is the hash table size. The hash table size defines the number of top-level nodes for each child’s hash table. Increasing this number will provide faster performance by decreasing the number of iterations
required to get to the record, but consume more memory for table space. You should increase this if you have a busy web server.

DOSPageCount: This is the threshold for the number of requests for the same page (or URI) per page interval. Once the threshold for that interval has been exceeded, the IP address of the client will be added to the blocking list.

 #DOSPageCount  2

DOSSiteCount: This is the threshold for the total number of requests for any object by the same client on the same listener per site interval. Once the threshold for that interval has been exceeded, the IP address of the client will be added to the blocking list.

#DOSSiteCount  50

DOSPageInterval: The interval for the site count threshold; defaults to 1 second intervals.

#DOSPageInterval  1

DOSSiteInterval: The interval for the site count threshold; defaults to 1 second intervals.

#DOSSiteInterval  1

DOSBlockingPeriod: The blocking period is the amount of time (in seconds) that a client will be blocked for if they are added to the blocking list. During this time, all subsequent requests from the client will result in a 403 (Forbidden) and the timer being reset (e.g. another 10 seconds). Since the timer is reset for every subsequent request, it is not necessary to have a long blocking period; in the event of a DoS attack, this timer will keep getting reset.

#DOSBlockingPeriod  10

DOSSystemCommand: If this value is set, the system command specified will be executed whenever an IP address becomes blacklisted. This is designed to enable system calls to ip filter or other tools. A locking mechanism using /tmp prevents continuous system calls. Use %s to denote the IP address of the blacklisted IP.

 #DOSSystemCommand "su - someuser -c '/sbin/... %s ...'"

DOSLogDir: Choose an alternative temp directory, By default “/tmp” will be used for locking mechanism, which opens some security issues if your system is open to shell users. In the event you have nonprivileged shell users, you’ll want to create a directory writable only to the user Apache is running as (usually root), then set this in your httpd.conf.

 #DOSLogDir "/var/lock/mod_evasive"

Whitelist IP Addresses : This option is to whitelist certain IP addresses from blocking. You can also use wildcards up to the last 3 octets if necessary.

 #DOSWhitelist   127.0.0.1
 #DOSWhitelist   192.168.0.*

NB: The httpd service must be restarted after tweaking the configurations

Install mod_evasive in centos 7 with cpanel

The latest cpanel version(v68.0.29) yum repository already have the packages for mod_evasive. The only difference when installing the mod_evasive in a cpanel server is in the yum install command. The easyapache package for mod_evasive should be installed in the server. Please use the below command for installing mod_evasive in latest cpanel server. All other steps remain the same.

 yum install ea-apache24-mod_evasive.x86_64

That’s it. Secure servers are not a myth, it’s how a seasoned team configure it!

Thanks for dropping by. Ready for the next blog?

How to Install and configure FreeNAS

The post How to configure mod_evasive on CentOS 7 appeared first on Sysally.