Saturday, May 5, 2012

Install mod_evasive (DDoS protection tool) on a 64-bit Linux machine

mod_evasive is an evasive maneuvers module for Apache that takes evasive action in the event of an HTTP DoS or DDoS attack or a brute-force attack. It is also designed to be a detection tool, and can easily be configured to talk to ipchains, firewalls and routers.

[root@tester] updatedb; locate apxs | grep bin

/usr/local/apache/bin/apxs

cd /usr/local/src
wget http://www.sfr-fresh.com/unix/privat/mod_evasive_1.10.1.tar.gz
tar -zxvf mod_evasive_1.10.1.tar.gz
cd mod_evasive

[root@tester mod_evasive]# httpd -v
Server version: Apache/2.2.22 (Unix)
Server built:   Mar 22 2012 11:58:57

For Apache 2.0.x:

/usr/sbin/apxs -cia mod_evasive20.c   # compile, install and activate the module in Apache

Then add these directives to httpd.conf:
DOSHashTableSize 3097
DOSPageCount 6
DOSSiteCount 100
DOSPageInterval 2
DOSSiteInterval 2
DOSBlockingPeriod 600

For Apache 1.3.x:

/usr/local/apache/bin/apxs -cia mod_evasive.c   # compile, install and activate the module in Apache

Then add these directives to httpd.conf:
DOSHashTableSize 3097
DOSPageCount 6
DOSSiteCount 100
DOSPageInterval 2
DOSSiteInterval 2
DOSBlockingPeriod 600

[root@tester mod_evasive]# /usr/sbin/apxs -cia mod_evasive20.c


[root@tester mod_evasive]# chmod 755 /usr/lib/apache/mod_evasive20.so

[root@tester mod_evasive]#  grep -i evasive /etc/httpd/conf/httpd.conf
LoadModule evasive20_module   /usr/lib/apache/mod_evasive20.so

[root@tester mod_evasive]#  php -r 'phpinfo();' | grep -i evasive
PWD => /usr/local/src/mod_evasive
_SERVER["PWD"] => /usr/local/src/mod_evasive
_ENV["PWD"] => /usr/local/src/mod_evasive

vi /etc/httpd/conf/httpd.conf

# The IfModule name must match the compiled source file (mod_evasive20.c);
# with a different name the whole block is silently skipped.
<IfModule mod_evasive20.c>
DOSHashTableSize    3097
DOSPageCount        1
DOSSiteCount        50
DOSPageInterval     1
DOSSiteInterval     1
DOSBlockingPeriod   10
DOSEmailNotify      root
#  DOSSystemCommand    "su - someuser -c '/sbin/... %s ...'"
#  DOSLogDir           "/var/tmp/doslog"
# Leave this commented while testing, then uncomment once you are sure the module works
# DOSWhitelist    127.0.0.1
</IfModule>


Restart Apache:
/etc/init.d/httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                             [  OK  ]

Details of each directive:

DOSHashTableSize:

The hash table size defines the number of top-level nodes for each child's hash table. Increasing this number gives faster performance by decreasing the number of iterations required to get to the record, but consumes more memory for table space.

DOSPageCount:

This is the threshold for the number of requests for the same page (or URI) per page interval. Once the threshold for that interval has been exceeded, the IP address of the client will be added to the blocking list.

DOSSiteCount:

This is the threshold for the total number of requests for any object by the same client on the same listener per site interval.

DOSPageInterval:

The interval for the page count threshold; defaults to 1 second intervals.

DOSSiteInterval:

The interval for the site count threshold; defaults to 1 second intervals.

DOSBlockingPeriod:

The blocking period is the amount of time (in seconds) that a client will be blocked for if they are added to the blocking list. During this time, all subsequent requests from the client will result in a 403 (Forbidden) and the timer being reset (e.g. another 10 seconds).

DOSEmailNotify:

If this value is set, an email will be sent to the address specified whenever an IP address becomes blacklisted. A locking mechanism using /tmp prevents continuous emails from being sent.

DOSSystemCommand:

If this value is set, the system command specified will be executed whenever an IP address becomes blacklisted. This is designed to enable system calls to ip filter or other tools.

DOSLogDir:

Choose an alternative temp directory; the default is /tmp.
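To see how these directives interact before tuning them on a live server, here is an added example (my own code, not part of the original post and not the module's sources) that models the page/site counters and the blocking timer as the descriptions above state them, replaying a constructed request sequence against the testing values from the httpd.conf block. It assumes the simplified semantics written here; the real module's exact counting may differ by one hit.

```python
from dataclasses import dataclass

# Added model (not the module's own code) of the thresholds described above;
# directive values are taken from the httpd.conf block above (testing settings).
CONFIG = {"DOSPageCount": 1, "DOSSiteCount": 50, "DOSPageInterval": 1,
          "DOSSiteInterval": 1, "DOSBlockingPeriod": 10}

@dataclass
class Counter:
    count: int = 0      # hits seen in the current interval
    stamp: float = 0.0  # time of the last hit

class EvasiveModel:
    def __init__(self, cfg):
        self.cfg = cfg
        self.page = {}     # (ip, uri) -> Counter  (DOSPageCount / DOSPageInterval)
        self.site = {}     # ip -> Counter         (DOSSiteCount / DOSSiteInterval)
        self.blocked = {}  # ip -> time the block was last (re)started

    def _hit(self, table, key, now, interval):
        c = table.setdefault(key, Counter())
        if now - c.stamp >= interval:  # interval elapsed: start a new window
            c.count = 0
        c.stamp, c.count = now, c.count + 1
        return c.count

    def check(self, now, ip, uri):
        cfg = self.cfg
        # Client already on the blocking list: 403, and the blocking timer restarts.
        if ip in self.blocked and now - self.blocked[ip] < cfg["DOSBlockingPeriod"]:
            self.blocked[ip] = now
            return 403
        self.blocked.pop(ip, None)  # block expired (or never existed)
        page_hits = self._hit(self.page, (ip, uri), now, cfg["DOSPageInterval"])
        site_hits = self._hit(self.site, ip, now, cfg["DOSSiteInterval"])
        if page_hits > cfg["DOSPageCount"] or site_hits > cfg["DOSSiteCount"]:
            self.blocked[ip] = now  # threshold exceeded: add to the blocking list
            return 403
        return 200

def replay(requests, cfg=CONFIG):
    # requests: list of (seconds, client_ip, uri); returns one status per request
    model = EvasiveModel(cfg)
    return [model.check(t, ip, uri) for t, ip, uri in requests]

# Constructed traffic: one client loads index.html twice within a second, then
# keeps retrying during the block (each retry restarts the 10-second timer).
# replay(SAMPLE) -> [200, 200, 403, 403, 403, 200, 200]
SAMPLE = [(0.0, "10.0.0.5", "/index.html"), (0.3, "10.0.0.5", "/style.css"),
          (0.5, "10.0.0.5", "/index.html"), (5.0, "10.0.0.5", "/about.html"),
          (14.0, "10.0.0.5", "/about.html"), (25.0, "10.0.0.5", "/about.html"),
          (25.2, "10.0.0.9", "/index.html")]
```

Raising DOSPageCount to 2 lets the same sequence through untouched, which is the kind of difference worth checking before the whitelist line is uncommented on a production server.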
