mod_evasive is an Apache module that protects against DoS, DDoS and brute-force attacks. It rejects requests that exceed the limits set in its configuration, which keeps the server from being overloaded by an attack.
Common types of attacks
mod_evasive
The module works with lists, of which there are two:
White List
Here you can specify IP addresses that are allowed to exceed the limits the module enforces. In principle, only trusted IPs, from which we do not expect an attack, should be added here.
Black List
This list is populated automatically by the module whenever an IP address exceeds the configured limits.
Installation
To install the module, you must issue the command:
Debian / Ubuntu:
apt-get install apache2-utils
CentOS / Fedora:
yum install httpd-devel
You can of course also install it manually by downloading the tar.gz.
Next you need to enable the module:
/etc/apache2/apache2.conf (Debian / Ubuntu)
# Include module configuration:
Include mods-enabled/*.load
Include mods-enabled/*.conf
/etc/httpd/conf/httpd.conf (CentOS / Fedora)
LoadModule evasive20_module /usr/lib/httpd/modules/mod_evasive20.so
Then configure the module directly below the line that enables it:
<IfModule mod_evasive20.c>
# optional directive (the default value is 1024)
DOSHashTableSize 1024
# mandatory directives
DOSPageCount 10
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 60
# plain address, without angle brackets
DOSEmailNotify someone@somewhere.com
</IfModule>
Restart Apache to apply the configuration changes.
Configuration
Let us look at each directive in detail:
DOSHashTableSize
Defaults to 1024; increase it if the server is very busy. It defines the number of nodes in each child's hash table.
DOSPageCount
Number of requests for the same page within the DOSPageInterval.
DOSSiteCount
Number of global requests for DOSPageInterval.
DOSPageInterval
Time interval in seconds. (Defaults to 1)
DOSBlockingPeriod
Period in seconds during which requests coming from a blacklisted IP are refused (with a 403). This period restarts at every request, including those answered with a 403.
DOSEmailNotify
Email notification of the ban.
DOSLogDir
Default "/tmp".
DOSWhitelist
Defines the whitelist: the IPs listed in it are never added to the blacklist. It is defined directly in apache.conf.
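How these directives interact, as an added example that is not part of the original article or of mod_evasive's own code: a simplified Python model of the per-IP page and site counters and the blocking period. The class and function names, the fixed counting window, the use of DOSSiteInterval (from the configuration block above) for the site counter, and the sample addresses are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class EvasiveModel:
    """Simplified model of the limits described above (not the module's source)."""
    page_count: int = 10        # DOSPageCount
    site_count: int = 50        # DOSSiteCount
    page_interval: int = 1      # DOSPageInterval, seconds
    site_interval: int = 1      # DOSSiteInterval, seconds
    blocking_period: int = 60   # DOSBlockingPeriod, seconds
    whitelist: frozenset = frozenset()           # DOSWhitelist (exact IPs only here)
    hits: dict = field(default_factory=dict)     # key -> (window start, count)
    blocked: dict = field(default_factory=dict)  # ip -> time of last refused request

    def _over(self, key, now, interval, limit):
        start, count = self.hits.get(key, (now, 0))
        if now - start >= interval:   # window expired: start counting again
            start, count = now, 0
        count += 1
        self.hits[key] = (start, count)
        return count > limit

    def request(self, ip, uri, now):
        """Return the status this model gives the request: 200 or 403."""
        if ip in self.whitelist:      # whitelisted IPs are never counted or blocked
            return 200
        last = self.blocked.get(ip)
        if last is not None and now - last < self.blocking_period:
            self.blocked[ip] = now    # each request while blocked restarts the period
            return 403
        page = self._over((ip, uri), now, self.page_interval, self.page_count)
        site = self._over((ip, "SITE"), now, self.site_interval, self.site_count)
        if page or site:
            self.blocked[ip] = now    # the IP enters the blacklist
            return 403
        return 200

def demo():
    m = EvasiveModel(whitelist=frozenset({"192.0.2.10"}))
    # Constructed traffic: 12 requests for one page within the same second.
    burst = [m.request("198.51.100.7", "/login", now=0) for _ in range(12)]
    retry = m.request("198.51.100.7", "/", now=59)    # blocked, restarts the period
    later = m.request("198.51.100.7", "/", now=118)   # 59 s after the retry: blocked
    free = m.request("198.51.100.7", "/", now=178)    # 60 s of silence: allowed
    trusted = [m.request("192.0.2.10", "/login", now=0) for _ in range(12)]
    return burst, retry, later, free, trusted

if __name__ == "__main__":
    print(demo())
```

The run shows why a client that keeps retrying stays blocked: the block only ends after a full DOSBlockingPeriod with no requests at all from that IP.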
I hope I have been thorough; leave a comment!