Author Photo

Ahmer's SysAdmin Recipes is a blog for Linux System Administrators. This blog provides recipes for Installation & Configuration of Linux, Ubuntu, Oracle Database, MySQL, Apache, Nginx, Oracle Cloud Control, FreeIPA, Kerberos & OpenLDAP, Subversion, PXE, DevOps, etc. over Red Hat Enterprise Linux (RHEL), CentOS, Ubuntu and Windows.

Please give me your feedback and help me improve this blog. Please let me know If you want me to write on a specific topic.

Tuesday, 12 April 2016

Defend DOS, DDOS & Brute Force attacks with mod_evasive

Defend DOS, DDOS & Brute Force attacks with mod_evasiveThe mod_evasive is a module for Apache HTTP server, that protects Apache HTTP server against DoS (Denial of Service), DDoS (Distributed Denial of Service), and Brute Force attacks. It can take evasive actions during attacks and report abuses via email and syslog facilities.

The module works by maintaining an internal dynamic table of IP addresses and URIs as well as denying any single IP address for any of the following conditions:

  • Requesting the same page more than n times per second
  • Making more than n concurrent requests on the same child per second
  • Making any requests while temporarily blacklisted

If any of the above conditions are met, a 403 response is sent and the log has been generated for the IP address. Optionally, an email notification can be sent to the server owner or a system command can be run to block the IP address.

In this article, we will show you how to install and configure mod_evasive for Apache HTTP Server to defend DoS,DDoS and Brute Force attacks.

 

System Specification:

we have configured a Linux machine with following specification.

Operating System: CentOS 7.0
Web Server: Apache 2.4.6

 

Configure mod_evasive:

Check if mod_evasive is already installed.

[root@appserver ~]# httpd -M | grep evasive
Syntax OK

It shows that the mod_evasive is not installed on this machine.

mod_evasive is available on EPEL (Extra Packages for Enterprise Linux) Repository, therefore we should first add EPEL repository to yum.

[root@appserver ~]# wget http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
--2016-04-12 19:28:57--  http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
Connecting to 127.0.0.1:3128... connected.
Proxy request sent, awaiting response... 302 Found
Location: http://mirrors.nayatel.com/epel/6/x86_64/epel-release-6-8.noarch.rpm [following]
--2016-04-12 19:28:58--  http://mirrors.nayatel.com/epel/6/x86_64/epel-release-6-8.noarch.rpm
Connecting to 127.0.0.1:3128... connected.
Proxy request sent, awaiting response... 200 OK
Length: 14540 (14K) [application/octet-stream]
Saving to: “epel-release-6-8.noarch.rpm”

100%[===================================================================================================================>] 14,540      --.-K/s   in 0s

2016-04-12 19:28:58 (221 MB/s) - “epel-release-6-8.noarch.rpm” saved [14540/14540]

[root@appserver ~]# rpm -ivh epel-release-6-8.noarch.rpm
warning: epel-release-6-8.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID 0608b895: NOKEY
Preparing...                ########################################### [100%]
   1:epel-release           ########################################### [100%]
[root@appserver ~]#

Install mod_evasive using yum.

[root@appserver ~]# yum install mod_evasive
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos-hcm.viettelidc.com.vn
* epel: epel.mirror.net.in
* epel-testing: epel.mirror.net.in
* epel-testing-debuginfo: epel.mirror.net.in
* epel-testing-source: epel.mirror.net.in
* extras: centos.excellmedia.net
* updates: centos.excellmedia.net
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package mod_evasive.x86_64 0:1.10.1-10.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================================================================================================
Package                                 Arch                               Version                                   Repository                        Size
=============================================================================================================================================================
Installing:
mod_evasive                             x86_64                             1.10.1-10.el6                             epel                              24 k

Transaction Summary
=============================================================================================================================================================
Install       1 Package(s)

Total download size: 24 k
Installed size: 52 k
Is this ok [y/N]: y
Downloading Packages:
mod_evasive-1.10.1-10.el6.x86_64.rpm                                                                                                  |  24 kB     00:00
warning: rpmts_HdrFromFdno: Header V3 RSA/SHA256 Signature, key ID 0608b895: NOKEY
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
Importing GPG key 0x0608B895:
Userid : EPEL (6) <epel@fedoraproject.org>
Package: epel-release-6-8.noarch (installed)
From   : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
Is this ok [y/N]: y
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
  Installing : mod_evasive-1.10.1-10.el6.x86_64                                                                                                          1/1
  Verifying  : mod_evasive-1.10.1-10.el6.x86_64                                                                                                          1/1

Installed:
  mod_evasive.x86_64 0:1.10.1-10.el6

Complete!
[root@appserver ~]#

Create log directory for mod_evasive

[root@appserver ~]# mkdir -p /var/log/mod_evasive
[root@appserver ~]# chown -R apache:apache /var/log/mod_evasive

mod_evasive do not required any additional configuration and it works fine with default settings. However, it is a good practice to customize the following parameters in /etc/httpd/conf.d/mod_evasive.conf according to your Server's Traffic.

DOSEmailNotify      ahmer_mansoor@hotmail.com
DOSPageInterval     1
DOSPageCount        2
DOSSiteInterval     1
DOSSiteCount        50
DOSBlockingPeriod   60
DOSLogDir           "/var/log/mod_evasive"

Restart httpd Service to apply changes.

[root@appserver mod_evasive]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
[root@appserver mod_evasive]#

 

Test mod_evasive:

Check is mod_evasive module loaded now.

[root@appserver ~]# httpd -M | grep evasive
Syntax OK
evasive20_module (shared)
[root@appserver ~]#

A Perl script is provided with mod_evasive to generate the traffic to test the configurations.

[root@appserver html]# /usr/share/doc/mod_evasive-1.10.1/test.pl
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden

From the output, it is clear that the mod_evasive is blocking connections. You may play around with mod_evasive parameters to optimize it according to your Server Traffic.

mod_evasive has been configured and it is defending against DoS, DDoS and Brute Force attacks.

Defend DOS, DDOS & Brute Force attacks with mod_evasive


YOU MIGHT ALSO LIKE:

2 comments: