Protect Apache Against Brute Force or DDoS Attacks Using Mod_Security and Mod_evasive Modules

Step 4: Configuring Mod_Evasive

mod_evasive is configured using directives in /etc/httpd/conf.d/mod_evasive.conf. Since there are no rules to update during a package upgrade, we don’t need a separate file to add customized directives, as opposed to mod_security.

The default mod_evasive.conf file has the following directives enabled (note that this file is heavily commented, so we have stripped out the comments to highlight the configuration directives below):

<IfModule mod_evasive24.c>
    DOSHashTableSize    3097
    DOSPageCount        2
    DOSSiteCount        50
    DOSPageInterval     1
    DOSSiteInterval     1
    DOSBlockingPeriod   10
</IfModule>

Explanation of the directives:

  1. DOSHashTableSize: This directive specifies the size of the hash table that is used to keep track of activity on a per-IP address basis. Increasing this number will provide a faster look up of the sites that the client has visited in the past, but may impact overall performance if it is set too high.
  2. DOSPageCount: Legitimate number of identical requests to a specific URI (for example, any file that is being served by Apache) that can be made by a visitor over the DOSPageInterval interval.
  3. DOSSiteCount: Similar to DOSPageCount, but refers to how many overall requests can be made to the entire site over the DOSSiteInterval interval.
  4. DOSBlockingPeriod: If a visitor exceeds the limits set by DOSSPageCount or DOSSiteCount, his source IP address will be blacklisted during the DOSBlockingPeriod amount of time. During DOSBlockingPeriod, any requests coming from that IP address will encounter a 403 Forbidden error.

Feel free to experiment with these values so that your web server will be able to handle the required amount and type of traffic.

Only a small caveat: if these values are not set properly, you run the risk of ending up blocking legitimate visitors.

You may also want to consider other useful directives:

DOSEmailNotify

If you have a mail server up and running, you can send out warning messages via Apache. Note that you will need to grant the apache user SELinux permission to send emails if SELinux is set to enforcing. You can do so by running

# setsebool -P httpd_can_sendmail 1

Next, add this directive in the mod_evasive.conf file with the rest of the other directives:

DOSEmailNotify [email protected]

If this value is set and your mail server is working properly, an email will be sent to the address specified whenever an IP address becomes blacklisted.

DOSSystemCommand

This needs a valid system command as argument,

DOSSystemCommand </command>

This directive specifies a command to be executed whenever an IP address becomes blacklisted. It is often used in conjunction with a shell script that adds a firewall rule to block further connections coming from that IP address.

Write a shell script that handles IP blacklisting at the firewall level

When an IP address becomes blacklisted, we need to block future connections coming from it. We will use the following shell script that performs this job. Create a directory named scripts-tecmint (or whatever name of your choice) in /usr/local/bin and a file called ban_ip.sh in that directory.

#!/bin/sh
# IP that will be blocked, as detected by mod_evasive
IP=$1
# Full path to iptables
IPTABLES="/sbin/iptables"
# mod_evasive lock directory
MOD_EVASIVE_LOGDIR=/var/log/mod_evasive
# Add the following firewall rule (block all traffic coming from $IP)
$IPTABLES -I INPUT -s $IP -j DROP
# Remove lock file for future checks
rm -f "$MOD_EVASIVE_LOGDIR"/dos-"$IP"

Our DOSSystemCommand directive should read as follows:

DOSSystemCommand "sudo /usr/local/bin/scripts-tecmint/ban_ip.sh %s"

In the line above, %s represents the offending IP as detected by mod_evasive.

Add the apache user to the sudoers file

Note that all of this just won’t work unless you to give permissions to user apache to run our script (and that script only!) without a terminal and password. As usual, you can just type visudo as root to access the /etc/sudoers file and then add the following 2 lines as shown in the image below:

apache ALL=NOPASSWD: /usr/local/bin/scripts-tecmint/ban_ip.sh
Defaults:apache !requiretty
Add Apache User to Sudoers

Add Apache User to Sudoers

IMPORTANT: As a default security policy, you can only run sudo in a terminal. Since in this case we need to use sudo without a tty, we have to comment out the line that is highlighted in the following image:

#Defaults requiretty
Disable tty for Sudo

Disable tty for Sudo

Finally, restart the web server:

# service httpd restart 		[On RHEL/CentOS 6 and Fedora 20-18]
# systemctl restart httpd 		[On RHEL/CentOS 7 and Fedora 21]

If You Appreciate What We Do Here On TecMint, You Should Consider:

TecMint is the fastest growing and most trusted community site for any kind of Linux Articles, Guides and Books on the web. Millions of people visit TecMint! to search or browse the thousands of published articles available FREELY to all.

If you like what you are reading, please consider buying us a coffee ( or 2 ) as a token of appreciation.

Support Us

We are thankful for your never ending support.

Gabriel Cánepa

Gabriel Cánepa is a GNU/Linux sysadmin and web developer from Villa Mercedes, San Luis, Argentina. He works for a worldwide leading consumer product company and takes great pleasure in using FOSS tools to increase productivity in all areas of his daily work.

Your name can also be listed here. Got a tip? Submit it here to become an TecMint author.

RedHat RHCE and RHCSA Certification Book
Linux Foundation LFCS and LFCE Certification Preparation Guide

You may also like...

133 Responses

  1. Malcolm Turnbull says:

    Gabriel,
    Thanks the mod_evasive stuff is really interesting – I might have a play with it…

    A true DDOS is pretty hard to handle but every little helps.

    We’ve noticed a big rise in brute force login attacks recently and made a blog about using ModSecurity to stop them: loadbalancer.org/blog/brute-force-login-modsecurity-waf

  2. helwi ahmad says:

    this tutorial for old version and you will found error if you use this version of tutorial.

  3. Sam says:

    Thank you for a perfect article.

    I did all the steps in tutorial but when I restart apache got the below error,

    AH00526: Syntax error on line 25 of /etc/httpd/crs/owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf:
    Error creating rule: Unknown variable: pk_ref)/

    so, what can i do!

  4. John says:

    Hi,

    I have a CentOS 7 / Plesk Onyx server with multiple PHP versions. How can I install these extensions on each PHP version (5.4, 5.6, 7.0, 7.1)?

    Thanks.

  5. Nguyen Hung says:

    I can’t do that. I can’t run below command, may be owsap update or upgrade. So can you fix some thing. Please!

    # wget https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master
    
  6. EVGA says:

    I think it doesn’t work well with CloudFlare. Have you try install vDDoS Protection Reverse Proxy from https://sourceforge.net/p/vddos-protection Layer 7 Filter Mitigate DOS, DDOS, SYN Floods, or HTTP Floods attack?

Got something to say? Join the discussion.

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.