{"id":348575,"date":"2021-10-05T14:58:18","date_gmt":"2021-10-05T11:58:18","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/how-to-configure-mod_evasive-for-apache-ddos-protection-cloudsavvy-it\/"},"modified":"2021-10-05T14:58:18","modified_gmt":"2021-10-05T11:58:18","slug":"how-to-configure-mod_evasive-for-apache-ddos-protection-cloudsavvy-it","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/how-to-configure-mod_evasive-for-apache-ddos-protection-cloudsavvy-it\/","title":{"rendered":"#How to Configure mod_evasive for Apache DDoS Protection \u2013 CloudSavvy IT"},"content":{"rendered":"<p><strong>&#8220;#How to Configure mod_evasive for Apache DDoS Protection \u2013 CloudSavvy IT&#8221;<\/strong><\/p>\n<div id=\"article-content-area\">\n<figure style=\"width: 1200px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"type:primaryImage size-full wp-image-14237\" 
srcset=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/09\/0ea95d67.jpg?width=398&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1 400w, https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/09\/0ea95d67.jpg?width=1198&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1 1200w\" sizes=\"auto, 400w, 1200w\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/09\/0ea95d67.jpg?width=1198&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"Graphic showing a padlock symbol with colours and technical graphics\" width=\"1200\" height=\"675\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><figcaption class=\"wp-caption-text\"><span class=\"type:primaryImage imagecredit\"><a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.shutterstock.com\/image-illustration\/cyber-security-data-protection-business-technology-1797753556\">Den Rise\/Shutterstock.com<\/a><\/span><\/figcaption><\/figure>\n<p>mod_evasive is an Apache module which helps defend your server against brute force and denial of service attacks. Setting up mod_evasive gives you a safety net to catch malicious actors before they can start degrading your server\u2019s performance.<\/p>\n<p>The module comes with several configuration parameters that let you define the number of concurrent requests a client can make in a set timeframe. Further requests will be blocked for a period after the limit is exceeded.<\/p>\n<h2 id=\"installing-mod_evasive\"><span class=\"ez-toc-section\" id=\"Installing_mod_evasive\"><\/span>Installing mod_evasive<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Installation steps vary depending on your operating system distribution and Apache release. For the most popular combination of Apache 2.4 on a Debian-based system, use the following steps. 
Instructions for building from source are also provided <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/github.com\/jzdziarski\/mod_evasive\">in the project\u2019s repository<\/a>.<\/p>\n<pre>apt update\napt install libapache2-mod-evasive<\/pre>\n<p>Installations via <code>apt<\/code> will enable the module automatically.<\/p>\n<p>You can check this using the <code>apachectl<\/code> utility:<\/p>\n<pre>apachectl -M | grep evasive<\/pre>\n<p>You should see the module\u2019s name displayed if it\u2019s active.<\/p>\n<h2 id=\"configuring-blocking-settings\"><span class=\"ez-toc-section\" id=\"Configuring_Blocking_Settings\"><\/span>Configuring Blocking Settings<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The mod_evasive configuration file can usually be found at <code>\/etc\/apache2\/mods-enabled\/evasive.conf<\/code>. It uses the same format as other Apache config files. A complete reference can be found in the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/github.com\/jzdziarski\/mod_evasive\"><code>mod_evasive<\/code> docs<\/a>.<\/p>\n<p>Here\u2019s an example configuration file with several customizations:<\/p>\n<pre>&lt;IfModule mod_evasive20.c&gt;\n    DOSPageCount 5\n    DOSSiteCount 10\n\n    DOSPageInterval 1\n    DOSSiteInterval 2\n\n    DOSBlockingPeriod 300\n\n    DOSEmailNotify user@example.com\n&lt;\/IfModule&gt;<\/pre>\n<p>mod_evasive distinguishes between requests for a <em>page<\/em> and requests for a <em>site<\/em>. You can set these two blocking factors independently of each other. This example will block clients which request the same URI five times in a one-second interval. A block will additionally be imposed on clients which request more than ten URIs from a single site within a two-second interval.<\/p>\n<p>When either of the limits is exceeded, the client will be blocked from making further requests for a period of five minutes (300 seconds). 
mod_evasive will send an email to <code>user@example.com<\/code> to report that the IP address has been blocked.<\/p>\n<p>mod_evasive also supports running an arbitrary system command when a limit is reached. This can be used to integrate the tool with your own application or firewall so you can record a block in your database. Set the <code>DOSSystemCommand<\/code> setting, using <code>%s<\/code> to denote the blocked IP address:<\/p>\n<pre>DOSSystemCommand \/app\/blacklisted_ip.php --ip=%s<\/pre>\n<h2 id=\"whitelisting-known-ips\"><span class=\"ez-toc-section\" id=\"Whitelisting_Known_IPs\"><\/span>Whitelisting Known IPs<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>mod_evasive supports a whitelist of known IPs to aid development and testing. Developers can sometimes create high request volumes while working on a server, whether intentionally or otherwise.<\/p>\n<p>Use the <code>DOSWhiteList<\/code> setting to specify IP address ranges to ignore. Limits will not be applied to any of these addresses.<\/p>\n<pre>DOSWhiteList 127.0.0.1\nDOSWhiteList 192.168.0.*<\/pre>\n<h2 id=\"how-does-it-work\"><span class=\"ez-toc-section\" id=\"How_Does_It_Work\"><\/span>How Does It Work?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>mod_evasive functions by maintaining a hash table of IP addresses and URIs in a temporary blacklist. The IP address and URI are hashed to create a key that can be used to check whether the client has requested the same page previously.<\/p>\n<p>A block occurs when a URI or site appears in the IP\u2019s hash table with greater frequency than you\u2019ve allowed. This results in a <code>403<\/code> status code being sent back to the client. 
The status is the only response the client will receive, minimizing the server resources needed to handle requests that are deemed to be spurious or malicious.<\/p>\n<p>Once a cap has been reached, the client must wait for the specified <code>DOSBlockingPeriod<\/code> before it can make another successful request. Trying again during the waiting period results in an even longer block being imposed. Other IP addresses continue to be admitted as usual and shouldn\u2019t experience disruption from the denial of service attempt.<\/p>\n<p>The module can cause a performance penalty on very active servers. It needs to record each request and check whether the IP has been blocked, or needs to be blocked. Busy servers with sufficient memory should increase the <code>DOSHashTableSize<\/code> setting to allow for a larger in-memory hash table. This reduces the time needed to look up an incoming IP against its other recent requests.<\/p>\n<pre>DOSHashTableSize 32768<\/pre>\n<h2 id=\"testing-your-installation\"><span class=\"ez-toc-section\" id=\"Testing_Your_Installation\"><\/span>Testing Your Installation<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The best way of testing mod_evasive is to launch a brief flood of requests to check how your server responds. 
With mod_evasive enabled correctly, you should quickly start seeing 403s and an email alert if it\u2019s configured.<\/p>\n<p>The <code>ab<\/code> command line tool can be used to initiate connections en masse:<\/p>\n<pre>ab -n 1000 -c 50 http:\/\/...<\/pre>\n<p>You should adjust the <code>-n<\/code> and <code>-c<\/code> parameters to suit your mod_evasive configuration and anticipated server impact:<\/p>\n<ul>\n<li><code>-n<\/code> \u2013 The total number of requests to make.<\/li>\n<li><code>-c<\/code> \u2013 The number of concurrent connections to open.<\/li>\n<\/ul>\n<p>The example above will send 1,000 requests in batches of 50.<\/p>\n<p><code>ab<\/code> is a powerful tool which could initiate a genuine denial of service attack. Make doubly sure you\u2019ve specified the correct server address before you send the requests!<\/p>\n<h2 id=\"summary\"><span class=\"ez-toc-section\" id=\"Summary\"><\/span>Summary<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>mod_evasive is a simple but effective module for preventing brute force attacks from impacting your server\u2019s operation. You can configure per-page and per-site limits that apply to each client attempting a connection. If the client ends up exceeding the limit, they\u2019ll receive a 403 and must wait out a temporary blocking period.<\/p>\n<p>As an administrator, you can opt in to receive email alerts when a new block is imposed. This keeps you informed of potential attacks and lets you monitor for false positives. You do need a functioning email stack on the server \u2013 mod_evasive sends using the system mail transfer agent.<\/p>\n<p>Finally, it\u2019s possible to integrate mod_evasive with other parts of your application by running a system command whenever an IP is blacklisted. 
This capability could be used to flag a database user, create an alert in a third-party monitoring tool, or relay the block to your other servers to protect additional parts of your infrastructure.\n<\/p><\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/www.cloudsavvyit.com\/14236\/how-to-configure-mod_evasive-for-apache-ddos-protection\/\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;#How to Configure mod_evasive for Apache DDoS Protection \u2013 CloudSavvy IT&#8221; Den Rise\/Shutterstock.com mod_evasive is an Apache module which helps defend your server against brute force and denial of service attacks. Setting up mod_evasive gives you a safety net to catch malicious actors before they can start degrading your server\u2019s performance. 
The module comes with&#8230;<\/p>\n","protected":false},"author":1,"featured_media":348576,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/09\/0ea95d67.jpg","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-348575","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/348575","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=348575"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/348575\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/348576"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=348575"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=348575"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=348575"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}