The Apache module mod_evasive is a tool designed to protect web servers from Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks. This module detects and blocks excessive requests to the server from one or more IP addresses, thus preventing server overload.
How mod_evasive Works
The mod_evasive module monitors the number of requests to the server from individual IP addresses within a given time interval. If the predefined number of requests is exceeded in a short time, mod_evasive temporarily blocks the offending IP address. This prevents the server from being overwhelmed and reduces the risk of a successful DDoS attack.
Installing mod_evasive on Apache Server
Preparing the Server
First, ensure that your Apache server is updated and ready for module installation. Run the following commands:
sudo apt update
sudo apt install apache2
Installing mod_evasive
You can easily install the module using the libapache2-mod-evasive package. The installation is as follows:
sudo apt install libapache2-mod-evasive
Enabling the Module
After installation, you need to enable the module using the command:
sudo a2enmod evasive
Then, restart the Apache server:
sudo systemctl restart apache2
Configuring mod_evasive
Once the module is installed and activated, it needs to be configured. The configuration file is usually located at /etc/apache2/mods-available/evasive.conf.
Here is a basic configuration example:
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
# Placeholder address; replace it with the administrator's mailbox
DOSEmailNotify admin@example.com
DOSSystemCommand "/usr/local/bin/ban.sh %s"
</IfModule>
Explanation of Key Parameters:
- DOSHashTableSize – Size of the hash table used to track individual IP addresses. The larger the value, the more precise the detection.
- DOSPageCount – Maximum number of requests to a single page within the specified interval.
- DOSSiteCount – Maximum number of requests to the entire site within the specified interval.
- DOSPageInterval and DOSSiteInterval – Time intervals during which requests are monitored (in seconds).
- DOSBlockingPeriod – Duration for which the IP address is blocked (in seconds).
- DOSEmailNotify – The administrator's email address where notifications about blocked IP addresses will be sent.
- DOSSystemCommand – Command that will be executed upon detecting an attack (e.g., a script to block the IP address in the firewall).
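One way to write the /usr/local/bin/ban.sh script that the DOSSystemCommand line in the configuration points to, added here as an example (it is not from the original article or the mod_evasive project). It assumes IPv4 clients, an ipset set created beforehand, and sudo rights for the Apache user; the set name evasive_ban and the BAN_SECONDS, ALLOWLIST and DRY_RUN variables are hypothetical names chosen for illustration.

```sh
#!/bin/sh
# Hypothetical /usr/local/bin/ban.sh; mod_evasive calls it as: ban.sh <client-ip>
# Assumed one-time setup as root (not from the page):
#   ipset create evasive_ban hash:ip timeout 600
#   iptables -I INPUT -m set --match-set evasive_ban src -j DROP
# Assumed: sudoers lets the Apache user (www-data) run ipset without a password.
BAN_SECONDS="${BAN_SECONDS:-600}"      # firewall ban length (constructed value)
ALLOWLIST="${ALLOWLIST:-127.0.0.1}"    # space-separated IPs that are never banned
DRY_RUN="${DRY_RUN:-0}"                # 1 = print the command, change nothing

# Accept only a strict dotted-quad IPv4 address (no leading zeros, octets <= 255).
is_valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                          # split the address into its octets
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

ban_ip() {
    ip="$1"
    if ! is_valid_ipv4 "$ip"; then
        echo "rejected: argument is not an IPv4 address" >&2
        return 2
    fi
    for allowed in $ALLOWLIST; do
        if [ "$ip" = "$allowed" ]; then
            echo "skipped: $ip is allowlisted"
            return 0
        fi
    done
    # -exist refreshes an existing entry; the kernel expires it after the timeout.
    set -- sudo -n ipset add evasive_ban "$ip" timeout "$BAN_SECONDS" -exist
    if [ "$DRY_RUN" = 1 ]; then
        echo "would run: $*"
        return 0
    fi
    "$@" && logger -t mod_evasive "banned $ip for ${BAN_SECONDS}s"
}

# Run only when called with an argument, as DOSSystemCommand does.
if [ "$#" -gt 0 ]; then ban_ip "$1"; fi
```

Running the script with DRY_RUN=1 and a test address prints the ipset command without touching the firewall, which lets you check the hook before enabling it in evasive.conf.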
Advantages of mod_evasive
- Simplicity of Implementation – The module is easy to install and configure without requiring complex setup.
- Effective Protection – mod_evasive offers quick and efficient protection against small to medium-scale DDoS attacks.
- Flexibility – With the ability to adjust individual settings, you can configure the module according to your server's specific needs.
Disadvantages of mod_evasive
- Limited Protection – The module is not designed to protect against large-scale DDoS attacks, which require more advanced solutions such as network-level protection services.
- Possibility of False Positives – If misconfigured, the module may block legitimate users who make multiple requests in a short period of time.
The mod_evasive module is a valuable tool for protecting Apache servers from DoS and DDoS attacks. Its simple installation and configuration allow for the quick implementation of basic protection. While it is not intended to defend against massive DDoS attacks, it offers an effective solution for small to medium-sized websites to prevent server overload.