What is mod_evasive and how can it help protect against DDoS attacks?
No matter how the web security industry evolves, hackers will always find vulnerabilities that will put websites at risk. According to Symantec, roughly 75% of all discoverable websites have security vulnerabilities that web administrators need to address. In most cases, you need multiple layers of security that include a robust network infrastructure, a reliable hosting service, and various tools that actively detect and eliminate existing threats.
A proactive approach to network security is also needed to prevent threats such as DDoS attacks, data loss, SQL injections, and other hacks before they do any damage. One particular method of protection is to implement the mod_evasive module for Apache servers.
What Is mod_evasive?
mod_evasive adds a protective layer to your website that helps fend off HTTP DoS, DDoS and other brute force attacks. Formerly known as mod_dosevasive, it lets the Apache web server “evade” traffic-based attacks by refusing requests from addresses that exceed its thresholds. When it blocks an address it can record the event via syslog or send a notification by email.
The mod_evasive module acts as a detection and traffic-management layer that inspects incoming requests using a dynamic hash table keyed by client IP address and requested URI. With the right configuration it can also pass blocked addresses on to firewalls, routers or ipchains, so that IP addresses involved in suspicious activity are dropped before they reach Apache.
For example, an IP address is blocked if it requests the same page several times within a second. It is also blocked if it sends over 50 concurrent requests to the site on the same Apache child process. Keep in mind that, under normal circumstances, it is highly unlikely for a human user to send that many requests per second. That is why legitimate users will not be blocked even if they are coming from a proxy server or NAT address.
mod_evasive is considered a DIY security solution, given the level of involvement it requires of web administrators. Using mod_evasive to protect against DDoS and other forms of brute force attacks is a good first step in mitigating traffic-based attacks, although it should not be used as a substitute for dedicated DDoS protection solutions. It is mostly only useful for low-traffic sites. Even then, it is only as useful as the bandwidth and processing capacity your server has available for answering the invalid requests.
Consider that most DDoS attackers will utilize distributed infrastructure in carrying out their attacks, as well as low-and-slow type attacks, which are harder to detect. This means the mod_evasive module can only do so much.
Still, you can incorporate it along with other DDoS mitigation techniques, to ensure a good amount of redundancy. Here is an installation and configuration guide:
What Are the Requirements Before Installing mod_evasive?
Before you can install mod_evasive, you must first have the following requirements:
A static IP address
CentOS 6/7 server with Apache
Non-root user account with sudo privileges
Once you have these prerequisites, you can proceed with the installation of mod_evasive.
To install mod_evasive, you must first install the necessary packages on your server. First, you need the EPEL (Extra Packages for Enterprise Linux) yum repository, which provides a curated set of additional open source packages for Enterprise Linux distributions such as CentOS. To add EPEL, run the following command on your server:
sudo rpm -ivh http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
If you are running CentOS 6, then you need to run the following command instead:
sudo rpm -ivh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
To check whether EPEL is installed correctly, run the following command:
sudo yum repolist
Optional: it is also a good idea to install the protectbase yum plugin, which keeps packages from your protected base repositories from being overridden by same-named packages from EPEL. To install it, run the following command:
sudo yum install yum-plugin-protectbase.noarch -y
Once EPEL and protectbase are successfully installed and activated, you can now install mod_evasive using the command line below:
sudo yum install mod_evasive -y
You can verify that mod_evasive installed correctly by checking for its configuration file, which the package places at /etc/httpd/conf.d/mod_evasive.conf. Use the command below to confirm that the file exists:
sudo ls -al /etc/httpd/conf.d/mod_evasive.conf
To tell the Apache web server to load the mod_evasive module, check that the LoadModule line is present at the top of the configuration file. The package adds it automatically upon installation; if it is missing, add the following line:
For CentOS 7:
LoadModule evasive20_module modules/mod_evasive24.so
For CentOS 6:
LoadModule evasive20_module modules/mod_evasive20.so
Finally, confirm that Apache has actually loaded mod_evasive by running:
sudo httpd -M | grep evasive
Specifying Request Limits
Once mod_evasive is properly installed, it’s time to customize the configuration file. All configuration is done in the mod_evasive.conf file. One of the first things to configure is the maximum number of requests for the same page per second. By default, this value is set to 2.
You can increase this threshold by editing the mod_evasive.conf file: look for the line beginning with DOSPageCount and change the number that follows it. For example, to allow 50 requests, set the value after DOSPageCount to 50.
Note that DOSPageCount limits the number of requests per page. To change the maximum number of requests for the whole site (across all pages), edit the DOSSiteCount parameter instead.
Specifying the Block Period
When an IP address is blocked by mod_evasive, its further requests receive a 403 (Forbidden) response. By default, mod_evasive blocks an address for only 10 seconds. To increase this, look for the DOSBlockingPeriod parameter and adjust the value to its right; for example, to block offending IP addresses for 500 seconds, set DOSBlockingPeriod to 500.
Enabling Email Notifications
For monitoring purposes, it is a good idea to have mod_evasive send an email notification whenever an IP address is blocked. In the configuration file, look for the DOSEmailNotify line, remove the hash symbol (#) at the beginning of the line to uncomment it, and replace the address with the one you want notifications sent to.
Whitelisting IP Addresses
Although there is an extremely low chance of blocking a legitimate IP address, you may choose to whitelist certain IPs to make sure they are never denied access. Whitelisting IP addresses may also protect local search crawlers, scripts and automated software that may request a large amount of data from your Apache web server.
To whitelist a specific IP address, add a DOSWhitelist line to the mod_evasive.conf file with the address after the directive name.
Be careful when whitelisting IPs, and triple-check your sources for the correct addresses. To whitelist multiple IP addresses, simply include multiple entries of the DOSWhitelist command line.
To apply the configuration changes, restart Apache so that mod_evasive is reloaded. On CentOS 7:
sudo systemctl restart httpd.service
On CentOS 6:
sudo service httpd restart
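To make the thresholds above concrete, here is an added Python model (not the article's code and not the mod_evasive module itself) that parses a constructed mod_evasive.conf fragment using the values discussed in this guide and replays a few request streams through the per-page and per-site counting, block-period and whitelist rules. The bookkeeping is an assumption that simplifies the module's documented behaviour, and the IP addresses, URIs and timings are constructed sample data.

```python
# Simplified model of mod_evasive's request accounting (added illustration, not
# the module's code). Assumed: the bookkeeping below approximates the documented
# behaviour; the config fragment, IPs and timings are constructed sample data.

CONF = """
DOSPageCount        50     # same page, per DOSPageInterval (seconds)
DOSSiteCount        100    # any page on the site, per DOSSiteInterval
DOSPageInterval     1
DOSSiteInterval     1
DOSBlockingPeriod   500
DOSWhitelist        127.0.0.1
"""

def parse_conf(text):
    """Return {directive: value}; DOSWhitelist may repeat, so it is a list."""
    cfg = {"DOSWhitelist": []}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()  # strip comments, tokenize
        if len(parts) == 2 and parts[0] == "DOSWhitelist":
            cfg["DOSWhitelist"].append(parts[1])
        elif len(parts) == 2:
            cfg[parts[0]] = int(parts[1])
    return cfg

class Evasive:
    def __init__(self, cfg):
        self.cfg = cfg
        # page: (ip, uri) -> (window_start, count); site: ip -> same; blocked: ip -> expiry
        self.page, self.site, self.blocked = {}, {}, {}

    def _hit(self, table, key, now, interval, limit):
        start, count = table.get(key, (now, 0))
        if now - start > interval:  # window expired: start counting again
            start, count = now, 0
        table[key] = (start, count + 1)
        return count + 1 > limit

    def request(self, ip, uri, now):
        """Return the status mod_evasive would answer with: 200 or 403."""
        cfg = self.cfg
        if ip in cfg["DOSWhitelist"]:
            return 200
        if self.blocked.get(ip, 0) > now:
            self.blocked[ip] = now + cfg["DOSBlockingPeriod"]  # hits restart the timer
            return 403
        over = self._hit(self.page, (ip, uri), now, cfg["DOSPageInterval"], cfg["DOSPageCount"])
        over |= self._hit(self.site, ip, now, cfg["DOSSiteInterval"], cfg["DOSSiteCount"])
        if over:
            self.blocked[ip] = now + cfg["DOSBlockingPeriod"]
            return 403
        return 200
```

Feeding 51 requests for one page within a second from a single address yields 50 × 200 followed by a 403, and further requests from that address keep getting 403 (and keep extending the block) until DOSBlockingPeriod seconds of silence have passed.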
A proactive approach to website security is the best way to protect your infrastructure, data and digital assets from attacks. The mod_evasive module is a good start in preventing basic DDoS attacks, but it is not considered an adequate solution for commercial websites. If your business highly depends on the uptime of your website, applications, and data, then you will need to incorporate measures that are more capable, and which allow easier management and deployment, for better peace of mind.