Apache anti DDOS module mod_evasive installation and configuration method

  • 2020-05-09 19:44:55
  • OfStack

1. Introduction to mod_evasive
mod_evasive is an anti-DDOS module for the Apache (httpd) server. For a web server it is currently a good extension module for protecting against DDOS attacks. Although it cannot fully defend against DDOS attacks, under certain conditions it still relieves the pressure on the Apache (httpd) server. Used together with iptables, a hardware firewall, or other firewall equipment, it may be more effective.
mod_evasive official address: http://www.zdziarski.com/
2. How mod_evasive works
mod_evasive uses a hash table to store the corresponding HTTP requests, and uses that table to decide whether a request is rejected.
3. mod_evasive installation


wget http://www.zdziarski.com/blog/wp-content/uploads/2010/02/mod_evasive_1.10.1.tar.gz
tar zxvf mod_evasive_1.10.1.tar.gz 
cd mod_evasive/
apxs -i -a -c mod_evasive20.c
# Compile, install, and load the module
# Note: apxs is the tool for compiling modules. If you use the Apache package that ships with the system, it is usually in the /usr/sbin directory. If you compiled and installed Apache (httpd) yourself, specify the path to apxs yourself.

When the build and installation are complete, one line is automatically inserted into the Apache configuration file. For Apache 2.x, there should be a line similar to the following in the Apache configuration file.

LoadModule evasive20_module   lib/httpd/modules/mod_evasive20.so

4. Configuring mod_evasive

[root@localhost ~]# vi /etc/httpd/conf/httpd.conf
# Add the following configuration.
# Apache only accepts comments on their own line, so each comment sits above its directive.
<IfModule mod_evasive20.c>
    # Hash table size
    DOSHashTableSize    3097
    # Limit on requests for the same page from the same IP per unit time
    DOSPageCount        2
    # Limit on requests to the site from the same IP per unit time
    DOSSiteCount        10
    # Page access interval
    DOSPageInterval     1
    # Site access interval
    DOSSiteInterval     1
    # How long access is restricted
    DOSBlockingPeriod   10
    # Email notification when an attack is suspected
    DOSEmailNotify      xxxx@gmail.com
    # Use the firewall to block the suspected attacking IP from port 80
    DOSSystemCommand    "su - onovps -c 'iptables -I INPUT -s %s -p tcp --dport 80 -j DROP'"
    # Log directory
    DOSLogDir           "/var/log/"
    # Whitelist
    DOSWhiteList        127.0.0.1
</IfModule>

If you don't know where to insert these lines, do the following.
Create a file in the /etc directory, such as mod_evasive.conf:
[root@localhost ~]# touch /etc/mod_evasive.conf

Then add the content that matches your version of Apache.
Then edit httpd.conf and add this as the last line:
Include /etc/mod_evasive.conf

After the changes are complete, we will restart the Apache server to enable the configuration:

/etc/init.d/httpd restart

5. Testing mod_evasive
Once the anti-DDOS module is installed, we can verify it with the ab tool that ships with Apache; by default it is installed in the /usr/sbin directory. For example:
[root@localhost ~]# /usr/sbin/ab -n 1000 -c 50 http://www.baidu.com:80/

Note: the example above assumes your server is Baidu's web server, so use your own server's address in its place; it sends 1000 requests in total, 50 at a time.
The other test tool is test.pl, found in the directory where the mod_evasive package was unpacked. Modify the IP address in it and run it:
[root@localhost ~]# perl test.pl
HTTP/1.1 200 OK
HTTP/1.1 403 Forbidden

To check whether the module is taking effect, use the ab tool or the test script.
Note: since we compiled mod_evasive with the default configuration, the logs are stored in the /tmp directory. If there is a DDOS attack, logs are generated in /tmp. The log file names begin with dos-.
6. Details of configuration parameters
DOSHashTableSize 3097: defines the hash table size.
DOSSiteCount 50: maximum number of requests a client may make to the whole site per site interval.
DOSPageCount 2: maximum number of requests a client may make for the same page per page interval.
DOSPageInterval 1: counting interval for page requests, in seconds.
DOSSiteInterval 1: counting interval for site-wide requests, in seconds.
DOSBlockingPeriod 60: how long access is denied after an IP is added to the blacklist.
DOSEmailNotify xxxx@gmail.com: notifies the administrator when an IP is added to the blacklist.
DOSSystemCommand "sudo iptables -A INPUT -s %s -j DROP": system command executed after an IP is blacklisted.
DOSLogDir "/tmp": temporary directory for the locking mechanism; also the log directory.
DOSWhiteList 127.0.0.1: whitelist; whitelisted IPs are never blocked.
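
The counting behaviour these parameters describe, as an added example that is not part of the original article and not mod_evasive's source: a simplified Python model in which a dict stands in for the hash table. The class and function names, the client address 203.0.113.5, the exact threshold comparison and the restart of the block on repeated requests are assumptions of the model.

```python
class EvasiveModel:
    """Per-client hit counting keyed by the directive names used on this page."""

    def __init__(self, page_count=2, page_interval=1, site_count=50,
                 site_interval=1, blocking_period=10, whitelist=("127.0.0.1",)):
        self.page_count, self.page_interval = page_count, page_interval
        self.site_count, self.site_interval = site_count, site_interval
        self.blocking_period = blocking_period
        self.whitelist = set(whitelist)
        self.hits = {}     # hash table: key -> (window start, hits in window)
        self.blocked = {}  # ip -> time at which the block expires

    def _over_limit(self, key, now, interval, limit):
        start, count = self.hits.get(key, (now, 0))
        if now - start >= interval:      # counting window elapsed: start over
            start, count = now, 0
        count += 1
        self.hits[key] = (start, count)
        return count > limit             # assumption: block once the limit is exceeded

    def request(self, ip, uri, now):
        """Return the status this model answers with: 200 or 403."""
        if ip in self.whitelist:         # DOSWhiteList: never counted or blocked
            return 200
        if self.blocked.get(ip, 0) > now:
            # Assumption: a request during the block restarts the blocking period.
            self.blocked[ip] = now + self.blocking_period
            return 403
        page = self._over_limit((ip, uri), now, self.page_interval, self.page_count)
        site = self._over_limit((ip, None), now, self.site_interval, self.site_count)
        if page or site:
            self.blocked[ip] = now + self.blocking_period
            return 403
        return 200


def replay(model, events):
    """Feed (time, ip, uri) tuples to the model and collect the statuses."""
    return [model.request(ip, uri, t) for t, ip, uri in events]


if __name__ == "__main__":
    # Constructed traffic: one client hammering a page, then returning later.
    burst = [(t, "203.0.113.5", "/index.html") for t in (0.0, 0.1, 0.2, 5, 14, 30)]
    print(replay(EvasiveModel(site_count=10), burst))
```

The replay shows why a short DOSBlockingPeriod can still hold off a persistent client in this model: every request made while blocked pushes the expiry forward, so the client is only served again after it stays quiet for the whole period.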
7. Advanced configuration of mod_evasive
If you want to tune some parameters to fit your own needs, note that some of the necessary defaults are not affected by changes to the configuration file; to change them we need to modify the source file mod_evasive.c (Apache 1.x) or mod_evasive20.c (Apache 2.x):
#define DEFAULT_HASH_TBL_SIZE   3097ul  // Default hash table size
#define DEFAULT_PAGE_COUNT      2       // Default maximum page hit count per interval
#define DEFAULT_SITE_COUNT      50      // Default maximum site hit count per interval
#define DEFAULT_PAGE_INTERVAL   1       // Default 1 Second page interval
#define DEFAULT_SITE_INTERVAL   1       // Default 1 Second site interval
#define DEFAULT_BLOCKING_PERIOD 10      // Default for Detected IPs; blocked for 10 seconds
#define DEFAULT_LOG_DIR         "/tmp"  // Default temp directory

For example, you can change the numbers; the English comments make their meaning easy to understand. To change the log directory, change /tmp to another directory. If you don't know where to put it, use the default.
If you change the parameters here, don't forget to modify the mod_evasive parameters in the Apache configuration file as well.
If you want to add more parameters, refer to the README in the source package, which has detailed instructions; most of them are not necessary.
This file is important: if you want to change certain settings, this is the file you need to modify.

8. Summary
mod_evasive is still useful: for the Apache server it is a relatively good extension module for protecting against DDOS attacks. Although it cannot fully defend against DDOS attacks, under certain conditions it still relieves the pressure on the Apache (httpd) server. Used together with iptables, a hardware firewall, or other firewall equipment, it may be more effective. Installation is also effortless. Keep this module in mind for when you need it.

