Protecting Apache against DOS attack with mod_evasive
Novell Cool Solutions: Feature
By Damian Myerscough
Posted: 19 Nov 2007
Users constantly making HTTP requests can slow your server down and possibly cause a DoS (Denial of Service) condition.
Deploy the mod_evasive module.
This article was tested on SUSE Linux Enterprise Server SP1.
The Apache web server is the most popular web server on the Internet today holding a "52.65% market share for top servers across all domains August 1995 - July 2007" (Netcraft, 2007). The Apache module "mod_evasive" is an excellent module which helps defend against malicious users trying to perform HTTP DoS (Denial of Service) attacks and also helps protect against brute force attacks.
The "mod_evasive" module detects attacks using three different methods: 1) requesting the same page more than a few times per second, 2) making more than 50 concurrent requests on the same child per second, and 3) making any request while temporarily blacklisted.
The first step to installing mod_evasive is to download the source code from  website. Once you have downloaded the source file you will need to unpack the compressed archive using the "tar" utility as shown in Figure 1.
Linux-w2mu:~# tar zvxf mod_evasive_1.10.1.tar.gz
Figure 1: Unpacking mod_evasive.
Once mod_evasive has been unpacked, change into the directory that contains the source code, as we will need to compile the "mod_evasive20.c" file. Before you compile the source code, you will need to install some dependencies that mod_evasive relies on.
The dependencies that mod_evasive requires are listed in Table 1; you can install them from the SUSE Linux Enterprise Server CD/DVD.
| Package | Description |
|---|---|
| apache2-devel | Header and include files |
| apache2-prefork | "prefork" MPM (Multi-Processing Module) |
Table 1: mod_evasive dependencies.
Once you have installed all the dependencies listed in Table 1 and unpackaged the source code, you can begin to compile the "mod_evasive20.c" file with the "apxs2" command as shown in Figure 1.1.
Linux-w2mu:~# apxs2 -ci mod_evasive20.c
/usr/lib/apr-1/build/libtool --silent --mode=compile gcc -prefer-pic -O2 -march=i586 -mtune=i686 -fmessage-length=0 -Wall -D_FORTIFY_SOURCE=2 -g -fPIC -Wall -fno-strict-aliasing -DLDAP_DEPRECATED -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE -D_LARGEFILE64_SOURCE -DAP_DEBUG -pthread -I/usr/include/apache2 -I/usr/include -I/usr/include/apr-1 -c -o mod_evasive20.lo mod_evasive20.c && touch mod_evasive20.slo
... ...
Figure 1.1: Compiling mod_evasive for Apache 2.
Once you have compiled the mod_evasive module you will need the module to load when Apache is started or restarted. The file that needs to be modified is "/etc/sysconfig/apache2" and the directive that needs to be altered is "APACHE_MODULES=" as it needs to include the mod_evasive20 module, as shown in Figure 2.
... APACHE_MODULES="mod_evasive20 actions alias auth_basic authn_file authz_host authz_groupfile authz_default authz_user authn_dbm autoindex cgi dir env expires include log_config mime negotiation setenvif ssl suexec userdir php5" ...
Figure 2: Altered /etc/sysconfig/apache2 configuration file.
Once you have modified the "/etc/sysconfig/apache2" configuration file you will need to check the Apache syntax using the "service" command as shown in Figure 2.1.
Linux-w2mu:~# service apache2 configtest
Syntax OK
Figure 2.1: Verifying the syntax is OK.
Once you have modified the "/etc/sysconfig/apache2" configuration file, you will need to create a configuration file for the mod_evasive module. In the "/etc/apache2" directory, create a file called "mod_evasive.conf" with the content shown in Figure 3 (or similar).
<IfModule mod_evasive20.c>
    DOSHashTableSize 3097
    DOSPageCount 2
    DOSSiteCount 50
    DOSPageInterval 1
    DOSSiteInterval 1
    DOSBlockingPeriod 10
</IfModule>
Figure 3: mod_evasive.conf
The key pairs used in the "mod_evasive.conf" configuration file are listed in Table 2 along with a description of each.
| Directive | Description |
|---|---|
| DOSHashTableSize | The hash table size defines the number of top-level nodes for each child's hash table. Increasing this number provides faster performance by decreasing the number of iterations required to reach a record, but consumes more memory for table space. |
| DOSPageCount | The threshold for the number of requests for the same page (or URI) per page interval. Once the threshold for that interval has been exceeded, the IP address of the client is added to the blocking list. |
| DOSSiteCount | The threshold for the total number of requests for any object by the same client on the same listener per site interval. |
| DOSPageInterval | The interval for the page count threshold; defaults to 1 second. |
| DOSSiteInterval | The interval for the site count threshold; defaults to 1 second. |
| DOSBlockingPeriod | The amount of time (in seconds) that a client is blocked for once it is added to the blocking list. During this time, every subsequent request from the client results in a 403 (Forbidden) and the timer is reset (e.g. another 10 seconds). |
| DOSEmailNotify | If this value is set, an email is sent to the address specified whenever an IP address becomes blacklisted. A locking mechanism using /tmp prevents continuous emails from being sent. |
| DOSSystemCommand | If this value is set, the system command specified is executed whenever an IP address becomes blacklisted. This is designed to enable calls to ip filter or other tools. |
| DOSLogDir | Choose an alternative temp directory; the default is /tmp. |
Table 2: mod_evasive key pairs.
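To make the three detection rules and the Table 2 directives concrete, here is an added Python model (not code from the article or from mod_evasive itself) that replays constructed request timestamps through a simplified, single-process version of the module's decision logic. The defaults mirror Figure 3, the blocking callback stands in for DOSSystemCommand/DOSEmailNotify, and the counting is an approximation: the real module is C and keeps one hash table per prefork child, so counts on a live server will differ.

```python
from dataclasses import dataclass

@dataclass
class EvasiveConfig:  # mirrors mod_evasive.conf; defaults are the Figure 3 values
    page_count: int = 2            # DOSPageCount
    site_count: int = 50           # DOSSiteCount
    page_interval: float = 1.0     # DOSPageInterval (seconds)
    site_interval: float = 1.0     # DOSSiteInterval (seconds)
    blocking_period: float = 10.0  # DOSBlockingPeriod (seconds)

class EvasiveModel:  # one shared table; real prefork Apache keeps one per child
    def __init__(self, cfg, on_block=None):
        self.cfg = cfg
        self.on_block = on_block  # stands in for DOSSystemCommand / DOSEmailNotify
        self.blocked = {}         # ip -> time of the last request made while blacklisted
        self.counters = {}        # (ip, uri) or (ip, "_SITE") -> (count, window_start)

    def _hit(self, key, now, interval, limit):
        count, start = self.counters.get(key, (0, now))
        if now - start >= interval:   # interval elapsed: start a fresh count
            count, start = 0, now
        count += 1
        self.counters[key] = (count, start)
        return count > limit          # the threshold must be exceeded, not just reached

    def request(self, ip, uri, now):
        cfg = self.cfg
        last = self.blocked.get(ip)
        if last is not None and now - last < cfg.blocking_period:
            self.blocked[ip] = now    # any hit while blacklisted restarts the period
            return 403
        page_over = self._hit((ip, uri), now, cfg.page_interval, cfg.page_count)
        site_over = self._hit((ip, "_SITE"), now, cfg.site_interval, cfg.site_count)
        if page_over or site_over:
            self.blocked[ip] = now
            if self.on_block:
                self.on_block(ip)     # once per blacklisting (the module uses a /tmp lock)
            return 403
        return 200

def replay(events, cfg=None):
    """Run (timestamp, ip, uri) tuples through the model; return statuses and blacklisted IPs."""
    fired = []
    model = EvasiveModel(cfg or EvasiveConfig(), on_block=fired.append)
    return [model.request(ip, uri, t) for t, ip, uri in events], fired

# Constructed traffic: one client re-requesting "/" four times in 0.3 s (what the
# page's test.pl check does) and one spreading 51 requests across distinct URIs.
BURST = [(0.1 * i, "192.0.2.10", "/") for i in range(4)]
SPREAD = [(0.0, "192.0.2.20", f"/page{i}") for i in range(51)]
```

`replay(BURST)` returns `([200, 200, 403, 403], ["192.0.2.10"])`: the third request to the same URI inside DOSPageInterval exceeds DOSPageCount, and every later request during DOSBlockingPeriod is refused, while `replay(SPREAD)` only trips on the 51st request because each URI stays under DOSPageCount and it is DOSSiteCount that is exceeded.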
Once you are happy with your "mod_evasive.conf" configuration file, you can restart the Apache web server and test your new configuration. There are two methods of checking that mod_evasive is functioning correctly. The first method is to run the "test.pl" file in the mod_evasive directory, as shown in Figure 3.1.
Linux-w2mu:~# perl test.pl
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
... ...
Figure 3.1: Checking mod_evasive.
The second method to check mod_evasive is functioning correctly is to connect to your web server and hit the refresh button really fast and you should be presented with a "403 Forbidden" message.
Now that you have installed and configured mod_evasive, your Apache web server should be able to defend against HTTP DoS attacks and brute force attacks. I would also recommend adding offending IP addresses to your iptables rules using the "DOSSystemCommand" key. The reason for adding the offending IP address to iptables is that the client then never even sees the "403 Forbidden" message, so your website simply appears to be down to them.