mod_evasive is an Apache module that provides evasive action in the event of an HTTP DoS or DDoS attack or a brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to communicate with ipchains, firewalls, routers, and so on. mod_evasive presently reports abuse via email and syslog facilities.
We can use the following steps to install mod_evasive for Apache on your server:
1. Go to a temporary directory to save the installer, say /usr/local/src.
# cd /usr/local/src/
2. Download the latest source file from http://www.zdziarski.com.
# wget http://www.zdziarski.com/blog/wp-content/uploads/2010/02/mod_evasive_1.10.1.tar.gz
3. Extract the package and go to the folder containing the installer.
# tar -xvzf mod_evasive_1.10.1.tar.gz
# cd mod_evasive/
4. Now we need to build the module from its source, so the following command needs to be executed.
# /usr/local/apache/bin/apxs -cia mod_evasive20.c
5. We also need to tell Apache where to look for mod_evasive's configuration. Open Apache's configuration file in your favourite editor and look for the 'LoadModule evasive*' section. Once you find it, add the following right below it:
Include "/usr/local/apache/conf/includes/mod_evasive.conf"
6. Any custom changes made to the Apache configuration file are removed if Apache/PHP is recompiled using the EasyApache utility. To ensure that the above change is not lost, we need to distill the configuration file using the following command:
# /usr/local/cpanel/bin/apache_conf_distiller --update
7. Now that we know it won't be removed from the main configuration, we can add our mod_evasive.conf. Once created, open the file using your preferred editor.
# touch /usr/local/apache/conf/includes/mod_evasive.conf
# vi /usr/local/apache/conf/includes/mod_evasive.conf
Once opened, the following lines need to be added in the new file:
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 3600
DOSLogDir "/var/log/mod_evasive"
DOSWhitelist 127.0.0.1
</IfModule>
8. As set by DOSLogDir in the configuration, the module writes its log files under /var/log/mod_evasive. DOSLogDir is a directory, so we need to create it as one.
# mkdir -p /var/log/mod_evasive
9. Once that is done, we need to verify that there are no errors in the Apache configuration, which can be done as follows:
# /etc/init.d/httpd configtest
Syntax OK
10. Restart Apache.
# /etc/init.d/httpd restart
11. We can verify whether the evasive module is loaded as expected with the following command:
# httpd -M | grep -i evasive
12. To ensure EasyApache rebuilds mod_evasive when Apache is upgraded or rebuilt, perform the following (the source file is the same mod_evasive20.c built in step 4):
# echo "/usr/local/apache/bin/apxs -i -a -c /usr/local/src/mod_evasive/mod_evasive20.c" >> /scripts/after_apache_make_install
# chmod +x /scripts/after_apache_make_install
That should take care of everything.
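A post-install sanity check for the include file from step 7, as an added example that is not part of the original guide: it confirms that the numeric directives hold numbers and that DOSLogDir points at an existing directory. The function names are hypothetical, and the default path is the one used in the steps above.

```bash
#!/bin/sh
# Added example (not from the original guide): sanity-check the include file
# written in step 7. Function names are made up for this sketch.
CONF="${CONF:-/usr/local/apache/conf/includes/mod_evasive.conf}"

# Print the value of directive $2 in file $1. Directive names are matched
# case-insensitively, the last occurrence wins, double quotes are stripped.
evasive_directive() {
    awk -v want="$2" '
        $1 ~ /^#/ { next }
        tolower($1) == tolower(want) { v = $2 }
        END { gsub(/"/, "", v); print v }
    ' "$1"
}

# Return 0 only if the file is readable, every numeric directive holds a
# number, and DOSLogDir names an existing directory.
check_evasive_conf() {
    conf="$1"; rc=0
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 1; }
    for d in DOSHashTableSize DOSPageCount DOSSiteCount \
             DOSPageInterval DOSSiteInterval DOSBlockingPeriod; do
        v=$(evasive_directive "$conf" "$d")
        case "$v" in
            ''|*[!0-9]*) echo "FAIL: $d missing or not a number: '$v'"; rc=1 ;;
        esac
    done
    logdir=$(evasive_directive "$conf" DOSLogDir)
    if [ -z "$logdir" ]; then
        echo "FAIL: DOSLogDir is not set"; rc=1
    elif [ ! -d "$logdir" ]; then
        echo "FAIL: DOSLogDir $logdir is not a directory"; rc=1
    elif [ ! -w "$logdir" ]; then
        # Only a warning: what matters is write access for the Apache user.
        echo "WARN: $logdir is not writable by $(id -un)"
    fi
    return "$rc"
}

# Run against $CONF only when the script is called with --run.
if [ "${1:-}" = "--run" ]; then
    check_evasive_conf "$CONF"
fi
```

Run it with --run before the configtest in step 9; a non-zero exit status means at least one FAIL line was printed.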