Wednesday, September 19, 2012


mod_evasive is a module for the Apache web server that helps prevent DoS attacks.

After a few weeks of trial and error and research, mod_evasive is able to work with iptables.

Here are the installation steps:

1) yum install mod_evasive
2) vi /etc/httpd/conf.d/mod_evasive.conf

<------------------------------ mod_evasive.conf content ----------------------------------->
LoadModule evasive20_module modules/

<IfModule mod_evasive20.c>
    DOSHashTableSize    3097
    DOSPageCount        2
    DOSSiteCount        50
    DOSPageInterval     1
    DOSSiteInterval     1
    DOSBlockingPeriod   10
    DOSEmailNotify      sat.server@my.offgamers.lan
    DOSSystemCommand    "bash /var/lock/mod_evasive/ %s"
    DOSLogDir           "/var/lock/mod_evasive"
    #DOSWhitelist       192.168.0.*
</IfModule>
<------------------------------ mod_evasive.conf content ----------------------------------->

3) mkdir /var/lock/mod_evasive
4) chown apache:apache /var/lock/mod_evasive
* mod_evasive needs to record the DoS IP address in this directory
5) vi /var/lock/mod_evasive/
<------------------------------ content ----------------------------------->
# $1 is the offending IP address that mod_evasive substitutes for %s in DOSSystemCommand
sudo /sbin/iptables -I INPUT -s "$1" -j DROP
sleep 600
sudo /sbin/iptables -D INPUT -s "$1" -j DROP
sudo /bin/rm -f "/var/lock/mod_evasive/dos-$1"
<------------------------------ content ----------------------------------->
How does it work?
When mod_evasive detects a DoS, it executes the script and creates a dos-* file under /var/lock/mod_evasive.
The dos-* files are used to keep track of the blocked IP addresses.
The script does the following:
It issues an iptables rule to drop the IP address, sleeps for ten minutes, removes the block, and then deletes the dos-* file
under /var/lock/mod_evasive; otherwise the address wouldn't be re-blocked again.

6) visudo
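Comment out requiretty so that sudo can run without a terminal:
Defaults requiretty -> #Defaults requiretty

Add a command alias for the commands the script runs. The alias takes effect only once a user specification for the apache user references it:
Cmnd_Alias EVASIVE = /sbin/iptables, /bin/rm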

7) Finally, restart the httpd service. Use watch -n 1 -d iptables -nvL and watch -n 1 -d ls -lsa /var/lock/mod_evasive to monitor how the process is working.
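
The script in step 5 hands $1 to iptables and rm under sudo without checking it. The following is an added example, not the post's own script: it keeps the same block, sleep, unblock flow but refuses any argument that is not a strict IPv4 address. The function names and the DRY_RUN switch are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not the post's script): same block/sleep/unblock flow,
# but the argument is validated before it reaches iptables or rm.
LOCK_DIR="${LOCK_DIR:-/var/lock/mod_evasive}"   # DOSLogDir from the post
BLOCK_SECONDS="${BLOCK_SECONDS:-600}"           # ten minutes, as in the post
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Return 0 only for a strict dotted-quad IPv4 address (no leading zeros).
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split the address into its octets
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# DRY_RUN=1 prints each command instead of executing it (assumed test hook).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Block the address, wait, unblock it, then remove mod_evasive's dos-* marker.
block_ip() {
    ip=$1
    if ! valid_ipv4 "$ip"; then
        echo "refusing to act on non-IPv4 argument" >&2
        return 2
    fi
    run sudo "$IPTABLES" -I INPUT -s "$ip" -j DROP || return 1
    run sleep "$BLOCK_SECONDS"
    run sudo "$IPTABLES" -D INPUT -s "$ip" -j DROP
    run sudo /bin/rm -f -- "$LOCK_DIR/dos-$ip"
}

# Entry point: mod_evasive passes the address as the first argument (%s).
if [ "$#" -gt 0 ]; then
    block_ip "$1"
fi
```

Running it with DRY_RUN=1 and an address prints the four commands without touching the firewall.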

Information thanks to my Senior Voo
