Wednesday, September 19, 2012

mod_evasive


mod_evasive is an Apache Web Server module that helps prevent DoS attacks (request floods).

After a few weeks of trial, error and research, mod_evasive now works together with iptables.

Here are the installation steps:

1) yum install mod_evasive
2) vi /etc/httpd/conf.d/mod_evasive.conf

<------------------------------ mod_evasive.conf content ----------------------------------->
LoadModule evasive20_module modules/mod_evasive20.so

<IfModule mod_evasive20.c>
    DOSHashTableSize    3097
    # more than 2 requests for the same page within 1 second -> client is blocked
    DOSPageCount        2
    DOSPageInterval     1
    # more than 50 requests for any object within 1 second -> client is blocked
    DOSSiteCount        50
    DOSSiteInterval     1
    # seconds the client keeps receiving 403 from Apache itself
    DOSBlockingPeriod   10
    DOSEmailNotify      sat.server@my.offgamers.lan
    # %s is replaced with the blocked client IP; the script adds the iptables rule
    DOSSystemCommand    "bash /var/lock/mod_evasive/evasive.sh %s"
    # directory where the dos-<ip> lock files are written
    DOSLogDir           "/var/lock/mod_evasive"
    #DOSWhitelist       127.0.0.1
    #DOSWhitelist       192.168.0.*
</IfModule>
<------------------------------ mod_evasive.conf content ----------------------------------->

3) mkdir /var/lock/mod_evasive
4) chown apache:apache /var/lock/mod_evasive
* mod_evasive needs to record the blocked (DoS) IP addresses in this directory
5) vi /var/lock/mod_evasive/evasive.sh
<------------------------------ evasive.sh content ----------------------------------->
#!/bin/bash
# $1 is the offending client IP that mod_evasive passes in via DOSSystemCommand (%s)
sudo /sbin/iptables -I INPUT -s "$1" -j DROP
sleep 600
sudo /sbin/iptables -D INPUT -s "$1" -j DROP
sudo /bin/rm -f "/var/lock/mod_evasive/dos-$1"
<------------------------------ evasive.sh content ----------------------------------->
How does evasive.sh work?
When mod_evasive detects a DoS, it executes evasive.sh and creates a file such as dos-172.30.10.223 under /var/lock/mod_evasive.
The dos-* files are used to keep track of the blocked IP addresses.
Executing evasive.sh does the following:
issue an iptables rule to drop traffic from the IP address, sleep for ten minutes, then remove the rule, and finally delete the dos-* file
under /var/lock/mod_evasive; otherwise the IP address would not be blocked again.

6) visudo
Change (comment out requiretty; otherwise sudo refuses to run from httpd, which has no terminal):
Defaults requiretty -> #Defaults requiretty

Add:
Cmnd_Alias EVASIVE = /sbin/iptables, /bin/rm
apache   ALL=(ALL)   NOPASSWD: EVASIVE

7) Finally, restart the httpd service. Use watch -n 1 -d iptables -nvL and watch -n 1 -d ls -lsa /var/lock/mod_evasive to monitor how the process is working.
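A hardened variant of evasive.sh, added here as an example (it is not the script from the post). It validates the address mod_evasive hands over before it reaches sudo/iptables, runs rm as apache instead of root, and backgrounds the unblock timer. It assumes the same paths and 600-second block period as the steps above.

```shell
#!/bin/bash
# Hardened evasive.sh: an added example, not the script from the post.
# mod_evasive runs it as "bash /var/lock/mod_evasive/evasive.sh <client-ip>".
# Paths and the 600 s block period are assumed to match the post.
IPTABLES=${IPTABLES:-/sbin/iptables}
SUDO=${SUDO:-sudo}
LOCKDIR=${LOCKDIR:-/var/lock/mod_evasive}
BLOCK_SECONDS=${BLOCK_SECONDS:-600}

# Accept only a plain dotted-quad IPv4 address (each octet 0-255). Anything
# else, e.g. a CIDR range or extra iptables options, is refused before sudo.
is_ipv4() {
    local ip=$1 octet
    case $ip in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    local IFS=.
    set -- $ip
    [ $# -eq 4 ] || return 1
    for octet; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Insert the DROP rule for one validated address (status 2 on bad input).
block_ip() {
    is_ipv4 "$1" || return 2
    $SUDO "$IPTABLES" -I INPUT -s "$1" -j DROP
}

# Remove the DROP rule and the dos-<ip> marker so mod_evasive can re-block.
# rm runs as apache: the directory is apache-owned, so no sudo is needed and
# /bin/rm can be dropped from the EVASIVE Cmnd_Alias.
unblock_ip() {
    is_ipv4 "$1" || return 2
    $SUDO "$IPTABLES" -D INPUT -s "$1" -j DROP
    rm -f -- "$LOCKDIR/dos-$1"
}

main() {
    block_ip "$1" || exit $?
    # Detached timer: the script exits right away instead of staying alive
    # for the whole block period the way a foreground sleep would.
    ( sleep "$BLOCK_SECONDS"; unblock_ip "$1" ) >/dev/null 2>&1 &
}

# Run only when given an address, so the functions can also be sourced/tested.
if [ $# -ge 1 ]; then main "$@"; fi
```

With this version the sudoers alias only needs /sbin/iptables, which removes the unrestricted root rm that the original visudo step grants to the apache user.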


Information thanks to my Senior Voo
