Tuesday, December 27, 2011

Mod_evasive - Prevent DDOS Attack

Installing Modevasive
mod_evasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection tool, and can be easily configured to talk to ipchains, firewalls, routers, and etcetera.

-> Execute the following commands to install it:

#wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
#tar -xzvf mod_evasive_1.10.1.tar.gz
#cd mod_evasive
#/usr/sbin/apxs -cia mod_evasive20.c
#rm -rf /root/mod_evasive*

-> Test to make sure it was loaded:
#grep -i evasive /etc/httpd/conf/httpd.conf

Next, edit /etc/httpd/conf/httpd.conf and uncomment (remove the # in front of each line) the following:
<IfModule mod_evasive.c>
DOSHashTableSize 3097
DOSPageCount 5
DOSSiteCount 100
DOSPageInterval 2
DOSSiteInterval 2
DOSBlockingPeriod 600
</IfModule>

 

-> Restart Apache by executing the command

#/etc/init.d/httpd restart

Info
----

  • DOSHashTableSize: is the size of the table of URL and IP combined

  • DOSPageCount: is the number of same page requests from the same IP during an interval that will cause that IP to be added to the block list.

  • DOSSiteCount: is the number of pages requested of a site by the same IP during an interval which will cause the IP to be added to the block list.

  • DOSPageInterval: is the interval that the hash table for IPs and URLs is erased (in seconds)

  • DOSSiteInterval: is the intervale that the hash table of IPs is erased (in seconds)

  • DOSBlockingPeriod: is the time the IP is blacked (in seconds)

  • DOSEmailNotify: can be used to notify by sending an email everytime an IP is blocked

  • DOSSystemCommand: is the command used to execute a command when an IP is blocked. It can be used to add a block the user from a firewall or router.

  • DOSWhiteList: can be used to whitelist IPs such as 127.0.0.1


Although mod_dosevasive can be quite effective in some cases, in others it can cause more problems by blocking non-offending IPs. It is suggested you take a look at hardware solution if you.

 

Source : http://www.zdziarski.com/blog/?page_id=442

Source : http://sabarish4u.wordpress.com/2008/11/21/157/

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)