Getting DDoS attack is a very annoying things. Beside make your server slower and worse make your server down. DDoS (Distributed Denial of Service) is an attempt to attack the server target with flood of request from many sources, to make the target server busy and then down. DDoS attack have many various technique but it is basically flood the target server with high and cpu consuming request and later make the server malfunction or down.
You can prevent DDoS attack by using mod_evasive in Apache 2. Mod_evasive is an Apache module that provides evasive maneuvers action in the event of an HTTP DoS or DDoS (Denial of Service) attack or brute force attack to the web server. When possible attacks are detected, mod_evasive will block the traffic from the source for a specific duration of time, and reports abuses via email and syslog facilities. And mod_evasive can be configured to talk to iptables, ipchains, firewalls, routers, and etc. to build a comprehensive DDOS prevention system for the high traffic busy web server.
To install mode_evasive
- Open your terminal or remotely login to your server via ssh
- Download the mod_evasive module:
cd /opt/ wget http://www.zdziarski.com/blog/wp-content/uploads/2010/02/mod_evasive_1.10.1.tar.gz
- Extract it:
tar -zxvf mod_evasive_1.10.1.tar.gz cd mod_evasive
- Install mod_evasive:
/usr/local/apache/bin/apxs -cia mod_evasive.c
- Open httpd.conf:
vim /usr/local/apache/conf/httpd.conf #Add this lines DOSHashTableSize 3097 DOSPageCount 5 DOSSiteCount 100 DOSPageInterval 1 DOSSiteInterval 1 DOSBlockingPeriod 600 DOSLogDir "/var/log/httpd/" DOSEmailNotify [email protected]
- Save and exit the httpd.conf Apache configuration file.
- Restart Apache:
/etc/init.d/htpd restart
There are a lot of ways to configure mod_evasive. See below manual configuration for mod_evasive:
DOSHashTableSize
Size of the hash table. The greater this setting, the more memory is required for the look up table, but also the faster the look ups are processed. This option will automatically round up to the nearest prime number.
DOSPageCount
Number of requests for the same page within the ‘DOSPageInterval’ interval that will get an IP address added to the blocking list.
DOSSiteCount
Same as ‘DOSPageCount’, but corresponds to the number of requests for a given site, and uses the ‘DOSSiteInterval’ interval.
DOSPageInterval
Interval for the ‘DOSPageCount’ threshold in second intervals.
DOSSiteInterval
Interval for the ‘DOSSiteCount’ threshold in second intervals.
DOSBlockingPeriod
Blocking period in seconds if any of the thresholds are met. The user will recieve a 403 (Forbidden) when blocked, and the timer will be reset each time the site gets hit when the user is still blocked.
Reply With Quote
DOSEmailNotify
If this value is set, an email will be sent to the address specified
whenever an IP address becomes blacklisted. A locking mechanism using /tmp
prevents continuous emails from being sent.
PS: The mod_evasive is not the only way to prevent DDoS attack, and not guarantee would be a perfect way to stop the attacker from attacking you.
this box don't show the cursor.. difficult to write. please fix it.
are you cheap to higher? i like to get a server and give it to you to secure it for me before i install my site.
Hi Ali,
i'm currently on vacation right now, and i don't have fast enough internet connection to do that. Please contact me from about page, so we can solve it later. You can install your website now, the server can be configured later.
I'm getting a bunch of errors when I run apxs2. What am I missing ?
/opt/mod_evasive$ sudo /usr/bin/apxs2 -cia mod_evasive.c
/usr/share/apr-1.0/build/libtool –silent –mode=compile –tag=disable-static i486-linux-gnu-gcc -prefer-pic -DLINUX=2 -D_FORTIFY_SOURCE=2 -D_GNU_SOURCE -D_LARGEFILE64_SOURCE -D_REENTRANT -I/usr/include/apr-1.0 -I/usr/include/openssl -I/usr/include/xmltok -pthread -I/usr/include/apache2 -I/usr/include/apr-1.0 -I/usr/include/apr-1.0 -c -o mod_evasive.lo mod_evasive.c && touch mod_evasive.slo
mod_evasive.c:43: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘evasive_module’
mod_evasive.c:116: error: expected declaration specifiers or ‘…’ before ‘pool’
mod_evasive.c: In function ‘check_access’:
mod_evasive.c:128: error: request for member ‘sin_addr’ in something not a structure or union
mod_evasive.c:129: error: request for member ‘sin_addr’ in something not a structure or union
mod_evasive.c:146: error: ‘FORBIDDEN’ undeclared (first use in this function)
mod_evasive.c:146: error: (Each undeclared identifier is reported only once
mod_evasive.c:146: error: for each function it appears in.)
mod_evasive.c:209: warning: format ‘%ld’ expects type ‘long int’, but argument 3 has type ‘int’
mod_evasive.c:245: warning: passing argument 4 of ‘ap_log_rerror’ makes integer from pointer without a cast
/usr/include/apache2/http_log.h:219: note: expected ‘apr_status_t’ but argument is of type ‘struct request_rec *’
mod_evasive.c:245: warning: passing argument 5 of ‘ap_log_rerror’ from incompatible pointer type
/usr/include/apache2/http_log.h:219: note: expected ‘const struct request_rec *’ but argument is of type ‘char *’
mod_evasive.c:245: warning: format not a string literal and no format arguments
mod_evasive.c: At top level:
mod_evasive.c:251: error: expected declaration specifiers or ‘…’ before ‘pool’
mod_evasive.c:655: warning: initialization from incompatible pointer type
mod_evasive.c:658: warning: initialization from incompatible pointer type
mod_evasive.c:661: warning: initialization from incompatible pointer type
mod_evasive.c:664: warning: initialization from incompatible pointer type
mod_evasive.c:667: warning: initialization from incompatible pointer type
mod_evasive.c:670: warning: initialization from incompatible pointer type
mod_evasive.c:673: warning: initialization from incompatible pointer type
mod_evasive.c:676: warning: initialization from incompatible pointer type
mod_evasive.c:679: warning: initialization from incompatible pointer type
mod_evasive.c:682: warning: initialization from incompatible pointer type
mod_evasive.c:688: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘evasive_module’
apxs:Error: Command failed with rc=65536
.
d'oh… you can delete this post. /usr/bin/apxs2 -c -i -a mod_evasive20.c works better 🙂
Hi, Thank You for the simple guide. I have tried to install according your guide, but it returned same error like to Dirt Man.
Instead:
/usr/local/apache/bin/apxs -cia mod_evasive.c
I tried:
/usr/local/apache/bin/apxs -i -a -c mod_evasive20.c
And it went OK. Just a note. THX
thanks for clarify it. probably it because i'm using apache 2.2.