Protecting Apache Server From Denial-of-Service (DoS) Attack
A denial-of-service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users, such as to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet. A distributed denial-of-service (DDoS) is where the attack source is more than one, often thousands of, unique IP addresses. It is analogous to a group of people crowding the entry door or gate to a shop or business, and not letting legitimate parties enter into the shop or business, disrupting normal operations.

Criminal perpetrators of DoS attacks often target sites or services hosted on high-profile web servers such as banks, credit card payment gateways; but motives of revenge, blackmail or activism can be behind other attacks.

The scale of DDoS attacks has continued to rise over recent years; the web security company CloudFlare reported in 2016 that they consistently mitigated attacks of 400Gbps.
What is mod_evasive?

mod_evasive is an evasive maneuvers module for Apache that provides evasive action in the event of an HTTP DoS, DDoS or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and so on. mod_evasive presently reports abuses via email and syslog facilities.
Installing mod_evasive
Server Distro: Debian 8 jessie
Apache Version: Apache/2.4.10

mod_evasive is in the official Debian repository, so we can install it using apt:
# apt-get update
# apt-get install libapache2-mod-evasive
Setting up mod_evasive

We have mod_evasive installed but not configured. The mod_evasive config is located at /etc/apache2/mods-available/evasive.conf. We will be editing that file, which should look similar to this:
<IfModule mod_evasive20.c>
  #DOSHashTableSize    3097
  #DOSPageCount        2
  #DOSSiteCount        50
  #DOSPageInterval     1
  #DOSSiteInterval     1
  #DOSBlockingPeriod   10

  #DOSSystemCommand    "su - someuser -c '/sbin/... %s ...'"
  #DOSLogDir           "/var/log/mod_evasive"
</IfModule>
mod_evasive Configuration Directives

  • DOSHashTableSize
  • DOSPageCount
  • DOSSiteCount
  • DOSPageInterval
  • DOSSiteInterval
  • DOSBlockingPeriod
  • DOSEmailNotify
  • DOSSystemCommand
  • DOSLogDir

This is the configuration I’m using, which is working well, and I recommend it if you don’t know how to go about the configuration:
<IfModule mod_evasive20.c>
 DOSHashTableSize    2048
 DOSPageCount        5
 DOSSiteCount        100
 DOSPageInterval     1
 DOSSiteInterval     2
 DOSBlockingPeriod   10

 #DOSSystemCommand    "su - someuser -c '/sbin/... %s ...'"
 DOSLogDir           "/var/log/mod_evasive"
</IfModule>
Set DOSEmailNotify to your own email address. Since mod_evasive doesn’t create the log directory automatically, we need to create it:
# mkdir /var/log/mod_evasive
# chown :www-data /var/log/mod_evasive
# chmod 771 /var/log/mod_evasive
Once setup is done, make sure mod_evasive is enabled by typing:
# a2enmod evasive
Restart Apache for the changes to take effect:
# systemctl restart apache2
Testing mod_evasive Setup

With mod_evasive set up correctly, we are now going to test whether our web server is protected against a DoS attack using ab (Apache Benchmark). Install ab if you don’t have it by typing:
# apt-get install apache2-utils
Current state of our /var/log/mod_evasive:
root@hackthesec:/var/log/mod_evasive# ls -l
 total 0
We will now send bulk requests to the server, causing a DoS attack, by typing:
# ab -n 100 -c 10 http://serverip/
After sending 100 requests, 10 at a time concurrently, the current state of my /var/log/mod_evasive directory is now:
root@hackthesec:/var/log/mod_evasive# ls -l
 total 4
 -rw-r--r-- 1 www-data www-data 18 May 16 22:10 dos-
Checking the Apache access log at /var/log/apache2/access.log, we can see that all connections from ApacheBench/2.3 were dropped with a 403.
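To check the same result without reading the access log line by line, the script below (an added example, not part of the original post) tallies per client IP how many requests were answered with 403 and how many were served before the first block. The function names, sample IPs and log lines are constructed for illustration, and it assumes Apache's "combined" log format.

```shell
#!/bin/sh
# Added example: summarise mod_evasive blocking from an Apache access log.

# Constructed sample input ("combined" format, documentation IP addresses):
# 9 ApacheBench requests (5 served, 4 blocked) and 1 ordinary browser request.
make_sample_log() {
    i=1
    while [ "$i" -le 9 ]; do
        if [ "$i" -le 5 ]; then status=200; else status=403; fi
        printf '203.0.113.10 - - [16/May/2016:22:10:01 +0000] "GET / HTTP/1.0" %s 512 "-" "ApacheBench/2.3"\n' "$status"
        i=$((i + 1))
    done
    printf '198.51.100.7 - - [16/May/2016:22:10:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"\n'
}

# summarise_blocks LOGFILE UA_SUBSTRING
# Prints one line per client IP whose User-Agent contains UA_SUBSTRING
# (an empty string selects every client).
# Assumes the request line holds no escaped quotes (\"), which would shift
# the quote-delimited fields used below.
summarise_blocks() {
    awk -F'"' -v ua="$2" '
        ua == "" || index($6, ua) {
            split($1, head, " "); ip = head[1]        # client address
            split($3, tail, " "); status = tail[1]    # HTTP status code
            total[ip]++
            if (status == "403") {
                blocked[ip]++
                # Requests served before the first 403 for this client.
                if (!(ip in first)) first[ip] = total[ip] - 1
            }
        }
        END {
            for (ip in total)
                printf "%s total=%d blocked=%d served_before_block=%s\n",
                    ip, total[ip], blocked[ip],
                    ((ip in first) ? first[ip] : "never-blocked")
        }' "$1" | sort
}

# Run on the constructed sample; on a real server pass
# /var/log/apache2/access.log instead.
log=$(mktemp)
make_sample_log > "$log"
summarise_blocks "$log" ApacheBench
rm -f "$log"
```

A client that shows blocked=0 after a burst well above your DOSPageCount/DOSSiteCount thresholds suggests the module is not loaded or the thresholds are not being applied.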
