Secure Apache against basic Denial of Service
attacks with mod_evasive on Debian
One good module that helps in
mitigating, very basic Denial of
Service attacks against Apache 1.3.x 2.0.x and 2.2.x webserver is
mod_evasive
I've noticed however many Apache administrators out there does
forget to install it on new Apache installations or even some of
them haven't heard about of it.
Therefore I wrote this small article to create some more awareness
of the existence of the anti DoS module and hopefully thorugh it
help some of my readers to strengthen their server security.
Here is a description on what exactly mod-evasive module
does:
debian:~# apt-cache show libapache2-mod-evasive | grep -i
description -A 7
Description: evasive module to minimize HTTP DoS or brute force
attacks
mod_evasive is an evasive maneuvers module for Apache to provide
some
protection in the event of an HTTP DoS or DDoS attack or brute
force attack.
.
It is also designed to be a detection tool, and can be easily
configured to
talk to ipchains, firewalls, routers, and etcetera.
.
This module only works on Apache 2.x servers
How does
mod-evasive anti DoS module works?
Detection is performed by creating an internal dynamic hash table
of IP Addresses and URIs, and denying any single IP address which
matches the criterias:
- Requesting the same page more than number of times per
second
- Making more than N (number) of concurrent requests on the same
child per second
- Making requests to Apache during the IP is temporarily
blacklisted (in a blocking list - IP blacklist is removed after a
time period))
-
These anti DDoS and DoS attack
protection decreases the possibility that Apache gets DoSed by ana
amateur DoS attack, however it still opens doors for attacks who
has a large bot-nets of zoombie hosts (let's say 10000) which will
simultaneously request a page from the Apache server. The result in
a scenario with a infected botnet running a DoS tool in most of the
cases will be a quick exhaustion of system resources available
(bandwidth, server memory and processor consumption).
Thus mod-evasive just grants a DoS and DDoS security only on a
basic, level where someone tries to DoS a webserver with only
possessing access to few hosts.
mod-evasive however in many cases mesaure to protect against
DoS and does a great job if combined with
Apache mod-security
module discussed in one of my previous blog posts -
Tightening PHP Security on Debian with Apache 2.2 with
ModSecurity2
1. Install mod-evasive
Installing mod-evasive on Debian Lenny, Squeeze and even
Wheezy is done in identical way straight using
apt-get:
deiban:~# apt-get install libapache2-mod-evasive
...
2. Enable mod-evasive in Apache
debian:~# ln -sf /etc/apache2/mods-available/mod-evasive.load
/etc/apache2/mods-enabled/mod-evasive.load
3. Configure the way mod-evasive deals with potential DoS
attacks Open /etc/apache2/apache2.conf, go down to the
end of the file and paste inside, below three mod-evasive
configuration directives:
<IfModule mod_evasive20.c>
DOSHashTableSize 3097 DOSPageCount 30
DOSSiteCount 40
DOSPageInterval 2
DOSSiteInterval 1
DOSBlockingPeriod 120
#DOSEmailNotify hipo@mymailserver.com
</IfModule>
In case of the above configuration criterias are matched,
mod-evasive instructs Apache to return a 403 (Forbidden by
default) error page which will conserve bandwidth and system
resources in case of DoS attack attempt, especially if the DoS
attack targets multiple requests to let's say a large
downloadable file or a PHP,Perl,Python script which does a
lot of computation and thus consumes large portion of server CPU
time.
The meaning of the above three mod-evasive config vars are as
follows:
DOSHashTableSize 3097 - Increasing the DoSHashTableSize will
increase performance of mod-evasive but will consume more server
memory, on a busy webserver this value however should be
increased
DOSPageCount 30 - Add IP in evasive temporary blacklist if a
request for any IP that hits the same page 30 consequential
times.
DOSSiteCount 40 - Add IP to be be blacklisted if 40 requests
are made to a one and the same URL location in 1 second time
DOSBlockingPeriod 120 - Instructs the time in seconds for
which an IP will get blacklisted (e.g. will get returned the 403
foribden page), this settings instructs mod-evasive to block every
intruder which matches DOSPageCount 30 or DOSSiteCount
40 for 2 minutes time.
DOSPageInterval 2 - Interval of 2 seconds for which
DOSPageCount can be reached.
DOSSiteInterval 1 - Interval of 1 second in which if
DOSSiteCount of 40 is matched the matched IP will be blacklisted
for configured period of time.
mod-evasive also supports IP whitelisting with its option
DOSWhitelist , handy in cases if for example, you should
allow access to a single webpage from office env consisting of
hundred computers behind a NAT.
Another handy configuration option is the module capability to
notify, if a DoS is originating from a number of IP addresses using
the option DOSEmailNotify
Using the DOSSystemCommand in relation with iptables, could
be configured to filter out any IP addresses which are found to be
matching the configured mod-evasive rules.
The module also supports custom logging, if you want to keep track
on IPs which are found to be trying a DoS attack against the server
place in above shown configuration DOSLogDir
"/var/log/apache2/evasive" and create the
/var/log/apache2/evasive directory, with:
debian:~# mkdir /var/log/apache2/evasive
I decided not to log mod-evasive DoS IP matches as this will just
add some extra load on the server, however in debugging some
mistakenly blacklisted IPs logging is sure a must.
4. Restart Apache to load up mod-evasive debian:~#
/etc/init.d/apache2 restart
...
Finally a very good reading which sheds more light on how exactly
mod-evasive works and some extra module configuration options are
located in the documentation bundled with the deb package to read
it, issue:
debian:~# zless
/usr/share/doc/libapache2-mod-evasive/README.gz