How to set up MOD_EVASIVE

Back

 Log in to your server

Log in to mCloud portal, open the main page of your server and then follow these steps:

  1. Click Console.
  2. Enter your username: "root".
  3. Enter your password (to see your password, click Show under Root password).

Install EPEL

While MOD_EVASIVE is not available in the official CentOS package repository, it is packaged for the EPEL project. EPEL, standing for Extra Packages for Enterprise Linux, can be installed with a release package that is available from CentOS:

sudo yum install epel-release

Install MOD_EVASIVE

After installing EPEL, issue the following command to install MOD_EVASIVE:

#yum install mod_evasive -y

 Make sure the installatino was successful by opening the configuration file:

cat /etc/httpd/conf.d/mod_evasive.conf

Check if the following line is displayed in the beginning of the file (and add it if it's not):

LoadModule evasive20_module modules/mod_evasive24.so

Restart Apache:

systemctl restart httpd

Finally, to check if MOD_EVASIVE is loaded, enter the following command:

httpd -M | grep -Ei '(evasive)'

If everything is all right, you will see the following:

evasive20_module (shared) 

Basic configuration

The configuration file for MOD_EVASIVE (mod_evasive.conf) resides in /etc/httpd/conf.d/. Open this file using a text editor of your preference, e.g. nano:

nano /etc/httpd/conf.d/mod_evasive.conf 

Here are some of the main paramaters you can set up:

  • DOSPageCount: This is the threshold for the number of requests for the same page (or URI) per page interval. Once the threshold for that interval has been exceeded, the IP address of the client will be added to the blocking list.

  • Whitelist IP Addresses : This option is to whitelist certain IP addresses from blocking. You can also use wildcards up to the last 3 octets if necessary.

  • DOSLogDir: Choose an alternative temp directory, By default “/tmp” will be used for locking mechanism, which opens some security issues if your system is open to shell users. In the event you have nonprivileged shell users, you’ll want to create a directory writable only to the user Apache is running as (usually root), then set this in your httpd.conf.

  • DOSSystemCommand: If this value is set, the system command specified will be executed whenever an IP address becomes blacklisted. This is designed to enable system calls to ip filter or other tools. A locking mechanism using /tmp prevents continuous system calls. Use %s to denote the IP address of the blacklisted IP.

  • DOSBlockingPeriod: The blocking period is the amount of time (in seconds) that a client will be blocked for if they are added to the blocking list. During this time, all subsequent requests from the client will result in a 403 (Forbidden) and the timer being reset (e.g. another 10 seconds). Since the timer is reset for every subsequent request, it is not necessary to have a long blocking period; in the event of a DoS attack, this timer will keep getting reset.DOSSiteInterval: The interval for the site count threshold; defaults to 1 second intervals.

  • DOSPageInterval: The interval for the site count threshold; defaults to 1 second intervals.

  • DOSSiteCount: This is the threshold for the total number of requests for any object by the same client on the same listener per site interval. Once the threshold for that interval has been exceeded, the IP address of the client will be added to the blocking list.