WHAT IS MOD_EVASIVE / Mod Evasive / ModEvasive ?


mod_evasive is an evasive maneuvers module for Apache to provide evasive
action in the event of an HTTP DoS or DDoS attack or brute force attack. It
is also designed to be a detection tool, and can be easily configured to talk
to ipchains, firewalls, routers, and etcetera.


Detection is performed by creating an internal dynamic hash table of IP
Addresses and URIs, and denying any single IP address from any of the following:


- Requesting the same page more than a few times per second
- Making more than 50 concurrent requests on the same child per second
- Making any requests while temporarily blacklisted (on a blocking list)



How to install mod_evasive anti denial of service Apache module on WHM server?


THis is the steps i used to isntall the mod_evasive apache module on my WHM server.


1 - download:

Code:
cd /tmp;wget http://www.zdziarski.com/blog/wp-content/uploads/2010/02/mod_evasive_1.10.1.tar.gz
or here is the backup:
mod_evasive_1.10.1.tar.gz

2 - extract, delete, go to directory

Code:
tar xzf mod_evasive_1.10.1.tar.gz;rm -rf mod_evasive_1.10.1.tar.gz;cd *evas*;ls
3 - load Apache 2.0 version of the module into apache

Code:
/usr/local/apache/bin/apxs -i -a -c mod_evasive20.c
4 - build apache to make change persistent

Code:
/usr/local/cpanel/bin/apache_conf_distiller --update
5 - edit apache configuration file and add module properties

Code:
vi /usr/local/apache/conf/httpd.conf
Add directive:
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 600
DOSEmailNotify [email protected]
# DOSSystemCommand "sudo /sbin/iptables -A INPUT -s %s -j DROP"
DOSLogDir "/var/log/httpd/evasive"
</IfModule>
i found above code was lost after a while, will be better adding this into WHM / Service Configuration / Apache Configuration / Include Editor / Pre Virtual Host Include / All versions


# DOSSystemCommand (when uncommented) makes permanent IP ban in iptables untill server restart which might be an issue (too many banned IPs?)

DOSLogDir - make sure log dir you set (/var/log/httpd/evasive) exist... if u have other apache directory there in /var/log, use the existing one

Legend to above directive:
DOSHashTableSize
----------------


The hash table size defines the number of top-level nodes for each child's
hash table. Increasing this number will provide faster performance by
decreasing the number of iterations required to get to the record, but
consume more memory for table space. You should increase this if you have
a busy web server. The value you specify will automatically be tiered up to
the next prime number in the primes list (see mod_evasive.c for a list
of primes used).


DOSPageCount
------------


This is the threshhold for the number of requests for the same page (or URI)
per page interval. Once the threshhold for that interval has been exceeded,
the IP address of the client will be added to the blocking list.


DOSSiteCount
------------


This is the threshhold for the total number of requests for any object by
the same client on the same listener per site interval. Once the threshhold
for that interval has been exceeded, the IP address of the client will be added
to the blocking list.


DOSPageInterval
---------------


The interval for the page count threshhold; defaults to 1 second intervals.


DOSSiteInterval
---------------


The interval for the site count threshhold; defaults to 1 second intervals.


DOSBlockingPeriod
-----------------


The blocking period is the amount of time (in seconds) that a client will be
blocked for if they are added to the blocking list. During this time, all
subsequent requests from the client will result in a 403 (Forbidden) and
the timer being reset (e.g. another 10 seconds). Since the timer is reset
for every subsequent request, it is not necessary to have a long blocking period; in the event of a DoS attack, this timer will keep getting reset.


DOSEmailNotify
--------------


If this value is set, an email will be sent to the address specified
whenever an IP address becomes blacklisted. A locking mechanism using /tmp
prevents continuous emails from being sent.


NOTE: Be sure MAILER is set correctly in mod_evasive.c
(or mod_evasive20.c). The default is "/bin/mail -t %s" where %s is
used to denote the destination email address set in the configuration.
If you are running on linux or some other operating system with a
different type of mailer, you'll need to change this.


DOSSystemCommand
----------------


If this value is set, the system command specified will be executed
whenever an IP address becomes blacklisted. This is designed to enable
system calls to ip filter or other tools. A locking mechanism using /tmp
prevents continuous system calls. Use %s to denote the IP address of the
blacklisted IP.
not sure if its needed, but i did: service httpd restart