How To Protect Your Apache Against DDoS With mod_evasive

2019 has seen a surge in the number of Distributed Denial of Service (DDoS) attacks. According to Kaspersky researchers, the number of DDoS attacks has gone up by 84% this year, and the prediction is that these types of attacks will become more sophisticated and more common. As a web admin, you should explore different options to harden your server and increase your resilience against DoS, DDoS and brute-force attacks. You can take some basic steps to protect your website: for instance, if you are using the Apache HTTP server, you can enable the mod_evasive module to add a layer of protection against DDoS and brute-force attacks. In the event of an HTTP DDoS attack, mod_evasive takes evasive action. It works by recording the incoming traffic (IPs and URLs) to Apache, and it blocks an IP that exceeds a threshold, for example:

  • Multiple requests per second
  • Multiple concurrent connections

mod_evasive emails abuse reports to the web admin, and it can be configured to talk to your firewall.

The following are step-by-step instructions for installing mod_evasive:

  • If you have cPanel/WHM, you can install mod_evasive from the interface (WHM -> Home -> Software -> EasyApache 4) and run the following command: yum install ea-apache24-mod_evasive
    • To configure mod_evasive, edit the .conf file /etc/apache2/conf.d/300-mod_evasive.conf
  • For instructions on how to install mod_evasive on CentOS, please refer to our KB here
  • For instructions on how to install mod_evasive on Ubuntu, please refer to our KB here
  • The mod_evasive configuration parameters are:

# Number of top-level nodes that each child's hash table contains.
DOSHashTableSize 3097

# Maximum number of requests per interval for a single page before the IP address is blocked.
DOSPageCount 2

# Maximum number of requests for any object per IP on the same listener per site before the IP address is blocked.
DOSSiteCount 50

# Interval, in seconds, for the page count.
DOSPageInterval 1

# Interval, in seconds, for the site count.
DOSSiteInterval 1

# Time, in seconds, that an offending IP address stays blocked.
DOSBlockingPeriod 60

# Admin email address that receives the IP blacklist report.
DOSEmailNotify <YOU@YOURMAIL.COM>
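
Before enabling thresholds this tight, it helps to see which clients they would block. The following is an added example, not code from mod_evasive or from this KB: a simplified fixed-window model of the page and site counters, replayed over constructed requests. The replay function, the sample addresses and the rule that the request exceeding the count triggers the block are assumptions of the model.

```python
from collections import defaultdict

# Thresholds copied from the parameter list on this page.
CONFIG = {"DOSPageCount": 2, "DOSSiteCount": 50, "DOSPageInterval": 1,
          "DOSSiteInterval": 1, "DOSBlockingPeriod": 60}

# Constructed sample: (seconds, client IP, URI), sorted by time.
SAMPLE = [
    (0.0, "198.51.100.7", "/index.html"),   # normal page load: three
    (0.1, "198.51.100.7", "/style.css"),    # different objects in one second
    (0.2, "198.51.100.7", "/app.js"),
    (10.0, "203.0.113.9", "/login"),        # same URI three times in < 1 s
    (10.3, "203.0.113.9", "/login"),
    (10.6, "203.0.113.9", "/login"),
    (10.9, "203.0.113.9", "/login"),        # arrives while blocked
    (75.0, "203.0.113.9", "/login"),        # arrives after the block expired
]

def replay(requests, cfg=CONFIG):
    """Return {ip: [times at which a block would start]} under cfg.

    Simplified model (assumption): one fixed window per counter.
    """
    counters = {}        # (ip, uri) or (ip, None) -> (window_start, count)
    blocked_until = {}   # ip -> time the block ends
    blocks = defaultdict(list)

    def over(key, now, interval, limit):
        start, count = counters.get(key, (now, 0))
        if now - start >= interval:          # window expired, start a new one
            start, count = now, 0
        counters[key] = (start, count + 1)
        return count + 1 > limit

    for now, ip, uri in requests:
        if blocked_until.get(ip, 0) > now:
            continue                         # request refused, not counted
        page_hit = over((ip, uri), now, cfg["DOSPageInterval"], cfg["DOSPageCount"])
        site_hit = over((ip, None), now, cfg["DOSSiteInterval"], cfg["DOSSiteCount"])
        if page_hit or site_hit:
            blocked_until[ip] = now + cfg["DOSBlockingPeriod"]
            blocks[ip].append(now)
    return dict(blocks)

if __name__ == "__main__":
    print(replay(SAMPLE))
```

Feeding it timestamps, client IPs and URIs parsed from your own access log shows how many ordinary visitors a DOSPageCount of 2 would have blocked, which is the main false-positive risk to check before rollout.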