How To Protect Your Apache Against DDoS With mod_evasive
In 2019 we have seen a surge in the number of Distributed Denial of Service (DDoS) attacks. According to Kaspersky researchers, the number of DDoS attacks has gone up by 84% this year, and the prediction is that these attacks will become more sophisticated and more common. As a web admin you should explore different options to harden your server and increase your resilience against DoS, DDoS or brute-force attacks. You can take some basic steps to protect your website: for instance, if you are using the Apache HTTP Server, you can enable the mod_evasive module to add a layer of protection against DDoS and brute-force attacks. In the event of an HTTP DDoS attack, mod_evasive takes evasive action. It records the incoming traffic to Apache (IPs and URLs) and blocks an IP if it exceeds a threshold, for example when it:
- Makes multiple requests per second
- Makes multiple concurrent connections
mod_evasive emails abuse reports to the web admin, and it can be configured to talk to your firewall.
Following are the step-by-step instructions on how to install mod_evasive:
- If you have cPanel/WHM, you can install mod_evasive from the interface via (WHM -> Home -> Software -> EasyApache 4) and run the following command: yum install ea-apache24-mod_evasive
- To configure mod_evasive, edit the .conf file /etc/apache2/conf.d/300-mod_evasive.conf
- For instructions on how to install mod_evasive on CentOS, please refer to our KB here
- For instructions on how to install mod_evasive on Ubuntu, please refer to our KB here
- mod_evasive configuration parameters are:
```apache
# Number of top-level nodes that each child's hash table contains
DOSHashTableSize 3097
# Maximum number of requests per interval for a single page before the IP address is blocked
DOSPageCount 2
# Maximum number of requests for any object per IP on the same listener per site interval before the IP address is blocked
DOSSiteCount 50
# Interval, in seconds, for the page count
DOSPageInterval 1
# Interval, in seconds, for the site count
DOSSiteInterval 1
# Time, in seconds, that an IP address stays blocked
DOSBlockingPeriod 60
# Admin email address that receives the IP blacklist report (replace the placeholder)
DOSEmailNotify YOU@YOURMAIL.COM
```
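Before enforcing these thresholds, it helps to replay an existing access log through them and see which clients would have been blocked. The following is an added example, not code from mod_evasive or from the original article: a simplified model of the page and site counters, where the names `parse`, `simulate`, `LIMITS` and `SAMPLE` and the sample log lines are constructed for illustration.

```python
import re
from datetime import datetime

# Defaults mirror the values in the configuration listed above.
LIMITS = dict(page_count=2, site_count=50, page_interval=1,
              site_interval=1, blocking_period=60)
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)')
# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [10/Oct/2019:13:55:36 +0000] "GET /login.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2019:13:55:36 +0000] "GET /login.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2019:13:55:36 +0000] "GET /login.php HTTP/1.1" 200 512',
    '198.51.100.20 - - [10/Oct/2019:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '198.51.100.20 - - [10/Oct/2019:13:55:37 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

def parse(line):
    """Return (epoch_seconds, ip, uri) for a common/combined log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return int(ts), m.group(1), m.group(3)

def simulate(lines, **overrides):
    """Replay log lines; return (epoch, ip, reason) each time an IP gets blocked."""
    cfg = {**LIMITS, **overrides}
    counters = {}       # (ip, uri or "*site*") -> [window_start, count]
    blocked_until = {}  # ip -> epoch at which the block expires
    events = []
    for now, ip, uri in filter(None, map(parse, lines)):
        if blocked_until.get(ip, 0) > now:
            # A request made while blocked restarts the blocking period.
            blocked_until[ip] = now + cfg["blocking_period"]
            continue
        for key, limit, interval, reason in (
                (uri, cfg["page_count"], cfg["page_interval"], "page"),
                ("*site*", cfg["site_count"], cfg["site_interval"], "site")):
            slot = counters.setdefault((ip, key), [now, 0])
            if now - slot[0] >= interval:  # window expired: start a new one
                slot[:] = [now, 0]
            slot[1] += 1
            if slot[1] > limit:
                blocked_until[ip] = now + cfg["blocking_period"]
                events.append((now, ip, reason))
                break
    return events

if __name__ == "__main__":
    print(simulate(SAMPLE))
```

Running it over a day of real logs with different `page_count` and `site_count` overrides shows how many legitimate clients a given setting would have blocked.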