Setting up the Apache anti-DDoS module mod_evasive

Source: Internet
Author: User

mod_evasive is an anti-DDoS module for the Apache (httpd) server and a useful extension for protecting web servers against DDoS attacks. It cannot fully defend against DDoS attacks, but under certain conditions it can relieve the pressure on the Apache (httpd) server. Combined with iptables, hardware firewalls, and other firewall devices, it may give better results.

I recently set out to configure iptables to limit the number of concurrent connections per IP. While configuring iptables, however, I found that because the Linux kernel version is relatively old, iptables does not support the connlimit module. I then thought of compiling the connlimit module into the kernel, but unfortunately an OpenVZ VPS does not support compiling the kernel. So I used the Apache anti-DDoS module mod_evasive instead; the installation and configuration are as follows:

First, download and install the module

wget http://www.zdziarski.com/blog/wp-content/uploads/2010/02/mod_evasive_1.10.1.tar.gz
tar zxvf mod_evasive_1.10.1.tar.gz
cd mod_evasive

# 1. For Apache 1.x, compile as follows:
/usr/local/apache/bin/apxs -iac mod_evasive.c

# 2. For Apache 2.x, use:
/usr/local/apache/bin/apxs -i -a -c mod_evasive20.c

Second, add the module configuration to httpd.conf

For Apache v1.x, add:

<IfModule mod_evasive.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
</IfModule>

For Apache v2.x, add:

<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
</IfModule>

Parameter descriptions:

# Size of the table that records and stores the blacklist. Increase this value if the server handles heavy traffic.
DOSHashTableSize 3097
# Number of times the same user may request the same page within the same time span. Requests above this number are treated as an attack. The time span is set with DOSPageInterval.
DOSPageCount 5
# Number of requests the same user may have open on the same site at the same time. The time span is set with DOSSiteInterval.
DOSSiteCount 100
# Length of the time span used for DOSPageCount; the default value is 1.
DOSPageInterval 2
# Length of the time span used for DOSSiteCount; the default value is 1.
DOSSiteInterval 2
# Time in seconds that a client stays blocked; during this period it receives 403 (Forbidden).
DOSBlockingPeriod 3600
# E-mail address that receives attack notifications. The administrator is notified when an IP is added to the blacklist.
DOSEmailNotify [email protected]
# System command executed after an IP is added to the blacklist.
DOSSystemCommand "sudo iptables -A INPUT -s %s -j DROP"
# Directory for the attack log, also used as the temporary directory for the lock mechanism. Create the mod_evasive directory manually and check its permissions: it must belong to the user that runs Apache.
DOSLogDir "/usr/local/webserver/apache2/logs/mod_evasive"
# Whitelist
DOSWhitelist 127.0.0.1
DOSWhitelist 192.168.12.*

It is fair to say that a server cannot be fully protected against DDoS attacks, but on an Apache server some modules can be installed to mitigate them to some extent.
For example, the third-party module mod_evasive protects Apache against DDoS attacks by blocking large numbers of requests from the same IP for the same URI. Its options let you:
– Limit the number of times a page or file is requested by the same IP within a certain number of seconds.
– Limit the same IP to only 50 requests in one second.
– Set how long a blocked IP stays blocked.

1. First download mod_evasive_1.10.1.tar.gz and extract it:
# tar zxvf mod_evasive_1.10.1.tar.gz
We do not install it yet. The extracted files include test.pl, a server test script written in Perl. We first test the server with it (before installing anything to mitigate DDoS):
# cd mod_evasive
# chmod 755 test.pl
# ./test.pl
HTTP/1.1 200 OK
HTTP/1.1 200 OK
...... (without any protection against DDoS attacks, every request is served normally)

2. Install (the Apache version I use here is 2.2.8)
# /usr/local/apache2/bin/apxs -i -a -c mod_evasive20.c
(apxs is the tool for compiling modules. Check your own server's Apache installation directory; the path may not be the same as mine.)
Note: if apxs is not available, install httpd-devel or apache-dev.
The module is automatically compiled and installed into /usr/local/apache2/modules, and the line LoadModule evasive20_module modules/mod_evasive20.so is automatically added to httpd.conf.

3. Configure
# vi /etc/httpd.conf
<IfModule mod_evasive20.c>
# Size of the table that records and stores the blacklist. Increase this value if the server handles heavy traffic.
DOSHashTableSize 3097
# Number of times the same user may request the same page within the same time span. Requests above this number are treated as an attack. The time span is set with DOSPageInterval.
DOSPageCount 5
# Length of the time span used for DOSPageCount; the default value is 1.
DOSPageInterval 2
# Number of requests the same user may have open on the same site at the same time. The time span is set with DOSSiteInterval.
DOSSiteCount 100
# Length of the time span used for DOSSiteCount; the default value is 1.
DOSSiteInterval 2
# Time in seconds that a client stays blocked; during this period it receives 403 (Forbidden).
DOSBlockingPeriod 3600
# E-mail address that receives attack notifications.
DOSEmailNotify [email protected]
# Directory for the attack log. Check its permissions: it must belong to the user that runs Apache.
DOSLogDir "/var/log/mod_evasive"
# IPs on the trusted list are never blocked. The list is mainly intended to keep software, scripts, local search bots, or other automated tools from being blocked when they request large amounts of data from the server. Do not use it to add customers or any other category of people, as this would hinder the normal operation of this module. Trusted addresses (which can be IP ranges) are added to the Apache configuration file in the following format:
DOSWhitelist 127.0.0.1
DOSWhitelist 127.0.0.*
# Wildcards can be used on the last three octets of the IP address, and the directive can be repeated.
</IfModule>

Create the directory for the log files specified above:
# mkdir /var/log/mod_evasive
Restart Apache.
Test again with ./test.pl:
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
You can see that some requests now receive 403 Forbidden, which shows that the configuration works.
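
The switch from OK to 403 Forbidden in the test output follows from the counters that the directives configure. The sketch below is an added example, not mod_evasive's code and not part of the original page: a simplified Python model for trying threshold values against a request timeline before deploying them. It assumes fixed counting windows and a block timer that restarts on every refused hit, and all client addresses and timelines are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class EvasiveModel:
    """Simplified per-IP counters; not mod_evasive's actual implementation."""
    page_count: int = 5            # DOSPageCount
    page_interval: float = 2       # DOSPageInterval, seconds
    site_count: int = 100          # DOSSiteCount
    site_interval: float = 2       # DOSSiteInterval, seconds
    blocking_period: float = 3600  # DOSBlockingPeriod, seconds
    hits: dict = field(default_factory=dict)     # key -> (window start, count)
    blocked: dict = field(default_factory=dict)  # ip -> time of last refused hit

    def _over_limit(self, key, now, limit, interval):
        start, count = self.hits.get(key, (now, 0))
        if now - start >= interval:   # window expired, start a new one
            start, count = now, 0
        self.hits[key] = (start, count + 1)
        return count + 1 > limit

    def request(self, ip, uri, now):
        """Return the status (200 or 403) the model gives this request."""
        last = self.blocked.get(ip)
        if last is not None and now - last < self.blocking_period:
            self.blocked[ip] = now    # assumption: a refused hit restarts the timer
            return 403
        page = self._over_limit((ip, uri), now, self.page_count, self.page_interval)
        site = self._over_limit((ip, None), now, self.site_count, self.site_interval)
        if page or site:
            self.blocked[ip] = now
            return 403
        return 200

def replay(model, events):
    """events: iterable of (time in seconds, client IP, URI)."""
    return [model.request(ip, uri, t) for t, ip, uri in events]

# Constructed timelines; 203.0.113.0/24 is a documentation address range.
BURST = [(i * 0.1, "203.0.113.7", "/index.html") for i in range(9)]   # script-like
BROWSE = [(i * 1.0, "203.0.113.8", "/index.html") for i in range(9)]  # one hit/second
# Constructed: 30 users behind one NAT address, 4 different pages each, in one second.
NAT = [(i / 120, "203.0.113.9", f"/page{i}") for i in range(120)]

if __name__ == "__main__":
    for name, events in (("burst", BURST), ("browse", BROWSE), ("nat", NAT)):
        print(name, replay(EvasiveModel(), events))
```

The NAT timeline is the false-positive case to check when tuning: no single page exceeds DOSPageCount, but the shared address exceeds DOSSiteCount and every user behind it is refused.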

Under certain circumstances this can resist DDoS attacks. Of course, if the server itself cannot withstand the load, or the bandwidth is insufficient, DDoS is still relatively difficult to defend against, but every part of an attack we can fend off counts.

---------------------------------------

Installing mod_evasive under Windows
There is no official Windows version; the build used here was compiled by an expert who made some changes. It disables these features: mail notification and logging to a standalone file.
Build environment: Windows XP, VC++ 8, Apache 2.2.3 (environment set up for Windows 2003 SP1)

LoadModule dosevasive22_module modules/mod_dosevasive22.dll
<IfModule dosevasive22_module>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
</IfModule>

