First, introduction to mod_evasive
mod_evasive is an anti-DDoS module for Apache (httpd) servers. For web servers it is a good extension module for protection against DDoS attacks. Although it cannot fully defend against DDoS attacks, under certain conditions it can still relieve pressure on the Apache (httpd) server. Used together with iptables, hardware firewalls and other firewall equipment, it may give better results.
Mod_evasive's official address: http://www.zdziarski.com/
Second, mod_evasive working principle
The Apache module mod_evasive uses a hash table to record incoming HTTP requests and applies the configured rules to decide whether to reject a client's request.
Third, mod_evasive installation
wget http://www.zdziarski.com/blog/wp-content/uploads/2010/02/mod_evasive_1.10.1.tar.gz
tar zxvf mod_evasive_1.10.1.tar.gz
cd mod_evasive/
apxs -i -a -c mod_evasive20.c
# Compile, install, and load the module
# Note: apxs is the tool used to compile modules. If Apache came from a system package, apxs is generally located in the /usr/sbin directory. If you compiled and installed Apache (httpd) yourself, specify the path to apxs yourself.
After compilation and installation are complete, a line is automatically inserted into the Apache configuration file. For Apache 2.x, the configuration file should contain a line similar to the following:
LoadModule evasive20_module lib/httpd/modules/mod_evasive20.so
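Fourth, mod_evasive configuration
[root@localhost ~]# vi /etc/httpd/conf/httpd.conf
# Add the following configuration (comments go on their own lines; Apache does not accept a trailing comment after a directive)
<IfModule mod_evasive20.c>
# Hash table size
DOSHashTableSize 3097
# Limit on requests for the same page from one IP per interval
DOSPageCount 2
# Limit on requests to the site from one IP per interval
DOSSiteCount 50
# Page access interval
DOSPageInterval 1
# Site access interval
DOSSiteInterval 1
# Blocking period
DOSBlockingPeriod 60
# Email notification on a suspected attack
DOSEmailNotify xxxx@gmail.com
# On a suspected attack, use the firewall to block the IP from port 80
# (--dport needs -p tcp, and the account running the command must be allowed to run iptables)
DOSSystemCommand "su - onovps -c 'iptables -I INPUT -s %s -p tcp --dport 80 -j DROP'"
# Log directory
DOSLogDir "/var/log/"
# Add whitelist entry
DOSWhitelist 127.0.0.1
</IfModule>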
If you do not know where to insert these lines, the following method also works.
Create a file in the /etc directory, such as mod_evasive.conf:
[root@localhost ~]# touch /etc/mod_evasive.conf
Then add the corresponding content according to your Apache version.
Then modify httpd.conf and add the following as its last line:
Include /etc/mod_evasive.conf
After the modification is complete, restart the Apache server for the configuration to take effect:
/etc/init.d/httpd restart
Fifth, testing mod_evasive
Once the anti-DDoS module is set up, we can verify it with ab, the benchmarking tool that ships with Apache; by default it is installed in the /usr/sbin directory:
[root@localhost ~]# /usr/sbin/ab -n 1000 -c 50 http://www.baidu.com:80/
Note: the example above assumes that your server is the web server for www.baidu.com (substitute your own server's address); it sends 1000 requests in total, 50 at a time.
Another test tool is test.pl, found in the directory where mod_evasive was unpacked; modify the IP address in it and then run:
[root@localhost ~]# perl test.pl
HTTP/1.1 200 OK
HTTP/1.1 403 Forbidden
Whether the module is effective can be judged from the output of the ab tool or the test script.
Note: because we used the default configuration when compiling mod_evasive, the logs are stored in the /tmp directory. If there is a DDoS attack, logs will be generated in /tmp; the log file names begin with dos-.
Sixth, detailed configuration parameters
DOSHashTableSize 3097: Defines the hash table size.
DOSSiteCount 50: Maximum concurrent connections allowed per client.
DOSPageCount 2: How often a client may access the same page within the interval.
DOSPageInterval 1: Page access counter interval.
DOSSiteInterval 1: Site-wide access counter interval.
DOSBlockingPeriod 60: How long access is denied after an IP is added to the blacklist.
DOSEmailNotify xxxx@gmail.com: Notify the administrator when an IP is blacklisted.
DOSSystemCommand "sudo iptables -A INPUT -s %s -j DROP": System command executed when an IP is blacklisted.
DOSLogDir "/tmp": Temp directory for the lock mechanism; log directory.
DOSWhitelist 127.0.0.1: Whitelist; whitelisted IPs are not blocked.
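The counting described under the working principle and the parameters listed above can be modelled in a few lines. This is an added example, not code from mod_evasive or from the original article: EvasiveModel, check and replay are hypothetical names, the traffic is constructed, and the counting details (a counter restarts after a quiet interval, hits while blocked restart the block timer) are assumptions of this model.

```python
from dataclasses import dataclass, field

@dataclass
class EvasiveModel:
    """Toy model of per-IP request counting; field names mirror the directives."""
    page_count: int = 2
    page_interval: float = 1
    site_count: int = 50
    site_interval: float = 1
    blocking_period: float = 60
    whitelist: tuple = ("127.0.0.1",)
    hits: dict = field(default_factory=dict)     # stands in for the hash table
    blocked: dict = field(default_factory=dict)  # ip -> time of last blocked hit

    def _exceeds(self, key, now, limit, interval):
        last, count = self.hits.get(key, (now, 0))
        if now - last >= interval:   # quiet for a whole interval: count afresh
            count = 0
        over = count >= limit        # limit already used up inside the interval
        self.hits[key] = (now, count + 1)
        return over

    def check(self, ip, uri, now):
        """Return the status this model gives the request: 200 or 403."""
        if ip in self.whitelist:
            return 200
        if ip in self.blocked and now - self.blocked[ip] < self.blocking_period:
            self.blocked[ip] = now   # assumption: hits while blocked restart the timer
            return 403
        page_over = self._exceeds((ip, uri), now, self.page_count, self.page_interval)
        site_over = self._exceeds((ip, None), now, self.site_count, self.site_interval)
        if page_over or site_over:
            self.blocked[ip] = now
            return 403
        return 200

def replay(model, requests):
    """Run constructed (time, ip, uri) tuples through the model."""
    return [model.check(ip, uri, t) for t, ip, uri in requests]

# Constructed traffic: three quick hits on one page, then retries at 30 s, 70 s and 135 s.
SAMPLE = [(t, "203.0.113.7", "/index.html") for t in (0.0, 0.2, 0.4, 30.0, 70.0, 135.0)]

if __name__ == "__main__":
    print(replay(EvasiveModel(), SAMPLE))
```

In this model the retry at 70 s is still rejected because the retry at 30 s restarted the block timer; a client that stays quiet for the full blocking period is served again.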
Seventh, advanced configuration of mod_evasive
Some parameters have no effect when changed through the configuration file. To change them, modify mod_evasive.c (for Apache 1.x) or mod_evasive20.c (for Apache 2.x) in the source package:
#define DEFAULT_HASH_TBL_SIZE 3097ul // Default hash table size
#define DEFAULT_PAGE_COUNT 2 // Default maximum page hit count per interval
#define DEFAULT_SITE_COUNT 50 // Default maximum site hit count per interval
#define DEFAULT_PAGE_INTERVAL 1 // Default 1 second page interval
#define DEFAULT_SITE_INTERVAL 1 // Default 1 second site interval
#define DEFAULT_BLOCKING_PERIOD 10 // Default for detected IPs; blocked for ten seconds
#define DEFAULT_LOG_DIR "/tmp" // Default temp directory
For example, we can change these numbers; the English comments make them easy to understand. To change the log storage directory, change /tmp to another directory. If you do not know where best to put it, just use the default.
If you change the parameters here, do not forget to change the corresponding mod_evasive parameters in the Apache configuration file.
If you want to add other parameters, refer to the README in the source package, which has detailed instructions; most of them are not really necessary ...
This file is very important; if you want to change some settings, you need to modify this file ...
Eighth, summary
mod_evasive is still of some use; for Apache servers it is currently a fairly good extension module for protection against DDoS attacks. Although it cannot fully defend against DDoS attacks, under certain conditions it can still relieve pressure on the Apache (httpd) server. Used together with iptables, hardware firewalls and other firewall equipment, it may give better results. Installation is also effortless. If you need it, you will think of this module.