How to Use mod_evasive of the anti-DDOS module of Apache (httpd) Server

 
Tests show that:
When mod_evasive successfully blocks an ip address, apache logs still have access records;
 
 
Official Address of mod_evasive: http://www.zdziarski.com/
Projects
Mod_evasive
 
Wget http://www.zdziarski.com/blog/wp-content/uploads/2010/02/mod_evasive_1.10.1.tar.gz
Tar zxvf mod_evasive_1.10.1.tar.gz
Cd mod_evasive
/Usr/local/webserver/apache2/bin/apxs-I-a-c mod_evasive1_c
 
Finally:
Libraries have been installed in:
/Usr/local/webserver/apache2 // modules
If you ever happen to want to link against installed libraries
In a given directory, LIBDIR, you must either use libtool, and
Specify the full pathname of the library, or use the '-llibdir'
Flag during linking and do at least one of the following:
-Add LIBDIR to the 'LD _ LIBRARY_PATH 'environment variable
During execution
-Add LIBDIR to the 'LD _ RUN_PATH 'environment variable
During linking
-Use the '-Wl,-rpath-Wl, libdir' linker flag
-Have your system administrator add LIBDIR to '/etc/ld. so. conf'
See any operating system documentation about shared libraries
More information, such as the ld (1) and ld. so (8) manual pages.
----------------------------------------------------------------------
Chmod 755/usr/local/webserver/apache2 // modules/mod_evasiveappsso
[Activating module 'evasive20' in/usr/local/webserver/apache2 // conf/httpd. conf]
 
 
View httpd. conf
Vim/usr/local/webserver/apache2/conf/httpd. conf
Automatically added
LoadModule evasive20_module modules/mod_evasive+so
Then, modify the Apache configuration file named httpd. conf;
 
 
Modify httpd. conf
LoadModule rpaf_module modules/mod_rpaf-2.0.so
LoadModule evasive20_module modules/mod_evasive+so
 
 
....
<IfModule mod_rpaf-2.0.c>
RPAFenable On
RPAFproxy_ips 127.0.0.1 192.168.12.201 192.168.12.202 192.168.12.203
RPAFsethostname On
RPAFheader X-Forwarded-
</IfModule>
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 10
DOSSiteCount 100
DOSPageInterval 2
DOSSiteInterval 2
DOSBlockingPeriod 360
DOSEmailNotify *** @ qq.com
DOSLogDir "/usr/local/webserver/apache2/logs/mod_evasive"
DOSWhiteList 192.168.12 .*
</IfModule>
 
 
 
 
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
# Record and store the size of the blacklist table. If the server access volume is large, you can increase the value.
DOSPageCount 5
# The number of times that the same page can be accessed by the same user within the same time period. If this number is exceeded, the page is listed as an attack. The value at the same time can be set in the DosPageInterval parameter.
DOSSiteCount 100
# The number of regions that a user can open on the same website at the same time. The value of the same time is set in DOSSiteInterval.
DOSPageInterval 2
# Set the time length standard in DOSPageCount. The default value is 1.
DOSSiteInterval 2
Set the time length standard in DOSSiteCount. The default value is 1.
DOSBlockingPeriod 3600
# The interval of the blocked time is seconds. In the middle, 403 (Forbidden) is returned.
DOSEmailNotify **. @ qq.com
# Set the email address for Receiving Attack Information prompts when the attacker is attacked. Notify the Administrator after an IP address is added to the blacklist.
DOSSystemCommand "sudo iptables-a input-s % s-j DROP ":
# System commands executed after the IP address is added to the blacklist.
DOSLogDir "/usr/local/webserver/apache2/logs/mod_evasive" # manually create the directory mod_evasive, which stores attack logs. Note that the permission for this directory is the user who runs the apache program. Temporary directory of Lock Mechanism
# Whitelist
DOSWhiteList 127.0.0.1
DOSWhiteList 192.168.12 .*
</IfModule>
 
 
 
If you do not know where to insert these data, you can use the following method;
Create a file in the/etc directory, such as mod_evasive.conf;
 
 
# Touch/etc/mod_evasive.conf
Add the corresponding content according to your Apache version;
Next, modify httpd. conf and add it to the last line.
 
 
Include/etc/mod_evasive.conf
After modification, restart the Apache server;
Service apachectl restart
-------------------------------- Test and verify mod_evasive;
1. After the anti-DDOS module is ready, we can verify it. We can use the AB tool that comes with Apache. The system is installed in the/usr/sbin directory by default. For example;
 
 
/Usr/local/webserver/apache2/bin/AB-n 1000-c 50 http ://****
Note: In the above example, if your server is a google WEB server, we want to send a data request packet, a total of 1000, each concurrency of 50;
 
 
 
 
2. Another test tool is test. pl in the directory of the decompressed package of mod_evasive. Modify the IP address of test. pl.
 
Chmod 755 test. pl
./Test. pl
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
 
 
Test Results
At this time, you can find a log file under your/usr/local/webserver/apache2/logs/mod_evasive directory.
Similar files: dos-192.168.12.201 and 192.168.12.201 indicate that the attacked ip address is recorded.
 
 
 
 
Email content:
To: *** @ qq.com
Subject: http blacklist 192.168.12.202
Mod_evasive HTTP Blacklisted 192.168.12.202
 
 
====================== Install the rpaf module for apache. This module is used to obtain the visitor's real IP address when apache is working on the backend.
 
Wget http://stderr.net/apache/rpaf/download/mod_rpaf-0.6.tar.gz
 
 
 
Install the rpaf module for apache. This module is used to obtain the visitor's real IP address when apache is working on the backend.
1. Use apxs to install the module. here you need to use the apxs after apache compilation and installation.
Cd/tmp
Tar-zxf mod_rpaf-0.6.tar.gz
Cd mod_rpaf-0.6
/Usr/local/webserver/apache2/bin/apxs-I-c-n mod_rpaf-2.0.so mod_rpaf-2.0.c
 
 
2. Edit/usr/local/apache/conf/httpd. conf, add module parameters, find LoadModule php5_module modules/libphp5.so, and add below:
LoadModule rpaf_module modules/mod_rpaf-2.0.so
 
 
<IfModule mod_rpaf-2.0.c>
RPAFenable On
RPAFproxy_ips 127.0.0.1 192.168.12.201 192.168.12.202 192.168.12.203
RPAFsethostname On
RPAFheader X-Forwarded-
</IfModule>
 
 
This block should be on <IfModule mod_evasive1_c>
Modify the ip address of the web service you are listening.
# Enter the Intranet IP address of Nginx.
Multiple IP addresses are opened with spaces.
 
 
========================================================== ========================================================== =====
 
 
The predecessor of mod_evasive is mod_dosevasive.
 
Download mod_evasive
Http://www.nuclearelephant.com/projects/mod_evasive
 
# Tar zxvf mod_evasive_1.10.1.tar.gz
# Cd mod_evasive_1.10.1
 
#/Usr/local/apache/bin/apxs-I-a-c mod_evasive20.c
 
Open the httpd. conf file
Check whether
LoadModule evasive20_module modules/mod_evasive+so
If not, add it.
 
And join
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
</IfModule>
 
 
 
Bytes ------------------------------------------------------------------------------------------------
Add mod_evasive apache to ispcp to defend against DDOS attacks
 
Mod_evasive is a DDOS protection module for Apache (httpd) servers. For WEB servers, It is a better extension module to defend against DDOS attacks. Although it cannot completely defend against DDOS attacks, under certain conditions, it still slows down the load on Apache (httpd) servers. If you use it with iptables, hardware firewalls, and other firewall devices, it may be better. Unfortunately, LinuxSir. Org does not have a hardware firewall, so I cannot verify whether such a combination works better.
 
Mod_evasive address: http://www.zdziarski.com/projects/mod_evasive
 
 
2. installation and configuration of mod_evasive;
 
 
 
2.1 mod_evasive;
 
 
Mod_evasive_1.10.1.tar.gz
 
 
2.2 installation of mod_evasive;
 
 
Before installing mod_evasive, you must install the Apache (httpd) server package and httpd-devel or apache-dev. In Slackware 12.0, install the httpd software;
 
Use the following compilation method for Apache 1.x;
 
#/Usr/sbin/apxs-iac mod_evasive.c
The following method can be used for Apache 2.x;
 
# Tar zxvf mod_evasive_1.10.1.tar.gz
# Cd mod_evasive
#/Usr/sbin/apxs-I-a-c mod_evasive1_c
Note: apxs is used to compile the module tool. If it is a software package that comes with the system, it is generally located in the/usr/sbin directory. If you compile and install Apache (httpd) by yourself, you should specify the path by yourself;
 
Then modify/etc/ld. so. conf file to specify the location of the compiled dynamic module in ld. so. conf. For example, if Aapche 2.x is used, after compilation, the module mod_evasive20.so is installed in the/usr/lib/httpd/modules directory. We need to write this directory to the ld. so. conf.
 
# Echo "/usr/lib/httpd/modules">/etc/ld. so. conf
# Ldconfig
Note: The specifics should be subject to your system environment. Do not copy them. If you are not familiar with Linux;
 
 
2.3 mod_evasive configuration;
 
 
After compilation and installation are complete, a line is automatically inserted into the Apache configuration file. For Apache 2.x, a line similar to the following should be included in the configuration file;
 
LoadModule evasive20_module lib/httpd/modules/mod_evasive+so
For Apache 1.x, it should be similar, but the paths are basically different;
 
Then, modify the Apache configuration file named httpd. conf;
 
To add Apache v1.x;
 
<IfModule mod_evasive.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
</IfModule>
Add in Apache v2.x;
 
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
</IfModule>
If you do not know where to insert these data, you can use the following method;
 
Create a file in the/etc directory, such as mod_evasive.conf;
 
# Touch/etc/mod_evasive.conf
Add the corresponding content according to your Apache version;
 
Next, modify httpd. conf and add it to the last line.
 
Include/etc/mod_evasive.conf
After modification, restart the Apache server;
 
For example, to restart Apache 2.x in Slackware 12.0, we need to use
 
#/Etc/rc. d/rc. httpd restart
Apache in Redhat, Fededora, Debian, Ubuntu, and CentOS can be used;
 
#/Etc/init. d/httpd restart
Or
#/Etc/init. d/apache restart
This is basically the case ......
 
 
2.4 test and verify mod_evasive;
 
 
After the anti-DDOS module is ready, we can verify it. We can use the AB tool that comes with Apache. The system is installed in the/usr/sbin directory by default; for example;
 
#/Usr/sbin/AB-n 1000-c 50 http://www.google.com: 80/
Note: In the above example, if your server is a google WEB server, we want to send a data request packet, a total of 1000, each concurrency of 50;
 
Another test tool is the directory of the decompressed package of mod_evasive, which contains test. pl. You can modify the IP address and then use
 
# Perl test. pl
Is it effective? Check the result based on the AB tool or test script;
 
Because the default configuration is used when mod_evasive is compiled, logs are stored in the/tmp directory. If DDOS attacks occur, logs are generated in/tmp. Log Files start with dos;
 
 
3. Advanced Configuration of mod_evasive;
 
 
If you want to change some of the parameters that suit you, some of the necessary parameters do not work through the configuration file modification, we need to modify the mod_evasive.c (Apache 1. x) or mod_evasive20.c (Apache 2. x );
 
# Define DEFAULT_HASH_TBL_SIZE 3097ul // Default hash table size
# Define DEFAULT_PAGE_COUNT 2 // Default maximum page hit count per interval
# Define DEFAULT_SITE_COUNT 50 // Default maximum site hit count per interval
# Define DEFAULT_PAGE_INTERVAL 1 // Default 1 Second page interval
# Define DEFAULT_SITE_INTERVAL 1 // Default 1 Second site interval
# Define DEFAULT_BLOCKING_PERIOD 10 // Default for Detected IPs; blocked for 10 seconds
# Define DEFAULT_LOG_DIR "/tmp" // Default temp directory
For example, it is easy to understand the numbers in English. For example, modify the log storage directory and change/tmp to another directory. If you do not know where to store the data, use the default setting;
 
If you have changed the parameters here, do not forget to modify the mod_evasive parameter in the Apache configuration file;
 
If you want to add some other parameters, please refer to the README in the source code package, which has detailed instructions. Most of them are not necessary ......
 
This file is very important. If you want to change some settings, You need to modify this file ......

From a blog