View Full Version : DOS Attacks and mod_evasive

WestHost - DWinans
03-14-2008, 08:55 AM
Dear Clients,

I thought this may be of some use to those who may deal with DoS attacks in the future. There is an Apache module called mod_evasive you can install to help mitigate the affects of DoS/DDoS attacks. It's fairly easy to install, so I figured I'd include the instructions here.

Just a run down in simple terms of what the module does. It keeps a table of IP addresses to URI's. It dynamically blacklists IP addresses based on thresholds you set in the configuration. It also has a timer, if an IP is black listed it stays blacklisted till the timer runs out. If that IP doesn't send any other requests it is de-listed. However if it sends subsequent requests then the timer starts over, and the IP ramains blacklisted. If an IP is blacklisted it is handed the 403 forbidden message. Its fairly simple and can prove quite useful, I'd probably recommend you install it before you're actually under attack however :)

Here are the steps I took to get it going on my 3.0 account.

//Make a directory for the source files

cd ~
mkdir mod_evasive
cd mod_evasive

//Get the source files

wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz

//Extract the files

tar -zxf mod_evasive_1.10.1.tar.gz

//Add the module via the Apache Extensions tool

cd mod_evasive
/usr/sbin/apxs -cia mod_evasive20.c

//Edit your apache configuration, find the last load module line.
LoadModule evasive20_module /usr/lib/httpd/modules/mod_evasive20.so

//Add the following below it

<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10

//run a config test and httpd -t to make sure you have no configuration errors.

[/etc/httpd/conf]$ apachectl configtest
Syntax OK
[/etc/httpd/conf]$ httpd -t
Syntax OK

//Restart apache

apachectl restart

You're done! You can fine tune the settings however you see fit. The source comes with a README file that explains everything in detail, including a whitelist feature as well as a directive for receiving email notifications.

03-14-2008, 02:16 PM
For those cut and pasters... the download link is

wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
Copying the link from above will produce an error

05-25-2008, 09:51 AM
Unfortunately, I followed these instructions and I get this error:

Syntax error on line 190 of /etc/httpd/conf/httpd.conf:
Cannot load /usr/lib/httpd/modules/mod_evasive20.so into server: /usr/lib/httpd/modules/mod_evasive20.so: cannot open shared object file: No such file or directory

And when I try to re-install, following the instructions again, I now get this message:

/usr/sbin/apxs -cia mod_evasive20.c
cannot open /usr/lib/httpd/build/config_vars.mk: No such file or directory at /usr/sbin/apxs line 196.

Furthermore, something obviously went wrong, since this command:

find / -name mod_evasive20.so

Produces nothing. At all. So something went wrong and the module wasn't installed, and now I'm not sure how to clear it. Help?

05-26-2008, 05:20 AM
To clear it all you need to do is remove the edits to the httpd.conf file.

You should have a /usr/home/[yourusername]/mod_evasive/mod_evasive if you followed the directions in this post and in that directory should be a mod_evasive20.c file.

When you ran:

/usr/sbin/apxs -cia mod_evasive20.c What output did you receive if any?

If that command failed then more then likely you need to install the GNU Compliler (http://www.helpdocs.westserver.net/sitemanager/SA_GNU_Compiler.htm) via your Site Manager.

05-26-2008, 05:47 AM
I thought I would add a bit of information about the instructions that DWinans posted.

First the line of code in httpd.conf that reads:

LoadModule evasive20_module /usr/lib/httpd/modules/mod_evasive20.so
is not somthing you add but should be added when you run:

/usr/sbin/apxs -cia mod_evasive20.c

Second the code block under "//run a config test and httpd -t to make sure you have no configuration errors." in his instructions may be a bit confusing to some. If you are a cut and past type person then this is the code you would actually run:

cd /etc/httpd/conf

apachectl configtest

httpd -t
I placed them each in thier own code box for easy cut and past. :) The other code in DWinans code box is the output generated from the above commands if everything is ok.

Also when you run the command:

/usr/sbin/apxs -cia mod_evasive20.c
You should get output similar to this:

/bin/sh /usr/lib/apr/build/libtool --silent --mode=compile gcc -prefer-pic -O2 -g -pipe -m32 -march=i386 -mtune=pentium4 -DAP_HAVE_DESIGNATED_INITIALIZER -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE -pthread -I/usr/include/apr-0 -I/usr/include/httpd -c -o mod_evasive20.lo mod_evasive20.c && touch mod_evasive20.slo
/bin/sh /usr/lib/apr/build/libtool --silent --mode=link gcc -o mod_evasive20.la -rpath /usr/lib/httpd/modules -module -avoid-version mod_evasive20.lo
/usr/lib/httpd/build/instdso.sh SH_LIBTOOL='/bin/sh /usr/lib/apr/build/libtool' mod_evasive20.la /usr/lib/httpd/modules
/bin/sh /usr/lib/apr/build/libtool --mode=install cp mod_evasive20.la /usr/lib/httpd/modules/
cp .libs/mod_evasive20.so /usr/lib/httpd/modules/mod_evasive20.so
cp .libs/mod_evasive20.lai /usr/lib/httpd/modules/mod_evasive20.la
cp .libs/mod_evasive20.a /usr/lib/httpd/modules/mod_evasive20.a
ranlib /usr/lib/httpd/modules/mod_evasive20.a
chmod 644 /usr/lib/httpd/modules/mod_evasive20.a
PATH="$PATH:/sbin" ldconfig -n /usr/lib/httpd/modules
Libraries have been installed in:

If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR'
flag during linking and do at least one of the following:
- add LIBDIR to the `LD_LIBRARY_PATH' environment variable
during execution
- add LIBDIR to the `LD_RUN_PATH' environment variable
during linking
- use the `-Wl,--rpath -Wl,LIBDIR' linker flag
- have your system administrator add LIBDIR to `/etc/ld.so.conf'

See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
chmod 755 /usr/lib/httpd/modules/mod_evasive20.so
[activating module `evasive20' in /etc/httpd/conf/httpd.conf]

Also since I know that there are WestHost clients that use Frontpage Extensions and they may not read the README file that comes with this module I'll go ahead and post this..


- This module appears to conflict with the Microsoft Frontpage Extensions.
Frontpage sucks anyway, so if you're using Frontpage I assume you're asking
for problems, and not really interested in conserving server resources anyway.

I hope this helps others down the line when they try to install this.