
EVASIVE DDoS securing module

For openSUSE Leap 42.3 run the following as root:

zypper addrepo https://download.opensuse.org/repositories/Apache:Modules/openSUSE_Leap_42.3/Apache:Modules.repo
zypper refresh
zypper install apache2-mod_evasive
  • The default config is in /etc/apache2/conf.d/mod_evasive.conf (open it with vim /etc/apache2/conf.d/mod_evasive.conf):
<IfModule mod_evasive24.c>
	#
	# The hash table size defines the number of top-level nodes for each
	# child's hash table. Increasing this number will provide faster
	# performance by decreasing the number of iterations required to get to
	# the record, but consume more memory for table space. You should
	# increase this if you have a busy web server. The value you specify
	# will automatically be tiered up to the next prime number in the
	# primes list (see mod_evasive.c for a list of primes used).
	#
	DOSHashTableSize    3097

	#
	# This is the threshold for the number of requests for the same page
	# (or URI) per page interval. Once the threshold for that interval has
	# been exceeded, the IP address of the client will be added to the
	# blocking list.
	#
	DOSPageCount        2

	#
	# This is the threshold for the total number of requests for any
	# object by the same client on the same listener per site interval.
	# Once the threshold for that interval has been exceeded, the IP
	# address of the client will be added to the blocking list.
	#
	DOSSiteCount        50

	#
	# The interval for the page count threshold; defaults to 1 second
	# intervals.
	#
	DOSPageInterval     1

	#
	# The interval for the site count threshold; defaults to 1 second
	# intervals.
	#
	DOSSiteInterval     1

	#
	# The blocking period is the amount of time (in seconds) that a client
	# will be blocked for if they are added to the blocking list. During
	# this time, all subsequent requests from the client will result in a
	# 403 (Forbidden) and the timer being reset (e.g. another 10 seconds).
	# Since the timer is reset for every subsequent request, it is not
	# necessary to have a long blocking period; in the event of a DoS
	# attack, this timer will keep getting reset.
	#
	DOSBlockingPeriod   10

	#
	# If this value is set, an email will be sent to the address specified
	# whenever an IP address becomes blacklisted. A locking mechanism using
	# /tmp prevents continuous emails from being sent.
	#
	# NOTE: Requires /bin/mail (provided by mailx)
	#
	#DOSEmailNotify      you@yourdomain.com

	#
	# If this value is set, the system command specified will be executed
	# whenever an IP address becomes blacklisted. This is designed to
	# enable system calls to ip filter or other tools. A locking mechanism
	# using /tmp prevents continuous system calls. Use %s to denote the IP
	# address of the blacklisted IP.
	#
	#DOSSystemCommand    "su - someuser -c '/sbin/... %s ...'"

	#
	# Choose an alternative temp directory. By default "/tmp" will be used
	# for the locking mechanism, which opens some security issues if your
	# system is open to shell users.
	#
	#   http://security.lss.hr/index.php?page=details&ID=LSS-2005-01-01
	#
	# In the event you have nonprivileged shell users, you'll want to
	# create a directory writable only to the user Apache is running as
	# (usually root), then set this in your httpd.conf.
	#
	#DOSLogDir           "/var/lock/mod_evasive"

	#
	# You can use whitelists to disable the module for certain ranges of
	# IPs. Wildcards can be used on up to the last 3 octets if necessary.
	# Multiple DOSWhitelist commands may be used in the configuration.
	#
	#DOSWhitelist   127.0.0.1
	#DOSWhitelist   192.168.0.*
</IfModule>
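To see how the directives above interact (page count, site count, their intervals, the blocking period that is reset by every further request, and the whitelist), here is an added example written for this page; it is not mod_evasive's own code. It follows the documented semantics with a simplification: each counter restarts once a full interval has elapsed since that client's previous hit, which is close to but not identical with the bookkeeping in mod_evasive.c.

```python
class EvasiveModel:
    """Model of the mod_evasive thresholds commented in mod_evasive.conf.

    Written for this page, not mod_evasive's own code: each counter restarts
    when a full interval has passed since that client's previous hit.
    """

    def __init__(self, page_count=2, site_count=50, page_interval=1,
                 site_interval=1, blocking_period=10, whitelist=()):
        self.page_count, self.site_count = page_count, site_count            # DOSPageCount / DOSSiteCount
        self.page_interval, self.site_interval = page_interval, site_interval  # DOSPageInterval / DOSSiteInterval
        self.blocking_period = blocking_period                                # DOSBlockingPeriod, seconds
        self.whitelist = [w.split(".") for w in whitelist]                    # DOSWhitelist, e.g. "192.168.0.*"
        self.page = {}      # (ip, path) -> (hits, last_seen)
        self.site = {}      # ip -> (hits, last_seen)
        self.blocked = {}   # ip -> time of the last request made while blocked

    def whitelisted(self, ip):
        octets = ip.split(".")
        return any(len(p) == 4 and all(a in ("*", b) for a, b in zip(p, octets))
                   for p in self.whitelist)

    @staticmethod
    def bump(table, key, t, interval):
        hits, last = table.get(key, (0, t))
        if t - last >= interval:        # interval elapsed: start a fresh count
            hits = 0
        table[key] = (hits + 1, t)
        return hits + 1

    def request(self, ip, uri, t):
        """Return the status (200 or 403) for one request at time t (seconds)."""
        if self.whitelisted(ip):
            return 200
        if ip in self.blocked and t - self.blocked[ip] < self.blocking_period:
            self.blocked[ip] = t        # every request while blocked resets the timer
            return 403
        # r->uri carries no query string: /?1 and /?2 are the same page (test.pl relies on this)
        path = uri.split("?", 1)[0]
        page_hits = self.bump(self.page, (ip, path), t, self.page_interval)
        site_hits = self.bump(self.site, ip, t, self.site_interval)
        if page_hits > self.page_count or site_hits > self.site_count:
            self.blocked[ip] = t        # threshold exceeded: add to the blocking list
            return 403
        return 200

    def replay(self, requests):
        """requests: iterable of (t, ip, uri); returns each request's status in order."""
        return [self.request(ip, uri, t) for t, ip, uri in requests]
```

With the defaults, a third hit on the same page within one second is denied, and a client that keeps retrying never leaves the blocking list because each retry restarts the 10 second timer.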
  • By default the mod_evasive24 module is enabled after installation.
  • Check that the module is loaded:
apachectl -M | grep evasive
  • Testing after installation, with the test.pl script shipped with the package:
#!/usr/bin/perl

# test.pl: small script to test mod_dosevasive's effectiveness
# Sends 101 GET requests to the local server in quick succession and prints
# the first response line of each; once the threshold is exceeded the
# responses switch to 403 Forbidden.

use strict;
use warnings;
use IO::Socket;

for (0..100) {
  my $socket = IO::Socket::INET->new(Proto    => "tcp",
                                     PeerAddr => "127.0.0.1:80")
    or die "connect failed: $!";
  print $socket "GET /?$_ HTTP/1.0\r\n\r\n";
  my $response = <$socket>;   # status line of the response
  print $response if defined $response;
  close($socket);
}
  • or run the packaged copy directly:
perl /usr/share/doc/packages/apache2-mod_evasive/test.pl

Real-time test with 10000 requests using a DDoS bot

  • Output (error_log):
[Mon Jun 24 15:57:05.759656 2019] [:error] [pid 6054] [client 192.168.1.14:54792] client denied by server configuration: /srv/www/htdocs/
[Mon Jun 24 15:57:05.762618 2019] [:error] [pid 6054] [client 192.168.1.14:54792] client denied by server configuration: /srv/www/htdocs/
[Mon Jun 24 15:57:05.763579 2019] [:error] [pid 6054] [client 192.168.1.14:54792] client denied by server configuration: /srv/www/htdocs/
[Mon Jun 24 15:57:05.764434 2019] [:error] [pid 6054] [client 192.168.1.14:54792] client denied by server configuration: /srv/www/htdocs/
[Mon Jun 24 15:57:05.765246 2019] [:error] [pid 6054] [client 192.168.1.14:54792] client denied by server configuration: /srv/www/htdocs/
[Mon Jun 24 15:57:05.766167 2019] [:error] [pid 6054] [client 192.168.1.14:54792] client denied by server configuration: /srv/www/htdocs/
[Mon Jun 24 15:57:05.767654 2019] [:error] [pid 6054] [client 192.168.1.14:54792] client denied by server configuration: /srv/www/htdocs/
[Mon Jun 24 15:57:05.768792 2019] [:error] [pid 6054] [client 192.168.1.14:54792] client denied by server configuration: /srv/www/htdocs/
[Mon Jun 24 15:57:05.769580 2019] [:error] [pid 6054] [client 192.168.1.14:54792] client denied by server configuration: /srv/www/htdocs/
[Mon Jun 24 15:57:05.770392 2019] [:error] [pid 6054] [client 192.168.1.14:54792] client denied by server configuration: /srv/www/htdocs/
[Mon Jun 24 15:57:05.771195 2019] [:error] [pid 6054] [client 192.168.1.14:54792] client denied by server configuration: /srv/www/htdocs/

Manual installation for OLD Linux Distros

  • Compiling mod_evasive: Read

  • Direct download, installing and configuring: Link

Once you have compiled the mod_evasive module, it must be loaded whenever Apache is started or restarted. The file to modify is “/etc/sysconfig/apache2”, and the directive to alter is “APACHE_MODULES=”, which needs to include the mod_evasive24 module.

APACHE_MODULES="mod_evasive24 actions alias auth_basic authn_file authz_host authz_groupfile authz_default authz_user authn_dbm autoindex cgi dir env expires include log_config mime negotiation setenvif ssl suexec userdir php5"

Getting started

  • Check which evasive module is loaded:
apachectl -M | grep evasive
  • In my case the output is:

evasive24_module (shared)

  • Enabling the module:
a2enmod evasive24_module
  • or
a2enmod mod_evasive24

Mod_evasive configuration

Once you have modified the “/etc/sysconfig/apache2” configuration file, create a configuration file for the mod_evasive module: in the “/etc/apache2” directory create a file called “mod_evasive.conf” with the following or similar content.

<IfModule mod_evasive24.c>
    DOSHashTableSize    3097
    DOSPageCount        2
    #DOSSiteCount        50
    DOSSiteCount        200
    DOSPageInterval     1
    DOSSiteInterval     1
    DOSBlockingPeriod   10
</IfModule>
  • Manual restrictive configuration from nu11secur1ty (Apache only accepts comments on their own lines, never after a directive):
<IfModule mod_evasive24.c>
   DOSHashTableSize 2048
   # maximum number of requests for the same page
   DOSPageCount 25
   # total number of requests for any object by the same client IP on the same listener
   DOSSiteCount 300
   # interval for the page count threshold
   DOSPageInterval 1.0
   # interval for the site count threshold
   DOSSiteInterval 1.0
   # time that a client IP will be blocked for
   DOSBlockingPeriod 10.0
   DOSLogDir "/var/log/apache2/evasive"
   DOSEmailNotify admin@domain.com
</IfModule>
  • From Rapid7:
<IfModule mod_evasive24.c>
    DOSHashTableSize 3097
    DOSPageCount 2
    DOSSiteCount 50
    DOSPageInterval 1
    DOSSiteInterval 1
    DOSBlockingPeriod 10
    DOSEmailNotify email@yourdomain.com
    DOSSystemCommand "su - someuser -c '/sbin/... %s ...'"
    DOSLogDir "/var/log/mod_evasive"
</IfModule>
  • Test the Apache2 config:
apachectl -t
  • The output must be:
Syntax OK
  • Restart Apache2:
rcapache2 restart
  • Test the evasive module:
perl /usr/share/doc/packages/apache2-mod_evasive/test.pl
  • The output should be:
<p>You don't have permission to access / on this server.</p>
<h1>Forbidden</h1>
<p>You don't have permission to access / on this server.</p>
<h1>Forbidden</h1>
<p>You don't have permission to access / on this server.</p>
<h1>Forbidden</h1>
<p>You don't have permission to access / on this server.</p>
<h1>Forbidden</h1>
<p>You don't have permission to access / on this server.</p>
<h1>Forbidden</h1>
<p>You don't have permission to access / on this server.</p>
<h1>Forbidden</h1>
<p>You don't have permission to access / on this server.</p>
<h1>Forbidden</h1>
<p>You don't have permission to access / on this server.</p>
  • If another hardening method that filters request methods ("POST", "GET") or protocols ("HTTP", "HTTPS") is also in place, you may see this instead ;)
HTTP/1.1 400 Bad Request
HTTP/1.1 400 Bad Request
HTTP/1.1 400 Bad Request
HTTP/1.1 400 Bad Request
HTTP/1.1 400 Bad Request
HTTP/1.1 400 Bad Request
HTTP/1.1 400 Bad Request
HTTP/1.1 400 Bad Request
HTTP/1.1 400 Bad Request
HTTP/1.1 400 Bad Request
HTTP/1.1 400 Bad Request
HTTP/1.1 400 Bad Request
  • or:
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
  • You can check the logs in:
tail -f /var/log/apache2/access_log
tail -f /var/log/apache2/error_log
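Watching the error_log by hand does not scale once a bot is hammering the server, so here is an added example (written for this page, not part of the mod_evasive package) that parses the "client denied by server configuration" lines in the format shown in the Output section above and tallies denials per client IP, including the peak number of denials in any one second. The sample log text is constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample in the error_log format shown above (not a real capture);
# the final notice line is the kind of noise the parser has to skip.
SAMPLE_ERROR_LOG = """\
[Mon Jun 24 15:57:05.759656 2019] [:error] [pid 6054] [client 192.168.1.14:54792] client denied by server configuration: /srv/www/htdocs/
[Mon Jun 24 15:57:05.762618 2019] [:error] [pid 6054] [client 192.168.1.14:54793] client denied by server configuration: /srv/www/htdocs/
[Mon Jun 24 15:57:06.001000 2019] [:error] [pid 6055] [client 192.168.1.14:54794] client denied by server configuration: /srv/www/htdocs/
[Mon Jun 24 15:57:06.500000 2019] [:error] [pid 6055] [client 10.0.0.5:40001] client denied by server configuration: /srv/www/htdocs/index.html
[Mon Jun 24 15:57:07.000000 2019] [mpm_prefork:notice] [pid 6050] AH00163: Apache/2.4 configured -- resuming normal operations
"""

DENIED_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+ \d{4})\] "
    r"\[[^\]]*\] \[pid \d+\] \[client (?P<ip>[\d.]+):\d+\] "
    r"client denied by server configuration: (?P<path>\S+)")


def parse_denials(log_text):
    """Yield (timestamp, client_ip, path) for each 'client denied' line; other lines are skipped."""
    for line in log_text.splitlines():
        m = DENIED_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S.%f %Y")
            yield ts, m.group("ip"), m.group("path")


def denials_per_client(log_text):
    """Per client IP: denial count, first/last time seen and the peak number of denials in one second."""
    stats = {}
    for ts, ip, _path in parse_denials(log_text):
        s = stats.setdefault(ip, {"count": 0, "first": ts, "last": ts, "per_second": {}})
        s["count"] += 1
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)
        second = ts.replace(microsecond=0)
        s["per_second"][second] = s["per_second"].get(second, 0) + 1
    for s in stats.values():
        s["peak_per_second"] = max(s.pop("per_second").values())
    return stats


def noisy_clients(log_text, min_denials=3):
    """Client IPs with at least min_denials denials, busiest first (candidates for a firewall rule)."""
    stats = denials_per_client(log_text)
    return sorted((ip for ip, s in stats.items() if s["count"] >= min_denials),
                  key=lambda ip: -stats[ip]["count"])
```

Feed it the real file with `denials_per_client(open("/var/log/apache2/error_log").read())` to see which clients mod_evasive is actually holding off and at what rate.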

Uninstalling

zypper remove apache2-mod_evasive
mv /etc/apache2/mod_evasive.conf /etc/apache2/mod_evasive.conf.back
a2dismod evasive24_module
  • To be sure:
cd /etc/apache2/
rm mod_evasive.conf
  • Restart Apache2:
rcapache2 restart

Apache-Bench Testing
