ddos DOS/DDOS Prevention with mod_evasive module in CWP Apache 2.4

[Sandeep B.]

install mod_evasive module in CWP apache 2.4 to prevent from DDOS attacks.

DDoS stands for Distributed Denial of Service. It is a malicious attack where multiple compromised computers are used to flood a target system or network with an overwhelming amount of traffic, causing it to become unavailable to legitimate users.

mod_evasive is an Apache module designed to provide protection against Distributed Denial of Service (DDoS) attacks. It detects and blocks suspicious or malicious requests from reaching the web server, thereby mitigating the impact of such attacks.

TO install mod_evasive module with apache 2.4.x follow this simple steps :

Step 1 :

yum install libtool git -y
cd /usr/local/src 
rm -rf master* mod_evasive*
wget https://github.com/shivaas/mod_evasive/archive/refs/heads/master.zip
unzip master.zip 
cd mod_evasive-master
/usr/local/apache/bin/apxs -a -i -c mod_evasive24.c

at this point it will get installed, now go with configuration part :

Step 2 :
To configure mod_evasive create a configuration file named mod_evaisve.conf in apache conf.d dir :

nano /usr/local/apache/conf.d/mod_evaisve.conf

then paste this below config :

<IfModule !evasive20_module>
    LoadModule evasive20_module   modules/mod_evasive24.so
</IfModule>

<IfModule mod_evasive20.c>
    DOSHashTableSize 3097
    DOSPageCount 2
    DOSSiteCount 50
    DOSPageInterval 1
    DOSSiteInterval 1
    DOSBlockingPeriod 10
    DOSEmailNotify you@yourdomain.com
</IfModule>

save it and restart apache service systemctl restart httpd

Parameters and Settings
There are many mod_evasive parameters you can configure:

DOSHashTableSize: Increase this for busier web servers. This configuration allocates space for running the lookup operations. Increasing the size improves the speed at the cost of memory.

DOSPageCount: The number of requests for an individual page that triggers blacklisting. This is set to 2, which is low (and aggressive) – increase this value to reduce false-positives.

DOSSiteCount: The total number of requests for the same site by the same IP address. By default, this is set to 50. You can increase to 100 to reduce false-positives.

DOSPageInterval: Number of seconds for DOSPageCount. By default, this is set to 1 second. That means that if you don’t change it, requesting 2 pages in 1 second will temporarily blacklist an IP address.

DOSSiteInterval: Similar to DOSPageInterval, this option specifies the number of seconds that DOSSiteCount monitors. By default, this is set to 1 second. That means that if a single IP address requests 50 resources on the same website in a single second, it will be temporarily blacklisted.

DOSBlockingPeriod: The amount of time an IP address stays on the blacklist. Set to 10 seconds by default, you can change this to any value you like. Increase this value to keep blocked IP addresses in time-out for a more extended period.

DOSLogDir: These logs can be reviewed later to evaluate client behavior.

All logs can be found here for mod_evasive at :

/usr/local/apache/logs/access_log

mod_evaisve will block ddos connections with 400 error code and can be found in the access_log for apache

Test if it works or not :

cd /usr/local/src/mod_evasive-master
perl test.pl

if you’re behind nginx proxy edit the test.pl and change the port 80 to 8181 and then run the perl test.pl

if the mod_evaisve is installed correctly the test.pl will output :

HTTP/1.1 400 Bad Request
HTTP/1.1 400 Bad Request
HTTP/1.1 400 Bad Request
...