How to protect Apache against DoS attacks

Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks overwhelm web servers with excessive requests, making them inaccessible for legitimate users. Such intrusions degrade performance, cause extended downtime, and pose financial risks to organizations that depend on high availability. The widespread use of Apache often makes it a prime target for these attacks.

The mod_evasive module identifies abnormal traffic patterns and blocks requests coming from suspicious sources. It checks request rates from each IP address, enforces configurable thresholds, and reduces the impact on server resources by denying further connections from offending hosts.

These configurations can be adapted to different environments by adjusting thresholds, block periods, and other parameters. Administrators can also enable notifications, log activity, and automate additional defenses to enhance overall security.

Steps to configure mod_evasive for Apache:

Launch terminal.
Install the mod_evasive module for your specific Apache version.
```
$ sudo apt install libapache2-mod-evasive # Ubuntu and Debian
$ sudo dnf install --assumeyes mod_evasive # CentOS and Red Hat
```
CentOS and RedHat variance require installation of Raven repository
Related: How to install Raven repository on CentOS, Red Hat, Rocky Linux and AlmaLinux

Enable the module if it is not activated.

$ sudo a2enmod evasive # Ubuntu and Debian

Open mod_evasive configuration file using your preferred text editor.

$ sudo vi /etc/apache2/mods-available/evasive.conf # Ubuntu and Debian
$ sudo vi /etc/httpd/conf.d/mod_evasive.conf # CentOS and Red Hat

Configure mod_evasive options.

<IfModule mod_evasive20.c>
    DOSHashTableSize    3097
    DOSPageCount        2
    DOSSiteCount        50
    DOSPageInterval     1
    DOSSiteInterval     1
    DOSBlockingPeriod   10
    DOSEmailNotify      email@example.com
    DOSSystemCommand    "/sbin/iptables -I INPUT -s %s -j DROP"
    DOSLogDir           "/var/log/apache2/"
    DOSWhitelist        127.0.0.1
</IfModule>

Parameter	Description	Default
DOSHashTableSize	Determines the size of the hash table used.	3097
DOSPageCount	Number of requests for the same page (or URI) per page interval.	2
DOSSiteCount	Total requests for any object by the same client IP per site interval.	50
DOSPageInterval	Interval for the page count threshold.	1 second
DOSSiteInterval	Interval for the site count threshold.	1 second
DOSBlockingPeriod	Duration (in seconds) for which the IP will be blocked.	10 seconds
DOSEmailNotify	Email address to which alerts will be sent.	None
DOSSystemCommand	System command to execute when a DoS attack is detected.	None
DOSLogDir	Directory where logs related to mod_evasive will be stored.	None
DOSWhitelist	IP addresses that should be whitelisted and not considered for blocking.	None

Save the changes and exit the editor.

Restart the Apache server to apply the new settings.

$ sudo systemctl restart apache2 # Ubuntu, Debian
$ sudo systemctl restart httpd # CentOS and Red Hat

Simulate a DoS attack to test the module's effectiveness.

$ ab -n 1000 -c 10 http://127.0.0.1/
This is ApacheBench, Version 2.3 <$Revision: 1903618 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

##### snipped

Complete requests:      1000
Failed requests:        994
   (Connect: 0, Receive: 0, Length: 994, Exceptions: 0)
Non-2xx responses:      994

Most of the requests failed due to mod_evasive blocking the requests.
Related: How to load-test web server using ApacheBench (ab)

Please ensure to perform these tests in a controlled and ethical manner. Testing against a live site without permission can lead to legal consequences.

Monitor server logs to verify the module's behavior.

$ sudo tail -f /var/log/apache2/error.log # Ubuntu, Debian
[Thu Aug 31 09:47:52.179679 2023] [evasive20:error] [pid 11185:tid 281472643232032] [client 10.0.0.11:40044] client denied by server configuration: /var/www/html/
[Thu Aug 31 09:47:52.179803 2023] [evasive20:error] [pid 11185:tid 281472643232032] [client 10.0.0.11:40048] client denied by server configuration: /var/www/html/
[Thu Aug 31 09:47:52.179872 2023] [evasive20:error] [pid 11185:tid 281472677048608] [client 10.0.0.11:40060] client denied by server configuration: /var/www/html/

Author: Mohd Shakir Zakaria
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.

Discuss the article:

Comment anonymously. Login not required.