Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks target web servers to make them unavailable by flooding them with excessive requests. This can severely impact the performance and accessibility of online services. Apache is particularly at risk of such attacks.

The mod_evasive module offers a solution to protect the Apache server from DoS attacks. It identifies abnormal traffic patterns, such as too many requests from a single IP address, and blocks those requests to prevent server overload.

This module is configurable to suit different environments. Server administrators can adjust settings like request limits and blocking durations, ensuring the server remains protected without affecting legitimate traffic.

Steps to prevent DoS attacks with mod_evasive in Apache:

  1. Launch terminal.
  2. Install the mod_evasive module for your specific Apache version.
    $ sudo apt install libapache2-mod-evasive # Ubuntu and Debian
    $ sudo dnf install --assumeyes mod_evasive # CentOS and Red Hat

    CentOS and Red Hat variants require the Raven repository to be installed first.
    Related: How to install Raven repository on CentOS, Red Hat, Rocky Linux and AlmaLinux

  3. Enable the module if it is not activated.
    $ sudo a2enmod evasive # Ubuntu and Debian
  4. Open mod_evasive configuration file using your preferred text editor.
    $ sudo vi /etc/apache2/mods-available/evasive.conf # Ubuntu and Debian
    $ sudo vi /etc/httpd/conf.d/mod_evasive.conf # CentOS and Red Hat
  5. Configure mod_evasive options.
    <IfModule mod_evasive20.c>
        DOSHashTableSize    3097
        DOSPageCount        2
        DOSSiteCount        50
        DOSPageInterval     1
        DOSSiteInterval     1
        DOSBlockingPeriod   10
        DOSEmailNotify      email@example.com
        # Runs as the Apache user, which needs permission to change iptables rules
        DOSSystemCommand    "/sbin/iptables -I INPUT -s %s -j DROP"
        # The log directory must be writable by the Apache user
        DOSLogDir           "/var/log/apache2/"
        DOSWhitelist        127.0.0.1
    </IfModule>
    | Parameter | Description | Default |
    |---|---|---|
    | DOSHashTableSize | Determines the size of the hash table used. | 3097 |
    | DOSPageCount | Number of requests for the same page (or URI) per page interval. | 2 |
    | DOSSiteCount | Total requests for any object by the same client IP per site interval. | 50 |
    | DOSPageInterval | Interval for the page count threshold. | 1 second |
    | DOSSiteInterval | Interval for the site count threshold. | 1 second |
    | DOSBlockingPeriod | Duration (in seconds) for which the IP will be blocked. | 10 seconds |
    | DOSEmailNotify | Email address to which alerts will be sent. | None |
    | DOSSystemCommand | System command to execute when a DoS attack is detected. | None |
    | DOSLogDir | Directory where logs related to mod_evasive will be stored. | None |
    | DOSWhitelist | IP addresses that should be whitelisted and not considered for blocking. | None |
  6. Save the changes and exit the editor.
  7. Restart the Apache server to apply the new settings.
    $ sudo systemctl restart apache2 # Ubuntu, Debian
    $ sudo systemctl restart httpd # CentOS and Red Hat
  8. Simulate a DoS attack to test the module's effectiveness.
    $ ab -n 1000 -c 10 http://127.0.0.1/
    This is ApacheBench, Version 2.3 <$Revision: 1903618 $>
    Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
    Licensed to The Apache Software Foundation, http://www.apache.org/
    
    ##### snipped
    
    Complete requests:      1000
    Failed requests:        994
       (Connect: 0, Receive: 0, Length: 994, Exceptions: 0)
    Non-2xx responses:      994

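    Most of the requests failed because mod_evasive blocked them. With DOSWhitelist 127.0.0.1 set as in step 5, requests that originate from 127.0.0.1 are exempt, so run the test from a client address that is not whitelisted.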
    Related: How to load-test web server using ApacheBench (ab)

    Perform these tests only in a controlled and ethical manner. Testing against a live site without permission can lead to legal consequences.

  9. Monitor server logs to verify the module's behavior.
    $ sudo tail -f /var/log/apache2/error.log # Ubuntu, Debian
    [Thu Aug 31 09:47:52.179679 2023] [evasive20:error] [pid 11185:tid 281472643232032] [client 10.0.0.11:40044] client denied by server configuration: /var/www/html/
    [Thu Aug 31 09:47:52.179803 2023] [evasive20:error] [pid 11185:tid 281472643232032] [client 10.0.0.11:40048] client denied by server configuration: /var/www/html/
    [Thu Aug 31 09:47:52.179872 2023] [evasive20:error] [pid 11185:tid 281472677048608] [client 10.0.0.11:40060] client denied by server configuration: /var/www/html/
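
To show how the thresholds from step 5 interact when tuning them, here is a simplified Python model of the counting and blocking rules described in the parameter table; it is an added example, not mod_evasive's code or part of the original article. The class and function names, the fixed-window counting and the sample traffic are assumptions made for illustration, and the restart of the blocking timer on each denied request follows the module's README.

```python
# Simplified model of the thresholds in the table above (added example, not mod_evasive source).
from collections import namedtuple

Config = namedtuple("Config", "page_count site_count page_interval site_interval blocking_period")
PAGE_CONFIG = Config(2, 50, 1, 1, 10)  # values from the evasive.conf shown above


class EvasiveModel:
    def __init__(self, cfg=PAGE_CONFIG, whitelist=("127.0.0.1",)):
        self.cfg = cfg
        self.whitelist = set(whitelist)
        self.windows = {}  # (ip, uri or None) -> (window_start, requests_seen)
        self.blocked = {}  # ip -> time of the most recent denied request

    def _exceeds(self, key, now, interval, limit):
        start, seen = self.windows.get(key, (now, 0))
        if now - start >= interval:  # interval elapsed: start a new window
            start, seen = now, 0
        self.windows[key] = (start, seen + 1)
        return seen >= limit  # this request is number limit+1 in the window

    def request(self, ip, uri, now):
        """Return 200 or 403 for one request at time `now` (seconds)."""
        if ip in self.whitelist:  # DOSWhitelist: never counted, never blocked
            return 200
        last = self.blocked.get(ip)
        if last is not None and now - last < self.cfg.blocking_period:
            self.blocked[ip] = now  # each request while blocked restarts the timer
            return 403
        page = self._exceeds((ip, uri), now, self.cfg.page_interval, self.cfg.page_count)
        site = self._exceeds((ip, None), now, self.cfg.site_interval, self.cfg.site_count)
        if page or site:
            self.blocked[ip] = now
            return 403
        return 200


def replay(events, model=None):
    """events: iterable of (ip, uri, time); returns the list of status codes."""
    model = model or EvasiveModel()
    return [model.request(ip, uri, t) for ip, uri, t in events]


if __name__ == "__main__":
    # Constructed traffic: three quick hits on "/", then retries at 5 s, 14 s and 25 s.
    burst = [("10.0.0.11", "/", t) for t in (0.0, 0.2, 0.4, 5.0, 14.0, 25.0)]
    print(replay(burst))  # [200, 200, 403, 403, 403, 200]
```

The retry at 14 s is still denied because the retry at 5 s restarted the 10-second block, so a client that keeps requesting stays blocked. mod_evasive keeps its counters per Apache child process, so on a multi-process server the effective thresholds are looser than in this single-table model.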