Denial of Service (DoS) attacks aim to render a server or network resource unavailable, overwhelming it with a flood of traffic. This can cause serious problems for websites and online services. Apache, being one of the widely used web servers, can be a target for such attacks.
One way to protect Apache web server from DoS attacks is by using the mod_evasive module. It detects and provides evasive action in the event of an attack, making it an essential tool for server administrators.
The mod_evasive module monitors the IP address of incoming connections, and if it detects an abusive number of requests from an IP address, it temporarily blacklists that address. It can be configured to suit your specific requirements and environment.
$ sudo apt install libapache2-mod-evasive # Ubuntu and Debian $ sudo dnf install --assumeyes mod_evasive # CentOS and Red Hat
CentOS and RedHat variance require installation of Raven repository
Related: How to install Raven repository on CentOS, Red Hat, Rocky Linux and AlmaLinux
$ sudo a2enmod evasive # Ubuntu and Debian
$ sudo vi /etc/apache2/mods-available/evasive.conf # Ubuntu and Debian $ sudo vi /etc/httpd/conf.d/mod_evasive.conf # CentOS and Red Hat
<IfModule mod_evasive20.c> DOSHashTableSize 3097 DOSPageCount 2 DOSSiteCount 50 DOSPageInterval 1 DOSSiteInterval 1 DOSBlockingPeriod 10 DOSEmailNotify firstname.lastname@example.org DOSSystemCommand "/sbin/iptables -I INPUT -s %s -j DROP" DOSLogDir "/var/log/apache2/" DOSWhitelist 127.0.0.1 </IfModule>
|DOSHashTableSize||Determines the size of the hash table used.||3097|
|DOSPageCount||Number of requests for the same page (or URI) per page interval.||2|
|DOSSiteCount||Total requests for any object by the same client IP per site interval.||50|
|DOSPageInterval||Interval for the page count threshold.||1 second|
|DOSSiteInterval||Interval for the site count threshold.||1 second|
|DOSBlockingPeriod||Duration (in seconds) for which the IP will be blocked.||10 seconds|
|DOSEmailNotify||Email address to which alerts will be sent.||None|
|DOSSystemCommand||System command to execute when a DoS attack is detected.||None|
|DOSLogDir||Directory where logs related to mod_evasive will be stored.||None|
|DOSWhitelist||IP addresses that should be whitelisted and not considered for blocking.||None|
$ sudo systemctl restart apache2 # Ubuntu, Debian $ sudo systemctl restart httpd # CentOS and Red Hat
$ ab -n 1000 -c 10 http://127.0.0.1/ This is ApacheBench, Version 2.3 <$Revision: 1903618 $> Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/ Licensed to The Apache Software Foundation, http://www.apache.org/ ##### snipped Complete requests: 1000 Failed requests: 994 (Connect: 0, Receive: 0, Length: 994, Exceptions: 0) Non-2xx responses: 994
Most of the requests failed due to mod_evasive blocking the requests.
Related: How to load-test web server using ApacheBench (ab)
Please ensure to perform these tests in a controlled and ethical manner. Testing against a live site without permission can lead to legal consequences.
$ sudo tail -f /var/log/apache2/error.log # Ubuntu, Debian [Thu Aug 31 09:47:52.179679 2023] [evasive20:error] [pid 11185:tid 281472643232032] [client 10.0.0.11:40044] client denied by server configuration: /var/www/html/ [Thu Aug 31 09:47:52.179803 2023] [evasive20:error] [pid 11185:tid 281472643232032] [client 10.0.0.11:40048] client denied by server configuration: /var/www/html/ [Thu Aug 31 09:47:52.179872 2023] [evasive20:error] [pid 11185:tid 281472677048608] [client 10.0.0.11:40060] client denied by server configuration: /var/www/html/
Comment anonymously. Login not required.