Install and Configure mod_evasive on CentOS

In this Documentation, we will guide you through the installation and configuration process of mod_evasive on CentOS.

Mod_evasive is an Apache module designed to proactively protect Apache servers from various types of attacks, including brute force and DDoS/DoS attacks. Functioning as both a defensive tool and a detection mechanism, mod_evasive collaborates with routers, firewalls, ipchains, and more. It reports server vulnerabilities or attacks via email and Syslog facilities. Mod_evasive takes preventive action by restricting or blacklisting an IP address if it meets any of the following criteria:

  1. Repeatedly requesting the same page within a predefined time frame.

  2. Initiating requests while the IP is temporarily blacklisted.

  3. Generating multiple concurrent requests on the same child within a second.

It’s essential to note that root access is required for the installation of mod_evasive on your server. This tutorial will provide comprehensive instructions on configuring mod_evasive on your CentOS server.

Install mod_evasive on CentOS

To install mod_evasive Apache on your CentOS server, follow the below steps:

Make sure that the EPEL yum repository is available on the server. The EPEL (Extra Packages for Enterprise Linux) is a free, open-source community-based repository project. To check if the EPEL yum repository packages are available on your system, run the following command.

rpm -qa | grep epel

If it is not available on the server, execute the following command to install and activate EPEL.

wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm

rpm -ivh epel-release-latest-8.noarch.rpm

Run the following command to install the mod_evasive Apache module on your server.

yum install mod_evasive -y

Open the mod_evasive modules configuration file by using the following command to verify if the installation is successful.

cat /etc/httpd/conf.d/mod_evasive.conf

If the configuration file opens up, then the installation of the mod_evasive Apache module is successful.

Configure mod_evasive

  1. Open the modules configuration file.

cat /etc/httpd/conf.d/mod_evasive.conf

  1. To make sure that the module loads correctly, add the following line in the mod_evasive configuration file.

LoadModule evasive20_module modules/mod_evasive24.so

  1. Then, you can see the default configuration value of mod_evasive on the file.

  2. To make the changes reflect, restart the httpd service by using the following command.

httpd -M | grep -Ei ‘(evasive)’
or
/etc/init.d/httpd restart

  1. If the mod_evasive module loads correctly, you can see the following output.

evasive24_module (shared)

MOD_EVASIVE Configuration Options

The module has default configuration values set to it, and you can customize or alter these values by opening the configuration file and make the changes to the options available. There are different options in the mod_evasive configuration file that you can change to customize the configuration of your mod_evasive Apache module. Some of the mod_evasive configuration options are:

vim /etc/httpd/conf.d/mod_evasive.conf

1. DOSHashTableSize

The hash table size is the number of top-level nodes for each child’s hash table. If you increase the value of the DOSHashTableSize, then the module decreases the number of iterations required to get into the records and that offer faster performance. But the mod_evasive consumes more memory if there is an increase in the hash table size. The default value of the hash table size is 3097, so you are recommended to increase the value only if you have a busy web server.

DOSHashTableSize 3097

2. DOSSiteCount

The DOSSiteCount option in the configuration file helps to set the threshold value for the total number of requests by the same client or listener to a particular object at a certain site interval. If any of the client or listener exceeds the number of requests from the set threshold value, then their IP gets added to the block list of your server.

DOSSiteCount 50

3. DOSPageCount

The DOSPageCount is the threshold for the number of requests allowed to the same page or URI at a particular page interval. If any of the IP request the same page more than the threshold value, then that IP gets blacklisted or rejected in the server. The default threshold value of DOSPageCount is 2. You can uncomment or edit the following line in the configuration file to set the threshold value.

DOSPageCount 2

4. DOSSiteInterval

The value of the DOSSiteInterval option is the interval for the site count threshold. The default value of the DOSSiteInterval is one second.

DOSSiteInterval 1

5. DOSPageInterval

The value of the DOSPageInterval option is the interval for the page count threshold. The default value of the DOSPageInterval is one second.

DOSPageInterval 1

6. DOSBlockingPeriod

The DOSBlockPeriod option in the mod_evasive configuration file helps you to set the amount of time (in seconds) the client’s IP gets blocked when added into the blocking list. During this period, all the subsequent actions and requests from the client throw a 403 Forbidden error, and the timer of the IP block gets rested. For example, the default value of DOSBlockPeriod is 10 seconds, so any action by the blocked IP during these 10 seconds, reset the timer to another 10 seconds. During the time of any attacks like DDoS/DoS attack, this timer keeps getting reset.

DOSBlockingPeriod 10

7. Email Alert

In the mod_evasive Apache configuration file, go to line number 48 in the configuration file and uncomment or edit the following line. In the following line, replace the <You@yourdomain.com> flag with your email id. So, in case of any DDoS/DoS attack or if any IP gets blacklisted or rejected, the system sends an alert to the mentioned email address automatically.

DOSEmailNotify <You@yourdomain.com>

After tweaking the values in the mod_evasive configuration file, restart the httpd service to reflect the changes. Restart the httpd service by running the following command.

httpd -M | grep -Ei ‘(evasive)’
or
/etc/init.d/httpd restart

How to Whitelist a BLOCKED or REJECTED IP

To whitelist the IP’s that are blocked by mod_evasive, do the following:

Open the mod_evasive configuration file.

Add the IP’s that need to be whitelisted in the configuration file as follows.

DOSWhitelist <IP_address>

To whitelist a list of IP’s, add the following line.

DOSWhitelist 164.52.0.*

After adding the IP in the configuration file, restart the httpd service.

/etc/init.d/httpd restart

Please comment below for any questions or queries. If you are an InterServer customer, please reach out to our support team for further help.