The mod_evasive module is an Apache web server module that helps your server stay running in the event of an attack. Common attacks come in the form of a Denial of Service (DoS), a Distributed Denial of Service (DDoS), or brute-force attempts that try to overwhelm your server.
Install mod_evasive on CentOS
Mod_evasive is a module for Apache that automatically detects an HTTP DDoS attack or brute-force attack. Mod_evasive can log and report abuse and send notifications by email. Before enabling this module, the server must have a LAMP stack installed.
The mod_evasive Apache module takes evasive action at the time of a DDoS or brute-force attack and protects Apache from these types of attacks. It gives reports by email or through the logging facility. This module restricts the concurrent connections from an IP and blacklists it if necessary. To configure mod_evasive on a CentOS 7 server, follow the steps below.

1. Install the EPEL yum repository packages. EPEL (Extra Packages for Enterprise Linux) is an open-source, free, community-based repository project from the Fedora team which provides 100% high-quality add-on software packages for Linux distributions including RHEL (Red Hat Enterprise Linux), CentOS and Scientific Linux. To activate EPEL on the server, execute the commands below in the terminal.
The module is already configured with default values. If you want to alter the mod_evasive configuration, open the configuration file mentioned below in any editor, and make sure the httpd service is restarted after the config file is altered.
The latest cPanel version (v68.0.29) yum repository already has the packages for mod_evasive. The only difference when installing mod_evasive on a cPanel server is the yum install command: the EasyApache package for mod_evasive must be installed on the server. Use the command below to install mod_evasive on the latest cPanel server. All other steps remain the same.
The mod_evasive Apache module, formerly known as mod_dosevasive, helps protect against DoS, DDoS (Distributed Denial of Service), and brute force attacks on the Apache web server. It can provide evasive action during attacks and report abuses via email and syslog facilities. The module works by creating an internal dynamic table of IP addresses and URIs as well as denying any single IP address from any of the following:
First, we need to install the EPEL (Extra Packages for Enterprise Linux) yum repository on the server. EPEL is a Fedora Special Interest Group that creates, maintains, and manages a high quality set of open source add-on software packages for Enterprise Linux. Run the following command to install and enable the EPEL repository on your server:
By default, the following LoadModule line will be added to the top of configuration file mod_evasive.conf. Open the file and add the line if it is not already present. This line tells the Apache web server to load and use the mod_evasive module.
One of the configuration options you need to change is DOSEmailNotify. This is a very useful directive. If this value is set, an email will be sent to the email address specified whenever an IP address is blacklisted. The email body will show mod_evasive HTTP Blacklisted 111.111.111.111
Note: mod_evasive uses /bin/mail for sending email alerts. You need to have a mail server installed and working; refer to this tutorial for information on how to set up a simple mail server so that email notifications work.
DOSPageCount is the limit for the number of requests for the same page per page interval (usually set to one second) by an IP address. Once the threshold for that interval has been exceeded, the IP address of the client will be added to the blocked list. The default value is set quite low at 2. You can change it to a higher value, say 20, by editing the following in /etc/httpd/conf.d/mod_evasive.conf:
Another is DOSLogDir which refers to the temporary directory used by mod_evasive. By default /tmp will be used for a locking mechanism, which opens some security issues if your system is open to shell users. In the event you have non-privileged shell users, you will want to create a directory writeable only to the user Apache is running as (usually apache) then set this parameter in your mod_evasive.conf file.
Another parameter is DOSSystemCommand. If a value is set, the command specified will be executed whenever an IP address is blacklisted. Using this parameter, you can integrate mod_evasive with the firewall installed on your server or a shell script and block the IP addresses blacklisted by mod_evasive in the firewall.
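The following script is an added example of what the command named in DOSSystemCommand can be; it is not code from this page or from the mod_evasive project. It assumes a directive of the form `DOSSystemCommand "sudo /usr/local/bin/evasive-block %s"` (the path and the sudo rule are assumptions), and that firewalld is the firewall on the host. mod_evasive substitutes the blacklisted address for `%s` and runs the line with the privileges of the Apache worker process, so the script validates its single argument as a literal IP address before it touches the firewall, refuses loopback (the test later in this article blacklists 127.0.0.1), and passes the address to `firewall-cmd` as one argv element rather than through another shell.

```python
#!/usr/bin/env python3
"""Added example of a DOSSystemCommand handler (not code from the page or from
mod_evasive).  Assumed directive in mod_evasive.conf:

    DOSSystemCommand "sudo /usr/local/bin/evasive-block %s"

mod_evasive substitutes the blacklisted address for %s; this script (path
assumed) validates that argument before building a firewall command.
"""
import ipaddress
import logging
import subprocess
import sys

BLOCK_SECONDS = 600            # assumed length of the firewall-level block
log = logging.getLogger("evasive-block")


def parse_client_ip(raw):
    """Return an IPv4Address/IPv6Address for one literal address, else raise ValueError."""
    candidate = raw.strip()
    if not candidate or any(ch.isspace() for ch in candidate):
        raise ValueError(f"expected one IP address, got {raw!r}")
    return ipaddress.ip_address(candidate)   # rejects hostnames, CIDRs and junk


def is_valid_client_ip(raw):
    """Boolean form of parse_client_ip, convenient for callers and tests."""
    try:
        parse_client_ip(raw)
        return True
    except ValueError:
        return False


def is_exempt(ip):
    """Never push loopback or the unspecified address into the firewall; keep
    real exemptions (monitoring hosts, admin networks) in mod_evasive's DOSWhitelist."""
    return ip.is_loopback or ip.is_unspecified


def block_command(ip):
    """argv for a firewalld rich rule that drops the source for BLOCK_SECONDS.
    Built as a list: the address is one argument and is never re-parsed by a shell."""
    family = "ipv6" if ip.version == 6 else "ipv4"
    rule = f'rule family="{family}" source address="{ip}" drop'
    return ["firewall-cmd", f"--timeout={BLOCK_SECONDS}", "--add-rich-rule", rule]


def main(argv):
    logging.basicConfig(level=logging.INFO, format="%(name)s: %(message)s")
    if len(argv) != 2:
        log.error("usage: %s <blacklisted-ip>", argv[0])
        return 2
    try:
        ip = parse_client_ip(argv[1])
    except ValueError as exc:
        log.error("refusing to act: %s", exc)
        return 2
    if is_exempt(ip):
        log.info("not blocking exempt address %s", ip)
        return 0
    subprocess.run(block_command(ip), check=True)   # deliberately no shell=True
    log.info("blocked %s for %d s", ip, BLOCK_SECONDS)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the hook runs as the Apache user, a deployment like this needs a sudoers entry that permits exactly this script and nothing else; the timed rule (`--timeout`) means the firewall block expires on its own, so a mis-detected client is not locked out permanently.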
Note: mod_evasive appears to conflict with the FrontPage Server Extensions. You might also want to check your Apache web server settings to make sure mod_evasive is able to function well. Suggested Apache tweaks are to set a very high value for MaxRequestsPerChild but not unlimited (a value of zero implies unlimited), and to have KeepAlive enabled with KeepAliveTimeout set reasonably long.
Let us do a short test to see if the module is working correctly. We will be using the Perl script test.pl written by the mod_evasive developers. To execute the script, we first need to install the perl package on the server using:
The script makes 100 requests to your web server. The 403 response code indicates that access is denied by the web server. mod_evasive also logs to syslog when an IP address is blocked. Check the log file using:
mod_security (open-source intrusion detection and prevention engine for web applications that integrates seamlessly with the webserver) and mod_evasive are two very important tools that can be used to protect a web server against brute force or (D)DoS attacks.
In this article, we will discuss how to install, configure, and put them into play along with Apache on RHEL/CentOS 8 and 7 as well as Fedora. In addition, we will simulate attacks in order to verify that the server reacts accordingly.
Now, in order to integrate these two modules with Apache and have it load them when it starts, make sure the following lines appear in the top-level section of mod_evasive.conf and mod_security.conf, respectively:
Note that modules/mod_security2.so and modules/mod_evasive24.so are the relative paths, from the /etc/httpd directory to the source file of the module. You can verify this (and change it, if needed) by listing the contents of the /etc/httpd/modules directory:
In a few words, a Core Rule Set (aka CRS) provides the web server with instructions on how to behave under certain conditions. The developer firm of mod_security provides a free CRS called OWASP (Open Web Application Security Project) ModSecurity CRS that can be downloaded and installed as follows.
The default mod_evasive.conf file has the following directives enabled (note that this file is heavily commented, so we have stripped out the comments to highlight the configuration directives below):
With mod_security and mod_evasive enabled, the simulated attack causes CPU and RAM usage to peak temporarily for only a couple of seconds before the source IPs are blacklisted and blocked by the firewall. Without these tools, the simulation will surely knock down the server very quickly and render it unusable for the duration of the attack.
mod_evasive is a module for Apache that provides evasive action in the event of an HTTP Distributed Denial of Service (DDoS/DoS) attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and more. mod_evasive presently reports abuse via email and syslog facilities.
mod_evasive works on top of a dynamic table of IP addresses and URIs to grant or deny incoming requests. This enables evasive action to be taken during sophisticated attacks on your systems and reports certain actions to your web servers.
To understand how mod_evasive handles both DDoS and brute force attacks, we must understand the attacks themselves. In a DDoS attack, your servers experience a high volume of requests. In a brute force attack, they receive a high number of log-in attempts using different username and password combinations. mod_evasive works by handling the common denominator between these two attacks: the surge in the number of requests to your servers.
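To make that "surge in the number of requests" concrete, and to show why the 100-request test script described earlier ends up with 403s, the following Python program is an added example: my own simplified re-implementation of the module's decision logic, not mod_evasive's C code. It keeps a counter per client IP and per IP-plus-URI, refuses a request once DOSPageCount or DOSSiteCount has been reached inside its interval, and keeps the client refused for DOSBlockingPeriod seconds. Only DOSPageCount's default of 2 is stated on this page; the other directive defaults in the script are assumed to match the commonly shipped sample mod_evasive.conf, and the request samples are constructed for the example.

```python
"""Simplified model of mod_evasive's request accounting (added example, not the
module's own code).  Times are whole seconds, as in the module."""
from dataclasses import dataclass


@dataclass
class EvasiveConfig:
    # DOSPageCount = 2 is the default the article states; the remaining values
    # are assumed here to match the commonly shipped sample mod_evasive.conf.
    page_count: int = 2        # DOSPageCount: hits on one URI per page_interval
    page_interval: int = 1     # DOSPageInterval, seconds
    site_count: int = 50       # DOSSiteCount: hits on any URI per site_interval
    site_interval: int = 1     # DOSSiteInterval, seconds
    blocking_period: int = 10  # DOSBlockingPeriod: seconds a client stays refused


@dataclass
class _Counter:
    timestamp: int
    count: int = 1


class Evasive:
    """Per-request decision: 200 (serve) or 403 (refuse)."""

    def __init__(self, cfg=None):
        self.cfg = cfg or EvasiveConfig()
        self.counters = {}   # "ip" and "ip_uri" -> _Counter
        self.hold = {}       # blacklisted ip -> time of its last refused request
        self.notified = []   # (ip, time) each time an address is newly blacklisted;
                             # this is the point where DOSEmailNotify and
                             # DOSSystemCommand would fire in the real module

    def _over_limit(self, key, now, interval, limit):
        """Update one counter and report whether it was already at its limit."""
        c = self.counters.get(key)
        if c is None:
            self.counters[key] = _Counter(now)
            return False
        over = (now - c.timestamp) < interval and c.count >= limit
        if now - c.timestamp >= interval:
            c.count = 0            # quiet for a whole interval: start a fresh window
        c.timestamp = now          # the window is measured from the *last* hit
        c.count += 1
        return over

    def request(self, ip, uri, now):
        last = self.hold.get(ip)
        if last is not None and now - last < self.cfg.blocking_period:
            self.hold[ip] = now    # a refused request extends the block
            return 403
        page_over = self._over_limit(f"{ip}_{uri}", now,
                                     self.cfg.page_interval, self.cfg.page_count)
        site_over = self._over_limit(ip, now,
                                     self.cfg.site_interval, self.cfg.site_count)
        if page_over or site_over:
            self.notified.append((ip, now))   # not currently held, so this is a new block
            self.hold[ip] = now
            return 403
        return 200


def simulate(requests, cfg=None):
    """Run (ip, uri, second) tuples through a fresh engine.
    Returns (list of status codes, list of blacklisting events)."""
    engine = Evasive(cfg)
    statuses = [engine.request(ip, uri, t) for ip, uri, t in requests]
    return statuses, engine.notified


if __name__ == "__main__":
    # Constructed sample: the test script's burst of 100 requests for "/" in one second.
    burst = [("127.0.0.1", "/", 0)] * 100
    statuses, events = simulate(burst)
    print("burst:", statuses.count(200), "served,", statuses.count(403), "refused,",
          "blacklisted at", events)
    # Constructed sample: one client browsing 20 distinct pages in the same second.
    browsing = [("198.51.100.7", f"/page{i}", 0) for i in range(20)]
    print("browsing:", simulate(browsing)[0].count(403), "refused")
    # Same client keeps retrying at second 9, then stays quiet until second 19.
    statuses, _ = simulate(burst + [("127.0.0.1", "/", 9), ("127.0.0.1", "/", 19)])
    print("retry at 9 s:", statuses[-2], "| after a quiet period, at 19 s:", statuses[-1])
```

Running it shows the shape of the behaviour: the first two hits on the same URI are served, the third within one second trips DOSPageCount, and every request made while blocked is both refused and extends the block, so a client that keeps retrying is only released after it stays silent for a full blocking period. Ordinary browsing across many distinct URIs stays well under DOSSiteCount and is never refused.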
In the output above, the part that says Blacklisting address 127.0.0.1: possible DoS attack highlights a mod_evasive action. Here the IP address 127.0.0.1 is blocked by mod_evasive as a result of the test we ran earlier.
Use the mod_evasive Apache module to help to protect your server against DoS, DDoS, and brute force attacks. We strongly recommend that you integrate this module with your firewall and router for the best protection. For more information, read the Configuration section.
EasyApache 4 sets the DOSLogDir directive to the /var/log/apache2/mod_evasive/ directory. We strongly recommend that you do not change this location. If you do, the new directory must possess the same permissions.
mod_evasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, etc. mod_evasive presently reports abuses via email and syslog facilities.
During the installation, you will be asked to configure a Postfix mail server for email notification. You can choose your desired option to complete the installation. If you are unsure, just choose local only or no configuration.
The third-party mod_evasive module is fairly easy to use and can help us block requests from malicious user agents that try to overload our servers. It can provide evasive actions against HTTP DoS/DDoS attacks or brute-force attacks. It can even be configured to talk to firewalls, routers, etc. on detection of an attack from one or more IP addresses so that blacklisting can happen at a higher layer.