mod_evasive

What is mod_evasive?

mod_evasive is an evasive maneuvers module for Apache that provides evasive action in the event of an HTTP DoS or DDoS attack or a brute force attack. It is also designed to be a detection and network management tool, and can easily be configured to talk to ipchains, firewalls, routers, and so on. mod_evasive presently reports abuse via email and syslog facilities.

Detection is performed by creating an internal dynamic hash table of IP addresses and URIs, and denying any single IP address that does any of the following:

  • Requesting the same page more than a few times per second
  • Making more than 50 concurrent requests on the same child per second
  • Making any requests while temporarily blacklisted (on a blocking list)

This method has worked well in both single-server script attacks and distributed attacks, but like other evasive tools it is only useful up to the point of bandwidth and processor consumption (i.e. the bandwidth and processor time required to receive, process, and respond to invalid requests), which is why it’s a good idea to integrate it with your firewalls and routers for maximum protection.

This module instantiates for each listener individually, and therefore has a built-in cleanup mechanism and scaling capabilities. Because of this per-child design, legitimate requests are never compromised (even from proxies and NAT addresses); only scripted attacks are. Even a user repeatedly clicking ‘reload’ should not be affected unless they do it maliciously. mod_evasive is fully tweakable through the Apache configuration file, easy to incorporate into your web server, and easy to use.
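
The detection rules listed above can be modelled as fixed-window counters keyed on (IP, URI) and on the IP alone. This is an added example, not mod_evasive's own code: the class, function and parameter names are hypothetical (the parameters mirror the DOS* directives quoted in the comments further down), and the request trace is constructed.

```python
class EvasiveModel:
    """Simplified fixed-window model of the rules listed above (not the module's code)."""

    def __init__(self, page_count=2, page_interval=1.0, site_count=50,
                 site_interval=1.0, blocking_period=10.0, whitelist=()):
        # Parameter names mirror DOSPageCount, DOSPageInterval, DOSSiteCount,
        # DOSSiteInterval, DOSBlockingPeriod and DOSWhitelist; values are constructed.
        self.page = (page_count, page_interval)
        self.site = (site_count, site_interval)
        self.blocking_period = blocking_period
        self.whitelist = set(whitelist)
        self.blocked_until = {}   # ip -> time at which the block expires
        self.windows = {}         # (ip, uri) or (ip, None) -> (window_start, hits)

    def _exceeds(self, key, now, limit, interval):
        start, hits = self.windows.get(key, (now, 0))
        if now - start >= interval:       # window elapsed: start counting afresh
            start, hits = now, 0
        self.windows[key] = (start, hits + 1)
        return hits + 1 > limit

    def request(self, ip, uri, now):
        """Return the status this model gives a request from ip for uri at time now."""
        if ip in self.whitelist:
            return 200
        if self.blocked_until.get(ip, 0.0) > now:
            return 403                    # any request while on the blocking list
        # Evaluate both counters so each one sees every request.
        over_page = self._exceeds((ip, uri), now, *self.page)
        over_site = self._exceeds((ip, None), now, *self.site)
        if over_page or over_site:
            self.blocked_until[ip] = now + self.blocking_period
            return 403
        return 200


def replay(trace, **settings):
    """Run (ip, uri, time) tuples through a fresh model and return the statuses."""
    model = EvasiveModel(**settings)
    return [model.request(ip, uri, t) for ip, uri, t in trace]


# Constructed trace: one NAT address whose users poll the same AJAX URL.
AJAX_TRACE = [("203.0.113.7", "/poll", t) for t in (0.0, 0.2, 0.4, 0.6, 5.0, 11.0)]

if __name__ == "__main__":
    print(replay(AJAX_TRACE))                              # third request trips the page rule
    print(replay(AJAX_TRACE, whitelist=["203.0.113.7"]))   # whitelisted: never blocked
```

In this model the block is keyed on the source address alone, so a shared NAT address polling a single URL is refused for the whole blocking period, which is the false-positive pattern several commenters below describe.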

Downloads:

Stable [ mod_evasive_1.10.1.tar.gz ] mod_evasive for Apache v1.3 and 2.0, and NSAPI (SunONE)

CVS Access

The mod_evasive source tree is available via CVS by using the following commands:

cvs -d :pserver:[email protected]:/usr/local/cvsroot login
cvs -d :pserver:[email protected]:/usr/local/cvsroot checkout mod_evasive

Linux RPMs

The following links are not official RPMs, but have been submitted as freely downloadable.

http://checksuite.sourceforge.net/dl/

42 Responses to mod_evasive

  2. Thor says:

    Hi, I think I found a bug in mod_evasive; here I explain it in Spanish:
    http://el-blog-de-thor.blogspot.com/2009/04/fallo-de-programacion-en-modevasive.html
    Summarizing, you’re resetting the variable n->timestamp for each request. It’s possible that I may have misunderstood the code; if so, sorry. Regards!

  3. pferreir says:

    Hello,
    I’m currently using mod_evasive, and it works beautifully. However, I’m getting a high number of false positives, since I have a script that is requested through AJAX, and since the URL is always the same, and there can be several requests per second, blacklisting becomes inevitable.
    I think that the ability to override some parameters (or just disable the module) for specific and would be very desirable. Are you planning to add this in the future? Or at least a regex that allows you to whitelist some URLs… that’d be enough for most cases.
    Keep up the good work!

  7. mikeyc says:

    Is mod_evasive available for Windows installations of Apache?

  13. pyeager says:

    I’m trying to use mod_evasive on a cpanel server, and having a problem.

    I can’t seem to find a configuration that allows us to view awstats without triggering mod_evasive. Even these settings won’t work:

    DOSPageCount 1000
    DOSSiteCount 1000
    DOSPageInterval 1
    DOSSiteInterval 1
    DOSBlockingPeriod 10

    I have tried defining the parameters several ways… in the cpanel pre-virtual host include, and in httpd.conf.

    It seems that no matter what I set the parameters to, viewing awstats will trigger mod-evasive, causing a 403 return.

    I recently discovered the DOSWhitelist parameter, and it appears to work. This would be a bit of a pain to implement, as we need awstats to be viewable from a variety of locations, most of which have dynamic addresses.

    Any help would be appreciated!

    Paul

  16. JohnW says:

    I have a case where the same URL is being blacklisted over and over again from different client addresses. The URL in question is for the CSS style sheet for a single web application. Could this be a false positive? What could be causing it? Network issues?

  18. babajaga says:

    Hi,
    I have a problem with Whitelisting.
    Only one IP to be whitelisted, so I configured
    DOSWhitelist 127.0.0.1
    However, it will be blocked:
    + wget http://127.0.0.1/srv/www/htdocs/ga.js
    --2011-02-25 11:48:13-- http://127.0.0.1/srv/www/htdocs/ga.js
    Connecting to 127.0.0.1:80... connected.
    HTTP request sent, awaiting response... 404 Not Found
    2011-02-25 11:48:13 ERROR 404: Not Found.

    + wget http://127.0.0.1/srv/www/htdocs/ga.js
    --2011-02-25 11:48:13-- http://127.0.0.1/srv/www/htdocs/ga.js
    Connecting to 127.0.0.1:80... connected.
    HTTP request sent, awaiting response... 404 Not Found
    2011-02-25 11:48:13 ERROR 404: Not Found.

    + wget http://127.0.0.1/srv/www/htdocs/ga.js
    --2011-02-25 11:48:13-- http://127.0.0.1/srv/www/htdocs/ga.js
    Connecting to 127.0.0.1:80... connected.
    HTTP request sent, awaiting response... 403 Forbidden
    2011-02-25 11:48:13 ERROR 403: Forbidden.

  19. babajaga says:

    Ok, some more info and some progress:
    My problem is/was in httpd.conf the line

    This makes all following config-options for mod_evasive20 useless.
    I tried different versions, like

    nothing worked.
    Only removal of altogether makes the config options effective.

    My stupid question: Which will work ?
    I use apache2.2.15, SUSE 11.3, 32bit

  20. babajaga says:

    Looks like the blog SW removed some info, so a 2nd try:
    apache2ctl -t -D DUMP_MODULES
    ….
    evasive20_module (shared)
    …..
    The next statements in httpd.conf for apache 2.2.15 are not effective:
    “”
    “”
    “”

    Only removal of “” completely makes the config pars effective for evasive20

    Which ” will work ?

  21. babajaga says:

    WTF …
    The next statements in httpd.conf for apache 2.2.15 are not effective:
    IfModule mod_evasive20.c
    IfModule evasive20_module
    IfModule module_evasive20

    Only removal of “IfModule …” makes the config pars effective for evasive20

  34. amersaeed says:

    I am new to Linux servers; please guide me on how I can edit and save the httpd.conf file to add configuration to it.

  35. p1c0 says:

    Hello,

    Is there any way to configure mod_evasive to count HTTP sessions instead of a single IP address?

    I’ve a lot of clients coming from an enterprise’s LAN behind a single NAT, and they get blacklisted.

    Thank you
