
Apache HTTP server and mod_evasive

When it comes to the Apache HTTP server, the installation is usually straightforward. In this post I will describe the configuration of mod_evasive.

Installing apache and mod_evasive on Armbian

Use apt-get to install the Apache HTTP server, the mailx program (required by mod_evasive) and mod_evasive itself:

sudo apt-get install apache2 heirloom-mailx libapache2-mod-evasive

mailx

mailx is a utility program for sending emails. It can be used to send notifications about possible DoS attacks discovered by mod_evasive. For configuration options see the mailx documentation and the sample script below.

There is also a configuration option for GMail certificates (nss-config-dir); more information can be found in the serverfault question about certificates for mailx.

Configuring mod_evasive

After installation, mod_evasive should be enabled with: sudo a2enmod evasive.

Sample configuration (/etc/apache2/mods-available/evasive.conf):

<IfModule mod_evasive20.c>
    DOSHashTableSize    3097
    DOSPageInterval     1
    DOSPageCount        5
    DOSSiteInterval     1
    DOSSiteCount        50
    DOSBlockingPeriod   5
    #DOSEmailNotify     some.address@gmail.com
    DOSSystemCommand    "/etc/apache2/evasive.sh %s"
    #DOSLogDir           "/tmp"
    DOSWhitelist        127.0.0.1
</IfModule>

Please notice that email notifications to some.address@gmail.com are disabled. This is because we will use DOSSystemCommand to send the notification email. The script provided could also add iptables rules.

When mod_evasive detects a possible DoS attack it creates a lock file. The lock file name is usually something like /tmp/dos-234.77.88.99, where 234.77.88.99 is the IP of the attacker. This file holds information about the recognized attack.

Notes for configuration

  • The %s placeholder in the system command will be replaced with the IP of the attacker.
  • Email notifications and system command actions are performed only for new attacks, i.e. those for which no lock file exists yet.
  • The script in the example, /etc/apache2/evasive.sh, will be executed as the www-data user, so it needs proper permissions.
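To make the interplay of these settings concrete, here is a small Python model of the documented mod_evasive semantics (an added example, not mod_evasive's own code or the script from this post). It assumes that a counter restarts once its interval has elapsed, that a request is blocked when the count exceeds DOSPageCount or DOSSiteCount, and that notifying each IP only once models the lock file in DOSLogDir, which mod_evasive does not clean up itself.

```python
class EvasiveModel:
    """Simplified model of the evasive.conf thresholds (added example,
    not mod_evasive's own code). Defaults are the values from the post."""

    def __init__(self, page_interval=1, page_count=5, site_interval=1,
                 site_count=50, blocking_period=5, whitelist=("127.0.0.1",)):
        self.page_interval, self.page_count = page_interval, page_count
        self.site_interval, self.site_count = site_interval, site_count
        self.blocking_period = blocking_period
        self.whitelist = set(whitelist)
        self.hits = {}        # "ip" or "ip_uri" -> (last hit time, hits in window)
        self.blocked = {}     # ip -> time of its last blocked request
        self.notified = []    # ips with a /tmp/dos-<ip> lock file (assumed never cleaned)

    def _over_limit(self, key, now, interval, limit):
        last, count = self.hits.get(key, (None, 0))
        if last is None or now - last >= interval:
            count = 0                       # window expired: start counting again
        count += 1
        self.hits[key] = (now, count)
        return count > limit

    def request(self, ip, uri, now):
        """Return 'OK' or 'BLOCKED' for one request made at time `now` (seconds)."""
        if ip in self.whitelist:            # DOSWhitelist: never counted or blocked
            return "OK"
        if ip in self.blocked and now - self.blocked[ip] < self.blocking_period:
            self.blocked[ip] = now          # each hit while blocked extends the block
            return "BLOCKED"
        page = self._over_limit(f"{ip}_{uri}", now, self.page_interval, self.page_count)
        site = self._over_limit(ip, now, self.site_interval, self.site_count)
        if not (page or site):
            return "OK"
        self.blocked[ip] = now
        if ip not in self.notified:         # DOSEmailNotify / DOSSystemCommand fire only
            self.notified.append(ip)        # when the lock file does not exist yet
        return "BLOCKED"

    def notifications_sent(self):
        return sorted(self.notified)


if __name__ == "__main__":
    m = EvasiveModel()
    for i in range(7):                      # 7 hits on one page within one second
        print(i + 1, m.request("234.77.88.99", "/index.html", 0.1 * i))
    print("notified:", m.notifications_sent())
```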

Sample script for sending notifications

A real GMail account may be needed to send notifications to GMail recipients. Let’s say we own pi@gmail.com with password P@ssw0rd.

#!/usr/bin/env bash
# Called by mod_evasive via DOSSystemCommand; %s expands to the offending IP.
SOURCE_IP="$1"
echo "sending notification email"
# MAILRC=/dev/null ignores any ~/.mailrc of www-data so only the -S settings apply.
# ssl-verify=ignore skips checking the SMTP server certificate; set nss-config-dir
# (see the mailx section above) instead if the certificate should be verified.
echo "Possible DoS attack blocked from: '$SOURCE_IP'" |     \
    MAILRC=/dev/null /usr/bin/mailx                         \
    -s "'$SOURCE_IP' was blocked by mod_evasive"            \
    -S smtp="smtp.gmail.com:587"                            \
    -S smtp-use-starttls                                    \
    -S smtp-auth=login                                      \
    -S smtp-auth-user="pi@gmail.com"                        \
    -S smtp-auth-password="P@ssw0rd"                        \
    -S ssl-verify=ignore                                    \
    recipient@gmail.com
echo "notification email sent for '$SOURCE_IP'"

To check if the permissions for the script are correct:

sudo -u www-data /etc/apache2/evasive.sh 234.77.88.99
