Apache HTTP server and mod_evasive
When it comes to Apache HTTP server the installation is usually straightforward. In this post I will describe the configuration for mod_evasive.
Installing apache and mod_evasive on Armbian
Use apt-get to install Apache HTTP server, mailx program (required by mod_evasive) and mod_evasive itself:
sudo apt-get install apache2 heirloom-mailx libapache2-mod-evasive
mailx
mailx is a utility program to send emails. It may be used to send notifications on possible DoS attacks discovered by mod_evasive. For configuration options see mailx documentation and sample script.
There is also configuration for GMail certificates (nss-config-dir) — more info may be found at serverfault question about certificate for mailx.
Configuring mod_evasive
After installation, mod_evasive should be enabled: sudo a2enmod evasive
Sample configuration (/etc/apache2/mods-available/evasive.conf):
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageInterval 1
DOSPageCount 5
DOSSiteInterval 1
DOSSiteCount 50
DOSBlockingPeriod 5
#DOSEmailNotify some.address@gmail.com
DOSSystemCommand "/etc/apache2/evasive.sh %s"
#DOSLogDir "/tmp"
DOSWhitelist 127.0.0.1
</IfModule>
Please notice that email notifications for some.address@gmail.com are disabled. This is because we will use DOSSystemCommand to send the notification email. The script provided could also add IPTables rules.
When mod_evasive detects a possible DoS attack it creates a lock file. The lock file name is usually something like /tmp/dos-234.77.88.99 where 234.77.88.99 is the IP of the attacker. This file holds information about the recognized attack.
Notes for configuration
- The %s placeholder for the system command will be replaced with the IP of the attacker.
- Email notifications and system command actions are performed only for new attacks, that is, those for which no lock file exists yet.
- The script in the example, /etc/apache2/evasive.sh, will be executed as the www-data user, so it needs proper permissions.
Sample script for sending notifications
A real GMail account may be needed to send notifications to GMail recipients. Let's say we own pi@gmail.com with password P@ssw0rd.
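#!/usr/bin/env bash
# Called by mod_evasive through DOSSystemCommand; $1 is the blocked client IP.
# This file contains the SMTP password: do not leave it world-readable.
SOURCE_IP="$1"
echo "sending notification email"
# MAILRC=/dev/null keeps mailx from reading the user's ~/.mailrc.
# ssl-verify=ignore skips certificate verification (see the nss-config-dir note above).
echo "Possible DoS attack blocked from: '$SOURCE_IP'" | \
    MAILRC=/dev/null /usr/bin/mailx \
    -s "'$SOURCE_IP' was blocked by mod_evasive" \
    -S smtp="smtp.gmail.com:587" \
    -S smtp-use-starttls \
    -S smtp-auth=login \
    -S smtp-auth-user="pi@gmail.com" \
    -S smtp-auth-password="P@ssw0rd" \
    -S ssl-verify=ignore \
    recipient@gmail.com
echo "notification email sent for '$SOURCE_IP'"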
To check if the permissions for the script are correct:
sudo -u www-data /etc/apache2/evasive.sh 234.77.88.99
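The %s argument reaches evasive.sh as a plain string, and the post notes that the script could also add IPTables rules, so it is worth checking that the argument really is an address before it is used anywhere. The following is an added example, not part of the original post: it assumes IPv4 only, the function names is_valid_ipv4 and block_rule are hypothetical, and the rule is only printed, not applied.

```shell
#!/bin/sh
# Added example (not from the original post): validate the address that
# mod_evasive substitutes for %s before the handler uses it anywhere.
# Assumption: IPv4 only, matching the addresses shown in the post.

# Succeeds only for a dotted quad: four decimal octets, each 0..255.
is_valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*) return 1 ;;      # empty, or anything but digits and dots
    esac
    _rest="$1." _count=0
    while [ -n "$_rest" ]; do
        _octet=${_rest%%.*}            # text before the first dot
        _rest=${_rest#*.}              # text after the first dot
        _count=$((_count + 1))
        case "$_octet" in
            ''|????*) return 1 ;;      # empty octet, or more than 3 digits
        esac
        [ "$_octet" -le 255 ] || return 1
    done
    [ "$_count" -eq 4 ]
}

# Prints the firewall rule for a validated address (dry run: nothing is
# executed here, and iptables itself needs root, which www-data lacks).
block_rule() {
    if ! is_valid_ipv4 "$1"; then
        echo "evasive.sh: rejected argument" >&2
        return 1
    fi
    printf 'iptables -I INPUT -s %s -j DROP\n' "$1"
}

# Run only when called with an argument, as DOSSystemCommand would do.
if [ "$#" -gt 0 ]; then
    block_rule "$1" || exit 1
fi
```

Because the check runs before the value is placed in any command line, a malformed argument makes the handler exit with status 1 instead of reaching mailx or a firewall command.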