Now that the installation is complete and verified, let us look into the configuration of the module. mod_evasive can be easily customized through the mod_evasive.conf
configuration file. We will discuss some of the configuration parameters in this tutorial. Please refer to the configuration file for information on all the parameters — it contains a description of each parameter.
One of the configuration options you need to change is DOSEmailNotify
. This is a very useful directive. If this value is set, an email will be sent to the email address specified whenever an IP address is blacklisted. The email body will show mod_evasive HTTP Blacklisted 111.111.111.111
For example, if you want to send mod_evasive alerts to say, sammy@example.com, edit the file:
- sudo nano /etc/httpd/conf.d/mod_evasive.conf
Uncomment the DOSEmailNotify
line by removing the #
in front of the line, and change the email address to yours:
DOSEmailNotify sammy@example.com
Note: mod_evasive uses /bin/mail
for sending email alerts. You need to have a mail server installed and working, please refer to this tutorial for information on how to set up a simple mail server so that email notifications work.
Another parameter you might want to set is DOSWhitelist
. Using this option, IP addresses of trusted clients can be added to the whitelist to ensure they are never denied. The purpose of whitelisting is to protect software, scripts, local search bots, or other automated tools from being denied for requesting large amounts of data from the server.
To whitelist an IP address, for example 111.111.111.111, add an entry to the configuration file like this:
DOSWhitelist 111.111.111.111
Wildcards can be used on up to the last 3 octets of the IP address if necessary.
To whitelist multiple IP addresses from different IP ranges, you can add separate DOSWhitelist lines in the configuration file like this:
DOSWhitelist 111.111.111.111
DOSWhitelist 222.222.222.222
DOSPageCount
and DOSSiteCount
are two other parameters recommended to be changed to less aggressive values to avoid clients getting blocked unnecessarily.
DOSPageCount
is the limit for the number of requests for the same page per page interval (usually set to one second) by an IP address. Once the threshold for that interval has been exceeded, the IP address of the client will be added to the blocked list. The default value is set quite low at 2. You can change it to a higher value, say 20, by editing the following in /etc/httpd/conf.d/mod_evasive.conf
:
DOSPageCount 20
DOSSiteCount
is the limit for the total number of requests for the same website by an IP address per site interval (defaults to 1 second). To change it to a larger value such as 100 seconds:
DOSSiteCount 100
There are a few other parameters you can change to achieve better performance.
One is DOSBlockingPeriod
, which is the amount of time (in seconds) that a client (IP address) will be blocked for if they are added to the blocked list. During this time, all subsequent requests from the client will result in a 403 (Forbidden) error and the timer being reset (defaults to 10 seconds).
For example, if you want to increase the blocking period to 300 seconds:
DOSBlockingPeriod 300
Another is DOSLogDir
which refers to the temporary directory used by mod_evasive. By default /tmp
will be used for a locking mechanism, which opens some security issues if your system is open to shell users. In the event you have non-privileged shell users, you will want to create a directory writeable only to the user Apache is running as (usually apache) then set this parameter in your mod_evasive.conf file.
For example, to set the directory used by mod_evasive to /var/log/mod_evasive
, create the directory using:
- sudo mkdir /var/log/mod_evasive
Then set the ownership to apache
user:
- sudo chown -R apache:apache /var/log/mod_evasive
Now edit the mod_evasive configuration and change the directory as follows:
DOSLogDir "/var/log/mod_evasive"
Another parameter is DOSSystemCommand
. If a value is set, the command specified will be executed whenever an IP address is blacklisted. Using this parameter, you can integrate mod_evasive with the firewall installed on your server or a shell script and block the IP addresses blacklisted by mod_evasive in the firewall.
source: https://www.digitalocean.com/community/tutorials/how-to-protect-against-dos-and-ddos-with-mod_evasive-for-apache-on-centos-7