Denial of service attacks are a pain. There’s a module you can use with Apache 2 called mod_dosevasive (or mod_evasive), written by Jonathan A. Zdziarski over at Nuclear Elephant. The module helps stop DoS attacks. It let’s you configure parameters that should not be surpassed. Let’s take a semi-detailed look at that module before you download a copy and dive into using it.
In the suggested default configuration it’ll block any IP that makes more than 2 requests for the same page in 1 second or less, plus any IP that makes more than 50 requests to the site in 1 second or less. When that happens that IP becomes blocked for 10 seconds.
While it’s written for Linux systems there is a Windows port available (based on version 1.8) put together by a guy named Steffen in the Netherlands. You can download a copy of mod_dosevasive for Windows from this Web site. Source code is included, and the configuration options are listed below. Be aware that based ona cursory examination of the source code it seems that Steffen disabled the email notification functionality, so that might not work. But the other features should, in theory.
Drop the DLL file into your Apache 2 modules directory and configure Apache to load it:
LoadModule dosevasive_module c:apache2modulesmod_dosevasive.dll
Be sure to insert the configuration directives in your Apache 2 configuration file too. A directive block might look something like this:
DOSHashTableSize 3097
DOSPageCount 5
DOSSiteCount 100
DOSPageInterval 2
DOSSiteInterval 2
DOSBlockingPeriod 600
You can also include a few other directives:
DOSEmailNotify you@yourdomain.com
DOSSystemCommand “do-this.bat %1″
DOSLogDir “c:templockmod_dosevasive”
DOSWhitelist 127.0.0.1
Just remember that the email notification feature appears to be disabled in this Windows-based version of the module. That said, here’s what those parameters do, and here’s a link to Zdiarski’s mod_evasive site where you can download the current version for Linux (version 1.10.1 at the time of this posting), which contains a more extensive README file that you should probably take a look at.
DOSHashTableSize
The hash table size defines the number of top-level nodes for each child’s hash table. Increasing this number will provide faster performance by decreasing the number of iterations required to get to the record, but consume more memory for table space. You should increase this if you have a busy web server. The value you specify will automatically be tiered up to the next prime number in the primes list (see mod_evasive.c for a list of primes used).
DOSPageCount
This is the threshhold for the number of requests for the same page (or URI) per page interval. Once the threshhold for that interval has been exceeded, the IP address of the client will be added to the blocking list.
DOSSiteCount
This is the threshhold for the total number of requests for any object by the same client on the same listener per site interval. Once the threshhold for that interval has been exceeded, the IP address of the client will be added to the blocking list.
DOSPageInterval
The interval for the page count threshhold; defaults to 1 second intervals.
DOSSiteInterval
The interval for the site count threshhold; defaults to 1 second intervals.
DOSBlockingPeriod
The blocking period is the amount of time (in seconds) that a client will be blocked for if they are added to the blocking list. During this time, all subsequent requests from the client will result in a 403 (Forbidden) and the timer being reset (e.g. another 10 seconds). Since the timer is reset for every subsequent request, it is not necessary to have a long blocking period; in the event of a DoS attack, this timer will keep getting reset.
Whitelisting IP Addresses
IP addresses of trusted clients can be whitelisted to insure they are never denied. The purpose of whitelisting is to protect software, scripts, local searchbots, or other automated tools from being denied for requesting large amounts of data from the server. Whitelisting should *not* be used to addcustomer lists or anything of the sort, as this will open the server to abuse. This module is very difficult to trigger without performing some type of malicious attack, and for that reason it is more appropriate to allow the module to decide on its own whether or not an individual customer should be blocked.
To whitelist an address (or range) add an entry to the Apache configuration in the following fashion:
DOSWhitelist 127.0.0.1
DOSWhitelist 127.0.0.*
Wildcards can be used on up to the last 3 octets if necessary. Multiple DOSWhitelist commands may be used in the configuration.
Reference: http://bestofsecurity.net/tools/Mod_dosevasive_for_Apache2_on_Windows-1/
My Blog List
-
The repository ‘http://deb.debian.org/debian buster-backports Release’ no longer has a Release file. - [image: See all Debian/Ubuntu Linux related FAQ] When you run the sudo apt update, you may see the following message or error on a Debian Linux: Err:5 http...3 days ago
-
A Closer Look at Remote Peering: Technologies and Techniques - In the realm of digital communication, the significance of efficient internet traffic exchange has escalated with the surge in global cloud content. With...2 weeks ago
-
PaloAlto init-cfg.txt Bootstrap Config file Layout with Examples - When you install and configure the PaloAlto firewall, when the firewall boots up for the first time, it does the bootstrapping process. PaloAlto uses the s...1 year ago
-
Clusterssh – Administer multiple ssh or rsh shells simultaneously - Sponsored Link The command opens an administration console and an xterm to all specified hosts. Any text typed into the administration console is replicate...3 years ago
-
Web Application Vulnerability Scanning Tools - Web Application Vulnerability Scanning Tools Nessus http://www.tenable.com/products/nessus PortSwigger https://portswigger.net/ qualys https://www.qualys....5 years ago
-
What You Don’t Know About Linux Open Source Could Be Costing to More Than You Think - Guest post by Marc Fisher If you would like to test out Linux before completely switching it as your everyday driver, there are a number of means by which ...5 years ago
-
Resolving Sysprep problems with App-X packages (Part 1) - This is the first of two articles explaining how to fix systems that won't Sysprep if Windows Native/App-X applications have been removed and Windows patches.6 years ago
-
V2V Communications security considerations - The future of vehicles, road infrastructure and driving are changing. We are progressing with vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) ...6 years ago
-
10 UNIX / Linuz Size Command Examples for ObjectFiles - Linux size is part of GNU binutils. This utility is very helpful for programmers to analyze the data from the executable files (or object files). By defaul...9 years ago
-
Updating VMware Tools on Red Hat Enterprise/Scientific/CentOS Linux 6 for VMware ESXi 5 - In a previous post I discussed installing the open source VMware tools for Red Hat Enterprise/Scientific/CentOS Linux 6 from a yum package repository provi...12 years ago
