In this article we will show how to install mod_evasive and mod_security or mod_qos.
These modules protect Apache against DOS,DDOS or brute force attacks on Linux Ubuntu 10.04 or other debian based distributions.
Here is first an description on mod_evasive and mod_security.
What is mod_evasive?
mod_evasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and etcetera. mod_evasive presently reports abuses via email and syslog facilities.
Detection is performed by creating an internal dynamic hash table of IP Addresses and URIs, and denying any single IP address from any of the following:
- Requesting the same page more than a few times per second
- Making more than 50 concurrent requests on the same child per second
- Making any requests while temporarily blacklisted (on a blocking list)
This method has worked well in both single-server script attacks as well as distributed attacks, but just like other evasive tools, is only as useful to the point of bandwidth and processor consumption (e.g. the amount of bandwidth and processor required to receive/process/respond to invalid requests), which is why it’s a good idea to integrate this with your firewalls and routers for maximum protection.
This module instantiates for each listener individually, and therefore has a built-in cleanup mechanism and scaling capabilities. Because of this per-child design, legitimate requests are never compromised (even from proxies and NAT addresses) but only scripted attacks. Even a user repeatedly clicking on ‘reload’ should not be affected unless they do it maliciously. mod_evasive is fully tweakable through the Apache configuration file, easy to incorporate into your web server, and easy to use.
What is mod_security?
ModSecurity is a web application firewall (WAF). With over 70% of attacks now carried out over the web application level, organisations need all the help they can get in making their systems secure. WAFs are deployed to establish an increased external security layer to detect and/or prevent attacks before they reach web applications. ModSecurity provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring and real-time analysis with little or no changes to existing infrastructure.
Create a new directory for your log files:
Set ownership to Apache:
Create a configuration file in your conf.d directory all files in this folder gets read by Apache Server
Add the following to your configuration file:
Here is what settings stand for:
- DOSHashTableSize is the size of the hash table that is created for the IP addresses monitored.
- DOSPageCount is the number of pages allowed to be loaded for the DOSPageInterval setting. In our case, 2 pages per 1 second before the IP gets flagged.
- DOSPageInterval is the number of seconds the intervals are set for DOSPageCount
- DOSSiteInterval is the number of seconds the intervals are set for DOSSiteCount
- DOSBlockingPeriod is the number of seconds the IP address will recieve the Error 403 (Forbidden) page when they have been flagged.
Enable the modules and restart Apache Server:
sudo a2enmod mod-security
sudo /etc/init.d/apache2 restart
mod_qos is a quality of service module for the Apache Web Server. It implements control mechanisms that can provide different priority to different requests and controls server access based on available resources.
# handles connections from up to 100000 different IPs
# will allow only 50 connections per IP
# maximum number of active TCP connections is limited to 256
# disables keep-alive when 70% of the TCP connections are occupied:
# minimum request/response speed (deny slow clients blocking the server):
QS_SrvMinDataRate 150 1200
# and limit request header and body: