Debian 12 bookworm

Apache2 : Configure mod_evasive (2023/07/04)

 
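Enable the mod_evasive module to mitigate DoS attacks and similar request floods. It throttles clients per source IP address inside Apache, so it helps against simple floods from a small number of addresses but does not absorb bandwidth-saturating or widely distributed attacks.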
[1] Install and configure mod_evasive.
root@www:~#
apt -y install libapache2-mod-evasive
root@www:~#
vi /etc/apache2/mods-available/evasive.conf
# uncomment each line to configure

<IfModule mod_evasive20.c>
    # Size of the hash table used to track clients. Per the mod_evasive
    # README, a larger value makes lookups faster but uses more memory.
    DOSHashTableSize    3097
    # Threshold for the number of requests for the same page per page interval.
    # 2 requests per interval is strict: watch for legitimate clients being
    # blocked (reloads, retries) and raise the value if that happens.
    DOSPageCount        2
    # Threshold for the total number of requests for any object by the same
    # client on the same listener per site interval.
    # Clients are tracked by source IP address, so users behind a shared NAT
    # or proxy address count as one client; trusted addresses (monitoring,
    # a front-end proxy) can be exempted with the DOSWhitelist directive.
    DOSSiteCount        50
    # Interval (in seconds) for the page count threshold
    DOSPageInterval     1
    # Interval (in seconds) for the site count threshold
    DOSSiteInterval     1
    # Amount of time (in seconds) that a client is blocked once it is added to
    # the blocking list; blocked clients receive "403 Forbidden".
    # Per the mod_evasive README, requests made while blocked reset the timer.
    DOSBlockingPeriod   10

    # Optional: uncomment and adjust the following directives as needed.
    # Address that receives a notification when an IP address is blacklisted
    #DOSEmailNotify      root@localhost
    # Command to run when an IP address is blacklisted; %s is replaced with
    # that IP address. The command is started by Apache, so it runs with the
    # web server account's privileges: grant that account only the narrow
    # privilege the command needs, and never build the command from
    # request-controlled data other than %s.
    #DOSSystemCommand    "su - someuser -c '/sbin/... %s ...'"
    # Directory for the per-IP "dos-<address>" files written when a client is
    # blocked; it must be writable by the Apache user.
    # NOTE(review): upstream documents /tmp as the location when this is left
    # unset. A dedicated directory that other local users cannot write to is
    # the safer choice; confirm the default for your package version.
    #DOSLogDir           "/var/log/mod_evasive"
</IfModule>

root@www:~#
mkdir /var/log/mod_evasive

root@www:~#
chown www-data:www-data /var/log/mod_evasive

root@www:~#
systemctl reload apache2

[2] Send repeated requests to Apache2 to verify that blocking works.
root@www:~#
for ((i=1; i <= 20; i++)); do curl -I localhost; done


.....
.....

HTTP/1.1 200 OK
Date: Tue, 04 Jul 2023 02:10:05 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade
Last-Modified: Mon, 03 Jul 2023 23:32:47 GMT
ETag: "29cd-5ff9d958ee6c0"
Accept-Ranges: bytes
Content-Length: 10701
Vary: Accept-Encoding
Content-Type: text/html

HTTP/1.1 200 OK
Date: Tue, 04 Jul 2023 02:10:05 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade
Last-Modified: Mon, 03 Jul 2023 23:32:47 GMT
ETag: "29cd-5ff9d958ee6c0"
Accept-Ranges: bytes
Content-Length: 10701
Vary: Accept-Encoding
Content-Type: text/html

# responses change to "403 Forbidden" once the client is blocked
HTTP/1.1 403 Forbidden
Date: Tue, 04 Jul 2023 02:10:05 GMT
Server: Apache
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 403 Forbidden
Date: Tue, 04 Jul 2023 02:10:05 GMT
Server: Apache
Content-Type: text/html; charset=iso-8859-1

.....
.....

# once a client is blocked, a file named after its IP address is recorded in the DOSLogDir directory

root@www:~#
ll /var/log/mod_evasive

total 4
-rw-r--r-- 1 www-data www-data 5 Jul  3 21:14 dos-127.0.0.1

# if DOSEmailNotify is set, a notification like the following is sent

root@www:~#
mail

Mail version 8.1.2 01/15/2001.  Type ? for help.
"/var/mail/root": 1 message 1 unread
>U  1 www-data@www.srv.  Tue Jul 04 13:16   20/621
& 1
Message 1:
From www-data@www.srv.world  Tue Jul 04 13:16:38 2023
X-Original-To: root@localhost
To: root@localhost
MIME-Version: 1.0
Content-Type: text/plain; charset="ANSI_X3.4-1968"
Content-Transfer-Encoding: 8bit
Date: Tue, 04 Jul 2023 13:16:38 +0900 (JST)
From: www-data <www-data@www.srv.world>

To: root@localhost
Subject: HTTP BLACKLIST 127.0.0.1

mod_evasive HTTP Blacklisted 127.0.0.1