Shashikant shah

Wednesday, 20 April 2016

Protect Apache DDoS Attacks Using Mod_evasive Modules



A denial-of-service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users, for example by temporarily or indefinitely interrupting or suspending the services of a host connected to the Internet. A distributed denial-of-service (DDoS) attack is one where the attack source is more than one, and often thousands of, unique IP addresses.
What is mod_evasive?
The mod_evasive Apache module, formerly known as mod_dosevasive, helps protect against DoS, DDoS (Distributed Denial of Service), and brute force attacks on the Apache web server. It can provide evasive action during attacks and report abuses via email and syslog facilities.
1.     Installing mod_evasive :-
Centos :- 6.1,  serverIP :- 192.168.1.184
# yum install mod_evasive
# ls -l /etc/httpd/conf.d/mod_evasive.conf
 
2.     Check module :- 
LoadModule evasive20_module modules/mod_evasive20.so
 
# cd /etc/httpd/modules
# ls -l | grep -Ei 'evasive'
# /etc/init.d/httpd start
# chkconfig httpd on
# /etc/init.d/httpd restart
# httpd -M | grep -Ei 'evasive'
 
# vim /etc/httpd/conf.d/mod_evasive.conf
 
LoadModule evasive20_module modules/mod_evasive20.so
 
<IfModule mod_evasive20.c>
               DOSHashTableSize    3097
               DOSPageCount        2
               DOSSiteCount        50
               DOSPageInterval     1
               DOSSiteInterval     1
               DOSBlockingPeriod   10
               DOSEmailNotify      shashi.brain11@gmail.com
               DOSSystemCommand    "sudo /etc/httpd/conf.d/ban_ip.sh %s"
               DOSLogDir           "/var/log/httpd/mod_evasive"
               DOSWhitelist   127.0.0.1
</IfModule>
  1. DOSHashTableSize: The size of the hash table used to track activity on a per-IP address basis. Increasing this number gives a faster lookup of the sites that the client has visited in the past, but may impact overall performance if it is set too high.
  2. DOSPageCount: The number of identical requests to a specific URI (for example, any file served by Apache) that a visitor may legitimately make within the DOSPageInterval interval.
  3. DOSSiteCount: Similar to DOSPageCount, but refers to how many requests overall can be made to the entire site within the DOSSiteInterval interval.
  4. DOSPageInterval: The page count interval; accepts a real number of seconds. The default value is 1 second.
  5. DOSSiteInterval: The site count interval; accepts a real number of seconds. The default value is 1 second.
  6. DOSBlockingPeriod: If a visitor exceeds the limits set by DOSPageCount or DOSSiteCount, the source IP address is blacklisted for the DOSBlockingPeriod amount of time. During DOSBlockingPeriod, any request coming from that IP address receives a 403 Forbidden error.
  7. DOSEmailNotify: If an e-mail address is provided, a notification is sent to it whenever an IP address is blacklisted.
  8. DOSSystemCommand: If set, a system command that is executed whenever an IP address is blacklisted; %s is replaced with the blacklisted IP. It is designed for calls to an IP filter or other tools.
  9. DOSLogDir: The directory where mod_evasive stores its log.
 
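The directory only needs to be writable by the apache user, which creates the lock files there:
# mkdir -p /var/log/httpd/mod_evasive
# chown apache:apache /var/log/httpd/mod_evasive
# chmod 750 /var/log/httpd/mod_evasive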
 
3.     Write a shell script that handles IP blacklisting at the firewall level
 
#vim /etc/httpd/conf.d/ban_ip.sh
 
#!/bin/sh
# IP that will be blocked, as detected by mod_evasive
IP=$1
# Full path to iptables
IPTABLES="/sbin/iptables"
# mod_evasive lock directory
MOD_EVASIVE_LOGDIR=/var/log/httpd/mod_evasive
# Add the following firewall rule (block all traffic coming from $IP)
$IPTABLES -I INPUT -s "$IP" -j DROP
# Remove lock file for future checks
rm -f "$MOD_EVASIVE_LOGDIR"/dos-"$IP"
 
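The script runs as root through sudo, so it must be writable by root only:
# chown root:root /etc/httpd/conf.d/ban_ip.sh
# chmod 755 /etc/httpd/conf.d/ban_ip.sh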
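
A hardened variant of ban_ip.sh, added here as an example and not part of the original post: because sudo runs the script as root, it checks that the argument is a plain IPv4 address before handing it to iptables, refuses loopback, and avoids stacking duplicate DROP rules. The function names is_valid_ipv4 and ban_ip and the return codes are choices made for this example.

```shell
#!/bin/sh
# Added example: hardened variant of ban_ip.sh, not the post's original script.
# Paths are fixed in the script, never taken from the caller's environment.
IPTABLES="/sbin/iptables"
MOD_EVASIVE_LOGDIR="/var/log/httpd/mod_evasive"

# Succeed only for a plain dotted-quad IPv4 address (no CIDR suffix, no options).
is_valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # safe to leave unquoted: only digits and dots remain
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Block one source address. Returns 2 for a malformed argument, 3 for loopback.
ban_ip() {
    ip=$1
    if ! is_valid_ipv4 "$ip"; then
        echo "ban_ip: refusing malformed address" >&2
        return 2
    fi
    case "$ip" in
        127.*) return 3 ;;   # never firewall the host off from itself
    esac
    # -C asks whether an identical rule exists, so repeated triggers do not
    # stack duplicates; where -C is unsupported the check fails and we insert.
    if ! "$IPTABLES" -C INPUT -s "$ip" -j DROP 2>/dev/null; then
        "$IPTABLES" -I INPUT -s "$ip" -j DROP || return 1
    fi
    # Remove the lock file so mod_evasive can fire again for this address.
    rm -f "$MOD_EVASIVE_LOGDIR/dos-$ip"
}

# Run only when invoked with an argument, as DOSSystemCommand does with %s.
[ "$#" -eq 0 ] || ban_ip "$1"
```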
 
 
4.     Enable iptables :-
# service iptables start
# iptables -L
# iptables -F
# iptables -t nat -L
# service iptables save
# chkconfig iptables on
 
5.     Add the apache user to the sudoers file
 
# vim /etc/sudoers
 
# User_Alias ADMINS = jsmith, mikem
apache ALL=NOPASSWD: /etc/httpd/conf.d/ban_ip.sh
Defaults:apache !requiretty
 
IMPORTANT: As a default security policy, sudo can only be run from a terminal. Since in this case we need to use sudo without a tty, we have to comment out the Defaults requiretty line, as shown here:

# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
#Defaults    requiretty
# service httpd restart
Testing mod_evasive Setup
Another machine :-
# ab -n 100 -c 10 http://192.168.1.184/
# ls -l /var/log/httpd/mod_evasive/
# iptables -L
Showing :-
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
DROP       all  --  192.168.1.117        anywhere
