Protect Apache from DDoS Attacks Using the mod_evasive Module
A Denial-of-Service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users, for example by temporarily or indefinitely interrupting or suspending the services of a host connected to the Internet. A distributed denial-of-service (DDoS) attack is one where the traffic comes from more than one, and often thousands of, unique IP addresses.
What is mod_evasive?
The mod_evasive Apache module, formerly known as mod_dosevasive, helps protect against DoS, DDoS (Distributed Denial of Service) and brute force attacks on the Apache web server. It counts requests per client IP address in an in-memory table and, when a client exceeds a configurable rate for a single page or for the whole site, answers 403 Forbidden for a blocking period; it can also report the abuse via e-mail and syslog and run an external command. Because detection is per source IP, it works best against a single aggressive client or a handful of bots; a large distributed flood in which every source stays under the thresholds will not be caught, and no Apache module can help once the attack saturates the link in front of the server.
1. Installing mod_evasive :-
CentOS :- 6.1, server IP :- 192.168.1.184
On CentOS 6 the package comes from the EPEL repository, so enable EPEL first if yum cannot find it.
# yum install mod_evasive
# ls -l /etc/httpd/conf.d/mod_evasive.conf
2. Check module :-
The package installs /etc/httpd/conf.d/mod_evasive.conf, whose first line loads the module:
LoadModule evasive20_module modules/mod_evasive20.so
Confirm that the shared object is present and that httpd really loads it:
# cd /etc/httpd/modules
# ls -l | grep -Ei 'evasive'
# /etc/init.d/httpd start
# chkconfig httpd on
# httpd -M | grep -Ei 'evasive'
Then edit the configuration file:
# vim /etc/httpd/conf.d/mod_evasive.conf
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
DOSEmailNotify shashi.brain11@gmail.com
DOSSystemCommand "sudo /etc/httpd/conf.d/ban_ip.sh %s"
DOSLogDir "/var/log/httpd/mod_evasive"
DOSWhitelist 127.0.0.1
</IfModule>
- DOSHashTableSize: The size of the hash table used to keep track of activity on a per-IP-address basis. A larger table gives faster look-ups of the pages a client has visited but costs memory if set too high.
- DOSPageCount: The number of identical requests to a specific URI (for example any one file served by Apache) that a visitor may make within DOSPageInterval before being blocked.
- DOSSiteCount: Similar to DOSPageCount, but the number of requests to the site as a whole that a visitor may make within DOSSiteInterval. A normal page view fetches every image, stylesheet and script the page references, so keep this high enough that an ordinary browser does not trip it.
- DOSPageInterval: The page count interval, in seconds. Default value is 1 second.
- DOSSiteInterval: The site count interval, in seconds. Default value is 1 second.
- DOSBlockingPeriod: If a visitor exceeds the limits set by DOSPageCount or DOSSiteCount, the source IP address is blacklisted for this many seconds. During that time every request from the address receives a 403 Forbidden response, and each such request resets the timer, so a client that keeps hammering stays blocked.
- DOSEmailNotify: If set, an e-mail is sent to this address each time an IP is blacklisted.
- DOSSystemCommand: A system command executed each time an IP is blacklisted, with %s replaced by the blacklisted IP; it is intended for calling an IP filter or a similar tool. It runs as the user Apache runs as (apache on CentOS), which is why the ban script below is invoked through sudo.
- DOSLogDir: The directory where mod_evasive keeps its lock files. One file named dos-<IP> is created per blacklisted address, and while it exists the e-mail and the command are not repeated for that address, which is why the ban script removes it.
- DOSWhitelist: Addresses that are never blacklisted; wildcards such as 192.168.1.* are allowed. Add every reverse proxy or load balancer that sits in front of Apache here, otherwise all requests appear to come from the proxy's address, the proxy itself gets blocked, and the whole site goes down.
The log directory only has to be writable by the apache user, so give it to that user instead of making it world-writable:
# mkdir -p /var/log/httpd/mod_evasive
# chown apache:apache /var/log/httpd/mod_evasive
# chmod 750 /var/log/httpd/mod_evasive
3. Write a shell script that handles IP blacklisting at the firewall level
# vim /etc/httpd/conf.d/ban_ip.sh
#!/bin/sh
# IP that will be blocked, as passed by mod_evasive in place of %s
IP="$1"
# Full path to iptables
IPTABLES="/sbin/iptables"
# mod_evasive lock directory (the DOSLogDir from mod_evasive.conf)
MOD_EVASIVE_LOGDIR=/var/log/httpd/mod_evasive
# This script runs as root via sudo: accept only a dotted decimal address,
# so nothing else can be smuggled onto the iptables command line.
case "$IP" in
  ""|*[!0-9.]*) echo "ban_ip: invalid address '$IP'" >&2; exit 1 ;;
esac
# Add the firewall rule (block all traffic coming from $IP)
"$IPTABLES" -I INPUT -s "$IP" -j DROP
# Remove the lock file so mod_evasive notifies again if this IP is blocked later
rm -f "$MOD_EVASIVE_LOGDIR/dos-$IP"
The script is executed as root through sudo (step 5), so it must be owned by root and not writable by the apache user or anybody else; a world-writable sudo target turns any code execution inside the web server into a root shell:
# chown root:root /etc/httpd/conf.d/ban_ip.sh
# chmod 755 /etc/httpd/conf.d/ban_ip.sh
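The script above blocks forever: mod_evasive forgets the client after DOSBlockingPeriod, but nothing ever deletes the iptables rule, and the script trusts its argument completely even though it runs as root. The following is an added example, not the post's own script and not part of mod_evasive, of a drop-in replacement for /etc/httpd/conf.d/ban_ip.sh that validates the address strictly, records each ban with a timestamp, refuses to stack duplicate rules, and offers an expire subcommand that removes rules older than a TTL. The state file /var/lib/mod_evasive/bans, the 600-second BAN_TTL default and the ban/expire subcommands are this example's own choices, not mod_evasive features.

```shell
#!/bin/sh
# Added example (not the original post's ban_ip.sh): validating, expiring ban script.
#   sudo /etc/httpd/conf.d/ban_ip.sh ban 192.168.1.117   # what DOSSystemCommand calls
#   sudo /etc/httpd/conf.d/ban_ip.sh expire              # from root's cron, e.g. every minute
IPTABLES="${IPTABLES:-/sbin/iptables}"
MOD_EVASIVE_LOGDIR="${MOD_EVASIVE_LOGDIR:-/var/log/httpd/mod_evasive}"
BAN_STATE="${BAN_STATE:-/var/lib/mod_evasive/bans}"   # assumed path; one "<ip> <epoch>" per line
BAN_TTL="${BAN_TTL:-600}"                             # seconds a DROP rule stays in place

# valid_ipv4 ADDR: exactly four dot-separated decimal octets, each 0-255, no
# leading zeros, nothing else. Keeps shell metacharacters and hostnames out of
# a command line that root executes.
valid_ipv4() {
  case "$1" in ""|*[!0-9.]*) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet; do
    case "$octet" in ""|????*|0[0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# ban_ip ADDR: insert a DROP rule at the top of INPUT and remember when.
ban_ip() {
  ip=$1
  if ! valid_ipv4 "$ip"; then
    echo "ban_ip: refusing to ban '$ip': not an IPv4 address" >&2
    return 1
  fi
  # mod_evasive may fire DOSSystemCommand several times for one attacker; do not stack rules.
  if [ -f "$BAN_STATE" ] && awk -v ip="$ip" '$1 == ip { f = 1 } END { exit !f }' "$BAN_STATE"; then
    return 0
  fi
  $IPTABLES -I INPUT -s "$ip" -j DROP || return 1
  echo "$ip $(date +%s)" >> "$BAN_STATE" || return 1
  # Remove mod_evasive's per-IP lock file so a later block of the same IP fires again.
  rm -f "$MOD_EVASIVE_LOGDIR/dos-$ip"
}

# expire_bans: delete DROP rules older than BAN_TTL seconds and forget them.
expire_bans() {
  [ -f "$BAN_STATE" ] || return 0
  now=$(date +%s)
  keep=$(mktemp) || return 1
  while read -r ip added; do
    if [ $((now - added)) -ge "$BAN_TTL" ]; then
      $IPTABLES -D INPUT -s "$ip" -j DROP
    else
      echo "$ip $added" >> "$keep"
    fi
  done < "$BAN_STATE"
  mv "$keep" "$BAN_STATE"
}

case "${1:-}" in
  ban)    ban_ip "${2:-}" ;;
  expire) expire_bans ;;
  "")     ;;   # no subcommand: only define the functions (sourcing, tests)
  *)      echo "usage: $0 ban <ip> | expire" >&2; exit 1 ;;
esac
```

To use it, set DOSSystemCommand to "sudo /etc/httpd/conf.d/ban_ip.sh ban %s", create /var/lib/mod_evasive owned by root, and add a root cron entry such as `* * * * * /etc/httpd/conf.d/ban_ip.sh expire`. The sudoers rule from step 5 covers both subcommands because it names the script rather than its arguments; to be stricter, write it as `apache ALL=NOPASSWD: /etc/httpd/conf.d/ban_ip.sh ban *` so the web server can only ban, never expire.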
4. Enable iptables :-
# service iptables start
# iptables -L
# iptables -F
# iptables -t nat -L
# service iptables save
# chkconfig iptables on
Note that iptables -F flushes every existing rule in the filter table; on a host that already has a firewall policy, list the rules and skip the flush. The ban script inserts its DROP rules at the top of the INPUT chain (-I), so they take effect regardless of what follows them.
5. Add the apache user to the sudoers file
Always edit sudoers with visudo, which checks the syntax before saving; a broken sudoers file locks everybody out of sudo:
# visudo
Below the alias examples, for instance after
# User_Alias ADMINS = jsmith, mikem
add a rule that lets apache run only this one script, without a password, and exempt it from the tty requirement:
apache ALL=NOPASSWD: /etc/httpd/conf.d/ban_ip.sh
Defaults:apache !requiretty
IMPORTANT: The default sudoers policy on CentOS (Defaults requiretty) only allows sudo from a terminal, and httpd has none, so without an exception the DOSSystemCommand fails silently. The per-user line above is the narrow way to grant it; alternatively, comment out the global line:
# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
#Defaults requiretty
Prefer the per-user override, which keeps the restriction in place for every other account. Finally restart Apache so the new configuration is loaded:
# service httpd restart
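Because the sudoers line makes root run ban_ip.sh whenever the apache user asks, the script and the directory it lives in must be modifiable by root alone; a chmod 777 here hands root to anyone who gets code execution inside httpd. The following check is an added example, not part of the original post or of mod_evasive, to run after step 5; the function names and the optional expected-uid argument (default 0, root) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a sudo NOPASSWD target
# such as /etc/httpd/conf.d/ban_ip.sh cannot be altered or replaced by the
# unprivileged apache user.

# not_writable_by_others PATH EXPECTED_UID
# Succeeds when PATH is owned by EXPECTED_UID and has neither the group nor the
# other write bit set. Parses `ls -ldn` so it works on any POSIX system.
not_writable_by_others() {
  path=$1
  want_uid=$2
  line=$(ls -ldn "$path" 2>/dev/null) || return 1
  perms=$(printf '%s\n' "$line" | cut -c1-10)   # e.g. -rwxr-xr-x
  uid=$(printf '%s\n' "$line" | awk '{ print $3 }')
  [ "$uid" = "$want_uid" ] || return 1
  case "$perms" in
    ?????w????|????????w?) return 1 ;;          # group-writable or world-writable
  esac
  return 0
}

# sudo_target_safe FILE [EXPECTED_UID]
# A safe target is a regular file (not a symlink) that only EXPECTED_UID can
# write, inside a directory with the same property, so it can be neither
# edited in place nor unlinked and swapped for another script.
sudo_target_safe() {
  file=$1
  want_uid=${2:-0}
  [ -f "$file" ] && [ ! -L "$file" ] || return 1
  not_writable_by_others "$file" "$want_uid" || return 1
  not_writable_by_others "$(dirname "$file")" "$want_uid" || return 1
  return 0
}

# Usage on the server: ./check_sudo_target.sh /etc/httpd/conf.d/ban_ip.sh
if [ -n "${1:-}" ]; then
  if sudo_target_safe "$1"; then
    echo "$1: ok, only root can modify it"
  else
    echo "$1: UNSAFE as a sudo NOPASSWD target (check owner, mode and parent directory)" >&2
    exit 1
  fi
fi
```

Run it as part of the deployment checklist and after any package update that touches /etc/httpd/conf.d; the same check applies to any other script you ever hand to a service account through sudo.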
Testing mod_evasive Setup
From another machine (192.168.1.117 in this example), fire a burst of requests at the server with ApacheBench (package httpd-tools):
# ab -n 100 -c 10 http://192.168.1.184/
Back on the server, a lock file named after the attacking IP appears in the log directory, the access log shows the 403 responses, and the DROP rule is in place:
# ls -l /var/log/httpd/mod_evasive/
# tail -f /var/log/httpd/access_log
# iptables -L
Showing :-
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  192.168.1.117        anywhere
Once the rule is in, the remaining ab requests time out instead of receiving 403s, because packets from that address are now dropped before they reach Apache. Remember that the iptables rule does not expire with DOSBlockingPeriod; remove it with iptables -D INPUT -s 192.168.1.117 -j DROP when the test is over.