BuycPanel Blog

Block Attacks with EasyApache 4’s Mod_evasive

Posted by Allura on 09 10 2018.

Introduction

The mod_evasive Apache module is provided by EasyApache 4, released on 7th of November, 2017.

What Is Mod_evasive?

This Apache module helps protect a server against DoS and DDoS attacks. It also works as a detection tool, and it can be configured to communicate with iptables, firewalls, routers, and similar systems.

The module is designed to deal with single-server attacks, distributed attacks, and brute-force attacks. It can withstand larger attacks if it is integrated with a firewall or IP filters. For the best protection, integrate it with your firewalls and routers.

If the infrastructure cannot fend off other kinds of DoS attacks, this module will only help up to the limit of the total bandwidth or server capacity available for returning 403 errors.

What Does the Module Do?

The module creates an internal, dynamic hash table of IP addresses and URIs, and denies any single IP address that:

  • Requests the same page more than a few times per second.
  • Makes more than 50 concurrent requests on the same child per second.
  • Makes any request while temporarily blacklisted.

The module has a built-in clean-up mechanism and scales well because it creates an instance for each listener. Because of this, it will rarely block a legitimate request, even if a user clicks reload again and again.

How Can One Stop the Attacks?

A DoS attacker requests a URL from a server as many times as possible in order to cause trouble.

To stop such attacks, perform the following steps:

  • First, install mod_evasive on the server with the command yum install ea-apache24-mod_evasive.

cPanel & WHM provides a default configuration that blocks most attacks without any extra configuration changes. The server’s response to the attacker changes to 403 Forbidden. This means that the module detected and blocked the attack before the system spent time processing the request.

  • After that, a message appears in the Apache error_log file:

Client denied by server configuration.

  • A message also appears in /var/log/messages:

localhost mod_evasive [2635]: Blacklisting address X.X.X.X: possible DoS attack

However, this module does not blacklist clients forever; the block time is configurable. It blocks them long enough to put an effective stop to the attack. To change how long attackers stay blocked, adjust the DOSBlockingPeriod directive in the mod_evasive configuration file.
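
Because blocks are temporary, the /var/log/messages entries shown above are the record of which clients keep getting blacklisted and may be worth handing to the firewall or IP filters. The script below is an added example, not part of the original post or of cPanel's tooling: the function names, the threshold argument and the sample lines are assumptions, and the syslog prefix is assumed to match the message format shown above.

```shell
#!/bin/sh
# Added example: tally mod_evasive blacklisting events per client address.

# Constructed sample lines in the format shown above; the addresses come
# from the RFC 5737 documentation ranges.
sample_log() {
cat <<'EOF'
Oct  9 10:15:01 localhost mod_evasive[2635]: Blacklisting address 192.0.2.10: possible DoS attack.
Oct  9 10:15:02 localhost sshd[811]: Accepted publickey for admin from 198.51.100.7 port 50022
Oct  9 10:15:12 localhost mod_evasive[2635]: Blacklisting address 192.0.2.10: possible DoS attack.
Oct  9 10:16:40 localhost mod_evasive [2641]: Blacklisting address 198.51.100.23: possible DoS attack
Oct  9 10:17:05 localhost mod_evasive[2635]: Blacklisting address 192.0.2.10: possible DoS attack.
EOF
}

# evasive_offenders [MIN]: read log lines on stdin and print "COUNT IP" for
# every address blacklisted at least MIN times (default 1), busiest first.
evasive_offenders() {
    min="${1:-1}"
    awk -v min="$min" '
        # Only lines logged by mod_evasive that announce a blacklisting;
        # the space before the PID is optional.
        /mod_evasive ?\[[0-9]+\]: Blacklisting address / {
            for (i = 1; i < NF; i++) {
                if ($i == "Blacklisting" && $(i + 1) == "address") {
                    ip = $(i + 2)
                    sub(/:$/, "", ip)   # drop the colon after the address
                    count[ip]++
                }
            }
        }
        END {
            for (ip in count)
                if (count[ip] >= min)
                    print count[ip], ip
        }
    ' | sort -k1,1nr -k2,2
}

# Stand-alone run: addresses blacklisted two or more times in the sample.
sample_log | evasive_offenders 2
```

On a live server the same function can read the real log, for example `evasive_offenders 5 < /var/log/messages`.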

Module Installation

One can install it either through the EasyApache 4 interface (WHM >> Home >> Software >> EasyApache 4) or with the yum install ea-apache24-mod_evasive command.

For more information, see the Apache Module: Evasive documentation.

Conclusion

This module goes a long way toward stopping attackers’ attempts to attack the server and disrupt its operation.