The mod_evasive Apache module is a popular DIY security solution that provides a measure of protection against application layer denial of service (DoS) attacks. It works by tracking incoming requests in a dynamic hash table keyed by client IP address and requested URI, and refusing further requests from a client whose request rate crosses a configured threshold.
Essentially, mod_evasive is a per-IP rate limiting solution: it blocks clients that exceed a predetermined number of requests to the same URI, or to the site as a whole, within a short interval. It can also be configured to run a system command when it blocks an address, so that the block can be pushed out to ipchains/iptables, a firewall or a router for additional protection against DDoS attacks.
To better understand how mod_evasive can be used to protect your web server, here we will be going over how to install and configure the module, as well as its numerous benefits and limitations.
Installation and configuration
The only requirements for installing mod_evasive are a server running CentOS (the commands below target CentOS 7; Fedora already carries the package in its own repositories, so the EPEL step is not needed there) with Apache httpd installed, and a static IP address.
Installation is a quick, three step process.
- First, the EPEL yum repository needs to be installed on the server by running the following command:
sudo rpm -ivh http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
- mod_evasive can then be installed by running the following command:
sudo yum --enablerepo=epel install mod_evasive
- After installation, the module can be verified by running this command:
sudo httpd -M | grep evasive
If mod_evasive is loaded, you will see the following output:
evasive20_module (shared)
mod_evasive ships with a default configuration file (on EPEL installs, /etc/httpd/conf.d/mod_evasive.conf) that sets the directives described below:
These settings are fully customizable and should be configured based on your server’s capabilities and expected traffic flows.
The individual directives break down as follows:
- DOSHashTableSize: Specifies the number of top-level nodes for each child process's hash table. Increasing the number improves lookup performance, but also consumes more memory. Note that each Apache child keeps its own table, so hits are counted per child rather than server-wide.
- DOSPageCount: Specifies the number of requests for the same page per page interval before an IP address is blocked.
- DOSSiteCount: Specifies the number of requests for any object by the same client per site interval before the IP address is blocked.
- DOSPageInterval: The interval used in the page count threshold (measured in seconds).
- DOSSiteInterval: The interval used in the site count threshold (measured in seconds).
- DOSBlockingPeriod: Specifies the period of time (in seconds) that an IP is blocked. During this time, all requests originating from the affected IP receive a 403 Forbidden response, and each such request restarts the blocking timer, so a client that keeps retrying stays blocked.
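The fragment below is an added example of a tuned mod_evasive.conf, not the file as shipped or as recommended by the module's authors. The first block restates the shipped defaults; the second raises the thresholds for a site where users legitimately reload pages and adds the optional directives for logging, whitelisting, e-mail notification and pushing the block into the host firewall. The e-mail address, the whitelisted ranges (RFC 5737 documentation addresses) and the iptables command are assumptions.

```apache
# Shipped defaults: two hits on the same page within one second,
# or fifty hits on anything within one second, block the client for ten seconds.
DOSHashTableSize    3097
DOSPageCount        2
DOSSiteCount        50
DOSPageInterval     1
DOSSiteInterval     1
DOSBlockingPeriod   10

# Tuned example (assumed values; measure your own legitimate peak first).
# Apache does not allow comments after a directive on the same line.
DOSHashTableSize    3097
DOSPageCount        10
DOSSiteCount        100
DOSPageInterval     1
DOSSiteInterval     1
DOSBlockingPeriod   60

# Directory for the per-IP lock files that stop repeated notifications;
# it must exist and be writable by the httpd user.
DOSLogDir           /var/log/mod_evasive

# Never block the monitoring host or the office NAT range (assumed addresses).
DOSWhitelist        127.0.0.1
DOSWhitelist        192.0.2.*

# Mail once per blocked address (uses the local mail command).
DOSEmailNotify      secops@example.com

# Run once per blocked address; %s is replaced by the client IP.
# Runs as the httpd user, so it needs a matching sudoers entry, and the
# rule is never removed by mod_evasive: expire it yourself.
DOSSystemCommand    "sudo /usr/sbin/iptables -I INPUT -s %s -j DROP"
```

Check the syntax with apachectl configtest and reload httpd afterwards. DOSSystemCommand is where most deployments go wrong: without the sudoers entry it fails silently, and without a cleanup job the firewall block outlives the DOSBlockingPeriod indefinitely.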
Pros and Cons
There are a number of benefits associated with mod_evasive, including:
- Cost effectiveness – the module is available for free.
- Ease of use – installation and configuration are both easily achieved, while settings can be adjusted on-the-fly to account for any changes to legitimate traffic flows.
- DoS mitigation capabilities – single source attacks are easily identified and blocked.
At the same time, the module’s limitations make it ineffective at mitigating network layer and DDoS attacks.
Specifically, users need to consider that:
- mod_evasive is ineffective against network layer attacks
- Highly distributed attacks may not trigger mod_evasive's thresholds, since each attacking IP can stay below the per-IP limits while the aggregate load is still high.
- Low-and-slow attacks won’t trigger a response from mod_evasive.
- Because traffic is blocked based on rudimentary criteria, mod_evasive is very prone to false positives.
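The four limitations above follow directly from how the counters work. The script below is an added example that models the module's decision logic as documented in its README rather than reusing its C source; it replays constructed traffic (RFC 5737 documentation addresses, invented URIs and timings) through that model with the shipped defaults and counts how much of each scenario is served. The exact request at which the real module trips may differ by one; the pattern does not.

```python
"""Model of mod_evasive's per-IP rate limiting (added example, not the module's code).

Documented behaviour being modelled: a hit counter per (client IP, URI) governed
by DOSPageCount/DOSPageInterval, a hit counter per client IP governed by
DOSSiteCount/DOSSiteInterval, and a block list whose DOSBlockingPeriod timer
restarts every time a blocked client sends another request.  A counter resets
when the gap since the previous hit is at least the interval.
"""


class EvasiveModel:
    """Simplified mod_evasive decision logic; defaults match the shipped config."""

    def __init__(self, page_count=2, site_count=50, page_interval=1.0,
                 site_interval=1.0, blocking_period=10.0):
        self.page_count, self.site_count = page_count, site_count
        self.page_interval, self.site_interval = page_interval, site_interval
        self.blocking_period = blocking_period
        self.page_hits = {}   # (ip, uri) -> [time of last hit, hits in a row]
        self.site_hits = {}   # ip -> [time of last hit, hits in a row]
        self.blocked = {}     # ip -> time of the last request made while blocked

    @staticmethod
    def _over_limit(table, key, now, interval, limit):
        """Record a hit and report whether the run of hits now exceeds the limit."""
        entry = table.get(key)
        if entry is None or now - entry[0] >= interval:
            table[key] = [now, 1]          # gap too long: start a fresh run
            return False
        entry[0] = now
        entry[1] += 1
        return entry[1] > limit

    def request(self, ip, uri, now):
        """Return the status the module would give this request: 200 or 403."""
        last = self.blocked.get(ip)
        if last is not None and now - last < self.blocking_period:
            self.blocked[ip] = now         # every blocked request restarts the timer
            return 403
        page = self._over_limit(self.page_hits, (ip, uri), now, self.page_interval, self.page_count)
        site = self._over_limit(self.site_hits, ip, now, self.site_interval, self.site_count)
        if page or site:
            self.blocked[ip] = now
            return 403
        return 200


def replay(model, requests):
    """Feed (ip, uri, time) tuples in time order; return (served, blocked) counts."""
    statuses = [model.request(ip, uri, t) for ip, uri, t in sorted(requests, key=lambda r: r[2])]
    return statuses.count(200), statuses.count(403)


# Constructed scenarios; addresses are from the RFC 5737 documentation ranges.

def single_source_flood():
    """One client hits /login ten times a second for two seconds."""
    reqs = [("198.51.100.7", "/login", i * 0.1) for i in range(20)]
    return replay(EvasiveModel(), reqs)


def distributed_attack():
    """200 bots each fetch /login once per second for ten seconds: 200 req/s in total."""
    reqs = [(f"203.0.113.{bot + 1}", "/login", float(sec)) for bot in range(200) for sec in range(10)]
    return replay(EvasiveModel(), reqs)


def low_and_slow():
    """One client polls /login every 1.5 s for an hour: 2400 requests, never blocked."""
    reqs = [("198.51.100.7", "/login", i * 1.5) for i in range(2400)]
    return replay(EvasiveModel(), reqs)


def shared_nat_office(page_count=2):
    """Three users behind one NAT open / within half a second, then keep browsing."""
    ip = "192.0.2.10"
    reqs = [(ip, "/", 0.0), (ip, "/", 0.2), (ip, "/", 0.4)]
    reqs += [(ip, f"/page{i}", 1.0 + i) for i in range(10)]
    return replay(EvasiveModel(page_count=page_count), reqs)


if __name__ == "__main__":
    print("single-source flood   (served, blocked):", single_source_flood())
    print("distributed attack    (served, blocked):", distributed_attack())
    print("low-and-slow          (served, blocked):", low_and_slow())
    print("shared NAT, defaults  (served, blocked):", shared_nat_office())
    print("shared NAT, PageCount 10:              ", shared_nat_office(page_count=10))
```

The flood is stopped after two requests, as advertised. The distributed attack delivers a hundred times the per-IP limit to the origin without a single block, the paced client is never noticed because each gap resets the counter, and the office behind one NAT loses access after the third user opens the home page and stays locked out for as long as anyone there keeps clicking. Raising DOSPageCount fixes the last case at the cost of making the first one slower to trip; no setting of these directives addresses the middle two, and a request that is never completed (a Slowloris-style connection) is never counted at all.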
For these reasons, mod_evasive is often thought of as a blunt instrument rather than a comprehensive website security solution. Despite its free price point and relative ease of use, mod_evasive lacks the capabilities to block network layer and DDoS attacks.
What have your experiences with mod_evasive been like? Do you have any installation or configuration suggestions? Let us know in the comments below.