How to Install and Configure ModEvasive with Apache on Ubuntu

Protecting your web server against different kinds of attacks is a crucial responsibility for any system administrator.  ModEvasive is an Apache web server module that helps you to protect your web server in the event of DoS, DDoS, and brute-force attacks. These types of attacks cause the server to run out of memory, crashing your website.

The mod_evasive module works by creating a hash table of IP Addresses and URIs and monitoring for suspicious incoming server requests, such as:

• Making more than 100 concurrent connections per second.
• Requesting the same page several times per second.

If such a suspicious request occurs, the mod_evasive module sends a 403 error and blocks the IP address.

In this tutorial, we will show you how to install and configure mod_evasive with Apache on an Ubuntu 18.04 server.

Step 1 – Install mod_evasive

Before starting, Apache webserver needs to be installed on your server. If not installed, you can install it with the following command:

apt-get install apache2 apache2-utils -y

Once Apache web server is installed, you can install mod_evasive with the following command:

apt-get install libapache2-mod-evasive -y

During the installation, you will be asked to configure a Postfix mail server for email notification. You can choose your desired option to complete the installation. If you are unsure, just choose local only or no configuration.

After installing mod_evasive, you can verify whether the mod_evasive module is enabled by running the following command:

apachectl -M | grep evasive

You should get the following output:

[Mon Jan 27 13:55:35.707317 2020] [so:warn] [pid 29031] AH01574: module dav_module is already loaded, skipping
 evasive20_module (shared)

At this point, the mod_evasive module is installed and enabled. You can now proceed to the next step.

Step 2 – Configure mod_evasive

The default configuration file of mod_evasive is located at /etc/apache2/mods-enabled/evasive.conf. You will need to configure this file per your requirements.

You can open this file using the nano editor as shown below:

nano /etc/apache2/mods-enabled/evasive.conf

Change the file as shown below. We recommend amending DOSEmailNotify to the address you want the email sent to (if configured) and DOSSystemCommand – for example “su – richard -c ‘/sbin… %s …’”

<IfModule mod_evasive20.c>
    DOSHashTableSize    3097
    DOSPageCount        2
    DOSSiteCount        50
    DOSPageInterval     1
    DOSSiteInterval     1
    DOSBlockingPeriod   100
    DOSEmailNotify      root@ubuntu1804  
    DOSSystemCommand    "su - someuser -c '/sbin/... %s ...'"
    DOSLogDir           "/var/log/mod_evasive"
</IfModule>

Save and close the file when you are finished.

A brief explanation of each option is shown below:

• DOSHashTableSize: mod_evasive uses this option to control the hash table size. It is recommended to increase this if you have a busy web server.
• DOSPageCount: This option specifies the threshold limit for the number of requests allowed to the same URI per second. Once the threshold limit has been exceeded, the client’s IP address will be blacklisted.
• DOSSiteCount: This option specifies the limit on the total number of requests allowed to the same IP address.
• DOSPageInterval: This option specifies the page count interval.
• DOSSiteInterval: This option specifies the site count interval.
• DOSBlockingPeriod : This option defines the amount of time in seconds that a client will be blocked.
• DOSEmailNotify: This option sends an email to the specified address when an IP address has been blacklisted.
• DOSSystemCommand: Whenever an IP address has been blacklisted, the specified system command will be executed.
• DOSLogDir: This option defines the mod_evasive log directory.

Next, create a directory to store the mod_evasive log and change its ownership to www-data with the following command:

mkdir /var/log/mod_evasive
chown -R www-data:www-data /var/log/mod_evasive

Finally, restart the Apache service to implement the changes:

systemctl restart apache2

Step 3 – Test mod_evasive

At this point, the mod_evasive module is installed and configured. It’s time to test whether the module is working correctly.

Go to the remote system and send a bulk page request to the server using the ab command:

ab -n 1000 -c 20 http://your-server-ip/

This command will cause the equivalent of a DoS attack by sending 1000 page requests in 10 concurrent connections.

On the server, check the mail log by running the following command:

tail -15 /var/mail/root

You should see that the client IP address has been blacklisted by mod_evasive:

Received: by ubuntu1804 (Postfix, from userid 33)
            id B0C3EC1753; Mon, 27 Jan 2020 14:15:09 +0000 (UTC)
To: root@ubuntu1804
MIME-Version: 1.0
Content-Type: text/plain; charset="ANSI_X3.4-1968"
Content-Transfer-Encoding: 8bit
Message-Id: <20200127141509.B0C3EC1753@ubuntu1804>
Date: Mon, 27 Jan 2020 14:15:09 +0000 (UTC)
From: www-data <www-data@ubuntu1804>

To: root@ubuntu1804
Subject: HTTP BLACKLIST 103.250.161.100

mod_evasive HTTP Blacklisted 103.250.161.100

You can also test mod_evasive using the test.pl built-in script. You will need to modify this script to make it works.

You can edit the script as shown below:

nano /usr/share/doc/libapache2-mod-evasive/examples/test.pl

Find the following line:

print $SOCKET "GET /?$_ HTTP/1.0\n\n";

Replace it with the following:

print $SOCKET "GET /?$_ HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n";

Save and close the file when you are finished. Then, run the script using the perl command:

perl /usr/share/doc/libapache2-mod-evasive/examples/test.pl

If everything works correctly, you should get the following output:

HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden

Conclusion

Congratulations! The mod_evasive module is now configured to protect your server against DDoS and Brute force attacks.