Apache Mod_Evasive Lab - Hsanokklis/2023-2024-Tech-journal GitHub Wiki

Pre-Lab Work

If you have not done so already - Remove the "123 Testing Page" from your web server

  • edit the file name /etc/httpd/conf.d/welcome.conf
  • make sure that you have a file called index.html in /var/www/html
  • restart httpd
  • make sure you can access your web server.

Introduction

The mod_evasive Apache module, formerly known as mod_dosevasive, helps protect against DoS, DDoS (Distributed Denial of Service), and brute force attacks on the Apache web server. It can take evasive action during attacks and report abuse via email and syslog. The module works by creating an internal dynamic table of IP addresses and URIs and denying any single IP address that does any of the following:

  • Requesting the same page more than a few times per second
  • Making more than 50 concurrent requests on the same child per second
  • Making any requests while temporarily blocklisted

If any of the above conditions are met, a 403 response is sent and the IP address is logged. Optionally, an email notification can be sent to the server owner or a system command can be run to block the IP address.

Step 1: Installing mod_evasive

In this section, we will be installing the packages required for mod_evasive to function and finally install mod_evasive.

First, we need to install EPEL (Extra Packages for Enterprise Linux). EPEL is a Fedora Special Interest Group that creates, maintains, and manages a high-quality set of open source add-on packages for Enterprise Linux. Run the following command to install and enable the EPEL raven repository on your server:

  • sudo dnf install https://pkgs.dyn.su/el8/base/x86_64/raven-release-1.0-1.el8.noarch.rpm
  • Now we are ready for the mod_evasive module. Run the following command to enable it:
    • sudo dnf --enablerepo=raven-extras install mod_evasive

Step 2: Verifying the Installation

Now that mod_evasive is installed, let's verify that the configuration file has been installed and that the module is being loaded.

During installation, the mod_evasive configuration file /etc/httpd/conf.d/mod_evasive.conf was added. To verify this run:

  • ls -al /etc/httpd/conf.d/mod_evasive.conf

By default, the LoadModule line is added to the top of the configuration file mod_evasive.conf.

  • Open the file and add the line if it is not already present.
    • This line tells the Apache web server to load and use the mod_evasive module.
  • View /etc/httpd/conf.d/mod_evasive.conf
    • Look for this line --> LoadModule evasive20_module modules/mod_evasive24.so

  • list the modules loaded for the Apache web server and look for mod_evasive
    • sudo httpd -M | grep evasive

Step 3: Testing mod_evasive

  • Restart httpd to make sure the module is active

Let us do a short test to see if the module is working correctly. We will be using a Perl script, test.pl, written by the mod_evasive developers. To execute the script, we first need to install the perl package on the server.

  • yum install -y perl
  • The test script is installed with mod_evasive here:
    • /usr/share/doc/mod_evasive/test.pl

By default, the test script requests the same page from your Apache web server 100 times in a row to trigger mod_evasive. You can review the script:

  • more /usr/share/doc/mod_evasive/test.pl
  • execute the script --> perl /usr/share/doc/mod_evasive/test.pl

NOTE: If you are receiving 400 Bad Request responses, that may be because the Apache server is expecting a Host header. The test.pl script may have an issue on some versions of Apache due to carriage return/newline syntax. Changing "\n\n" in the script to "\r\n\r\n" should fix it. You can also update the request to HTTP/1.1 by adding a Host header to the HTTP request in the script: "...HTTP/1.1\r\nHost:test.co\r\n\r\n"

The more command is similar to cat in that it prints the contents of a file, but it does so one screen at a time, which makes it better suited to larger files.

The Working Script Running

The script makes 100 requests to your web server. The 403 response code indicates that access is denied by the web server.

Step 4: Customizing mod_evasive

Now that the installation is complete and verified, let us look into the configuration of the module. mod_evasive can be easily customized through the mod_evasive.conf configuration file. We will discuss some of the configuration parameters in this tutorial. Please refer to the configuration file for information on all the parameters: it contains a description of each one.

Settings found in /etc/httpd/conf.d/mod_evasive.conf

DOSPageCount

DOSPageCount sets a threshold of how many times a client IP can load a single page during the DOSPageInterval.

  • The default page count is 2
  • Change the DOSPageInterval from 1 second to 20 seconds.
    • This means that reloading the page more than twice in 20 seconds will blacklist the IP.

  • Restart httpd
  • From your workstation, refresh your page multiple times. You should receive a Forbidden (403) after 2 reloads.
    • It will only blacklist your IP for 10 seconds (the DOSBlockingPeriod).

200 HTTP Status after first load

304 Error after multiple refreshes
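
To make the interaction of DOSPageCount, DOSPageInterval and DOSBlockingPeriod concrete, here is a small Python model of the module's page-count throttling, added to this journal entry as an example (it is not mod_evasive's own code; timing is simplified to the gap between successive hits, and the block timer is assumed to restart on every refused hit). simulate() replays constructed (ip, uri, timestamp) tuples under the lab settings from this step and returns the status codes the server would send.

```python
from dataclasses import dataclass, field

@dataclass
class EvasiveModel:
    """Simplified model of mod_evasive's per-IP throttling (constructed example)."""
    page_count: int = 2         # DOSPageCount: hits on one URI allowed per interval
    page_interval: int = 1      # DOSPageInterval: seconds between hits that keep the count "hot"
    blocking_period: int = 10   # DOSBlockingPeriod: seconds a listed IP stays blocked
    hits: dict = field(default_factory=dict)     # (ip, uri) -> [count, time of last hit]
    blocked: dict = field(default_factory=dict)  # ip -> time of last hit while blocked

    def request(self, ip: str, uri: str, now: float) -> int:
        """Return the status (200 or 403) the model hands back for one request."""
        # 1. Blocklisted IP: every request inside the blocking period gets 403,
        #    and (assumption) the block timer restarts from this hit.
        last_blocked = self.blocked.get(ip)
        if last_blocked is not None and now - last_blocked < self.blocking_period:
            self.blocked[ip] = now
            return 403
        # 2. Same page hit too often: the count grows while successive hits on the
        #    same (ip, uri) arrive less than page_interval apart; a longer gap resets it.
        key = (ip, uri)
        if key not in self.hits:
            self.hits[key] = [1, now]
            return 200
        count, last_hit = self.hits[key]
        if now - last_hit < self.page_interval and count >= self.page_count:
            self.blocked[ip] = now            # threshold exceeded: add IP to blocklist
            self.hits[key] = [count + 1, now]
            return 403
        if now - last_hit >= self.page_interval:
            count = 0                         # quiet long enough: start a fresh count
        self.hits[key] = [count + 1, now]
        return 200

def simulate(settings: dict, requests: list) -> list:
    """Replay (ip, uri, timestamp) tuples through a fresh model; return the status codes."""
    model = EvasiveModel(**settings)
    return [model.request(ip, uri, t) for ip, uri, t in requests]

# Lab settings from this page: DOSPageCount 2, DOSPageInterval 20, DOSBlockingPeriod 10.
LAB_SETTINGS = dict(page_count=2, page_interval=20, blocking_period=10)
# Constructed workstation IP refreshing index.html at t=0, 1, 2 s, again at 5 s, then at 40 s.
REFRESHES = [("192.0.2.10", "/index.html", t) for t in (0, 1, 2, 5, 40)]

if __name__ == "__main__":
    print(simulate(LAB_SETTINGS, REFRESHES))  # [200, 200, 403, 403, 200]
```

Note that with the default DOSPageInterval of 1 second, refreshing by hand every two seconds never trips the threshold, which is why the lab raises the interval to 20 seconds before testing from a browser.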