How to Check if mod_evasive is working in Apache



mod_evasive is a useful Apache module that protects your website from malicious requests, DoS and DDoS attacks. It automatically logs suspicious activity and emails it to web admins. It also maintains a dynamic table of IPs and URLs and blocks them if they are suspicious in nature. However, even after installing mod_evasive, you might need to check that it is actually working in Apache.

 

How to Check if mod_evasive is working in Apache

Here are the steps to check if mod_evasive is working in Apache. If you have already installed mod_evasive on your system, skip to step 4. The first three steps show you how to install and configure the module.

 

1. Update Linux System

Open a terminal or SSH into your Linux system and run the following commands


$ sudo apt-get update -y
$ sudo apt-get upgrade -y

 

2. Install mod_evasive

Install mod_evasive with the following command in Ubuntu


$ sudo apt-get install libapache2-mod-evasive

 

Check if mod_evasive is installed with the following command


$ sudo apachectl -M | grep evasive

 

You will see the following output:


evasive20_module (shared)

 

3. Configure mod_evasive

mod_evasive configuration is disabled by default. Open its config file in a text editor


$ sudo vim /etc/apache2/mods-enabled/evasive.conf

 

Update the config as shown


<IfModule mod_evasive20.c>
 DOSHashTableSize 3097
 DOSPageCount 2
 DOSSiteCount 50
 DOSPageInterval 1
 DOSSiteInterval 1
 DOSBlockingPeriod 10
 DOSEmailNotify email@yourdomain.com
 DOSSystemCommand "su - someuser -c '/sbin/... %s ...'"
 DOSLogDir "/var/log/mod_evasive"
</IfModule>

In the above code,

  • DOSHashTableSize : Size of the hash table mod_evasive uses to keep track of who is accessing what.
  • DOSPageCount : Threshold for the number of requests per page per page interval.
  • DOSSiteCount : Threshold for the total number of requests for any object by the same client per site interval.
  • DOSPageInterval : Interval for the page count threshold.
  • DOSSiteInterval : Interval for the site count threshold.
  • DOSBlockingPeriod : Time (in seconds) that an IP is blocked.
  • DOSEmailNotify : Email address that is notified when an IP address becomes blacklisted.
  • DOSLogDir : Log directory.

Save and close the config file.

Create a log directory for mod_evasive


$ sudo mkdir /var/log/mod_evasive
$ sudo chown -R www-data:www-data /var/log/mod_evasive

 

Restart Apache Server


$ sudo systemctl restart apache2

 

4. Test mod_evasive

mod_evasive comes with a test.pl script, created by its developers, to help you test the module.

You will find it at /usr/share/doc/libapache2-mod-evasive/examples/test.pl


$ perl /usr/share/doc/libapache2-mod-evasive/examples/test.pl

 

If there are no errors, you will see the following output


HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden

 

That’s it! Apache will automatically detect and block malicious requests to your website.
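The checks from steps 3 and 4 can be scripted. The following is an added example, not part of the original article or of mod_evasive itself: it confirms that DOSLogDir is set and usable, counts allowed versus blocked responses in a captured test run, and lists the `dos-<ip>` lock files that mod_evasive writes into DOSLogDir for blocked clients. The function names and all sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: offline sanity checks for a mod_evasive setup (all sample data is constructed).

# Print the value of an active (uncommented) directive. $1 = config file, $2 = directive
evasive_directive() {
    awk -v d="$2" '$1 == d { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# Count status lines from a captured test run; prints "<allowed> <blocked>". $1 = file
count_statuses() {
    awk '$2 == 200 { ok++ } $2 == 403 { blocked++ } END { print ok + 0, blocked + 0 }' "$1"
}

# mod_evasive writes a dos-<ip> file into DOSLogDir for each client it blocks. $1 = DOSLogDir
blocked_clients() {
    for f in "$1"/dos-*; do
        [ -e "$f" ] || continue
        echo "${f##*/dos-}"
    done
}

# Overall verdict. $1 = config file, $2 = file with captured status lines
check_evasive() {
    logdir=$(evasive_directive "$1" DOSLogDir)
    [ -n "$logdir" ] || { echo "FAIL: DOSLogDir is not set (still commented out?)"; return 1; }
    # Run as the Apache user (www-data on this page) so -w reflects what the module can do.
    { [ -d "$logdir" ] && [ -w "$logdir" ]; } || { echo "FAIL: $logdir missing or not writable"; return 1; }
    counts=$(count_statuses "$2")
    [ "${counts#* }" -gt 0 ] || { echo "FAIL: no 403 seen, nothing was blocked"; return 1; }
    echo "OK: ${counts% *} allowed, ${counts#* } blocked, lock files: $(blocked_clients "$logdir" | tr '\n' ' ')"
}

# Constructed sample: a config, a log directory with one lock file, and a captured test run.
make_sample() {
    d=$(mktemp -d)
    mkdir "$d/log"
    : > "$d/log/dos-127.0.0.1"
    printf '<IfModule mod_evasive20.c>\n #DOSPageCount 2\n DOSLogDir "%s/log"\n</IfModule>\n' "$d" > "$d/evasive.conf"
    printf 'HTTP/1.1 200 OK\nHTTP/1.1 200 OK\nHTTP/1.1 403 Forbidden\nHTTP/1.1 403 Forbidden\n' > "$d/run.txt"
    echo "$d"
}

sample=$(make_sample)
check_evasive "$sample/evasive.conf" "$sample/run.txt"
```

On a real host, pass /etc/apache2/mods-enabled/evasive.conf and a file holding the saved test.pl output instead of the constructed sample.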

 

 

 

About Sreeram Sreenivasan

Sreeram Sreenivasan is the Founder of Ubiq, a business dashboard & reporting platform for small & medium businesses.