DDOS (distributed denial of service) is an age-old way to attack remote servers and bring them down, causing a denial of service. Such attacks not only take your site offline but also damage the credibility of your products and services. Luckily, Apache provides the mod_evasive module (formerly mod_dosevasive), which lets the server take evasive action against DoS, DDoS and brute-force attacks by keeping a dynamic table of IP addresses and preventing any single IP from doing the following:
- Requesting the same URL more than a few times per second
- Creating more than 50 concurrent connections to the same child process per second
- Sending any request while it is blacklisted
If an IP is found doing any of the above, it is blacklisted and sent a 403 Forbidden response. mod_evasive will also send an email notification to the system admin, so they can block the IP.
Let us look at how to protect Apache from DDOS attacks on CentOS.
How to Protect Apache from DDOS Attacks on CentOS
Before we proceed, please ensure you have installed Apache server on your CentOS system.
1. Install mod_evasive
First, we install the prerequisite packages, and then the module itself.
Install the Extra Packages for Enterprise Linux (EPEL)
for CentOS 7:
$ sudo rpm -ivh http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
for CentOS 6:
$ sudo rpm -ivh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
Verify if the EPEL repo is installed:
$ sudo yum repolist
If you see “epel/x86_64” in the output, we’re good.
Next, protect the base packages from EPEL using the protectbase plugin. It prevents packages from the protected (base) repositories from being accidentally updated by packages from non-protected repositories.
$ sudo yum install yum-plugin-protectbase.noarch -y
Finally, install mod_evasive with the command:
$ sudo yum install mod_evasive -y
2. Verify the Installation
During the installation, mod_evasive automatically adds a new config file, /etc/httpd/conf.d/mod_evasive.conf.
You can check that it is present with the command:
$ sudo ls -al /etc/httpd/conf.d/mod_evasive.conf
The file name, its owner and permissions will be shown in the output. mod_evasive also places the following line at the top of its config file:
CentOS 7:
LoadModule evasive20_module modules/mod_evasive24.so
CentOS 6:
LoadModule evasive20_module modules/mod_evasive20.so
Open it in a text editor to confirm that the line is present:
$ sudo vim /etc/httpd/conf.d/mod_evasive.conf
3. Configure mod_evasive
Now let’s configure the mod_evasive.conf file to suit our requirements. You already have the file open from the previous step.
First, set the DOSEmailNotify directive to an email address. mod_evasive sends an email to that address every time an IP address is blacklisted. If you want the emails sent to admin@example.com, add the following line:
DOSEmailNotify admin@example.com
mod_evasive uses /bin/mail to send email alerts, so make sure a mail server is installed, otherwise you will not receive the notifications.
Next, set the DOSWhitelist directive. It lists the IP addresses you want to whitelist: trusted clients, software, scripts, bots and automated tools. These IPs can send a large number of requests and fetch a large amount of data from your server without being blocked. Here’s an example of whitelisting two IPs:
DOSWhitelist 111.111.111.111
DOSWhitelist 222.222.222.222
You can also use wildcards in up to the last three octets of an IP address to whitelist a range. If you don’t want to whitelist any IP, skip this part.
The next three settings are the most important ones for protecting Apache from DDOS attacks on CentOS.
Set the DOSPageCount directive. DOSPageCount is the maximum number of requests for a single page, per second, from one IP. If an IP exceeds that threshold within the 1 second interval, it is blacklisted and blocked. The default value is 2, which can be quite low; you can set it to 20:
DOSPageCount 20
Next, set the DOSSiteCount directive, which is the maximum number of requests to your whole site from one IP in a given interval of time (1 second). It defaults to 1. You can set it to 75:
DOSSiteCount 75
Also, set the DOSBlockingPeriod directive, which is the amount of time (in seconds) an IP stays blocked once it has been added to the blocked list. During this time, all requests from this IP to your site get a “403 Forbidden” response. Its default value is 10 seconds. You can set it to 300 seconds:
DOSBlockingPeriod 300
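To see how these three thresholds interact, here is a small Python model of the counting that mod_evasive performs. It is an added illustration written for this tutorial, not the module's C source: it keeps a page counter per IP and URI, a site counter per IP, and a block list whose timer is refreshed on every denied hit, the way mod_evasive's own code does. DOSPageInterval and DOSSiteInterval are real mod_evasive directives not covered above and are assumed at their 1-second defaults; the IP addresses and the request stream are constructed.

```python
"""Model of mod_evasive's per-IP rate tracking (added illustration, not the module's source)."""
import fnmatch


class EvasiveModel:
    """Tracks hits per IP the way mod_evasive does: a page counter keyed on
    ip+URI, a site counter keyed on ip, and a block list with an expiry."""

    def __init__(self, page_count=20, page_interval=1.0, site_count=75,
                 site_interval=1.0, blocking_period=300.0, whitelist=()):
        self.page_count = page_count            # DOSPageCount
        self.page_interval = page_interval      # DOSPageInterval (seconds), assumed default 1
        self.site_count = site_count            # DOSSiteCount
        self.site_interval = site_interval      # DOSSiteInterval (seconds), assumed default 1
        self.blocking_period = blocking_period  # DOSBlockingPeriod (seconds)
        self.whitelist = tuple(whitelist)       # DOSWhitelist patterns, e.g. "10.0.0.*"
        self._hits = {}     # counter key -> (timestamp of window start, count)
        self._blocked = {}  # ip -> timestamp of the last denied hit

    def is_whitelisted(self, ip):
        # DOSWhitelist allows wildcards in the trailing octets; fnmatch gives the same effect
        return any(fnmatch.fnmatchcase(ip, pat) for pat in self.whitelist)

    def _count(self, key, ts, limit, interval):
        """Increment the counter for key, restarting it once the interval has elapsed.
        Returns True when the limit is exceeded inside a single interval."""
        last, count = self._hits.get(key, (None, 0))
        if last is None or ts - last >= interval:
            count = 0
        count += 1
        self._hits[key] = (ts, count)
        return count > limit

    def request(self, ts, ip, uri):
        """Return the HTTP status mod_evasive would hand back for this hit: 200 or 403."""
        if self.is_whitelisted(ip):
            return 200
        blocked_at = self._blocked.get(ip)
        if blocked_at is not None:
            if ts - blocked_at < self.blocking_period:
                # A hit during the block refreshes the timer, so the client waits longer
                self._blocked[ip] = ts
                return 403
            del self._blocked[ip]          # DOSBlockingPeriod has expired
        page_hot = self._count((ip, uri), ts, self.page_count, self.page_interval)
        site_hot = self._count((ip, "*site*"), ts, self.site_count, self.site_interval)
        if page_hot or site_hot:
            self._blocked[ip] = ts
            return 403
        return 200


def replay(model, requests):
    """Feed (timestamp, ip, uri) tuples through the model; return the list of statuses."""
    return [model.request(ts, ip, uri) for ts, ip, uri in requests]


def demo():
    """Constructed traffic: 25 hits to one page in half a second from one client,
    a whitelisted monitor doing the same, and two late retries from the first client."""
    model = EvasiveModel(page_count=20, site_count=75, blocking_period=300,
                         whitelist=("203.0.113.*",))   # documentation range, constructed
    burst = [(0.02 * i, "198.51.100.7", "/index.html") for i in range(25)]
    monitor = [(0.02 * i, "203.0.113.9", "/index.html") for i in range(25)]
    late = [(100.0, "198.51.100.7", "/index.html"),   # still inside DOSBlockingPeriod
            (500.0, "198.51.100.7", "/index.html")]   # last denial was at t=100, so block expired
    statuses = replay(model, burst + monitor + late)
    return {
        "burst_denied": statuses[:25].count(403),      # hits 21..25 are refused
        "monitor_denied": statuses[25:50].count(403),  # whitelisted, never counted
        "late": statuses[50:],                         # refused at t=100, allowed at t=500
    }


if __name__ == "__main__":
    print(demo())
```

Running it shows that the 21st request to the same page inside one second is the first to get a 403, that the whitelisted monitor is never counted, and that a retry 100 seconds later is still refused and extends the block, so the client only gets through once a full blocking period has passed without a hit. Note that a normal browser page load exercises the site counter rather than the page counter, because each image, script and stylesheet is a different URI; size DOSSiteCount with that in mind.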
4. Load the mod_evasive module
Once you have updated the mod_evasive config file, restart Apache to apply the changes.
CentOS 7:
$ sudo systemctl restart httpd.service
CentOS 6:
$ sudo service httpd restart
Now you are ready to protect Apache from DDOS attacks on CentOS.
5. Test mod_evasive
Now let us test the installation. The mod_evasive developers provide a handy Perl script, test.pl, that we can use. Install Perl first:
$ sudo yum install -y perl
During installation, mod_evasive copies the test script to:
/usr/share/doc/mod_evasive-1.10.1/test.pl
The script requests the same page from your server 100 times within 1 second, which triggers mod_evasive.
You can execute the script by running:
$ sudo perl /usr/share/doc/mod_evasive-1.10.1/test.pl
You will see the output:
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
The 403 Forbidden responses indicate that the IP is being denied access; it has been added to the blocked list. You can see this in the log file with the command:
$ sudo tailf /var/log/messages
It will show a line similar to:
Nov 23 00:11:18 servername mod_evasive[18290]: Blacklisting address 127.0.0.1: possible DoS attack.
which indicates that the IP has been blocked.
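Because every blacklisting event lands in /var/log/messages in the format shown above, the log is the place to find IPs that keep tripping mod_evasive and deserve a longer-lived block. The following Python script is an added example, not part of mod_evasive or this tutorial's original steps: it parses the "Blacklisting address" lines, counts blocks per IP and flags repeat offenders. The sample log is constructed (the 198.51.100.0/24 and 203.0.113.0/24 addresses are documentation ranges) and the repeat threshold of 3 is an arbitrary choice.

```python
"""Parse mod_evasive blacklisting events out of syslog (added illustration, not part of mod_evasive)."""
import re
import sys
from collections import Counter

# Matches the syslog line mod_evasive writes when it blocks an IP, as shown in the tutorial.
BLACKLIST_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"mod_evasive\[(?P<pid>\d+)\]: Blacklisting address (?P<ip>[0-9A-Fa-f.:]+): "
    r"possible DoS attack\.$"
)


def parse_blacklist_events(lines):
    """Return (timestamp, ip, pid) for every blacklisting line; other syslog lines are ignored."""
    events = []
    for line in lines:
        m = BLACKLIST_RE.match(line.rstrip("\n"))
        if m:
            events.append((m.group("ts"), m.group("ip"), int(m.group("pid"))))
    return events


def summarize(events, repeat_threshold=3):
    """Count blocks per IP and list the ones blocked at least repeat_threshold times,
    which are the candidates for a firewall rule rather than another 300-second block."""
    per_ip = Counter(ip for _, ip, _ in events)
    repeat = sorted(ip for ip, n in per_ip.items() if n >= repeat_threshold)
    return {"total": len(events), "per_ip": dict(per_ip), "repeat_offenders": repeat}


# Constructed sample of /var/log/messages: the tutorial's own line plus made-up neighbours.
SAMPLE_LOG = """\
Nov 23 00:11:18 servername mod_evasive[18290]: Blacklisting address 127.0.0.1: possible DoS attack.
Nov 23 00:11:19 servername sshd[18301]: Accepted publickey for admin from 203.0.113.2 port 50122
Nov 23 00:12:05 servername mod_evasive[18290]: Blacklisting address 198.51.100.7: possible DoS attack.
Nov 23 00:17:41 servername mod_evasive[18293]: Blacklisting address 198.51.100.7: possible DoS attack.
Nov 23 00:20:00 servername CROND[18400]: (root) CMD (run-parts /etc/cron.hourly)
Nov 23 00:23:09 servername mod_evasive[18290]: Blacklisting address 203.0.113.5: possible DoS attack.
Nov 23 00:31:55 servername mod_evasive[18291]: Blacklisting address 198.51.100.7: possible DoS attack.
"""


def report(text):
    """Parse a syslog text blob and return the summary dictionary."""
    return summarize(parse_blacklist_events(text.splitlines()))


if __name__ == "__main__":
    # Usage: python evasive_log_report.py [/var/log/messages]; falls back to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for key, value in report(text).items():
        print(f"{key}: {value}")
```

On the sample it reports five blocks in total and singles out 198.51.100.7, which was blacklisted three times in twenty minutes, while the one-off 127.0.0.1 entry from the test.pl run above is left alone. Pointing it at the real /var/log/messages works the same way, since the regex only depends on the line format mod_evasive itself writes.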
You will also receive an email with the message:
mod_evasive HTTP Blacklisted 127.0.0.1
Now you can protect Apache from DDOS attacks on CentOS.