How to Protect Apache from DDOS Attacks on CentOS



DDoS (distributed denial of service) is an age-old way to attack remote servers and make them unavailable. Such attacks not only bring down your site but also affect the credibility of your products & services. Luckily, the mod_evasive module for Apache (formerly mod_dosevasive) allows servers to take evasive action against DoS, DDoS and brute force attacks by creating a dynamic table of IP addresses and preventing any single IP from the following:

  • Requesting the same URL more than a few times every second
  • Creating more than 50 concurrent connections on the same child process per second
  • Sending further requests while it is blacklisted

If any IP is found to be doing any of the above, it is blacklisted and sent a 403 Forbidden response. The module also sends an email notification to the system admin, so they can block the IP.

Let us look at how to protect Apache from DDOS attacks on CentOS.

 

How to Protect Apache from DDOS Attacks on CentOS

Before we proceed, please ensure you have installed Apache server on your CentOS system.

 

1. Install mod_evasive

First, we install the pre-requisite packages for installation of mod_evasive, and finally we’ll install the module.

Install the Extra Packages for Enterprise Linux (EPEL)

For CentOS 7:


$ sudo rpm -ivh http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm

For CentOS 6:


$ sudo rpm -ivh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

 

Verify if the EPEL repo is installed:


$ sudo yum repolist

If you see “epel/x86_64” in the output, we’re good.

 

Next, you need to protect the base packages from EPEL using the protectbase plugin. It prevents packages in protected repositories from being accidentally updated by packages from non-protected repositories.


$ sudo yum install yum-plugin-protectbase.noarch -y

 

Finally, install mod_evasive with the command:


$ sudo yum install mod_evasive -y

 

2. Verify the Installation

During the installation, mod_evasive automatically adds a new config file, /etc/httpd/conf.d/mod_evasive.conf.

You can check that it is present with the command:


$ sudo ls -al /etc/httpd/conf.d/mod_evasive.conf

The file name, its owner and its permissions will be displayed in the output. Also, mod_evasive adds the following line to the top of its config file:

CentOS 7:


LoadModule evasive20_module modules/mod_evasive24.so

CentOS 6:


LoadModule evasive20_module modules/mod_evasive20.so

 

You can simply open the file with a text editor to see if the line is present:


$ sudo vim /etc/httpd/conf.d/mod_evasive.conf

 

 

3. Configure mod_evasive

Now let’s configure the mod_evasive.conf file according to our requirements. You have already opened the file in the previous step.

First, we’ll set the DOSEmailNotify directive by assigning an email address to it. mod_evasive sends an email to this address every time an IP address is blacklisted. If you want the emails to be sent to admin@example.com, add the following line:


DOSEmailNotify admin@example.com

mod_evasive uses /bin/mail to send email alerts, so ensure that you have installed a mail server in order to receive the notifications.

Next, you need to set the DOSWhitelist directive. It contains a list of IP addresses that you want to whitelist. These can be IPs of your trusted clients, software, scripts, bots and automated tools. These IPs will be able to send a large number of requests and request a large amount of data from your server. Here’s an example of whitelisting two IPs:


DOSWhitelist 111.111.111.111
DOSWhitelist 222.222.222.222

You can also use wildcard characters for up to the last 3 octets of an IP address to specify IP ranges. If you don’t want to whitelist any IP, you can skip this part.

 

The next 3 settings are very important to protect Apache from DDOS attacks on CentOS.

 

Set the DOSPageCount directive. DOSPageCount is the maximum number of requests for a single page, per second. If the threshold is exceeded for that 1 second interval, then the IP address is blacklisted and blocked. The default value is 2, which can be quite low. You can set it to 20.


DOSPageCount 20

 

Next, set the DOSSiteCount directive, which is the maximum number of requests to your website from an IP in a given interval of time (1 second). It defaults to 1. You can set it to 75:


DOSSiteCount 75

 

Also, set the DOSBlockingPeriod directive, which is the amount of time (in seconds) an IP should be blocked if it is added to the blocked list. During this time, all requests from this IP to your site will get a “403 Forbidden” response.

Its default value is 10 seconds. You can set it to 300 seconds:


DOSBlockingPeriod 300
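
How the three thresholds interact, as an added example (not part of the original article and not mod_evasive's source code): a simplified single-process model of the counting described above, using the values set in this step. The class and function names are hypothetical; restarting the block timer on every blocked request follows the behaviour described in the mod_evasive README.

```python
from dataclasses import dataclass, field

@dataclass
class EvasiveModel:
    page_count: int = 20        # DOSPageCount
    site_count: int = 75        # DOSSiteCount
    blocking_period: int = 300  # DOSBlockingPeriod, in seconds
    interval: float = 1.0       # the 1-second counting interval
    whitelist: set = field(default_factory=set)   # DOSWhitelist entries
    hits: dict = field(default_factory=dict)      # key -> (last_seen, count)
    blocked: dict = field(default_factory=dict)   # ip -> time of last blocked hit

    def _over(self, key, limit, now):
        last, count = self.hits.get(key, (now, 0))
        if now - last >= self.interval:
            count = 0                    # interval elapsed: restart the count
        self.hits[key] = (now, count + 1)
        return count >= limit            # True when this request exceeds the limit

    def request(self, ip, uri, now):
        """Return the HTTP status this request would receive in the model."""
        if ip in self.whitelist:
            return 200
        if ip in self.blocked and now - self.blocked[ip] < self.blocking_period:
            self.blocked[ip] = now       # each blocked request restarts the timer
            return 403
        over_page = self._over((ip, uri), self.page_count, now)   # same URL
        over_site = self._over((ip, None), self.site_count, now)  # whole site
        if over_page or over_site:
            self.blocked[ip] = now
            return 403
        return 200

def replay(model, ip, uri, n, start=0.0, gap=0.01):
    """Send n requests spaced `gap` seconds apart; return the list of statuses."""
    return [model.request(ip, uri, start + i * gap) for i in range(n)]

if __name__ == "__main__":
    # Constructed traffic: 100 requests for one page within a second.
    statuses = replay(EvasiveModel(), "203.0.113.7", "/index.html", 100)
    print(statuses.count(200), "allowed,", statuses.count(403), "blocked")
```

Because the real module counts per Apache child process, a client whose requests are spread across several children can send more requests than this model allows before it is blocked.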

 

4. Load the mod_evasive module

Once you have updated mod_evasive config file, restart Apache to apply the changes.

CentOS 7:


$ sudo systemctl restart httpd.service

CentOS 6:


$ sudo service httpd restart

 

Now you are ready to protect Apache from DDOS attacks on CentOS.

 

5. Test mod_evasive

Now let us test the installation. The mod_evasive developers have provided a handy Perl script, test.pl, that we can use. Let us install Perl first:


$ sudo yum install -y perl

During installation, mod_evasive automatically copies the test script to:


/usr/share/doc/mod_evasive-1.10.1/test.pl

 

The script basically requests the same page from your server 100 times in 1 second, triggering mod_evasive.

You can execute the script by running:


$ sudo perl /usr/share/doc/mod_evasive-1.10.1/test.pl

 

You will see the output:


HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden

 

The 403 Forbidden response indicates that access is denied to the IP. The IP is also added to the blocked list. You can see this in the system log using the command:


$ sudo tailf /var/log/messages

It will show a line similar to:


Nov 23 00:11:18 servername mod_evasive[18290]: Blacklisting address 127.0.0.1: possible DoS attack.

which indicates that the IP is blocked.
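
To review these log entries in bulk, the following added example (not part of the original article) parses lines in the format shown above and lists the IPs that were blacklisted repeatedly, which are the candidates for a longer-term block. The function names, the threshold of 3 events and the sample lines are constructed for illustration.

```python
import ipaddress
import re

# Matches the syslog line format shown above.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"mod_evasive\[(?P<pid>\d+)\]: Blacklisting address (?P<ip>\S+?): possible DoS attack"
)

# Constructed sample input; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE = """\
Nov 23 00:11:18 servername mod_evasive[18290]: Blacklisting address 127.0.0.1: possible DoS attack.
Nov 23 00:12:02 servername mod_evasive[18291]: Blacklisting address 203.0.113.7: possible DoS attack.
Nov 23 00:12:40 servername sshd[901]: Accepted publickey for admin from 198.51.100.4
Nov 23 00:19:55 servername mod_evasive[18304]: Blacklisting address 203.0.113.7: possible DoS attack.
Nov 23 00:31:09 servername mod_evasive[18290]: Blacklisting address 203.0.113.7: possible DoS attack.
Nov 23 00:31:10 servername mod_evasive[18290]: Blacklisting address not-an-ip: possible DoS attack.
""".splitlines()

def summarize(lines):
    """Return {ip: {"count", "first", "last"}} for every blacklisting event."""
    seen = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                      # not a mod_evasive blacklisting line
        try:
            ip = str(ipaddress.ip_address(m.group("ip")))
        except ValueError:
            continue                      # malformed address field: do not trust it
        entry = seen.setdefault(ip, {"count": 0, "first": m.group("ts"), "last": None})
        entry["count"] += 1
        entry["last"] = m.group("ts")
    return seen

def repeat_offenders(summary, min_events=3, ignore=("127.0.0.1",)):
    """IPs blacklisted at least min_events times, most frequent first."""
    hits = [(d["count"], ip) for ip, d in summary.items()
            if d["count"] >= min_events and ip not in ignore]
    return [ip for _, ip in sorted(hits, reverse=True)]

if __name__ == "__main__":
    for ip in repeat_offenders(summarize(SAMPLE)):
        print(ip)
```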

You will also receive an email with the message:


mod_evasive HTTP Blacklisted 127.0.0.1

Now you can protect Apache from DDOS attacks on CentOS.

About Sreeram Sreenivasan

Sreeram Sreenivasan is the Founder of Ubiq, a business dashboard & reporting platform for small & medium businesses.