
mod_evasive is not blocking IPs that are causing DoS, but it is logging the IPs in the /tmp directory. The files it generates to this directory are named dos-XXX.XXX.XXX.XXX (XXX.XXX.XXX.XXX being the IP). The OS is FreeBSD.

Have read that mod_evasive does not work well with the mpm_prefork_module because it uses processes over threads. This is not being used, but mpm_event_module is (not mpm_worker_module). Not sure if this is the problem?

Here is the content of the mod_evasive config file created at /usr/local/etc/apache24/Includes/mod_evasive.conf:

<IfModule mod_evasive20.c>
    DOSHashTableSize 3097
    DOSPageCount 2
    DOSPageInterval 1
    DOSSiteCount 50
    DOSSiteInterval 1
    DOSBlockingPeriod 60
    DOSEmailNotify example@example.com
</IfModule>

Have also read that mod_evasive uses iptables, but ipfw is being used. Again, I'm not sure if this is the issue?

Also noticed a trend of sudo privileges being given to Apache in some of the examples found online (particularly when using mod_evasive's DOSSystemCommand). I don't intend to give Apache sudo privileges, but have tried adding deny directives to ipfw using DOSSystemCommand with sudo privileges:

DOSSystemCommand "sudo ipfw add 00010 deny ip from %s to any"

This also didn't end well. Any help appreciated, thanks.

Will Squire
  • I suggest you try a suitable mailing list https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/eresources-mail.html people are much more active there than on SO. – Greg May 26 '16 at 22:59
  • mod_evasive doesn't use `iptables` or `ipfw`. It can launch any command using the `DOSSystemCommand` directive. – cherouvim Oct 12 '16 at 12:42

2 Answers


The problem might be using mod_evasive version 2.0 with Apache version 2.4. You need a newer version of mod_evasive. There is 2.4 version source code available.

pbies

Check whether you installed it properly,

# pkg search mod_evasive

ap24-mod_evasive-1.10.1_1 Apache module to try to protect the HTTP Server from DoS/DDoS attacks

# pkg install ap24-mod_evasive-1.10.1_1

Now open the mod_evasive configuration,

sudo nano /etc/apache2/mods-available/evasive.conf

<IfModule mod_evasive20.c>
DOSHashTableSize    3097
DOSPageCount        2
DOSSiteCount        50
DOSPageInterval     1
DOSSiteInterval     1
DOSBlockingPeriod   10
#DOSEmailNotify      you@yourdomain.com
#DOSSystemCommand    "su - someuser -c '/sbin/... %s ...'"
DOSLogDir           "/var/log/mod_evasive"
</IfModule>

Create the directory

sudo mkdir /var/log/mod_evasive

Now whitelist the IPs you want, inside the configuration

<IfModule mod_evasive20.c>
DOSWhitelist 127.0.0.1
</IfModule>

Now enable the evasive module and restart Apache

sudo a2enmod evasive

sudo service apache2 restart

Now you can check the blocked IPs in the location below

cd /var/log/mod_evasive

Also, you can check the blacklisted IPs by checking the Apache status

sudo service apache2 status
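To make the directives in the question's config and the whitelist from the answer above concrete, here is an added Python model of how they combine; it is not mod_evasive's own code and not from either answer. It treats DOSPageCount/DOSPageInterval as a per-URI hit counter, DOSSiteCount/DOSSiteInterval as a per-IP counter across all URIs, DOSBlockingPeriod as a timer that every rejected request restarts (as the module's README describes), DOSWhitelist as a bypass, and the dos-<IP> file the question found in /tmp as a marker that suppresses repeat notifications. The exact hit on which the real C code trips, the traffic, the log directory and the field names are constructed for the example; DOSSystemCommand is only recorded, never executed.

```python
"""Model of mod_evasive's blocking decisions (added example, not the module's code)."""
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass
class EvasiveConfig:
    """Field names are mine; defaults are the values from the question's mod_evasive.conf."""
    page_count: int = 2            # DOSPageCount: hits on one URI per page_interval
    page_interval: float = 1       # DOSPageInterval, seconds
    site_count: int = 50           # DOSSiteCount: hits on any URI per site_interval
    site_interval: float = 1       # DOSSiteInterval, seconds
    blocking_period: float = 60    # DOSBlockingPeriod, seconds
    whitelist: FrozenSet[str] = frozenset()  # DOSWhitelist (exact addresses only here)
    log_dir: str = "/tmp"          # DOSLogDir; mod_evasive falls back to /tmp when unset


class EvasiveModel:
    def __init__(self, cfg: EvasiveConfig) -> None:
        self.cfg = cfg
        self.hits: Dict[str, Tuple[float, int]] = {}  # key -> (last_seen, count)
        self.blocked: Dict[str, float] = {}           # ip -> time of last rejected request
        self.commands: List[str] = []                 # what DOSSystemCommand would receive

    def _count(self, key: str, now: float, interval: float) -> int:
        last, count = self.hits.get(key, (None, 0))
        # The counter restarts when the gap since the previous hit exceeds the interval.
        count = count + 1 if last is not None and now - last < interval else 1
        self.hits[key] = (now, count)
        return count

    def _blacklist(self, ip: str, now: float) -> None:
        self.blocked[ip] = now
        marker = os.path.join(self.cfg.log_dir, f"dos-{ip}")
        # dos-<IP> is the marker the question saw; its presence means "already notified".
        if not os.path.exists(marker):
            open(marker, "w").close()
            self.commands.append(f"DOSSystemCommand with %s={ip}")  # recorded, not run

    def request(self, ip: str, uri: str, now: float) -> int:
        """Return 403 when the module would reject, 200 standing in for 'let it through'."""
        cfg = self.cfg
        if ip in cfg.whitelist:
            return 200
        if ip in self.blocked:
            if now - self.blocked[ip] < cfg.blocking_period:
                self.blocked[ip] = now   # each rejected request restarts the timer
                return 403
            del self.blocked[ip]         # blocking period has elapsed
        page_hits = self._count(f"{ip}_{uri}", now, cfg.page_interval)
        site_hits = self._count(f"{ip}_site", now, cfg.site_interval)
        if page_hits > cfg.page_count or site_hits > cfg.site_count:
            self._blacklist(ip, now)
            return 403
        return 200


def run_scenario(log_dir: str) -> Dict[str, object]:
    """Constructed traffic against the question's settings plus a whitelisted address."""
    cfg = EvasiveConfig(whitelist=frozenset({"192.168.1.10"}), log_dir=log_dir)
    model = EvasiveModel(cfg)
    # Same URI three times inside one second: the third hit exceeds DOSPageCount 2.
    burst = [model.request("10.0.0.5", "/index.html", t) for t in (0.0, 0.2, 0.4)]
    during_block = model.request("10.0.0.5", "/other.html", 30.0)  # timer restarts at t=30
    after_block = model.request("10.0.0.5", "/other.html", 91.0)   # 61 s after the last 403
    # Fifty-one distinct URIs in one second trips DOSSiteCount 50 although no single
    # URI ever exceeds DOSPageCount.
    scan = [model.request("10.0.0.7", f"/page{i}", i * 0.01) for i in range(51)]
    # A whitelisted address is never counted at all.
    trusted = [model.request("192.168.1.10", "/index.html", t * 0.01) for t in range(100)]
    return {
        "burst": burst,
        "during_block": during_block,
        "after_block": after_block,
        "scan_last": scan[-1],
        "scan_blocked_at": scan.index(403),
        "trusted_all_ok": all(s == 200 for s in trusted),
        "markers": sorted(os.listdir(log_dir)),
        "commands": model.commands,
    }


def run_demo() -> Dict[str, object]:
    """Run the scenario in a throwaway DOSLogDir so nothing is written to the real /tmp."""
    with tempfile.TemporaryDirectory() as d:
        return run_scenario(d)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two things the run makes visible that the directives alone do not: with DOSPageInterval 1 and DOSPageCount 2, an ordinary page with several assets can trip the per-URI counter on legitimate clients, which is why the answer's whitelist entry matters; and because each rejected request restarts DOSBlockingPeriod, a client that keeps retrying stays blocked for far longer than 60 seconds.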