Install mod_dosevasive on your Apache
mod_dosevasive is a module for Apache that performs evasive action in the event of an HTTP DDoS attack or brute-force attack. The installation steps for mod_dosevasive in DSO mode are given below.
Eg: Install mod_dosevasive
bash# wget http://www.nuclearelephant.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
bash# tar -zxvf mod_evasive_1.10.1.tar.gz
bash# cd mod_evasive_1.10.1
bash# $APACHE_ROOT/bin/apxs -iac mod_evasive.c
Don't be put off by the variable ``$APACHE_ROOT''. It is simply a variable that stores the location of the Apache installation (eg $APACHE_ROOT=/usr/local/apache).
bash# vi /usr/local/apache/conf/httpd.conf
After this, add the lines below to httpd.conf:
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
bash# /usr/local/apache/bin/apachectl restart
The following is a description of all the settings/variables:
Variable/Option | Description
--- | ---
DOSHashTableSize | Size of the hash table. The greater this setting, the more memory is required for the lookup table, but the faster the lookups are processed. This option will automatically round up to the nearest prime number.
DOSPageCount | Number of requests for the same page within the 'DOSPageInterval' interval that will get an IP address added to the blocking list.
DOSSiteCount | Same as 'DOSPageCount', but corresponds to the number of requests for the whole site, and uses the 'DOSSiteInterval' interval.
DOSPageInterval | Interval, in seconds, for the 'DOSPageCount' threshold.
DOSSiteInterval | Interval, in seconds, for the 'DOSSiteCount' threshold.
DOSBlockingPeriod | Blocking period in seconds once any of the thresholds is met. The client receives a 403 (Forbidden) while blocked, and the timer is reset each time the site is hit while the client is still blocked.
A fuller example configuration, which also whitelists a range of addresses that must never be blocked (DOSWhitelist) and sends an e-mail each time an address is blocked (DOSEmailNotify):
DOSHashTableSize 4000
DOSWhitelist 65.213.87.*
#DOSWhitelist 169.237.*.*
DOSPageCount 5
DOSSiteCount 20
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 180
DOSEmailNotify manoj.samtani@tekritisoftware.com
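To see what the thresholds in the table and the whitelist in the configuration above actually do before putting them on a production server, here is an added Python model of the documented behaviour (it is not code from mod_evasive). The directive names, intervals and blocking period follow the table; the wildcard matching for DOSWhitelist and the assumption that a counting window is measured from the last hit are mine, and the request trace is constructed.

```python
"""Model of the mod_evasive thresholds: hits on one page within DOSPageInterval
count against DOSPageCount, hits on the site within DOSSiteInterval against
DOSSiteCount, an address over either limit gets 403 for DOSBlockingPeriod
seconds, and every hit while blocked restarts that timer (added example)."""
from dataclasses import dataclass, field
from fnmatch import fnmatch


@dataclass
class Evasive:
    page_count: int = 2            # DOSPageCount
    site_count: int = 50           # DOSSiteCount
    page_interval: int = 1         # DOSPageInterval (seconds)
    site_interval: int = 1         # DOSSiteInterval (seconds)
    blocking_period: int = 10      # DOSBlockingPeriod (seconds)
    whitelist: set = field(default_factory=set)   # DOSWhitelist patterns (shell wildcards)
    blocked: dict = field(default_factory=dict)   # ip -> time of last hit while blocked
    hits: dict = field(default_factory=dict)      # counter key -> (time of last hit, count)

    def _count(self, key, t, interval, limit):
        """Count one hit on key; True once the hits in the current window exceed limit."""
        last, count = self.hits.get(key, (t, 0))
        if t - last >= interval:
            count = 0                  # window expired (assumption: measured from last hit)
        self.hits[key] = (t, count + 1)
        return count + 1 > limit

    def request(self, ip, uri, t):
        """Status the module would return for one request at time t: 200 or 403."""
        if any(fnmatch(ip, pat) for pat in self.whitelist):
            return 200
        if ip in self.blocked and t - self.blocked[ip] < self.blocking_period:
            self.blocked[ip] = t       # still on hold: 403, and the block timer restarts
            return 403
        self.blocked.pop(ip, None)     # hold has expired, start counting normally again
        over_page = self._count(f"{ip}_{uri}", t, self.page_interval, self.page_count)
        over_site = self._count(ip, t, self.site_interval, self.site_count)
        if over_page or over_site:
            self.blocked[ip] = t
            return 403
        return 200


# Constructed trace: three hits on one page in the same second, then the blocked
# client keeps retrying (each retry extends the block), then gives up for a while.
TRACE = [(0, "10.0.0.7", "/index.html"), (0, "10.0.0.7", "/index.html"),
         (0, "10.0.0.7", "/index.html"), (5, "10.0.0.7", "/about.html"),
         (14, "10.0.0.7", "/about.html"), (30, "10.0.0.7", "/about.html"),
         (30, "10.0.0.9", "/index.html")]
# With the page's defaults, Evasive() answers 200, 200, 403, 403, 403, 200, 200.
```

Note that the retries at t=5 and t=14 are each rejected and each push the 10-second block further out, which is why the client is only admitted again at t=30.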
Implement sysctl protection against DDoS
Eg:
----------
bash# vi /etc/sysctl.conf
Add the lines below:
# Enable IP spoofing protection, turn on Source Address Verification
net.ipv4.conf.all.rp_filter = 1
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
Add the lines below to /etc/rc.local and restart the network:
# Turn on source address verification on every interface
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$f"
done
# Enable TCP SYN cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies