Tuesday, December 30, 2008

Apache DOS/DDOS Security


Install mod_dosevasive into your Apache

mod_dosevasive is a module for Apache that takes evasive action in the event of an HTTP DDoS attack or brute-force attack. The installation steps for mod_dosevasive in DSO mode are below.
Eg: Install mod_dosevasive
bash# wget http://www.nuclearelephant.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
bash# tar -zxvf mod_evasive_1.10.1.tar.gz
bash# cd mod_evasive_1.10.1
bash# $APACHE_ROOT/bin/apxs -iac mod_evasive.c
Don't be put off by the variable "$APACHE_ROOT". It is nothing but a simple variable that stores the location of the Apache installation (eg $APACHE_ROOT=/usr/local/apache).
bash# vi /usr/local/apache/conf/httpd.conf
After this, add the lines below to httpd.conf:


DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
bash# /usr/local/apache/bin/apachectl restart
The following is a description of all the settings/variables:

DOSHashTableSize - Size of the hash table. The greater this setting, the more memory is required for the lookup table, but the faster lookups are processed. This option is automatically rounded up to the nearest prime number.

DOSPageCount - Number of requests for the same page within the 'DOSPageInterval' interval that will get an IP address added to the blocking list.

DOSSiteCount - Same as 'DOSPageCount', but corresponds to the number of requests for the site as a whole (any page), and uses the 'DOSSiteInterval' interval.

DOSPageInterval - Interval, in seconds, for the 'DOSPageCount' threshold.

DOSSiteInterval - Interval, in seconds, for the 'DOSSiteCount' threshold.

DOSBlockingPeriod - Blocking period in seconds if any of the thresholds are met. The user will receive a 403 (Forbidden) while blocked, and the timer is reset each time the site is hit while the user is still blocked.
A fuller example configuration, with a whitelist and e-mail notification. DOSWhitelist exempts matching client addresses from blocking (wildcards are allowed in the trailing octets), and DOSEmailNotify sends a mail to the given address each time an IP is blocked:

DOSHashTableSize 4000
DOSWhitelist 65.213.87.*
#DOSWhitelist 169.237.*.*
DOSPageCount 5
DOSSiteCount 20
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 180
DOSEmailNotify manoj.samtani@tekritisoftware.com
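To make the directive descriptions above concrete, here is a small Python model of the per-IP tracking that DOSPageCount, DOSSiteCount, the two intervals, DOSBlockingPeriod and DOSWhitelist describe. This is an added example, not the module's own code: the class name EvasiveTracker, the simulate() helper and the traffic are constructed for the demo, and the counting rule is a simplification (a counter resets once the gap since the previous hit reaches the interval; a client whose counter passes a threshold is blocked, and each hit while blocked restarts the blocking timer, as the post says).

```python
"""Simplified model of mod_evasive's per-IP rate tracking (added example)."""


class EvasiveTracker:
    """Track hits per (ip, uri) and per ip, mirroring the DOSPage*/DOSSite* directives.

    Assumed (simplified) semantics: a counter resets when the gap since the previous
    hit is at least the interval; once a counter exceeds its threshold the client is
    blocked for blocking_period seconds; every hit while blocked restarts the timer.
    """

    def __init__(self, page_count=2, site_count=50, page_interval=1,
                 site_interval=1, blocking_period=10, whitelist=()):
        self.page_count = page_count
        self.site_count = site_count
        self.page_interval = page_interval
        self.site_interval = site_interval
        self.blocking_period = blocking_period
        self.whitelist = [w.split(".") for w in whitelist]  # DOSWhitelist patterns
        self.page_hits = {}   # (ip, uri) -> (last_hit_time, count)
        self.site_hits = {}   # ip -> (last_hit_time, count)
        self.blocked = {}     # ip -> time of the last hit while blocked

    def whitelisted(self, ip):
        """Match DOSWhitelist entries such as '65.213.87.*' octet by octet."""
        octets = ip.split(".")
        return any(all(p == "*" or p == o for p, o in zip(pat, octets))
                   for pat in self.whitelist if len(pat) == 4)

    @staticmethod
    def _hit(table, key, now, interval):
        """Increment the counter for key, resetting it if the window has lapsed."""
        last, count = table.get(key, (None, 0))
        if last is None or now - last >= interval:
            count = 0
        table[key] = (now, count + 1)
        return count + 1

    def request(self, ip, uri, now):
        """Return the status the module would hand back: 200 (served) or 403 (blocked)."""
        if self.whitelisted(ip):
            return 200
        if ip in self.blocked:
            if now - self.blocked[ip] < self.blocking_period:
                self.blocked[ip] = now      # timer restarts on every hit while blocked
                return 403
            del self.blocked[ip]            # blocking period has expired
        page = self._hit(self.page_hits, (ip, uri), now, self.page_interval)
        site = self._hit(self.site_hits, ip, now, self.site_interval)
        if page > self.page_count or site > self.site_count:
            self.blocked[ip] = now
            return 403
        return 200


def simulate(tracker, requests):
    """Run (timestamp, ip, uri) tuples through the tracker and return the statuses."""
    return [tracker.request(ip, uri, t) for t, ip, uri in requests]


if __name__ == "__main__":
    # Constructed traffic: one client hammering a single page, then a whitelisted client.
    burst = [(0.0, "10.0.0.5", "/index.html"), (0.2, "10.0.0.5", "/index.html"),
             (0.4, "10.0.0.5", "/index.html"), (0.5, "10.0.0.5", "/index.html"),
             (10.4, "10.0.0.5", "/index.html"), (20.5, "10.0.0.5", "/index.html"),
             (20.6, "65.213.87.9", "/index.html"), (20.6, "65.213.87.9", "/index.html"),
             (20.6, "65.213.87.9", "/index.html")]
    print(simulate(EvasiveTracker(whitelist=["65.213.87.*"]), burst))
```

Running the module with the post's first configuration (DOSPageCount 2, DOSBlockingPeriod 10) against this traffic, the third hit on /index.html inside one second is refused, the hits at 0.5s and 10.4s keep the block alive because each one restarts the timer, and the client is only served again once a full 10 seconds have passed without a hit. Note how low DOSPageCount 2 is: a browser fetching a page plus its images can trip it, which is why the fuller configuration above raises it to 5.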





Implement sysctl protection against DDoS

Eg:
----------
bash# vi /etc/sysctl.conf
Add the lines below:
# Enable IP spoofing protection, turn on Source Address Verification
net.ipv4.conf.all.rp_filter = 1
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
Add the lines below to /etc/rc.local and restart the network:
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$f"
done
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
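As an added check (not part of the original post), the following Python snippet parses a sysctl.conf-style file and reports whether the two settings above are present with the expected value, so the hardening can be verified before relying on the rc.local loop. The parse_sysctl() and audit_sysctl() names and the two sample configurations are constructed for this example.

```python
"""Audit sysctl.conf text for the anti-spoofing and SYN-cookie settings (added example)."""

# The two keys the post enables, with the value each must carry.
REQUIRED = {
    "net.ipv4.conf.all.rp_filter": "1",
    "net.ipv4.tcp_syncookies": "1",
}

# Constructed sample: rp_filter switched off and syncookies never set.
WEAK_CONF = """\
# Kernel sysctl configuration
net.ipv4.conf.all.rp_filter = 0
net.ipv4.ip_forward = 0
"""

# Constructed sample: the settings exactly as the post adds them.
HARDENED_CONF = """\
# Enable IP spoofing protection, turn on Source Address Verification
net.ipv4.conf.all.rp_filter = 1
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
"""


def parse_sysctl(text):
    """Parse 'key = value' lines; '#' and ';' start comments; a later line wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit_sysctl(text, required=REQUIRED):
    """Return {key: problem} for each required key that is missing or wrongly set."""
    settings = parse_sysctl(text)
    problems = {}
    for key, want in required.items():
        got = settings.get(key)
        if got is None:
            problems[key] = "missing"
        elif got != want:
            problems[key] = "set to %s, expected %s" % (got, want)
    return problems


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_sysctl(conf) or "ok")
```

An empty result means both keys are set as the post requires. Two facts worth knowing when acting on the report: `sysctl -p` loads /etc/sysctl.conf immediately without a reboot, and the effective rp_filter value for an interface is the higher of `net.ipv4.conf.all.rp_filter` and the interface's own entry, which is what the rc.local loop over /proc/sys/net/ipv4/conf/*/rp_filter is forcing to 1.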