Users constantly making HTTP requests slow your server down and can possibly cause a DoS (Denial of Service) attack.


Deploy the mod_evasive module.

Environment Factors:

This article was tested on SUSE Linux Enterprise Server SP1.

Protecting Apache against DOS attack with mod_evasive

The Apache web server is the most popular web server on the Internet today holding a “52.65% market share for top servers across all domains August 1995 – July 2007” (Netcraft, 2007). The Apache module “mod_evasive” is an excellent module which helps defend against malicious users trying to perform HTTP DoS (Denial of Service) attacks and also helps protect against brute force attacks.

The “mod_evasive” module detects attacks using three different methods: 1) requesting the same page more than a few times per second, 2) making more than 50 concurrent requests on the same child per second, and 3) making any requests while temporarily blacklisted.


The first step to installing mod_evasive is to download the source code from [2] website. Once you have downloaded the source file you will need to unpack the compressed archive using the “tar” utility as shown in Figure 1.

Linux-w2mu:~# tar zvxf mod_evasive_1.10.1.tar.gz

Figure 1: Unpacking mod_evasive.

Once mod_evasive has been unpacked, change into the directory that contains the source code, as we will need to compile the “mod_evasive20.c” file. Before you compile the source code, you will need to install some dependencies that mod_evasive relies on.

mod_evasive dependencies

The dependencies that mod_evasive requires are listed in Table 1; you can install these dependencies from the SUSE Linux Enterprise Server CD/DVD.

| Dependency | Summary |
|---|---|
| apache2-devel | Header and Include Files |
| apache2-prefork | “prefork” MPM (Multi-Processing Module) |

Table 1: Mod_evasive dependencies.

Once you have installed all the dependencies listed in Table 1 and unpacked the source code, you can begin to compile the “mod_evasive20.c” file with the “apxs2” command as shown in Figure 1.1.

Linux-w2mu:~# apxs2 -ci mod_evasive20.c
/usr/lib/apr-1/build/libtool --silent --mode=compile gcc -prefer-pic -O2 -march=i586 -mtune=i686 -fmessage-length=0 -Wall -D_FORTIFY_SOURCE=2 -g -fPIC -Wall -fno-strict-aliasing -DLDAP_DEPRECATED -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE -D_LARGEFILE64_SOURCE -DAP_DEBUG -pthread -I/usr/include/apache2  -I/usr/include   -I/usr/include/apr-1   -c -o mod_evasive20.lo mod_evasive20.c && touch mod_evasive20.slo

Figure 1.1: Compiling mod_evasive for Apache 2.

Enabling mod_evasive

Once you have compiled the mod_evasive module you will need the module to load when Apache is started or restarted. The file that needs to be modified is “/etc/sysconfig/apache2” and the directive that needs to be altered is “APACHE_MODULES=” as it needs to include the mod_evasive20 module, as shown in Figure 2.

APACHE_MODULES="mod_evasive20 actions alias auth_basic authn_file authz_host authz_groupfile authz_default authz_user authn_dbm autoindex cgi dir env expires include log_config mime negotiation setenvif ssl suexec userdir php5"

Figure 2: Altered /etc/sysconfig/apache2 configuration file.

Once you have modified the “/etc/sysconfig/apache2” configuration file you will need to check the Apache syntax using the “service” command as shown in Figure 2.1.

Linux-w2mu:~# service apache2 configtest
Syntax OK

Figure 2.1: Verifying the syntax is OK.

Mod_evasive configuration

Once you have modified the “/etc/sysconfig/apache2” configuration file you will need to create a configuration file for the mod_evasive module. In the “/etc/apache2” directory you will need to create a file called: “mod_evasive.conf” with the following or similar content shown in Figure 3.

<IfModule mod_evasive20.c>
    DOSHashTableSize    3097
    DOSPageCount        2
    DOSSiteCount        50
    DOSPageInterval     1
    DOSSiteInterval     1
    DOSBlockingPeriod   10
</IfModule>

Figure 3: mod_evasive.conf

The key pairs that are used in the “mod_evasive.conf” configuration file are listed in Table 2 along with a description.

| Key | Description |
|---|---|
| DOSHashTableSize | The hash table size defines the number of top-level nodes for each child’s hash table. Increasing this number will provide faster performance by decreasing the number of iterations required to get to the record, but consume more memory for table space. |
| DOSPageCount | This is the threshold for the number of requests for the same page (or URI) per page interval. Once the threshold for that interval has been exceeded, the IP address of the client will be added to the blocking list. |
| DOSSiteCount | This is the threshold for the total number of requests for any object by the same client on the same listener per site interval. |
| DOSPageInterval | The interval for the page count threshold; defaults to 1 second intervals. |
| DOSSiteInterval | The interval for the site count threshold; defaults to 1 second intervals. |
| DOSBlockingPeriod | The blocking period is the amount of time (in seconds) that a client will be blocked for if they are added to the blocking list. During this time, all subsequent requests from the client will result in a 403 (Forbidden) and the timer being reset (e.g. another 10 seconds). |
| DOSEmailNotify | If this value is set, an email will be sent to the address specified whenever an IP address becomes blacklisted. A locking mechanism using /tmp prevents continuous emails from being sent. |
| DOSSystemCommand | If this value is set, the system command specified will be executed whenever an IP address becomes blacklisted. This is designed to enable system calls to ip filter or other tools. |
| DOSLogDir | Choose an alternative temp directory, default is /tmp. |

Table 2: Mod_evasive key pairs.
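
An added example (not part of the original article or of mod_evasive) for choosing the thresholds in Table 2: it counts requests per client in each one-second window of an existing access log, so you can see who would exceed the Figure 3 values before blocking is enabled. It assumes the common/combined log format, 1-second intervals and a "greater than" comparison; because mod_evasive keeps its counters per child process, this log-wide count is an upper bound.

```shell
#!/bin/sh
# Added example: estimate from an access log which clients would exceed the
# Figure 3 thresholds. Assumes common/combined log format and 1-second
# intervals (DOSPageInterval 1, DOSSiteInterval 1).

DOS_PAGE_COUNT=2    # DOSPageCount from Figure 3
DOS_SITE_COUNT=50   # DOSSiteCount from Figure 3

# Reads log lines on stdin. Prints "<ip> page <uri> <hits>" or
# "<ip> site - <hits>" for each one-second window above a threshold.
evasive_estimate() {
    awk -v page="$DOS_PAGE_COUNT" -v site="$DOS_SITE_COUNT" '
    {
        ip = $1; sec = $4; uri = $7     # $4 is "[dd/Mon/yyyy:hh:mm:ss"
        per_page[ip SUBSEP sec SUBSEP uri]++
        per_site[ip SUBSEP sec]++
    }
    END {
        for (k in per_page) if (per_page[k] > page) {
            split(k, f, SUBSEP)
            print f[1], "page", f[3], per_page[k]
        }
        for (k in per_site) if (per_site[k] > site) {
            split(k, f, SUBSEP)
            print f[1], "site", "-", per_site[k]
        }
    }' | sort -u
}

# Constructed sample: one client hammering /login.php, one normal page load.
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [19/Nov/2007:08:56:01 +0000] "GET /login.php HTTP/1.1" 200 512
192.0.2.10 - - [19/Nov/2007:08:56:01 +0000] "GET /login.php HTTP/1.1" 200 512
192.0.2.10 - - [19/Nov/2007:08:56:01 +0000] "GET /login.php HTTP/1.1" 200 512
192.0.2.10 - - [19/Nov/2007:08:56:02 +0000] "GET /login.php HTTP/1.1" 200 512
192.0.2.20 - - [19/Nov/2007:08:56:01 +0000] "GET /index.html HTTP/1.1" 200 4096
192.0.2.20 - - [19/Nov/2007:08:56:01 +0000] "GET /style.css HTTP/1.1" 200 900
192.0.2.20 - - [19/Nov/2007:08:56:01 +0000] "GET /logo.png HTTP/1.1" 200 7000
EOF
}

sample_log | evasive_estimate
```

To run it against real traffic, pipe your own access log into `evasive_estimate` instead of `sample_log`; a legitimate client that shows up in the output is a sign that DOSPageCount or DOSSiteCount is set too low for your site.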

Once you are happy with your “mod_evasive.conf” configuration file you can restart the Apache web server and test your new configuration. There are two methods of checking that mod_evasive is functioning correctly. The first method is to run the “” file in the mod_evasive directory as shown in Figure 3.1.

Linux-w2mu:~# perl
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden

Figure 3.1: Checking mod_evasive.

The second method to check mod_evasive is functioning correctly is to connect to your web server and hit the refresh button really fast and you should be presented with a “403 Forbidden” message.

Final Thoughts

Now that you have installed and configured mod_evasive, your Apache web server should be able to defend against HTTP DOS attacks and brute force attacks. I would also recommend placing offending IP addresses into your iptables rules using the “DOSSystemCommand” key. The reason to add the offending IP address to iptables is so that they don’t even get to see the “403 Forbidden” message, which makes your website look down to them.
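
One way to wire “DOSSystemCommand” to iptables, as an added example that is not from the original article or the mod_evasive project: mod_evasive replaces `%s` in the command with the blacklisted IP address, and because the command runs as the Apache user, the wrapper is called through sudo and accepts nothing but a dotted-quad IPv4 address. The script path, the sudo rule and the never-block list are assumptions.

```shell
#!/bin/sh
# Added example: hypothetical /usr/local/sbin/evasive-block, wired up with
#   DOSSystemCommand "sudo /usr/local/sbin/evasive-block %s"
# and a sudoers rule for the Apache user (wwwrun on SUSE), both assumptions.

NEVER_BLOCK="127.0.0.1 192.0.2.1"   # constructed: localhost, monitoring host
DRY_RUN=${DRY_RUN:-0}               # 1 = print the rule instead of applying it

# Succeeds only for a plain dotted-quad IPv4 address. The script runs as root
# on behalf of the web server user, so nothing else may reach iptables.
is_ipv4() {
    case $1 in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            0?*|????*) return 1 ;;      # leading zero or more than 3 digits
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Returns 0 when the rule is added (or printed), 2 for a rejected argument,
# 3 for an address on the never-block list.
block_ip() {
    ip=$1
    if ! is_ipv4 "$ip"; then
        echo "evasive-block: rejected argument" >&2
        return 2
    fi
    for keep in $NEVER_BLOCK; do
        if [ "$ip" = "$keep" ]; then
            echo "evasive-block: $ip is on the never-block list" >&2
            return 3
        fi
    done
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables -I INPUT -s $ip -j DROP"
    else
        iptables -I INPUT -s "$ip" -j DROP &&
            logger -t evasive-block "dropped $ip"
    fi
}

# Act only when called with an argument, as DOSSystemCommand does.
[ $# -eq 0 ] || block_ip "$1"
```

Rules added this way stay in place until they are removed, so review the INPUT chain periodically; a blocked address may be a shared NAT gateway with legitimate users behind it.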



This entry was posted Monday, 19 November, 2007 at 8:56 am


  • kschal says:

    I’ve installed, but first, there is a compile error:

    mod_evasive20.c: In function ‘access_checker’:
    mod_evasive20.c:212: warning: implicit declaration of function ‘getpid’
    mod_evasive20.c:212: warning: format ‘%ld’ expects type ‘long int’, but argument 4 has type ‘int’
    mod_evasive20.c:229: warning: ignoring return value of ‘system’, declared with attribute warn_unused_result
    mod_evasive20.c: In function ‘destroy_hit_list’:
    mod_evasive20.c:301: warning: control reaches end of non-void function
    mod_evasive20.c: In function ‘create_hit_list’:
    mod_evasive20.c:118: warning: control reaches end of non-void function

    and second, the test script isn’t working:

    root:/usr/src/mod_evasive# perl
    HTTP/1.1 200 OK
    HTTP/1.1 200 OK
    HTTP/1.1 200 OK
    HTTP/1.1 200 OK
    HTTP/1.1 200 OK
    HTTP/1.1 200 OK
    HTTP/1.1 200 OK
    HTTP/1.1 200 OK
    HTTP/1.1 200 OK
    HTTP/1.1 200 OK
    HTTP/1.1 200 OK
    HTTP/1.1 200 OK
    HTTP/1.1 200 OK
    HTTP/1.1 200 OK
    HTTP/1.1 302 Found
    HTTP/1.1 200 OK
    HTTP/1.1 302 Found
    HTTP/1.1 200 OK

    Is there any solution?! Google doesn’t help me … :-/

  • DamianMyerscough says:

    Hello kschal,

    Could you please specify more details? I can provide more help if you can provide the following details:

    What version of SUSE are you running?
    What version of GCC have you installed?
