The evasive module protects your website from application layer DOS attacks

There are many attack methods that can cause a website to go offline. More complex methods require technical knowledge in database and programming. A simpler method is called a "Denial Of ServiceDenial Of Service" (DOS) attack. The name of this attack method comes from its intention: to cause normal service requests from ordinary customers or website visitors to be denied.

Generally speaking, there are two forms of DOS attacks:

1. The third and fourth layers of the OSI model, namely network layer attacks
2. Seven layers of the OSI model, namely application layer attacks

The first type of DOS attack, the network layer, occurs when a large amount of junk traffic flows to the web server. When spam traffic exceeds the capacity of the network, the website goes down.

The second type of DOS attack is at the application layer and utilizes legitimate service requests rather than junk traffic. When the number of page requests exceeds the capacity of the web server, even legitimate visitors will be unable to use the website.

This article will focus on mitigating application layer attacks, since mitigating network layer attacks requires a large amount of available bandwidth and the cooperation of upstream providers, which is not usually possible by configuring a network server.

By configuring an ordinary web server, web pages can be protected from application layer attacks, at least with moderate protection. Preventing this form of attack is very important, as Cloudflare[1] recently reported[2] that the number of network layer attacks is decreasing, while the number of application layer attacks is increasing. Increase.

This article will introduce how to use the Apache2 module mod_evasive[4] developed by zdziarski[3].

In addition, mod_evasive will block attackers' attempts to guess (i.e., brute force attacks) by trying hundreds of username and password combinations.

mod_evasive logs the number of requests from each IP address. When this number exceeds one of several thresholds for the corresponding IP address, an error page appears. Error pages require far fewer resources than an online website that can respond to legitimate visits.

Install mod_evasive on Ubuntu 16.04

The default software library of Ubuntu 16.04 includes mod_evasive, named "libapache2-mod-evasive". You can use apt-get to complete the installation:

apt-get update
apt-get upgrade
apt-get install libapache2-mod-evasive

Now we need to configure mod_evasive.

Its configuration file is located at /etc/apache2/mods-available/evasive.conf. By default, all module settings are commented out after installation. Therefore, the module will not interfere with website traffic until the configuration file is modified.

<ifmodule mod_evasive20.c>
   #DOSHashTableSize    3097
   #DOSPageCount        2
   #DOSSiteCount        50
   #DOSPageInterval     1
   #DOSSiteInterval     1
   #DOSBlockingPeriod   10

   #DOSEmailNotify      you@yourdomain.com
   #DOSSystemCommand    "su - someuser -c '/sbin/... %s ...'"
   #DOSLogDir           "/var/log/mod_evasive"
</ifmodule>

The meaning of the first part of the parameters is as follows:

• DOSHashTableSize - The current list of IP addresses that are accessing the website and their number of requests.
• DOSPageCount - The number of requests for each page within a certain time interval. The time interval is defined by DOSPageInterval.
• DOSPageInterval - mod_evasive counts the time interval for page requests.
• DOSSiteCount - Same as DOSPageCount, but counts the number of requests to any page within the site from the same IP address.
• DOSSiteInterval - mod_evasive counts the time interval for website requests.
• DOSBlockingPeriod - The length of time (in seconds) that an IP address has been blacklisted.

If the default configuration shown above is used, an IP address will be blacklisted under the following circumstances:

• The same page is requested more than twice per second.
• Request more than 50 different pages per second.

If an IP address exceeds these thresholds, it will be blacklisted for 10 seconds.

This may not seem like a long time, but mod_evasive will always monitor page requests for blacklisted IP addresses and reset their blacklist start time. As long as an IP address keeps trying to DOS attack the website, it will always be on the blacklist.

The remaining parameters are:

• DOSEmailNotify - Email address used to receive DOS attack information and IP address blacklisting.
• DOSSystemCommand - Command to run when a DOS attack is detected.
• DOSLogDir - The directory used to store temporary files for mod_evasive.

Configuration mod_evasive

默认的配置是一个很好的开始，因为它不会阻塞任何合法的用户。取消配置文件中的所有参数（DOSSystemCommand 除外）的注释，如下所示：

<ifmodule mod_evasive20.c>
   DOSHashTableSize   3097
   DOSPageCount       2
   DOSSiteCount       50
   DOSPageInterval    1
   DOSSiteInterval    1
   DOSBlockingPeriod  10

   DOSEmailNotify       JohnW@example.com
   #DOSSystemCommand    "su - someuser -c '/sbin/... %s ...'"
   DOSLogDir            "/var/log/mod_evasive"
</ifmodule>

必须要创建日志目录并且要赋予其与 apache 进程相同的所有者。这里创建的目录是 /var/log/mod_evasive ，并且在 Ubuntu 上将该目录的所有者和组设置为 www-data ，与 Apache 服务器相同：

mkdir /var/log/mod_evasive
chown www-data:www-data /var/log/mod_evasive

在编辑了 Apache 的配置之后，特别是在正在运行的网站上，在重新启动或重新加载之前，最好检查一下语法，因为语法错误将影响 Apache 的启动从而使网站宕机。

Apache 包含一个辅助命令，是一个配置语法检查器。只需运行以下命令来检查您的语法：

apachectl configtest

如果您的配置是正确的，会得到如下结果：

Syntax OK

但是，如果出现问题，您会被告知在哪部分发生了什么错误，例如：

AH00526: Syntax error on line 6 of /etc/apache2/mods-enabled/evasive.conf:
DOSSiteInterval takes one argument, Set site interval
Action 'configtest' failed.
The Apache error log may have more information.

如果您的配置通过了 configtest 的测试，那么这个模块可以安全地被启用并且 Apache 可以重新加载：

a2enmod evasive
systemctl reload apache2.service

mod_evasive 现在已配置好并正在运行了。

测试

为了测试 mod_evasive，我们只需要向服务器提出足够的网页访问请求，以使其超出阈值，并记录来自 Apache 的响应代码。

一个正常并成功的页面请求将收到如下响应：

HTTP/1.1 200 OK

但是，被 mod_evasive 拒绝的将返回以下内容：

HTTP/1.1 403 Forbidden

以下脚本会尽可能迅速地向本地主机（127.0.0.1，localhost）的 80 端口发送 HTTP 请求，并打印出每个请求的响应代码。

你所要做的就是把下面的 bash 脚本复制到一个文件中，例如 mod_evasive_test.sh：

#!/bin/bash
set -e

for i in {1..50}; do
        curl -s -I 127.0.0.1 | head -n 1
done

这个脚本的部分含义如下：

• curl - 这是一个发出网络请求的命令。
  • -s - 隐藏进度表。
  • -I - 仅显示响应头部信息。
• head - 打印文件的第一部分。
  • -n 1 - 只显示第一行。

然后赋予其执行权限：

chmod 755 mod_evasive_test.sh

在启用 mod_evasive 之前，脚本运行时，将会看到 50 行 “HTTP / 1.1 200 OK” 的返回值。

但是，启用 mod_evasive 后，您将看到以下内容：

HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
...

前两个请求被允许，但是在同一秒内第三个请求发出时，mod_evasive 拒绝了任何进一步的请求。您还将收到一封电子邮件（邮件地址在选项 DOSEmailNotify 中设置），通知您有 DOS 攻击被检测到。

mod_evasive 现在已经在保护您的网站啦！

---

The above is the detailed content of The evasive module protects your website from application layer DOS attacks. For more information, please follow other related articles on the PHP Chinese website!