mod_evasive is an Apache module designed to mitigate Denial of Service attacks: it monitors request rates and temporarily blocks IP addresses when an attack pattern is detected (blocked clients receive 403 Forbidden responses for the blocking period).
Installing mod_evasive
The first thing you must do is download the mod_evasive source code from http://www.zdziarski.com/projects/mod_evasive/. After downloading the package, extract it with tar zvxf mod_evasive_1.10.1.tar.gz. Before compiling mod_evasive you must have two dependencies installed (apache2-devel and apache2-prefork). Once they are in place, compile the module with apxs. For Apache 2.0 use /usr/local/apache/bin/apxs -i -a -c mod_evasive20.c, and for Apache 1.3 use /usr/local/apache/bin/apxs -i -a -c mod_evasive.c. If your apxs binary is not located at /usr/local/apache/bin/apxs, replace that path with the one for your Apache installation.
The next thing you must do is make sure mod_evasive is loaded whenever Apache starts. Open /etc/sysconfig/apache2 and add mod_evasive20 to APACHE_MODULES if you are using Apache 2.0, or just mod_evasive if you are using Apache 1.3. Once you have done that, create a file named mod_evasive.conf in your Apache configuration directory with the following content:
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
</IfModule>
That is the most common mod_evasive configuration, and you probably do not need to change any of the values. If you are installing mod_evasive for Apache 1.3, replace <IfModule mod_evasive20.c> with <IfModule mod_evasive.c>. Now restart the Apache web server for the changes to take effect and for mod_evasive to become active.
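To see what those directives mean in practice, here is an added Python model of the per-IP counting that mod_evasive performs, replayed over constructed sample traffic. This is example code written for this page, not the module's own source: it simplifies the module's exact counting boundaries and ignores whitelisting, and the IP addresses and URIs are made up.

```python
from dataclasses import dataclass, field

@dataclass
class EvasivePolicy:
    """Parameter names mirror the mod_evasive.conf directives above."""
    page_count: int = 2          # DOSPageCount: same-page hits allowed per page interval
    site_count: int = 50         # DOSSiteCount: site-wide hits allowed per site interval
    page_interval: float = 1.0   # DOSPageInterval (seconds)
    site_interval: float = 1.0   # DOSSiteInterval (seconds)
    blocking_period: float = 10  # DOSBlockingPeriod (seconds)

@dataclass
class EvasiveTable:
    # Simplified (hypothetical) model of the module's per-IP hit table, not its real code.
    policy: EvasivePolicy = field(default_factory=EvasivePolicy)
    hits: dict = field(default_factory=dict)     # key -> (window start, count)
    blocked: dict = field(default_factory=dict)  # ip -> time of last denied request

    def _count(self, key, now, interval):
        start, n = self.hits.get(key, (now, 0))
        if now - start >= interval:       # window expired: start a fresh one
            start, n = now, 0
        self.hits[key] = (start, n + 1)
        return n + 1

    def check(self, ip, uri, now):
        """Return True if the request is served, False if it gets a 403."""
        p = self.policy
        if ip in self.blocked and now - self.blocked[ip] < p.blocking_period:
            self.blocked[ip] = now        # each denied hit extends the block
            return False
        self.blocked.pop(ip, None)        # block has expired (or never existed)
        over_page = self._count((ip, uri), now, p.page_interval) > p.page_count
        over_site = self._count((ip,), now, p.site_interval) > p.site_count
        if over_page or over_site:
            self.blocked[ip] = now
            return False
        return True

def simulate(requests, policy=None):
    """Replay (time, ip, uri) tuples in time order; return ip -> number of denied requests."""
    table = EvasiveTable(policy or EvasivePolicy())
    denied = {}
    for now, ip, uri in sorted(requests):
        if not table.check(ip, uri, now):
            denied[ip] = denied.get(ip, 0) + 1
    return denied

# Constructed sample traffic: 10.0.0.5 hits one page five times in half a second,
# while 192.0.2.10 browses five different pages at a normal pace.
SAMPLE = [(0.1 * i, "10.0.0.5", "/index.html") for i in range(5)] + \
         [(0.3 * i, "192.0.2.10", "/page%d.html" % i) for i in range(5)]
```

With the default values, simulate(SAMPLE) denies the third and later same-page hits from 10.0.0.5 and nothing from 192.0.2.10, and a client that stays quiet for longer than DOSBlockingPeriod is served again.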
Advanced Policy Firewall (APF) is, like (D)DoS Deflate, an iptables-based firewall for Linux boxes. APF is a powerful, yet easy to install and configure, firewall.
Installing APF
Type the following into a shell:
cd /usr/local/src
wget http://rfxnetworks.com/downloads/apf-current.tar.gz
tar -zxf apf-current.tar.gz
cd apf-0.*
./install.sh
After you have installed the firewall you will see a message like the following:
Listening TCP ports: 1,21,22,25,53,80,110,111,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306
Listening UDP ports: 53,55880
This is only example output; these ports are not configured automatically. You have to configure the firewall manually.
Configuring APF
pico /etc/apf/conf.apf
First, enable development mode in the firewall configuration file: find DEVEL_MODE and set its value to 1. In development mode APF flushes its rules from cron every 5 minutes, so a mistake in the configuration cannot lock you out of the box while you are still testing it.
Enabling ingress filtering
Find the line "# Common ingress (inbound) TCP ports -3000_3500 = passive port range for Pure FTPD" in the configuration file. On the line below it, list the inbound TCP ports you want to allow through the ingress filter, for example:
IG_TCP_CPORTS="21,22,25,53,80,110,143"
Enabling egress filtering
Find the line "# Egress filtering [0 = Disabled / 1 = Enabled]". To enable egress filtering set EGF="1", followed by the lists of outbound ports the egress filter should allow. For example:
# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,80"
#
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53"
Configuring Anti DOS
AntiDOS is a new feature of APF, meant to protect your system from Denial of Service attacks. Its configuration file is located under /etc/apf/ and its log file at /var/log/apfados_log.
Find USE_AD and set it to 1. Now make the machine run AntiDOS every 2 minutes by adding the following cron entry. Running it more often is not recommended because it will create a bottleneck, and running it at intervals longer than 5 minutes will most likely defeat its purpose, so 2 minutes is the optimal setting.
*/2 * * * * /etc/apf/ad/antidos -a > /dev/null 2>&1
You should also make APF start at boot time with chkconfig --level 2345 apf on
After you have finished configuring the firewall, restart it with apf -r.
Now disable the development mode again by setting DEVEL_MODE to 0.
Start the firewall with /usr/local/sbin/apf -s