Installing Apache mod_evasive in Ubuntu Server
Recently we’ve been converting an ISP’s servers from Debian Linux to Ubuntu Server. Ubuntu is heavily based on Debian so most things are the same. The most limiting factor so far has been that Ubuntu’s Main software package repository contains far fewer packages than Debian.
One Apache module we like to use on production servers is mod_evasive, a simple denial of service detection tool that helps prevent miscreants from hammering a server to death with requests. It won’t stop a determined attacker who has a few hundred bots under his control from flooding you offline, but mod_evasive is a useful additional layer of defense for a production web server.
If you enable Ubuntu’s “universe” repository you can access almost the same number of packages as provided by Debian. However, those packages are not supported, meaning timely security fixes may not be released and they may break the ability to perform a seamless upgrade to subsequent releases of Ubuntu. A package for mod_evasive is available in Universe, but it’s only for Apache 1.3.x. The supported version of Apache in Ubuntu 6.06 is 2.0.55 (there goes our dream of being able to avoid compiling things from source).
All the support libraries and utilities needed to compile Apache modules from source are available in Main, so it’s possible to download mod_evasive and install it yourself for Apache 2. Here’s how:
To compile any Apache module in Ubuntu, install the development package that corresponds to the Apache Multi-processing Module (MPM) you are using. Apache 2 gives you a choice of MPMs but if the server is running PHP5, Apache will be using the default “Prefork MPM”. For that MPM, install package apache2-prefork-dev:
apt-get install apache2-prefork-dev
Download the mod_evasive source tarball and unpack into a temporary directory. To allow sending of email alerts when activity is blocked, edit the file mod_evasive20.c to change the #define MAILER to “/usr/bin/mail %s”.
Compile and install the module with the following command:
/usr/bin/apxs2 -i -c mod_evasive20.c
Normally the module would be enabled by adding a LoadModule directive to the file httpd.conf. However, on Ubuntu the directive is specified in a file located in /etc/apache2/mods-available. Create a file named “evasive.load” in that directory containing the following:
LoadModule evasive20_module /usr/lib/apache2/modules/mod_evasive20.so
Directives controlling the behavior of mod_evasive should be specified in a file created in directory /etc/apache2/conf.d. Create a file named “evasive” in that directory and add the mod_evasive directives you want for your server. For example:
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
DOSEmailNotify you@example.com
</IfModule>
Finally, enable the module and restart Apache:
a2enmod evasive
/etc/init.d/apache2 force-reload
Some Linux distributions make it very difficult to add your own customizations such as Apache modules. Ubuntu (and of course Debian) make it fairly straightforward.
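The thresholds above are easy to set too tightly for a chatty but legitimate client, so it helps to replay an existing access log against candidate values before enabling the module. The following is an added example, not part of the original post or of mod_evasive: it uses a simplified sliding-window model of the DOSPageCount/DOSPageInterval and DOSSiteCount/DOSSiteInterval directives rather than the module's own algorithm. The log lines, addresses and URIs are constructed sample data, and the function names are hypothetical.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in Apache common log format (not real traffic):
# 192.0.2.10 polls one URI several times a second, 192.0.2.20 browses normally.
SAMPLE_LOG = """\
192.0.2.10 - - [23/Oct/2006:04:57:01 +0000] "GET /ajaxterm/u HTTP/1.1" 200 120
192.0.2.20 - - [23/Oct/2006:04:57:01 +0000] "GET / HTTP/1.1" 200 5120
192.0.2.10 - - [23/Oct/2006:04:57:01 +0000] "GET /ajaxterm/u HTTP/1.1" 200 120
192.0.2.10 - - [23/Oct/2006:04:57:01 +0000] "GET /ajaxterm/u HTTP/1.1" 200 120
192.0.2.10 - - [23/Oct/2006:04:57:02 +0000] "GET /ajaxterm/u HTTP/1.1" 200 120
192.0.2.10 - - [23/Oct/2006:04:57:02 +0000] "GET /ajaxterm/u HTTP/1.1" 200 120
192.0.2.20 - - [23/Oct/2006:04:57:03 +0000] "GET /about.html HTTP/1.1" 200 2048
192.0.2.10 - - [23/Oct/2006:04:57:03 +0000] "GET /ajaxterm/u HTTP/1.1" 200 120
"""

# client IP, [timestamp], "METHOD URI ..."
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)')

def parse(log):
    """Yield (epoch_seconds, ip, uri) for each parsable log line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            yield when.timestamp(), m.group(1), m.group(3)

def would_block(log, page_count, page_interval, site_count, site_interval):
    """Return {ip: "page" | "site"} naming the first threshold each client exceeds.

    Simplified model: a client trips a threshold when it makes more than
    `count` requests inside a sliding window of `interval` seconds, counted
    per (ip, uri) for the page limit and per ip for the site limit.
    Access logs have one-second resolution, so results are approximate.
    """
    page_hits, site_hits = defaultdict(deque), defaultdict(deque)
    blocked = {}
    for ts, ip, uri in parse(log):
        for key, hits, limit, interval, label in (
            ((ip, uri), page_hits, page_count, page_interval, "page"),
            (ip, site_hits, site_count, site_interval, "site"),
        ):
            window = hits[key]
            window.append(ts)
            while ts - window[0] >= interval:  # drop hits older than the window
                window.popleft()
            if len(window) > limit:
                blocked.setdefault(ip, label)
    return blocked

if __name__ == "__main__":
    print(would_block(SAMPLE_LOG, 2, 1, 50, 1))
```

Run it over a day of real log data with several candidate settings; any address it reports that you recognise as a legitimate client is a sign the page or site threshold needs raising for that application.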
11 Responses to “Installing Apache mod_evasive in Ubuntu Server”:
October 20th, 2006 at 5:16 am
No luck with edgy. It seems there is no equivalent there for apache2-prefork-dev? Probably just me being thick, but I can’t find any apache*-dev package in edgy.
October 20th, 2006 at 7:25 am
Hmm… that package is listed for the upcoming Edgy release:
http://packages.ubuntu.com/edgy/devel/apache2-prefork-dev
…so you should be able to find it in your packages list. Perhaps the apt source your installation is using is corrupt or incomplete? You can always download the package directly from the above and install using ‘dpkg’.
October 20th, 2006 at 8:37 am
Yep – corrupted apt sources, it seems. I did another “apt-get update” 15 minutes ago and I was able to install it.
Sorry, I should have been more patient.
October 23rd, 2006 at 4:56 am
A small note, replace the “” at the end of /etc/apache2/conf.d/evasive with “”, or apache won’t start.
October 23rd, 2006 at 4:57 am
Unfortunately, I just had to disable it, as it assumes that ajaxterm is doing a DoS attack.
October 23rd, 2006 at 8:16 am
Well of course mod_evasive requires tuning to match your specific environment. The default threshold values are just examples. I’ve been using the following on one production server:
DOSHashTableSize 3097
DOSPageCount 4
DOSSiteCount 80
DOSPageInterval 2
DOSSiteInterval 2
DOSBlockingPeriod 600
For specific applications on a server that normally get a lot of requests (like AJAX) you might be able to set higher evasive settings inside an Apache <Directory> or <location> statement.
October 24th, 2006 at 4:35 am
Ok, will try that. I tried more permissive settings, but it still blocked, so I’ll have to do that at a time where I have physical access to the server.
My note above, that got mangled, was to replace the final “\” with “\”
October 24th, 2006 at 4:36 am
lol, it seems I can’t get it right. What is the escape char to post here?
December 2nd, 2006 at 3:58 pm
Where can I download it? The page of the developer is down. Can anybody give me an alternative link?
December 2nd, 2006 at 9:48 pm
Hmm… the main site http://www.zdziarski.com/projects/mod_evasive/ is working for me (from Canada) so it might just be a temporary problem from where you are.
It could also be your ISP is blocking that site for some reason (or that the site is blocking your ISP).
In that case maybe try reaching it via an open web proxy (for example, try a CGI Proxy like the one at http://proxify.com/)