cPanel® Blog

Blocking attacks with EasyApache 4’s mod_evasive

With the release of EasyApache 4 on Nov 7th, 2017, we now provide the mod_evasive Apache module. You can install it either in the EasyApache 4 interface, or with yum install ea-apache24-mod_evasive on the command line.

What is mod_evasive?

Themod_evasive Apache module helps to protect your server against DoS, DDoS, and brute force attacks. It also acts a detection tool, and you can configure it to communicate with iptables, firewalls, and routers, among other things.

This module works well for single-server attacks, distributed attacks, and brute-force attacks. If you integrate it with your firewall or IP filters, it can withstand even large attacks. For the best protection, you should integrate it with your firewalls and routers.

If your infrastructure cannot fend off other types of DoS attacks, this module will only help to the limits of your total bandwidth or server capacity for returning 403 errors.

What does the module do?

The mod_evasive Apache module creates an internal, dynamic hash table of IP addresses and URIs, and denies any single IP address that does the following:

  • Requests the same page more than a few times per second.
  • Makes more than 50 concurrent requests on the same child per second.
  • Makes any request while temporarily blacklisted.

The module creates an instance for each listener, ensuring a built-in cleanup mechanism and good scaling. Because of this, it will rarely catch a legitimate request, even if a user repeatedly clicks on reload.

How do I stop an attack?

So what do you do if you are the target of an DoS attack? In a DoS attack, an attacker may request a URL from your server as many times as they can in an attempt to cause you trouble. Because of the quantity of requests, your webserver may become unresponsive.

To stop the attack, first install mod_evasive on your server with the following command:

yum install ea-apache24-mod_evasive

The default configuration provided by cPanel & WHM will block most attacks without any extra configuration changes. The server’s response to those attackers will change to 403 Forbidden. This means that mod_evasive detected and blocked the attack before your system processed the request.

You will now see the following message in your Apache error_log file:

Client denied by server configuration

You will also see a message in /var/log/messages that resembles the following example:

localhost mod_evasive[2635]: Blacklisting address X.X.X.X: possible DoS attack.

The mod_evasive module does not blacklist clients forever, as you can configure the block time, but it will block them long enough to put a stop to the attack. Adjust the DOSBlockingPeriod directive in the mod_evasive configuration file to adjust how long to block those attacks.

What next?

If you would like to install mod_evasive, you can either install it in the Apache Modules section of WHM’s EasyApache 4 interface (WHM >> Home >> Software >> EasyApache 4), or you can install it on the command line with the yum install ea-apache24-mod_evasive command.

For more information, including all the configuration details, read our Apache Module: Evasive documentation.

Happy blocking!