Last week, I began working with mod_evasive, a Web-based security tool that helps defend Apache HTTP Server against Denial of Service (DoS) attacks. Mod_evasive is a typical loadable module that looks for particular behavior and then blocks it.

Mod_evasive is similar to Suhosin, which I wrote about back in December (at the URL below). You might remember that Suhosin is a patch for the PHP scripting engine that makes it far more secure. It helps detect and prevent all sorts of potentially bad Web-based content from reaching your systems and network beyond the PHP engine.

http://www.windowsitpro.com/Article/ArticleID/94673/94673

Mod_evasive keeps track of IP addresses that send URL requests to your Apache server, then gauges whether the request rates from any given IP address exceed your acceptable predefined limits. If the limits are exceeded, then the IP address is temporarily blocked from making any more requests.

Like many other Apache modules, mod_evasive allows the administrator to set various parameters that control module behavior. For example, you can set the maximum number of pages that one IP address can request from your entire site (DOSSiteCount) within a specified time period (DOSPageInterval), the maximum number of page reloads one IP address can request (DOSPageCount) within a specified time period (DOSPageInterval), and the period of time to block the requesting IP address if it exceeds the limits (DOSBlockingPeriod).

To help clarify, here's an example. If you set DOSSiteCount to 100, DOSPageCount to 3, DOSPageInterval to 2, and DOSBlockingPeriod to 10, then mod_evasive will work like this: If an IP address requests more than 100 different pages or reloads the same page more than three times in two seconds, that IP address will be blocked for 10 seconds.

There are a few other parameters you can configure too. You can set the size of the hash table mod_evasive uses to track IP addresses. The larger the hash table, the more IP addresses it can keep track of. You can also define an email address that will receive a short notice any time an IP address is blocked. And you can set a logging directory that records the IP addresses about which you've received email messages. Mod_evasive uses the log to keep from sending you numerous messages about the same IP address.

Overall, mod_evasive seems like a reasonable addition to Apache. It will in fact help fend off some intruders. However, if you aren't careful about the settings, it might block relatively innocent users whose browsers or proxy servers perform aggressive preloading of Web pages, a technique typically used to enhance the browsing experience and speed up overall browsing. So be careful configuring the settings, and be sure to monitor the email mod_evasive sends (if you use that feature) to determine whether you've configured it to be too restrictive.
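To make the counting rules concrete, here is a small Python model of the throttling behavior described above, using the example settings (DOSSiteCount 100, DOSPageCount 3, DOSPageInterval 2, DOSBlockingPeriod 10). It is an added illustration written for this column, not code from mod_evasive itself; it assumes the behavior exactly as described here (requests counted within the interval window, a block that simply expires after the blocking period) and uses constructed IP addresses from the documentation ranges. The second scenario shows the preloading problem: a client that never reloads a page but fetches many distinct pages quickly still trips the site limit.

```python
from collections import defaultdict, deque


class EvasiveModel:
    """Simplified model of mod_evasive's per-IP throttling as the article describes it.

    Defaults are the article's example values; the matching httpd.conf directives
    are DOSSiteCount, DOSPageCount, DOSPageInterval and DOSBlockingPeriod.
    Time is passed in explicitly so the scenarios are deterministic.
    """

    def __init__(self, site_count=100, page_count=3, page_interval=2.0,
                 blocking_period=10.0):
        self.site_count = site_count            # DOSSiteCount
        self.page_count = page_count            # DOSPageCount
        self.page_interval = page_interval      # DOSPageInterval (seconds)
        self.blocking_period = blocking_period  # DOSBlockingPeriod (seconds)
        self.page_hits = defaultdict(deque)     # (ip, uri) -> request timestamps
        self.site_hits = defaultdict(deque)     # ip -> request timestamps
        self.blocked_until = {}                 # ip -> time the block expires
        self.notified = set()                   # IPs already reported (the DOSLogDir role)
        self.notices = []                       # (time, ip, reason) that would be emailed

    def _prune(self, hits, now):
        # Drop timestamps that have fallen out of the interval window.
        while hits and now - hits[0] > self.page_interval:
            hits.popleft()

    def _block(self, ip, now, reason):
        self.blocked_until[ip] = now + self.blocking_period
        # The log directory keeps a repeat offender from generating a new email each time.
        if ip not in self.notified:
            self.notified.add(ip)
            self.notices.append((now, ip, reason))

    def request(self, ip, uri, now):
        """Return True if the request would be served, False if refused (HTTP 403)."""
        if ip in self.blocked_until:
            if now < self.blocked_until[ip]:
                return False
            del self.blocked_until[ip]          # blocking period has expired
        page = self.page_hits[(ip, uri)]
        site = self.site_hits[ip]
        self._prune(page, now)
        self._prune(site, now)
        page.append(now)
        site.append(now)
        if len(page) > self.page_count:
            self._block(ip, now, "%d requests for %s within %gs"
                        % (len(page), uri, self.page_interval))
            return False
        if len(site) > self.site_count:
            self._block(ip, now, "%d pages within %gs"
                        % (len(site), self.page_interval))
            return False
        return True


def reload_scenario():
    """Four reloads of one page within two seconds: the fourth is refused and the
    IP stays blocked for 10 s; a different IP is unaffected. Addresses are constructed."""
    m = EvasiveModel()
    burst = [m.request("203.0.113.5", "/index.html", t) for t in (0.0, 0.5, 1.0, 1.5)]
    during_block = m.request("203.0.113.5", "/about.html", 5.0)   # still blocked until 11.5
    after_block = m.request("203.0.113.5", "/index.html", 12.0)   # block expired, served
    other_client = m.request("198.51.100.7", "/index.html", 1.6)  # unrelated IP, served
    return burst, during_block, after_block, other_client, len(m.notices)


def prefetch_scenario(distinct_pages=101):
    """A preloading proxy that pulls 101 distinct pages in about a second never
    reloads anything, yet still exceeds DOSSiteCount=100 and is blocked."""
    m = EvasiveModel()
    served = sum(m.request("192.0.2.9", "/page%d.html" % i, i * 0.01)
                 for i in range(distinct_pages))
    return served, "192.0.2.9" in m.blocked_until


if __name__ == "__main__":
    print("reload scenario:", reload_scenario())
    print("prefetch scenario (served, blocked):", prefetch_scenario())
```

Running the script shows the fourth reload refused and the prefetching client cut off after 100 pages, which is the pattern to watch for in the notification emails when deciding whether DOSSiteCount or DOSPageInterval is set too tightly for your visitors.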

Mod_evasive is available from the developer, Jonathan A. Zdziarski, in source code format (at the URL below), so you must compile it by using Apache's apxs tool (see the readme file for details). That typically isn't a problem for Linux administrators; however, it might present a problem for Windows users, who might not have apxs or other required tools.

http://www.zdziarski.com/projects/mod_evasive/

You can get apxs for Windows at Apache Lounge, at the URL below, provided as a Perl script. Be aware that you'll need some Apache-related libraries to use it, so when you install Apache on Windows you need to choose the custom install and select "Build Headers and Libraries" as part of your installation. Make sure the libraries are located in the lib subdirectory of your Apache installation directory before using the apxs tool.

http://www.apachelounge.com/download

Or, to simplify matters, you can get a precompiled copy of mod_evasive for Windows, including source code, at the URL below.

http://bestofsecurity.net/2007/02/04/mod-dosevasive-mod-evasive

Finally, keep in mind that while mod_evasive is effective at protecting Apache against DoS attacks, it's not a cure-all. Attackers could still saturate your bandwidth or overload your Web server's CPU. So keep that in mind and take other measures, if you can, to prevent those possibilities from becoming reality.