Protecting Apache Server From Denial-of-Service (Dos) Attack
A denial-of-service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users, such as to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet. A distributed denial-of-service (DDoS) is where the attack source is more than one, often thousands of, unique IP addresses. It is analogous to a group of people crowding the entry door or gate to a shop or business, and not letting legitimate parties enter into the shop or business, disrupting normal operations.
Criminal perpetrators of DoS attacks often target sites or services hosted on high-profile web servers such as banks, credit card payment gateways; but motives of revenge, blackmail or activism can be behind other attacks.
The scale of DDOS attacks has continued to rise over recent years; web security company, CloudFlare, reported in 2016 they consistently mitigated attacks of 400Gbps.
What is mod_evasive?
mod_evasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and etcetera. mod_evasive presently reports abuses via email and syslog facilities.
Installing mod_evasive
Server Distro: Debian 8 jessie
Apache Version: Apache/2.4.10
mod_evasive appears to be in the Debian official repository, we will need to install using apt
We have mod_evasive installed but not configured, mod_evasive config is located at /etc/apache2/mods-available/evasive.conf. We will be editing that which should look similar to this
This configuration is what I’m using which is working well and I recommend it if you don’t know how to go about the configuration
mod_evasive set up correctly, now we are going to test if our web server has protection again DoS attack using ab (Apache Benchmark). Install ab if you don’t have it by typing:
www.hackthesec.co.in
A denial-of-service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users, such as to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet. A distributed denial-of-service (DDoS) is where the attack source is more than one, often thousands of, unique IP addresses. It is analogous to a group of people crowding the entry door or gate to a shop or business, and not letting legitimate parties enter into the shop or business, disrupting normal operations.
Criminal perpetrators of DoS attacks often target sites or services hosted on high-profile web servers such as banks, credit card payment gateways; but motives of revenge, blackmail or activism can be behind other attacks.
The scale of DDOS attacks has continued to rise over recent years; web security company, CloudFlare, reported in 2016 they consistently mitigated attacks of 400Gbps.
What is mod_evasive?
mod_evasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and etcetera. mod_evasive presently reports abuses via email and syslog facilities.
Installing mod_evasive
Server Distro: Debian 8 jessie
Apache Version: Apache/2.4.10
mod_evasive appears to be in the Debian official repository, we will need to install using apt
# apt-get update
# apt-get install libapache2-mod-evasive
Setting up mod_evasiveWe have mod_evasive installed but not configured, mod_evasive config is located at /etc/apache2/mods-available/evasive.conf. We will be editing that which should look similar to this
<IfModule mod_evasive20.c> #DOSHashTableSize 3097 #DOSPageCount 2 #DOSSiteCount 50 #DOSPageInterval 1 #DOSSiteInterval 1 #DOSBlockingPeriod 10 #DOSEmailNotify you@yourdomain.com #DOSSystemCommand "su - someuser -c '/sbin/... %s ...'" #DOSLogDir "/var/log/mod_evasive" </IfModule>mod_evasive Configuration Directives
- DOSHashTableSize
- DOSPageCount
- DOSSiteCount
- DOSPageInterval
- DOSSiteInterval
- DOSBlockingPeriod
- DOSEmailNotify
- DOSSystemCommand
- DOSLogDir
This configuration is what I’m using which is working well and I recommend it if you don’t know how to go about the configuration
<IfModule mod_evasive20.c> DOSHashTableSize 2048 DOSPageCount 5 DOSSiteCount 100 DOSPageInterval 1 DOSSiteInterval 2 DOSBlockingPeriod 10 DOSEmailNotify you@yourdomain.com #DOSSystemCommand "su - someuser -c '/sbin/... %s ...'" DOSLogDir "/var/log/mod_evasive" </IfModule>As you’ll replace you@yourdomain.com with your email. Since mod_evasive doesn’t create the log directory automatically, we are to create it for it:
# mkdir /var/log/mod_evasive
# chown :www-data /var/log/mod_evasive
# chmod 771 /var/log/mod_evasive
Once setup is done, make sure mod_evasive is enabled by typing:# a2enmod evasive
Restart Apache for changes to take effect# systemctl restart apache2
Testing mod_evasive Setupmod_evasive set up correctly, now we are going to test if our web server has protection again DoS attack using ab (Apache Benchmark). Install ab if you don’t have it by typing:
# apt-get install apache2-utils
Current stat of our /var/log/mod_evasiveroot@hackthesec:/var/log/mod_evasive# ls -l total 0 root@hackthesec:/var/log/mod_evasive#We will now send bulk requests to the server, causing a DoS attack by typing:
# ab -n 100 -c 10 http://serverip/
Sending 100 request on 10 concurrent requests per request, the current stat of my /var/log/mod_evasive directory is nowroot@hackthesec:/var/log/mod_evasive# ls -l
total 4
-rw-r--r-- 1 www-data www-data 18 May 16 22:10 dos-10.42.0.1
Checking Apache access logs at /var/log/apache2/access.log we can see all connections from ApacheBench/2.3 were dropped to 403:www.hackthesec.co.in
0 comments:
Post a Comment