Support #562
Install mod_evasive for Apache 2.4 on FreeBSD
Description
This is a simple guide for installing and configuring mod_evasive for Apache 2.4 on FreeBSD 9.2.
- Update the system and ports tree:
pkg update && pkg upgrade
portsnap fetch extract
- Install git:
pkg install git
Install mod_evasive¶
- Edit the mod_evasive Makefile:
cd /usr/ports/www/mod_evasive
vi Makefile
- And change the line USE_APACHE=22 to:
USE_APACHE= 24
- Begin compilation:
make install clean
- As of this writing the port does not build against Apache 2.4, because 2.4 removed conn_rec->remote_ip. The failure looks like this:
mod_evasive20.c: In function 'access_checker':
mod_evasive20.c:142: error: 'conn_rec' has no member named 'remote_ip'
mod_evasive20.c:146: error: 'conn_rec' has no member named 'remote_ip'
mod_evasive20.c:158: error: 'conn_rec' has no member named 'remote_ip'
mod_evasive20.c:165: error: 'conn_rec' has no member named 'remote_ip'
mod_evasive20.c:180: error: 'conn_rec' has no member named 'remote_ip'
mod_evasive20.c:187: error: 'conn_rec' has no member named 'remote_ip'
mod_evasive20.c:208: error: 'conn_rec' has no member named 'remote_ip'
mod_evasive20.c:212: warning: implicit declaration of function 'getpid'
mod_evasive20.c:215: error: 'conn_rec' has no member named 'remote_ip'
mod_evasive20.c:221: error: 'conn_rec' has no member named 'remote_ip'
mod_evasive20.c:222: error: 'conn_rec' has no member named 'remote_ip'
mod_evasive20.c:228: error: 'conn_rec' has no member named 'remote_ip'
apxs:Error: Command failed with rc=65536
.
*** [do-build] Error code 1

Stop in /usr/ports/www/mod_evasive.
- Fix the extracted source in the port's work directory (run from /usr/ports/www/mod_evasive). Apache 2.4 renamed conn_rec->remote_ip to conn_rec->client_ip, so a one-line substitution is enough; the getpid warning is only a missing #include <unistd.h> and does not stop the build:
sed -i '' -e 's/remote_ip/client_ip/g' work/mod_evasive/mod_evasive20.c
Note that client_ip is the address of the TCP peer. If Apache sits behind a reverse proxy or load balancer, every request arrives from the proxy's address and mod_evasive will count, and block, all users as one client. request_rec->useragent_ip is the 2.4 field that honours mod_remoteip, but switching the module to it is a larger change than this substitution.
- Then finish installing mod_evasive:
make install clean
- Create the mod_evasive config file:
vi /usr/local/etc/apache24/modules.d/010_mod_evasive.conf
- And add the following:
LoadModule evasive20_module libexec/apache24/mod_evasive20.so

<IfModule evasive20_module>
    # Size of the hash table that holds the per-client counters. Larger is
    # faster but uses more RAM; 3097 is the built-in default.
    DOSHashTableSize 3097
    # Page interval, in seconds: the window over which hits on one URL are counted.
    DOSPageInterval 1
    # Site interval, in seconds: the window over which hits on any URL are counted.
    DOSSiteInterval 1
    # How long, in seconds, a client stays blocked. Every request the client
    # makes while blocked restarts this period.
    DOSBlockingPeriod 10
    # Threshold of requests for the same page from one IP per page interval.
    # Exceeding it blocks the client (it gets 403 Forbidden).
    DOSPageCount 2
    # Threshold of requests for any object from the same IP, on the same
    # listener, per site interval.
    DOSSiteCount 50
    # Email sent when a host is blocked (by default via "/bin/mail -t %s").
    # A lock file per blocked IP prevents repeated notifications.
    DOSEmailNotify admin@example.com
    # Command executed when a host is blocked; %s is the blocked IP.
    # The same lock file prevents repeated calls.
    #DOSSystemCommand "su - someuser -c '/sbin/... %s ...'"
    # Directory for the lock files (defaults to /tmp).
    #DOSLogDir "/var/lock/mod_evasive"
    # Whitelist an IP. Trailing-octet wildcards such as 127.0.0.* are
    # accepted; CIDR notation is not.
    #DOSWhiteList 127.0.0.1
</IfModule>
- Restart apache24 to enable mod_evasive
service apache24 restart
- Now check to see that the module loaded correctly:
apachectl -M
- Truncated output:
Loaded Modules:
 ...
 evasive20_module (shared)
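The directives above are easier to reason about with the counting logic in front of you. The following Python model is an added example, not code from this page or from the mod_evasive project: it re-implements the accounting that access_checker() in mod_evasive20.c performs (a per-IP-and-URL counter, a per-IP site counter, a per-IP hold list and trailing-octet whitelist wildcards) and runs constructed request traces against the values from 010_mod_evasive.conf. The IP addresses, URLs and timestamps are made up, subrequests and the email/command side effects are ignored, and the class and function names are this example's own.

```python
# Added example: a Python model of mod_evasive's per-client accounting, written
# for illustration. It mirrors the counting in access_checker() of
# mod_evasive20.c; it is not code from this page or from the mod_evasive
# project. Every IP, URL and timestamp in demo() is constructed.

OK = 200          # request passes
FORBIDDEN = 403   # what mod_evasive returns to a blocked client


class EvasiveTable:
    """mod_evasive keeps three kinds of entries in one hash table:
    "<ip>_<uri>" (page counter), "<ip>_SITE" (site counter) and "<ip>"
    (the hold list). Each entry here is [timestamp, count]."""

    def __init__(self, page_interval=1, page_count=2, site_interval=1,
                 site_count=50, blocking_period=10, whitelist=()):
        self.page_interval = page_interval      # DOSPageInterval
        self.page_count = page_count            # DOSPageCount
        self.site_interval = site_interval      # DOSSiteInterval
        self.site_count = site_count            # DOSSiteCount
        self.blocking_period = blocking_period  # DOSBlockingPeriod
        self.whitelist = set(whitelist)         # DOSWhiteList entries
        self.table = {}

    def is_whitelisted(self, ip):
        """Exact IPv4 match or trailing-octet wildcards (10.0.0.*, 10.0.*.*,
        10.*.*.*). CIDR notation is not understood."""
        octets = ip.split(".")
        if len(octets) != 4:
            return ip in self.whitelist
        candidates = [ip] + [".".join(octets[:i] + ["*"] * (4 - i)) for i in (1, 2, 3)]
        return any(c in self.whitelist for c in candidates)

    def _count_hit(self, key, now, interval, limit):
        """Record one hit on key; True if it was over limit inside interval.
        A new entry starts at count 0 and is compared before it is incremented,
        so with limit 2 the fourth hit inside the interval is the first refused."""
        entry = self.table.get(key)
        if entry is None:
            self.table[key] = [now, 0]
            return False
        ts, count = entry
        over = now - ts < interval and count >= limit
        if not over and now - ts >= interval:
            count = 0                  # interval elapsed: start counting again
        entry[0], entry[1] = now, count + 1
        return over

    def check(self, ip, uri, now):
        """Decide one request made at time now (whole seconds, like time())."""
        if self.is_whitelisted(ip):
            return OK
        hold = self.table.get(ip)
        if hold is not None and now - hold[0] < self.blocking_period:
            hold[0] = now              # a hit while on hold restarts the period
            return FORBIDDEN
        blocked = self._count_hit(f"{ip}_{uri}", now, self.page_interval, self.page_count)
        if self._count_hit(f"{ip}_SITE", now, self.site_interval, self.site_count):
            blocked = True
        if blocked:
            self.table[ip] = [now, 0]  # add the client to the hold list
        return FORBIDDEN if blocked else OK


def demo():
    """Constructed traces against the values from 010_mod_evasive.conf."""
    cfg = dict(page_interval=1, page_count=2, site_interval=1, site_count=50,
               blocking_period=10, whitelist=("127.0.0.*",))
    out = {}
    # One URL hammered within the same second: 200, 200, 200, then 403.
    t = EvasiveTable(**cfg)
    out["burst"] = [t.check("203.0.113.5", "/index.php", 100) for _ in range(5)]
    # Retrying inside the 10 s hold keeps the client blocked; it only clears
    # after a pause of at least DOSBlockingPeriod since the last attempt.
    out["retry_5s_later"] = t.check("203.0.113.5", "/index.php", 105)
    out["retry_9s_after_that"] = t.check("203.0.113.5", "/index.php", 114)
    out["after_11s_pause"] = t.check("203.0.113.5", "/index.php", 125)
    # Site limit: 60 different URLs in one second from one address.
    t = EvasiveTable(**cfg)
    site = [t.check("203.0.113.6", f"/obj{i}", 200) for i in range(60)]
    out["first_site_refusal_index"] = site.index(FORBIDDEN)
    # Behind a reverse proxy client_ip is the proxy, so users share counters:
    # three hits from user A get user B's first request refused.
    t = EvasiveTable(**cfg)
    for _ in range(3):
        t.check("10.0.0.2", "/login", 300)
    out["user_b_via_same_proxy"] = t.check("10.0.0.2", "/login", 300)
    # A whitelisted client is never counted, however hard it hits.
    t = EvasiveTable(**cfg)
    out["whitelisted"] = [t.check("127.0.0.9", "/index.php", 400) for _ in range(10)]
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Three things this makes visible before you test: with DOSPageCount 2 the fourth hit on the same URL within one second is the first one refused, because a fresh entry starts at 0 and is compared before it is incremented; the hold timer restarts on every refused hit, so a client that keeps retrying stays blocked until it pauses for a full DOSBlockingPeriod; and because this build keys on client_ip, the TCP peer, one noisy user behind a shared proxy locks out everyone behind it.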
Testing mod_evasive¶
Using Perl¶
- On a remote machine, create test-evasive.pl:
vi test-evasive.pl
- And add the following:
#!/usr/bin/perl
# test-evasive.pl: small script to test mod_evasive's effectiveness
use strict;
use IO::Socket;

for (0..100) {
    my $response;
    my $SOCKET = IO::Socket::INET->new(
        Proto    => "tcp",
        PeerAddr => "www.example.com:80",
    );
    if (! defined $SOCKET) { die $!; }
    # The query string only defeats caching; it does not change the request
    # path, so every iteration counts as a hit on the same page and
    # DOSPageCount is the limit that trips.
    print $SOCKET "GET /?$_ HTTP/1.0\n\n";
    $response = <$SOCKET>;   # status line only, e.g. "HTTP/1.1 403 Forbidden"
    print $response;
    close($SOCKET);
}
NOTE: Change the PeerAddr to the host (and port) to be tested. With the config above, expect a few "200 OK" lines followed by "403 Forbidden" for the rest of the run, since each refused request restarts the blocking period.
- Once the file is saved, run it:
perl test-evasive.pl
Using Apache Bench¶
- ab, the Apache HTTP server benchmarking tool, generates the same kind of load:
ab -n1000 -c1000 http://www.example.com/index.php
- -n: Number of requests to perform for the benchmarking session.
- -c: Number of multiple requests to perform at a time (concurrency).
- With mod_evasive working, most of the run is refused with 403, which ab reports as "Non-2xx responses". If the client's open-file limit is below the concurrency, ab aborts with a socket error instead; lower -c or raise ulimit -n on the test machine.
Resources¶
- http://xmodulo.com/harden-apache-web-server-mod_security-mod_evasive-centos.html