Support #562
Updated by Daniel Curtis almost 10 years ago
{{>toc}}
This is a simple guide for installing and configuring mod_evasive for Apache 2.4 on FreeBSD 9.2.
* Update the system and ports tree:
<pre>
pkg update && pkg upgrade
portsnap fetch extract
</pre>
* Install git:
<pre>
pkg install git
</pre>
---
h1. Install mod_evasive
* Edit the mod_evasive Makefile:
<pre>
cd /usr/ports/www/mod_evasive
vi Makefile
</pre>
#* And change the line *USE_APACHE=22* to:
<pre>
USE_APACHE= 24
</pre>
* Begin compilation:
<pre>
make install clean
</pre>
#* With only the @USE_APACHE@ change, the build fails against the Apache 2.4 headers (2.4 removed the @remote_ip@ member of @conn_rec@), with output similar to the following:
<pre>
mod_evasive20.c: In function 'access_checker':
mod_evasive20.c:142: error: 'conn_rec' has no member named 'remote_ip'
mod_evasive20.c:146: error: 'conn_rec' has no member named 'remote_ip'
mod_evasive20.c:158: error: 'conn_rec' has no member named 'remote_ip'
mod_evasive20.c:165: error: 'conn_rec' has no member named 'remote_ip'
mod_evasive20.c:180: error: 'conn_rec' has no member named 'remote_ip'
mod_evasive20.c:187: error: 'conn_rec' has no member named 'remote_ip'
mod_evasive20.c:208: error: 'conn_rec' has no member named 'remote_ip'
mod_evasive20.c:212: warning: implicit declaration of function 'getpid'
mod_evasive20.c:215: error: 'conn_rec' has no member named 'remote_ip'
mod_evasive20.c:221: error: 'conn_rec' has no member named 'remote_ip'
mod_evasive20.c:222: error: 'conn_rec' has no member named 'remote_ip'
mod_evasive20.c:228: error: 'conn_rec' has no member named 'remote_ip'
apxs:Error: Command failed with rc=65536
.
*** [do-build] Error code 1
Stop in /usr/ports/www/mod_evasive.
</pre>
* Patch the extracted source in the port's work directory (the failed build above has already unpacked it there). Apache 2.4 split the old @remote_ip@ into @client_ip@, the address of the TCP peer, and @useragent_ip@, the client address as adjusted by modules such as mod_remoteip; this one-line rename picks the TCP peer. If Apache sits behind a reverse proxy or load balancer, every request then carries the proxy's address, mod_evasive counts all traffic as one client and ends up blocking the proxy itself, so in that deployment rate-limit at the proxy instead:
<pre>
sed -i '' -e 's/remote_ip/client_ip/g' work/mod_evasive/mod_evasive20.c
</pre>
* Then finish installing mod_evasive:
<pre>
make install clean
</pre>
* Create the mod_evasive config file:
<pre>
vi /usr/local/etc/apache24/modules.d/010_mod_evasive.conf
</pre>
#* And add the following:
<pre>
LoadModule evasive20_module libexec/apache24/mod_evasive20.so
<IfModule evasive20_module>
# Size of the hash table that tracks clients. Larger is faster under load but uses more RAM.
# The table lives in each httpd child's memory, so with prefork each child counts on its own
# and the thresholds below trip later than the raw numbers suggest.
DOSHashTableSize 3097
# Length, in seconds, of the window for the per-page count.
DOSPageInterval 1
# Length, in seconds, of the window for the per-site count.
DOSSiteInterval 1
# Seconds a client stays blocked (every request is answered 403). The timer restarts on each
# request the blocked client makes, so a client that keeps hammering stays blocked.
DOSBlockingPeriod 10
# Requests for the same URI (query string ignored) from one IP within DOSPageInterval before it is blocked.
DOSPageCount 2
# Requests for any URI from one IP on the same listener within DOSSiteInterval before it is blocked.
# A page that pulls in more than this many assets can trip it on one legitimate page load,
# so check the value against your access log before lowering it.
DOSSiteCount 50
# Mail this address when a host is blocked, using the mailer command compiled into the module
# ("/bin/mail -t %s"); confirm that path exists on FreeBSD, where mail(1) lives under /usr/bin.
# A lock file in DOSLogDir suppresses repeat mails for the same host while it is blocked.
DOSEmailNotify admin@example.com
# Run a command when a host is blocked; %s is replaced by the client IP. The same lock file prevents repeated calls.
#DOSSystemCommand "su - someuser -c '/sbin/... %s ...'"
# Directory for the lock files. The default is /tmp, which every local user can write to,
# so a shell user could pre-create lock files and silence the notifications; use a directory owned by the www user.
#DOSLogDir "/var/lock/mod_evasive"
# Never block this address. Wildcards are allowed (127.0.0.*), CIDR notation is not; repeat the directive for more entries.
#DOSWhiteList 127.0.0.1
</IfModule>
</pre>
* Restart apache24 to load mod_evasive (run @service apache24 configtest@ first if you want to catch a syntax error without taking the server down):
<pre>
service apache24 restart
</pre>
* Now check to see that the module loaded correctly:
<pre>
apachectl -M
</pre>
#* _Truncated output_
<pre>
Loaded Modules:
...
evasive20_module (shared)
</pre>
---
h1. Testing mod_evasive
h2. Using Perl
* On a remote machine, create test-evasive.pl:
<pre>
vi test-evasive.pl
</pre>
#* And add the following:
<pre>
#!/usr/bin/perl
# test-evasive.pl: small script to test mod_evasive's effectiveness.
# A new connection is opened for every request, so the server sees each
# hit as a separate request from the same client IP.
use strict;
use warnings;
use IO::Socket;

for (0..100) {
    my $response;
    # Change PeerAddr to the host:port of the server under test.
    my $SOCKET = IO::Socket::INET->new(Proto    => "tcp",
                                       PeerAddr => "www.example.com:80");
    if (! defined $SOCKET) { die "connect failed: $!"; }
    # The query string changes each time, but mod_evasive keys on the URI
    # without it, so every hit counts against the same page (DOSPageCount).
    print $SOCKET "GET /?$_ HTTP/1.0\n\n";
    $response = <$SOCKET>;   # read only the status line, e.g. "HTTP/1.1 403 Forbidden"
    print $response;
    close($SOCKET);
}
</pre>
*NOTE*: Change the *@PeerAddr@* value to the host and port of the server to be tested. The script prints one status line per request, so with the configuration above a working setup answers the first hits with @200 OK@ and switches to @403 Forbidden@ once @DOSPageCount@ is exceeded within the page interval.
* Once the file is saved, run it:
<pre>
perl test-evasive.pl
</pre>
h2. Using Apache Bench
* @ab@, the Apache server benchmarking tool, is installed with apache24 and produces the same kind of burst without a script. Point it at your own server, never at a third party's:
<pre>
ab -n1000 -c1000 http://www.example.com/index.php
</pre>
#* n: Number of requests to perform for the benchmarking session.
#* c: Number of requests to perform concurrently.
#* Requests that mod_evasive blocks are answered with 403, so when the module is working most of the run shows up under _Non-2xx responses_ in the ab summary. If ab aborts with socket errors at this concurrency, lower @-c@ rather than the request count.
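A shell harness that does what the Perl script and ab do but also checks the result, as an added example that is not from the original page or the mod_evasive project: it fires a burst at one URI, reports at which request mod_evasive started answering 403, stays quiet for the blocking period (the block timer restarts on every request a blocked client makes) and confirms the client is unblocked again. It also includes a small access-log summary of which clients received 403s. It assumes @curl@ and @awk@ on the testing machine, that the target URL and @BLOCKING_PERIOD@ match the configuration above, and that the access log is in the common or combined format; any log lines used with it are constructed, not taken from a real server.

```shell
#!/bin/sh
# evasive-check.sh: added example for this page, not part of mod_evasive or the
# original write-up. Sends a burst of requests for one URI, reports when
# mod_evasive starts answering 403, waits out DOSBlockingPeriod and confirms
# the client is unblocked. Needs curl and awk. Assumptions: the target URL
# and the thresholds below are the ones configured in 010_mod_evasive.conf.

BURST="${BURST:-20}"                       # requests in the burst
BLOCKING_PERIOD="${BLOCKING_PERIOD:-10}"   # seconds, same as DOSBlockingPeriod

# Print only the HTTP status of one request for "$1?$2" (000 if the
# connection fails). Kept as a function so a test can stub it out.
fetch_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 5 "$1?$2"
}

# Hit the target $BURST times with distinct query strings, as test-evasive.pl
# does (mod_evasive keys on the URI without the query string), and print one
# status code per line.
burst() {
    i=1
    while [ "$i" -le "$BURST" ]; do
        fetch_status "$1" "$i"
        echo
        i=$((i + 1))
    done
}

# Read status codes (one per line) on stdin and print three numbers:
# "<1-based index of the first 403, 0 if none> <2xx count> <403 count>".
summarize() {
    awk '{
        n++
        if ($1 == 403) { blocked++; if (!first) first = n }
        else if ($1 >= 200 && $1 < 300) ok++
    } END { printf "%d %d %d\n", first + 0, ok + 0, blocked + 0 }'
}

# Read Apache common/combined log lines on stdin and print "<ip> <403 count>"
# for every client that received at least one 403, most blocked first.
# Field 9 is the status code in both log formats.
blocked_clients() {
    awk '$9 == 403 { c[$1]++ } END { for (ip in c) print ip, c[ip] }' | sort -k2,2nr
}

main() {
    target="$1"
    set -- $(burst "$target" | summarize)
    echo "burst of $BURST: first 403 at request $1, $2 succeeded, $3 blocked"
    if [ "$1" -eq 0 ]; then
        echo "nothing was blocked: check DOSPageCount/DOSPageInterval and apachectl -M"
        return 1
    fi
    # The block timer restarts on every request a blocked client makes, so
    # stay silent for the whole period before checking that the block lifted.
    sleep "$((BLOCKING_PERIOD + 1))"
    echo "after ${BLOCKING_PERIOD}s of silence: $(fetch_status "$target" unblock) (expect 200)"
}

# Run the burst only when a URL is given; sourcing the file just defines the functions.
if [ "$#" -gt 0 ]; then
    main "$1"
fi
```

Run it as @sh evasive-check.sh http://www.example.com/@ from a machine that is not whitelisted; to see which real clients have been blocked since the module went live, feed the access log through @blocked_clients@ (@. ./evasive-check.sh; blocked_clients < /var/log/httpd-access.log@, adjusting the log path to your CustomLog setting).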