Mod_Evasive : What is it? Mod_Evasive

Ideal place for discussions related to Linux/Windows server security, Apache, MySQL, MS SQL and PHP, including tutorials and questions.
Site Admin
Posts: 50
Joined: Thu May 30, 2013 10:28 pm

Mod_Evasive : What is it? Mod_Evasive

Postby hrdedicated » Sat Jun 01, 2013 12:06 pm

Install Mod_Evasive


mod_evasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack.

Installation for Apache 2.X:

1. Login to root and fire following cmds

2. mkdir /root/download

3. cd /root/download

4. wget http://www.zdziarski...e_1.10.1.tar.gz

5. tar zxf mode_evasive-1.10.1.tar.gz

6. cd mod_evasive*
then run the following command for apache2...
7. /usr/local/apache/bin/apxs -cia mod_evasive20.c
Once mod evasive is installed, place the following lines in your
8. vi /etc/httpd/conf/httpd.conf
9. Add following under the Loadmodule TAB

<IfModule mod_evasive.c>
DOSHashTableSize 3097
DOSPageCount 5
DOSSiteCount 25
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10

10. Check httpd configuration using cmd: service httpd configtest >> result should be “OK”
11 . Restart Apache/httpd service on the server
service httpd stop and service httpd start

There are a lot of ways to configure mod_evasive. See below manual configuration for mod_evasive:


Size of the hash table. The greater this setting, the more memory is required for the look up table, but also the faster the look ups are processed. This option will automatically round up to the nearest prime number.


Number of requests for the same page within the ‘DOSPageInterval’ interval that will get an IP address added to the blocking list.


Same as ‘DOSPageCount’, but corresponds to the number of requests for a given site, and uses the ‘DOSSiteInterval’ interval.


Interval for the ‘DOSPageCount’ threshold in second intervals.


Interval for the ‘DOSSiteCount’ threshold in second intervals.


Blocking period in seconds if any of the thresholds are met. The user will recieve a 403 (Forbidden) when blocked, and the timer will be reset each time the site gets hit when the user is still blocked.


If this value is set, an email will be sent to the address specified
whenever an IP address becomes blacklisted. A locking mechanism using /tmp
prevents continuous emails from being sent.
PS: The mod_evasive is not the only way to prevent DDoS attack, and not guarantee would be a perfect way to stop the attacker from attacking you.

Return to “System Security”

Who is online

Users browsing this forum: No registered users and 1 guest