Part 10: Install and configure mod_evasive for Apache 2.4.x

mod_evasive provides (D)DOS detection, alerting and throttling.

1) Install mod_evasive

cd
wget http://www.zdziarski.com/blog/wp-content/uploads/2010/02/mod_evasive_1.10.1.tar.gz
tar zxvf mod_evasive_*
cd mod_evasive

2) Modify mod_evasive20.c to conform to Apache 2.4.x:
If you attempt to build mod_evasive20.c against Apache 2.4.x, you will receive the following errors:

mod_evasive20.c: In function 'access_checker':
mod_evasive20.c:142: error: 'conn_rec' has no member named 'remote_ip'
mod_evasive20.c:146: error: 'conn_rec' has no member named 'remote_ip'
mod_evasive20.c:158: error: 'conn_rec' has no member named 'remote_ip'
mod_evasive20.c:165: error: 'conn_rec' has no member named 'remote_ip'
mod_evasive20.c:180: error: 'conn_rec' has no member named 'remote_ip'
mod_evasive20.c:187: error: 'conn_rec' has no member named 'remote_ip'
mod_evasive20.c:208: error: 'conn_rec' has no member named 'remote_ip'
mod_evasive20.c:212: warning: implicit declaration of function 'getpid'
mod_evasive20.c:215: error: 'conn_rec' has no member named 'remote_ip'
mod_evasive20.c:221: error: 'conn_rec' has no member named 'remote_ip'
mod_evasive20.c:222: error: 'conn_rec' has no member named 'remote_ip'
mod_evasive20.c:228: error: 'conn_rec' has no member named 'remote_ip'
apxs:Error: Command failed with rc=65536

In Apache 2.4.x, remote_ip has been renamed to client_ip (in this case), so copy the source file and replace the name:

cp mod_evasive{20,24}.c
sed -i 's/remote_ip/client_ip/g' mod_evasive24.c

3) Build mod_evasive for Apache 2.4.x:

apxs -i -a -c mod_evasive24.c

4) Add the following to /etc/httpd/conf/httpd.conf, maybe right below the :

Include conf/modevasion.conf

5) Generate /etc/httpd/conf/modevasion.conf

echo "" > /etc/httpd/conf/modevasion.conf
echo "    #increases size of hash table. Good, but uses more RAM." >> /etc/httpd/conf/modevasion.conf
echo "    DOSHashTableSize    3097" >> /etc/httpd/conf/modevasion.conf
echo "    #Interval, in seconds, of the page interval." >> /etc/httpd/conf/modevasion.conf
echo "    DOSPageInterval     1" >> /etc/httpd/conf/modevasion.conf
echo "    #Interval, in seconds, of the site interval." >> /etc/httpd/conf/modevasion.conf
echo "    DOSSiteInterval     1" >> /etc/httpd/conf/modevasion.conf
echo "    #period, in seconds, a client is blocked.  The counter is reset to 0 with every access within this interval." >> /etc/httpd/conf/modevasion.conf
echo "    DOSBlockingPeriod   10" >> /etc/httpd/conf/modevasion.conf
echo "    #threshold of requests per page, per page interval.  If hit == block." >> /etc/httpd/conf/modevasion.conf
echo "    DOSPageCount        2" >> /etc/httpd/conf/modevasion.conf
echo "    #threshold of requests for any object by the same ip, on the same listener, per site interval." >> /etc/httpd/conf/modevasion.conf
echo "    DOSSiteCount        50" >> /etc/httpd/conf/modevasion.conf
echo "    #locking mechanism prevents repeated calls.  email can be sent when host is blocked (leverages the following by default \"/bin/mail -t %s\")" >> /etc/httpd/conf/modevasion.conf
echo "    DOSEmailNotify      mbrown@domainy.com" >> /etc/httpd/conf/modevasion.conf
echo "    #locking mechanism prevents repeated calls.  A command can be executed when a host is blocked.  %s is the host IP." >> /etc/httpd/conf/modevasion.conf
echo "    #DOSSystemCommand    \"su - someuser -c '/sbin/... %s ...'\"" >> /etc/httpd/conf/modevasion.conf
echo "    #DOSLogDir           \"/var/lock/mod_evasive\"" >> /etc/httpd/conf/modevasion.conf
echo "    #whitelist an IP., leverage wildcards, not CIDR, like 127.0.0.*" >> /etc/httpd/conf/modevasion.conf
echo "    #DOSWhiteList 127.0.0.1" >> /etc/httpd/conf/modevasion.conf
echo "" >> /etc/httpd/conf/modevasion.conf
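
To see how the thresholds written in step 5 interact, the following added example (not part of the original post and not mod_evasive's code) replays constructed request lines through a simplified model of the directives as the config comments describe them. The function names, the "epoch ip uri" input format and the fixed-window counting are assumptions of this sketch, so the exact request on which the real module trips can differ.

```shell
#!/bin/sh
# Simplified model of the thresholds set in modevasion.conf (added example,
# not mod_evasive's source). Input on stdin: "<epoch-seconds> <ip> <uri>".
# Output: the same line with the modelled status (200 or 403) appended.
evasive_sim() {
  awk -v page_count=2 -v page_interval=1 \
      -v site_count=50 -v site_interval=1 -v blocking_period=10 '
  # Count a hit for key k at time t; return 1 if it exceeds limit in interval.
  function hit(k, t, limit, interval) {
    if (!(k in start) || t - start[k] >= interval) { start[k] = t; count[k] = 0 }
    count[k]++
    return count[k] > limit
  }
  {
    t = $1; ip = $2; uri = $3
    if ((ip in blocked) && t - blocked[ip] < blocking_period) {
      blocked[ip] = t            # every access while blocked restarts the timer
      print $0, 403; next
    }
    over_page = hit(ip "|" uri, t, page_count, page_interval)
    over_site = hit(ip "|SITE", t, site_count, site_interval)
    if (over_page || over_site) { blocked[ip] = t; print $0, 403 }
    else print $0, 200
  }'
}

# Constructed sample traffic (documentation address range), not real logs.
sample_traffic() {
  cat <<'EOF'
100 192.0.2.10 /index.html
100 192.0.2.20 /index.html
100 192.0.2.10 /index.html
100 192.0.2.10 /index.html
105 192.0.2.10 /about.html
114 192.0.2.10 /about.html
125 192.0.2.10 /about.html
EOF
}

sample_traffic | evasive_sim
```

With DOSPageCount 2 and DOSPageInterval 1, the third same-second request for one URI is refused in this model, and the requests at 105 and 114 keep the client blocked because each one restarts the 10-second DOSBlockingPeriod.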

6) If you need to further minimize traffic from DoS attacks, set MaxRequestsPerChild above 10000, but not unlimited. See the mod_evasive README and Apache docs.

  1. Leo Prince
    July 23, 2014 at 2:56 pm

    Thanks… That’s a good solution for Apache 2.4.

  2. September 25, 2015 at 8:21 am

    resolved it.

    • September 25, 2015 at 8:26 am

      My bust. Great! Happy to help.

  3. Nhan
    September 25, 2015 at 4:38 pm

    Hi.
    After I follow step 5, I restart httpd, but I see some error:

    AH00526: Syntax error on line 1 of /usr/local/apache/conf/modevasion.conf:
    Invalid command ‘echo’, perhaps misspelled or defined by a module not included in the server configuration

    Help..

  4. Nhan
    September 28, 2015 at 9:28 am

    resolved it.

  5. Victor Macaulay
    January 28, 2016 at 8:09 am

    Hello Pals,

    I am having a similar issue with installing mod_jk.so… and I am stuck at this point of installation…

    I am following this guide.. please see the error below and advise.. Thanks..

    ==========================================
    http://www.serveridol.com/2015/02/03/how-do-i-install-mod_jk-on-apache-2-4-webserver/

    =======================================

    [root@localhost native]# make && make install
    Making all in common
    make[1]: Entering directory `/usr/local/src/tomcat-connectors-1.2.31-src/native/common'
    make[1]: Nothing to be done for `all'.
    make[1]: Leaving directory `/usr/local/src/tomcat-connectors-1.2.31-src/native/common'
    Making all in apache-2.0
    make[1]: Entering directory `/usr/local/src/tomcat-connectors-1.2.31-src/native/apache-2.0'
    /usr/lib64/apr-1/build/libtool --silent --mode=compile gcc -std=gnu99 -I/usr/include/httpd  -DHAVE_CONFIG_H -DUSE_APACHE_MD5 -I ../common -I /include -I /include/unix   -DLINUX -D_REENTRANT -D_GNU_SOURCE -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -  m64 -mtune=generic -pthread -DHAVE_APR  -I/usr/include/apr-1 -I/usr/include/apr-1  -DHAVE_CONFIG_H -pthread -DLINUX -D_REENTRANT -D_GNU_SOURCE -c mod_jk.c -o mod_jk.l  o
    mod_jk.c: In function 'init_ws_service':
    mod_jk.c:735:39: error: 'conn_rec' has no member named 'remote_ip'
             s->remote_addr = r->connection->remote_ip;
                                           ^
    mod_jk.c:999:46: error: 'conn_rec' has no member named 'remote_ip'
                    STRNULL_FOR_NULL(r->connection->remote_ip),
                                                  ^
    mod_jk.c:124:31: note: in definition of macro 'STRNULL_FOR_NULL'
     #define STRNULL_FOR_NULL(x) ((x) ? (x) : "(null)")
                                   ^
    mod_jk.c:999:46: error: 'conn_rec' has no member named 'remote_ip'
                    STRNULL_FOR_NULL(r->connection->remote_ip),
                                                  ^
    mod_jk.c:124:37: note: in definition of macro 'STRNULL_FOR_NULL'
     #define STRNULL_FOR_NULL(x) ((x) ? (x) : "(null)")
                                         ^
    make[1]: *** [mod_jk.lo] Error 1
    make[1]: Leaving directory `/usr/local/src/tomcat-connectors-1.2.31-src/native/apache-2.0'
    make: *** [all-recursive] Error 1
    [root@localhost native]# make
    Making all in common
    make[1]: Entering directory `/usr/local/src/tomcat-connectors-1.2.31-src/native/common'
    make[1]: Nothing to be done for `all'.
    make[1]: Leaving directory `/usr/local/src/tomcat-connectors-1.2.31-src/native/common'
    Making all in apache-2.0
    make[1]: Entering directory `/usr/local/src/tomcat-connectors-1.2.31-src/native/apache-2.0'
    /usr/lib64/apr-1/build/libtool --silent --mode=compile gcc -std=gnu99 -I/usr/include/httpd  -DHAVE_CONFIG_H -DUSE_APACHE_MD5 -I ../common -I /include -I /include/unix   -DLINUX -D_REENTRANT -D_GNU_SOURCE -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -  m64 -mtune=generic -pthread -DHAVE_APR  -I/usr/include/apr-1 -I/usr/include/apr-1  -DHAVE_CONFIG_H -pthread -DLINUX -D_REENTRANT -D_GNU_SOURCE -c mod_jk.c -o mod_jk.l  o
    mod_jk.c: In function 'init_ws_service':
    mod_jk.c:735:39: error: 'conn_rec' has no member named 'remote_ip'
             s->remote_addr = r->connection->remote_ip;
                                           ^
    mod_jk.c:999:46: error: 'conn_rec' has no member named 'remote_ip'
                    STRNULL_FOR_NULL(r->connection->remote_ip),
                                                  ^
    mod_jk.c:124:31: note: in definition of macro 'STRNULL_FOR_NULL'
     #define STRNULL_FOR_NULL(x) ((x) ? (x) : "(null)")
                                   ^
    mod_jk.c:999:46: error: 'conn_rec' has no member named 'remote_ip'
                    STRNULL_FOR_NULL(r->connection->remote_ip),
                                                  ^
    mod_jk.c:124:37: note: in definition of macro 'STRNULL_FOR_NULL'
     #define STRNULL_FOR_NULL(x) ((x) ? (x) : "(null)")
                                         ^
    make[1]: *** [mod_jk.lo] Error 1
    make[1]: Leaving directory `/usr/local/src/tomcat-connectors-1.2.31-src/native/apache-2.0'
    make: *** [all-recursive] Error 1
    [root@localhost native]#
    
    • February 1, 2016 at 12:29 pm

      You need to change all instances of the string “remote_ip” in mod_jk.c and change them to “conn_rec”. You should be able to run the same `sed` line against mod_jk.c that I ran against `mod_evasive.c`. Locate mod_jk.c then make the change as noted in the original post.

  6. February 1, 2016 at 12:36 pm

    Hello Brown,

    Thanks for the response.. This issue was resolved by installing a new version of mod_jk.so 4.1…

    Thanks.

  7. Marco Lazzarotto
    April 19, 2016 at 9:24 am

    Hi, I followed all the steps, but the mod_evasive isn’t loading.
    I renamed the file from mod_evasive20.c to mod_evasive24.c, then I used sed.
    After that I used apxs -iac mod_evasive24.c.
    I also added the line

    LoadModule evasive20_module               /usr/lib64/apache2/mod_evasive24.so
    

    to /etc/apache2/loadmodule.conf but the module isn’t working!
    Can you help me?

    • April 19, 2016 at 10:24 am

      What is your error?

      • Marco Lazzarotto
        April 19, 2016 at 10:31 am

        I don’t have any error, simply the module is not blocking any connection. I tried by keeping pressed F5 and also by the test in the package
