Part 10: Install and configure mod_evasive for Apache 2.4.x

mod_evasive provides (D)DoS detection, alerting and throttling for Apache.

1) Install mod_evasive

cd
wget http://www.zdziarski.com/blog/wp-content/uploads/2010/02/mod_evasive_1.10.1.tar.gz
tar zxvf mod_evasive_*
cd mod_evasive

2) Modify mod_evasive20.c to conform to the Apache 2.4.x API.
If you try to build mod_evasive20.c against Apache 2.4.x as-is, you will receive the following errors:

mod_evasive20.c: In function 'access_checker':
mod_evasive20.c:142: error: 'conn_rec' has no member named 'remote_ip'
mod_evasive20.c:146: error: 'conn_rec' has no member named 'remote_ip'
mod_evasive20.c:158: error: 'conn_rec' has no member named 'remote_ip'
mod_evasive20.c:165: error: 'conn_rec' has no member named 'remote_ip'
mod_evasive20.c:180: error: 'conn_rec' has no member named 'remote_ip'
mod_evasive20.c:187: error: 'conn_rec' has no member named 'remote_ip'
mod_evasive20.c:208: error: 'conn_rec' has no member named 'remote_ip'
mod_evasive20.c:212: warning: implicit declaration of function 'getpid'
mod_evasive20.c:215: error: 'conn_rec' has no member named 'remote_ip'
mod_evasive20.c:221: error: 'conn_rec' has no member named 'remote_ip'
mod_evasive20.c:222: error: 'conn_rec' has no member named 'remote_ip'
mod_evasive20.c:228: error: 'conn_rec' has no member named 'remote_ip'
apxs:Error: Command failed with rc=65536

Apache 2.4 renamed conn_rec->remote_ip to conn_rec->client_ip (the field this module reads), so copy the source and rename the field everywhere:

cp mod_evasive{20,24}.c
sed -i 's/remote_ip/client_ip/g' mod_evasive24.c

3) Build mod_evasive for Apache 2.4.x:

apxs -i -a -c mod_evasive24.c

4) Add the following to /etc/httpd/conf/httpd.conf, maybe right below the :

Include conf/modevasion.conf

5) Generate /etc/httpd/conf/modevasion.conf (run this in a shell; the file itself must contain only the directives and comments):

cat > /etc/httpd/conf/modevasion.conf <<'EOF'

    # Increases the size of the hash table. Good, but uses more RAM.
    DOSHashTableSize    3097
    # Page interval, in seconds.
    DOSPageInterval     1
    # Site interval, in seconds.
    DOSSiteInterval     1
    # Period, in seconds, a client is blocked. The block timer is reset with every access within this interval.
    DOSBlockingPeriod   10
    # Threshold of requests for the same page per page interval. If hit, the client is blocked.
    DOSPageCount        2
    # Threshold of requests for any object by the same IP, on the same listener, per site interval.
    DOSSiteCount        50
    # A locking mechanism prevents repeated calls. An email can be sent when a host is blocked (by default via "/bin/mail -t %s").
    DOSEmailNotify      mbrown@domainy.com
    # A locking mechanism prevents repeated calls. A command can be executed when a host is blocked. %s is the host IP.
    #DOSSystemCommand    "su - someuser -c '/sbin/... %s ...'"
    #DOSLogDir           "/var/lock/mod_evasive"
    # Whitelist an IP. Wildcards such as 127.0.0.* are supported; CIDR notation is not.
    #DOSWhiteList 127.0.0.1

EOF

6) To further reduce the impact of a DoS attack, set MaxRequestsPerChild above 10000, but not to unlimited. See the mod_evasive README and the Apache docs.
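To make the thresholds in modevasion.conf concrete, here is a small Python model of the module's per-request check. It is an added example for this page, not mod_evasive's own code, and it simplifies: the hit counter starts at 1 on the first request, and the "one notification per block" rule is kept as a list instead of the lock file mod_evasive writes under DOSLogDir. The request sequence is constructed, not from a real log. Everything is keyed on the address the module reads (conn_rec->client_ip after the rename above), i.e. the directly connected peer, so behind a reverse proxy all clients would share one set of counters.

```python
from fnmatch import fnmatch


class EvasiveModel:
    """Simplified model of mod_evasive's per-request check (added example).

    Keys in `table` follow the module's scheme: "<ip>_<uri>" for the page
    counter, "<ip>_SITE" for the site counter, and the bare ip for a block.
    """

    def __init__(self, page_count=2, page_interval=1, site_count=50,
                 site_interval=1, blocking_period=10, whitelist=()):
        # Values mirror the modevasion.conf directives of the same name.
        self.page_count = page_count              # DOSPageCount
        self.page_interval = page_interval        # DOSPageInterval
        self.site_count = site_count              # DOSSiteCount
        self.site_interval = site_interval        # DOSSiteInterval
        self.blocking_period = blocking_period    # DOSBlockingPeriod
        self.whitelist = tuple(whitelist)         # DOSWhitelist wildcard patterns
        self.table = {}     # key -> [last_timestamp, count]
        self.alerts = []    # (ip, block_start); stands in for DOSEmailNotify/DOSSystemCommand

    def _whitelisted(self, ip):
        return any(fnmatch(ip, pattern) for pattern in self.whitelist)

    def _over_limit(self, key, t, limit, interval):
        """Count a hit against `key`; True when `limit` hits already fell inside `interval`."""
        entry = self.table.get(key)
        if entry is None:
            self.table[key] = [t, 1]
            return False
        last, count = entry
        if t - last < interval and count >= limit:
            return True
        if t - last >= interval:
            count = 0               # interval elapsed: start counting again
        entry[0], entry[1] = t, count + 1
        return False

    def check(self, ip, uri, t):
        """Return 200 or 403 for one request arriving at time `t` (seconds)."""
        if self._whitelisted(ip):
            return 200
        hold = self.table.get(ip)
        if hold is not None and t - hold[0] < self.blocking_period:
            hold[0] = t             # every hit during a block restarts the timer
            return 403
        page_hit = self._over_limit(f"{ip}_{uri}", t, self.page_count, self.page_interval)
        site_hit = self._over_limit(f"{ip}_SITE", t, self.site_count, self.site_interval)
        if page_hit or site_hit:
            self.table[ip] = [t, 0]           # put the ip on hold
            self.alerts.append((ip, t))       # one notification per block
            return 403
        return 200


def replay(model, requests):
    """Status per request for a sequence of (timestamp, ip, uri) tuples."""
    return [model.check(ip, uri, t) for t, ip, uri in requests]


# Constructed sample traffic (not a real log): one client hammering a page,
# then a whitelisted loopback client doing the same.
SAMPLE_REQUESTS = [
    (100.0, "203.0.113.7", "/index.html"),
    (100.2, "203.0.113.7", "/index.html"),
    (100.4, "203.0.113.7", "/index.html"),  # 3rd hit in 1 s with DOSPageCount 2: blocked
    (100.6, "203.0.113.7", "/about.html"),  # inside DOSBlockingPeriod: 403
    (109.0, "203.0.113.7", "/about.html"),  # still blocked, timer restarts at 109.0
    (118.0, "203.0.113.7", "/index.html"),  # only 9 s after the last hit: still blocked
    (129.0, "203.0.113.7", "/index.html"),  # 11 s idle: block expired, counters reset
    (130.0, "127.0.0.1", "/index.html"),
    (130.1, "127.0.0.1", "/index.html"),
    (130.2, "127.0.0.1", "/index.html"),
    (130.3, "127.0.0.1", "/index.html"),    # matches DOSWhitelist 127.0.0.*: never blocked
]


def demo():
    """Replay the sample with the thresholds from modevasion.conf above."""
    model = EvasiveModel(whitelist=("127.0.0.*",))
    return replay(model, SAMPLE_REQUESTS), model.alerts


if __name__ == "__main__":
    statuses, alerts = demo()
    for (t, ip, uri), status in zip(SAMPLE_REQUESTS, statuses):
        print(f"{t:6.1f} {ip:<14} {uri:<12} {status}")
    print("alerts:", alerts)
```

Run it as a script to print the status of every sample request. The trace shows why the blocking period is "sticky": a client that keeps retrying during the block keeps resetting the timer and never gets out. To see the DOSSiteCount path, build a model with a small site_count and replay a burst to distinct URIs from one address.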

  1. Leo Prince
    July 23, 2014 at 2:56 pm

    Thanks… That’s a good solution for Apache 2.4.

  2. September 25, 2015 at 8:21 am

    resolved it.

    • September 25, 2015 at 8:26 am

      My bust. Great! Happy to help.

  3. Nhan
    September 25, 2015 at 4:38 pm

    Hi.
    After I follow step 5, I restart httpd, but I see some errors:

    AH00526: Syntax error on line 1 of /usr/local/apache/conf/modevasion.conf:
    Invalid command ‘echo’, perhaps misspelled or defined by a module not included in the server configuration

    Help..

  4. Nhan
    September 28, 2015 at 9:28 am

    resolved it.

  5. Victor Macaulay
    January 28, 2016 at 8:09 am

    Hello Pals,

    I am having a similar issue with installing mod_jk.so… and I am stuck at this point of the installation…

    I am following this guide. Please see the error below and advise. Thanks.

    ==========================================
    http://www.serveridol.com/2015/02/03/how-do-i-install-mod_jk-on-apache-2-4-webserver/

    =======================================

    [root@localhost native]# make && make install
    Making all in common
    make[1]: Entering directory `/usr/local/src/tomcat-connectors-1.2.31-src/native/common'
    make[1]: Nothing to be done for `all'.
    make[1]: Leaving directory `/usr/local/src/tomcat-connectors-1.2.31-src/native/common'
    Making all in apache-2.0
    make[1]: Entering directory `/usr/local/src/tomcat-connectors-1.2.31-src/native/apache-2.0'
    /usr/lib64/apr-1/build/libtool --silent --mode=compile gcc -std=gnu99 -I/usr/include/httpd  -DHAVE_CONFIG_H -DUSE_APACHE_MD5 -I ../common -I /include -I /include/unix   -DLINUX -D_REENTRANT -D_GNU_SOURCE -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -pthread -DHAVE_APR  -I/usr/include/apr-1 -I/usr/include/apr-1  -DHAVE_CONFIG_H -pthread -DLINUX -D_REENTRANT -D_GNU_SOURCE -c mod_jk.c -o mod_jk.lo
    mod_jk.c: In function 'init_ws_service':
    mod_jk.c:735:39: error: 'conn_rec' has no member named 'remote_ip'
             s->remote_addr = r->connection->remote_ip;
                                           ^
    mod_jk.c:999:46: error: 'conn_rec' has no member named 'remote_ip'
                    STRNULL_FOR_NULL(r->connection->remote_ip),
                                                  ^
    mod_jk.c:124:31: note: in definition of macro 'STRNULL_FOR_NULL'
     #define STRNULL_FOR_NULL(x) ((x) ? (x) : "(null)")
                                   ^
    mod_jk.c:999:46: error: 'conn_rec' has no member named 'remote_ip'
                    STRNULL_FOR_NULL(r->connection->remote_ip),
                                                  ^
    mod_jk.c:124:37: note: in definition of macro 'STRNULL_FOR_NULL'
     #define STRNULL_FOR_NULL(x) ((x) ? (x) : "(null)")
                                         ^
    make[1]: *** [mod_jk.lo] Error 1
    make[1]: Leaving directory `/usr/local/src/tomcat-connectors-1.2.31-src/native/apache-2.0'
    make: *** [all-recursive] Error 1
    [root@localhost native]# make
    Making all in common
    make[1]: Entering directory `/usr/local/src/tomcat-connectors-1.2.31-src/native/common'
    make[1]: Nothing to be done for `all'.
    make[1]: Leaving directory `/usr/local/src/tomcat-connectors-1.2.31-src/native/common'
    Making all in apache-2.0
    make[1]: Entering directory `/usr/local/src/tomcat-connectors-1.2.31-src/native/apache-2.0'
    /usr/lib64/apr-1/build/libtool --silent --mode=compile gcc -std=gnu99 -I/usr/include/httpd  -DHAVE_CONFIG_H -DUSE_APACHE_MD5 -I ../common -I /include -I /include/unix   -DLINUX -D_REENTRANT -D_GNU_SOURCE -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -pthread -DHAVE_APR  -I/usr/include/apr-1 -I/usr/include/apr-1  -DHAVE_CONFIG_H -pthread -DLINUX -D_REENTRANT -D_GNU_SOURCE -c mod_jk.c -o mod_jk.lo
    mod_jk.c: In function 'init_ws_service':
    mod_jk.c:735:39: error: 'conn_rec' has no member named 'remote_ip'
             s->remote_addr = r->connection->remote_ip;
                                           ^
    mod_jk.c:999:46: error: 'conn_rec' has no member named 'remote_ip'
                    STRNULL_FOR_NULL(r->connection->remote_ip),
                                                  ^
    mod_jk.c:124:31: note: in definition of macro 'STRNULL_FOR_NULL'
     #define STRNULL_FOR_NULL(x) ((x) ? (x) : "(null)")
                                   ^
    mod_jk.c:999:46: error: 'conn_rec' has no member named 'remote_ip'
                    STRNULL_FOR_NULL(r->connection->remote_ip),
                                                  ^
    mod_jk.c:124:37: note: in definition of macro 'STRNULL_FOR_NULL'
     #define STRNULL_FOR_NULL(x) ((x) ? (x) : "(null)")
                                         ^
    make[1]: *** [mod_jk.lo] Error 1
    make[1]: Leaving directory `/usr/local/src/tomcat-connectors-1.2.31-src/native/apache-2.0'
    make: *** [all-recursive] Error 1
    [root@localhost native]#
    
    • February 1, 2016 at 12:29 pm

      You need to change all instances of the string “remote_ip” in mod_jk.c and change them to “conn_rec”. You should be able to run the same `sed` line against mod_jk.c that I ran against `mod_evasive.c`. Locate mod_jk.c, then make the change as noted in the original post.

  6. February 1, 2016 at 12:36 pm

    Hello Brown,

    Thanks for the response. This issue was resolved by installing a new version of mod_jk.so 4.1…

    Thanks.

  7. Marco Lazzarotto
    April 19, 2016 at 9:24 am

    Hi, I followed all the steps, but the mod_evasive isn’t loading.
    I renamed the file from mod_evasive20.c to mod_evasive24.c, then I used sed.
    After that I used apxs -iac mod_evasive24.c.
    I also added the line

    LoadModule evasive20_module               /usr/lib64/apache2/mod_evasive24.so

    to /etc/apache2/loadmodule.conf but the module isn’t working!
    Can you help me?

    • April 19, 2016 at 10:24 am

      What is your error?

      • Marco Lazzarotto
        April 19, 2016 at 10:31 am

        I don’t have any error; the module simply is not blocking any connection. I tried by keeping F5 pressed and also with the test in the package.

  8. An Admin
    June 21, 2017 at 7:24 am

    Maybe “apxs” isn’t installed, so let’s do the trick:
    `apt-get install apache2-dev`

  9. Allen Weng
    August 23, 2017 at 2:02 pm

    Hi, as for ‘r->connection->client_ip’, you can also use ‘r->useragent_ip’:

    https://httpd.apache.org/docs/2.4/developer/new_api_2_4.html

    When you require the IP address of the user agent, which might be connected directly to the server, or might optionally be separated from the server by a transparent load balancer or proxy, use request_rec->useragent_ip and request_rec->useragent_addr.

    When you require the IP address of the client that is connected directly to the server, which might be the useragent or might be the load balancer or proxy itself, use conn_rec->client_ip and conn_rec->client_addr.
