Installing mod_evasive with Sun’s Webstack
I’ve been running Webstack builds on some of my servers for a while now, and have been pretty happy with the performance and the ease of configuration. One of my webhosts deals with some pretty high traffic, and odds are that such a visible machine will sooner or later come under a DoS attack.
mod_evasive is an Apache module specifically designed to deal with this. From the author’s site:
mod_evasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and etcetera. mod_evasive presently reports abuses via email and syslog facilities.
So this is how you go about installing mod_evasive when using Sun’s Webstack build of Apache. Apache’s extension tool (apxs) makes this a quick and simple task, but bear in mind that you will need the Sun Studio compiler installed on your build box. Because you’re not throwing this together on a live webserver, right?
Just to provide the numbers for the build environment I’ve used in this example – I’ve got Sun Studio 12 Update 1 installed, and the box is running Solaris 10 10/09, with Webstack 1.5, which gives me Apache 2.2.11. However there’s nothing too specific, version wise, in any of this, and the process should be the pretty much the same for different versions of Webstack and Solaris 10.
First of all, head on over to Jonathan Zdziarski’s site to download the latest version (1.10.1 as of writing this).
bash-3.00# wget http://www.zdziarski.com/blog/wp-content/uploads/2010/02/mod_evasive_1.10.1.tar.gz --09:29:02-- http://www.zdziarski.com/blog/wp-content/uploads/2010/02/mod_evasive_1.10.1.tar.gz => `mod_evasive_1.10.1.tar.gz' Resolving www.zdziarski.com... 126.96.36.199 Connecting to www.zdziarski.com|188.8.131.52|:80... connected. HTTP request sent, awaiting response... 200 OK Length: 20,454 (20K) [application/x-tar] 100%[====================================>] 20,454 62.37K/s 09:29:03 (62.25 KB/s) - `mod_evasive_1.10.1.tar.gz' saved [20454/20454]
Then uncompress the archive and extract the files:
bash-3.00# gzcat mod_evasive_1.10.1.tar.gz | tar -xvf - x mod_evasive, 0 bytes, 0 tape blocks x mod_evasive/.cvsignore, 26 bytes, 1 tape blocks x mod_evasive/LICENSE, 18103 bytes, 36 tape blocks x mod_evasive/Makefile.tmpl, 470 bytes, 1 tape blocks x mod_evasive/README, 14269 bytes, 28 tape blocks x mod_evasive/mod_evasive.c, 19395 bytes, 38 tape blocks x mod_evasive/mod_evasive20.c, 18242 bytes, 36 tape blocks x mod_evasive/mod_evasiveNSAPI.c, 15621 bytes, 31 tape blocks x mod_evasive/test.pl, 406 bytes, 1 tape blocks x mod_evasive/CHANGELOG, 1373 bytes, 3 tape blocks
With Webstack, apxs can be found at /opt/webstack/apache2/2.2/bin/apxs
Simple call apxs and get it to build the Apache 2.0 version of the mod_evasive module:
bash-3.00# /opt/webstack/apache2/2.2/bin/apxs -cia mod_evasive20.c
Important point here – if you expect this to work, you’ll need at least the following setup:
bash-3.00# export PATH=/usr/ccs/bin:/opt/sunstudio12.1/bin:$PATH
apxs will run off, compile the module, and copy everything into place, and then the final message it gives you is this:
[activating module `evasive20' in /etc/opt/webstack/apache2/2.2/conf.d/modules-32.load]
And sure enough, we’ve now got:
bash-3.00# grep evasive /etc/opt/webstack/apache2/2.2/conf.d/modules-32.load LoadModule evasive20_module /var/opt/webstack/apache2/2.2/libexec/mod_evasive20.so
Looking good so far, but we have a final chunk of configuration to put into place. mod_evasive needs a few tunables adding to control how it responds to traffic. These are some sensible defaults which I’d recommend trying out initially:
<IfModule mod_evasive20.c> DOSHashTableSize 3097 DOSPageCount 2 DOSSiteCount 50 DOSPageInterval 1 DOSSiteInterval 1 DOSBlockingPeriod 10 </IfModule>
I highly recommend reading through the README that came with the source, and then keeping a sharp eye on what your webserver does, to see if you need to tweak any defaults. I’d also suggest adding the email alerting option inside the IfModule configuration:
DOSEmailNotify [email protected]
Now you just need to restart Apache:
bash-3.00# svcadm restart sun-apache22 bash-3.00# svcs sun-apache22 STATE STIME FMRI online 9:56:05 svc:/network/http:sun-apache22
mod_evasive comes with a test script – test.pl – and I’d recommend running that in your test/build environment, to check that everything works as it should.
Hopefully this has shown how easy it is to build mod_evasive DoS protection into Sun’s Webstack build of Apache running on Solaris 10.