apache DDos防范模块 mod_evasive
什么是mod_evasive?
mod_evasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and etcetera. mod_evasive presently reports abuses via email and syslog facilities.
Detection is performed by creating an internal dynamic hash table of IP Addresses and URIs, and denying any single IP address from any of the following:
- Requesting the same page more than a few times per second
- Making more than 50 concurrent requests on the same child per second
- Making any requests while temporarily blacklisted (on a blocking list)
This method has worked well in both single-server script attacks as well as distributed attacks, but just like other evasive tools, is only as useful to the point of bandwidth and processor consumption (e.g. the amount of bandwidth and processor required to receive/process/respond to invalid requests), which is why it’s a good idea to integrate this with your firewalls and routers for maximum protection.
This module instantiates for each listener individually, and therefore has a built-in cleanup mechanism and scaling capabilities. Because of this per-child design, legitimate requests are never compromised (even from proxies and NAT addresses) but only scripted attacks. Even a user repeatedly clicking on ‘reload’ should not be affected unless they do it maliciously. mod_evasive is fully tweakable through the Apache configuration file, easy to incorporate into your web server, and easy to use.
官方网站:http://www.nuclearelephant.com/projects/mod_evasive/
原理
mod_evasive是apache防范DDOS攻击的模块,其原理大致如下:
有新访问到达时:
- 查看黑名单中是否有该客户IP。
- 将IP和请求URL一起HASH;查找HASH表看过去1秒是否连续请求同一页。
- 将IP和请求URL一起HASH;查找HASH表看过去1秒是否请求超过50个连接。
满足任意一条就返回403并阻止该IP一定时间,该时间由DOSSiteInterval决定。
1、安装mod_evasive
bear@bear-laptop:~$ sudo apt-get install libapache2-mod-e
libapache2-mod-encoding libapache2-mod-evasive
bear@bear-laptop:~$ sudo apt-get install libapache2-mod-evasive
[sudo] password for bear:
正在读取软件包列表… 完成
正在分析软件包的依赖关系树
正在读取状态信息… 完成
下列软件包是自动安装的并且现在不再被使用了:
linux-headers-2.6.31-14 linux-headers-2.6.31-14-generic
使用’apt-get autoremove’来删除它们
下列【新】软件包将被安装:
libapache2-mod-evasive
共升级了 0 个软件包,新安装了 1 个软件包,要卸载 0 个软件包,有 0 个软件未被升级。
需要下载 15.9kB 的软件包。
解压缩后会消耗掉 115kB 的额外空间。
获取:1 http://ubuntu.cn99.com karmic/universe libapache2-mod-evasive 1.10.1-1 [15.9kB]
下载 15.9kB,耗时 0 秒 (121kB/s)
选中了曾被取消选择的软件包 libapache2-mod-evasive。
(正在读取数据库 … 系统当前总共安装有 151313 个文件和目录。)
正在解压缩 libapache2-mod-evasive (从 …/libapache2-mod-evasive_1.10.1-1_amd64.deb) …
正在设置 libapache2-mod-evasive (1.10.1-1) …
* Reloading web server config apache2 apache2: Could not reliably determine the server’s fully qualified domain name, using 127.0.1.1 for ServerName
[ OK ]
bear@bear-laptop:~$
2、配置mod_evasive
sudo vi /etc/apache/conf.d/mod_evasive
#添加以下:
<IfModule mod_evasive20.c> DOSHashTableSize 3097:定义哈希表大小。 DOSSiteCount 50:允许客户机的最大并发连接。 DOSPageCount 2:允许客户机访问同一页的间隔。 DOSPageInterval 1:网页访问计数器间隔。 DOSSiteInterval 1:全站访问计数器间隔。 DOSSiteInterval 60:加入黑名单后拒绝访问时间。 DOSEmailNotify crdd1130@gmail.com:有IP加入黑名单后通知管理员。 DOSSystemCommand "sudo iptables -A INPUT -s %s -j DROP":IP加入黑名单后执行的系统命令。 DOSLogDir "/tmp":锁定机制临时目录。 DOSWhiteList 127.0.0.1:防范白名单,不阻止白名单IP。 </IfModule>