In this tutorial I will be looking at simple DOS protection for Apache using mod_security. I am starting from the point where you already have mod_security installed.
Installation
We can implement some simple DOS protection for Apache using mod_security and a couple of scripts. By using the httpd-guardian and blacklist scripts, you can block IP addresses in iptables which are making lots of HTTP requests. You'll need to download the two scripts from http://apache-tools.cvs.sourceforge.net/apache-tools/
By default httpd-guardian will defend against clients that send more than 120 requests per minute, or more than 360 requests in five minutes.
Copy the downloaded scripts into /etc/apache2 and make them executable (chmod 755). Then add the following line to /etc/apache2/apache2.conf -:
SecGuardianLog "|/etc/apache2/httpd-guardian"
Edit the httpd-guardian script and change the following options -:
my $PROTECT_EXEC = "/etc/apache2/blacklist block %s 3600";
my $THRESHOLD_1MIN = 1; # 60 requests in a minute
my $THRESHOLD_5MIN = 1; # 360 requests in 5 minutes
Now edit the blacklist script and change the following options -:
my $FWCMD = "iptables";
You then need to create the following iptables ruleset, put this in /etc/rc.local or similar to survive reboots -:
iptables -N BLACKLIST
iptables -A INPUT -p tcp --dport 80 -j BLACKLIST
You need to run the following to start the blacklist script, so add to /etc/rc.local or similar -:
/etc/apache2/blacklist start
You should get the following output -:
/sbin/iptables -F BLACKLIST
/sbin/iptables -A BLACKLIST -j RETURN
Next you need to put the following command in cron to run every 5 minutes or so -:
/etc/apache2/blacklist unblock_stale
This makes sure stale entries are removed from iptables.
Now restart apache with apache2ctl graceful and you should be protected from DOS attacks.
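To see what httpd-guardian is deciding on your behalf, here is an added example (not part of the original post and not code from the httpd-guardian or blacklist scripts) that counts requests per client IP per minute over Apache combined-format log lines and prints the blacklist command from the PROTECT_EXEC setting above for any address over the threshold, without touching iptables itself. The log lines are constructed sample input, and the threshold is passed as an argument rather than taken from the script's per-second settings.

```shell
#!/bin/sh
# Added example: per-IP, per-minute request counting over Apache
# combined-log lines, the same kind of decision httpd-guardian makes
# before handing an address to the blacklist script.
# Constructed sample log (198.51.100.0/24 is a documentation range):
SAMPLE_LOG='198.51.100.7 - - [10/Oct/2023:13:55:01 +0000] "GET / HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2023:13:55:02 +0000] "GET /a HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2023:13:55:03 +0000] "GET /b HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2023:13:55:04 +0000] "GET /c HTTP/1.1" 200 512
198.51.100.9 - - [10/Oct/2023:13:55:05 +0000] "GET / HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET / HTTP/1.1" 200 512'

# offenders LIMIT: read log lines on stdin, print "ip minute count" for
# every ip/minute pair whose request count exceeds LIMIT.
offenders() {
    awk -v limit="$1" '
        # $1 is the client IP, $4 is "[dd/Mon/yyyy:HH:MM:SS"; drop the
        # leading "[" and the ":SS" to key on the minute.
        { key = $1 " " substr($4, 2, length($4) - 4); n[key]++ }
        END { for (k in n) if (n[k] > limit) print k, n[k] }
    ' | sort
}

# block_commands LIMIT: print, without executing, the blacklist call that
# PROTECT_EXEC would run for each offending IP (3600 s block as in the
# setting above). Piping this into sh would actually apply the blocks.
block_commands() {
    offenders "$1" | awk '{ print $1 }' | sort -u |
        while read -r ip; do
            echo "/etc/apache2/blacklist block $ip 3600"
        done
}

# Demo: with a limit of 3 requests per minute only 198.51.100.7 trips it.
printf '%s\n' "$SAMPLE_LOG" | block_commands 3
```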
