Howto install mod evasive with fail2ban

From Brian Nelson Ramblings

mod_evasive is used to protect the Apache web server from DDoS and brute-force attacks by acting as a simple request-rate web application firewall.

The mod_evasive authoring site (zdziarski.com) states that mod_evasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, etc.

Install the EPEL repo

First you will want to install the EPEL repo, as mod_evasive is packaged there.

For x86_64

wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

For i386

wget http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm

Now install the release package so the repo is available to YUM

rpm -Uvh epel-release-6*.rpm

Install Mod Evasive

Then you can install mod_evasive

yum install mod_evasive

Configure mod_evasive for use with fail2ban

vim /etc/httpd/conf.d/mod_evasive.conf

Adjust the following settings

DOSPageCount        3
DOSSiteCount        100
DOSPageInterval     3
DOSSiteInterval     5
DOSBlockingPeriod   240
DOSEmailNotify      you@yourdomain.com

DOSLogDir           "/var/log/mod_evasive"
#DOSWhitelist       127.0.0.1
#DOSWhitelist       192.168.0.*

**add any additional email addresses on new lines
**add as many new DOSWhitelist lines as necessary per customer request

Now let's create the log directory and change its ownership to apache

mkdir -p /var/log/mod_evasive && chown apache:apache /var/log/mod_evasive
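To make the numbers in that mod_evasive.conf concrete, here is an added model of how the thresholds interact (illustration written for this page, not mod_evasive's own code). It reproduces the documented semantics: DOSPageCount requests for the same page from one client within DOSPageInterval seconds, or DOSSiteCount requests for any page within DOSSiteInterval seconds, put the client in 403 land for DOSBlockingPeriod seconds, and every further request during the block renews it. Whitelist matching uses shell-style wildcards, which is an assumption broader than mod_evasive's own last-octet wildcard. The request stream at the bottom is constructed.

```python
"""Model of the mod_evasive thresholds configured above (added illustration)."""
from fnmatch import fnmatch

# Same values as the mod_evasive.conf shown on this page
CONFIG = {
    "DOSPageCount": 3,
    "DOSSiteCount": 100,
    "DOSPageInterval": 3,      # seconds
    "DOSSiteInterval": 5,      # seconds
    "DOSBlockingPeriod": 240,  # seconds
}


class EvasiveModel:
    def __init__(self, cfg=CONFIG, whitelist=()):
        self.cfg = cfg
        self.whitelist = tuple(whitelist)  # shell-style patterns (assumption)
        self.page_hits = {}  # (ip, uri) -> [last_hit_time, count]
        self.site_hits = {}  # ip -> [last_hit_time, count]
        self.blocked = {}    # ip -> time of the last request made while blocked

    def _whitelisted(self, ip):
        return any(fnmatch(ip, pattern) for pattern in self.whitelist)

    def _over_threshold(self, table, key, now, count_key, interval_key):
        """Track hits for one key; True when the configured count is exceeded."""
        entry = table.get(key)
        if entry is None:
            table[key] = [now, 1]
            return False
        last, count = entry
        within_interval = now - last < self.cfg[interval_key]
        if not within_interval:
            count = 0  # quiet for a whole interval: start counting again
        entry[0], entry[1] = now, count + 1
        return within_interval and count >= self.cfg[count_key]

    def request(self, ip, uri, now):
        """Return the HTTP status (200 or 403) for one request at time `now`."""
        if self._whitelisted(ip):
            return 200
        last_blocked = self.blocked.get(ip)
        if last_blocked is not None and now - last_blocked < self.cfg["DOSBlockingPeriod"]:
            self.blocked[ip] = now  # hammering during the block extends it
            return 403
        page_over = self._over_threshold(self.page_hits, (ip, uri), now,
                                         "DOSPageCount", "DOSPageInterval")
        site_over = self._over_threshold(self.site_hits, ip, now,
                                         "DOSSiteCount", "DOSSiteInterval")
        if page_over or site_over:
            self.blocked[ip] = now
            return 403
        return 200


def simulate(events, whitelist=()):
    """events: iterable of (ip, uri, timestamp_seconds); returns one status per event."""
    model = EvasiveModel(whitelist=whitelist)
    return [model.request(ip, uri, t) for ip, uri, t in events]


if __name__ == "__main__":
    # Constructed request stream: one client hits the same page four times in 2.5 s,
    # then tries again after 100 s and again 240 s after its last blocked request
    burst = [("203.0.113.5", "/index.html", t) for t in (0, 1, 2, 2.5)]
    burst += [("203.0.113.5", "/other.html", 100), ("203.0.113.5", "/index.html", 340)]
    print(simulate(burst))  # [200, 200, 200, 403, 403, 200]
```

With DOSPageCount 3 the fourth hit on the same page inside the 3-second window is the one that gets the 403, and the request at t=100 is denied even though it asks for a different page, because the client is still inside its blocking period. A client that requests the same page every 5 seconds never trips the page threshold at all.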

Create the fail2ban configuration

vim /etc/fail2ban/filter.d/apache-dosevasive.conf

Add the following

# Fail2Ban configuration file

[Definition]

# Option:  failregex
# Notes.:  regex to match the Forbidden log entries in the Apache error log,
#          which may be (but are not only) produced by mod_evasive
#
# Values:  TEXT
#
failregex = ^\[[^\]]*\]\s+\[error\]\s+\[client <HOST>\] client denied by server configuration:\s

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

and

vim /etc/fail2ban/jail.conf

add the following jail (the section header names the jail; here it matches the filter name)

[apache-dosevasive]
enabled  = true
filter   = apache-dosevasive
action   = iptables-allports[name=dos]
logpath  = /home/*/var/*/logs/*.log
bantime  = 240
maxretry = 10
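Before restarting fail2ban it is worth confirming that the failregex actually matches what mod_evasive writes and nothing else. The following is an added check written for this page (not part of the original, and not fail2ban's code) that stands in for `fail2ban-regex` so the filter can be exercised offline. fail2ban substitutes `<HOST>` with its own host pattern; `HOST_RE` below is a simplified IPv4-only stand-in (assumption). The log lines are constructed in the Apache 2.2 error_log format that EPEL 6 ships; Apache 2.4 adds the module name to the level tag and a port after the client address, so the regex would need adjusting there.

```python
"""Exercise the apache-dosevasive failregex against sample error_log lines (added check)."""
import re
from collections import Counter

# The failregex from the filter file above, verbatim
FAILREGEX = (r"^\[[^\]]*\]\s+\[error\]\s+\[client <HOST>\] "
             r"client denied by server configuration:\s")
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"  # simplified <HOST> (assumption)

# Constructed sample of what mod_evasive leaves in error_log when it denies
# a client, mixed with unrelated lines that the filter must ignore
SAMPLE_LOG = [
    "[Tue Mar 05 10:15:01 2013] [notice] Apache/2.2.15 (Unix) configured -- resuming normal operations",
    "[Tue Mar 05 10:15:02 2013] [error] [client 203.0.113.5] client denied by server configuration: /var/www/html/index.html",
    "[Tue Mar 05 10:15:02 2013] [error] [client 203.0.113.5] client denied by server configuration: /var/www/html/index.html",
    "[Tue Mar 05 10:15:03 2013] [error] [client 198.51.100.9] File does not exist: /var/www/html/favicon.ico",
    "[Tue Mar 05 10:15:04 2013] [error] [client 198.51.100.9] client denied by server configuration: /var/www/html/login.php",
]


def compile_failregex(failregex=FAILREGEX, host_re=HOST_RE):
    """Do what fail2ban does at load time: substitute <HOST> and compile."""
    return re.compile(failregex.replace("<HOST>", host_re))


def matched_hosts(lines, regex=None):
    """Return the <HOST> captured from every line the failregex matches, in order."""
    regex = regex or compile_failregex()
    hosts = []
    for line in lines:
        match = regex.search(line)
        if match:
            hosts.append(match.group("host"))
    return hosts


def hosts_to_ban(lines, maxretry=10):
    """Hosts with at least `maxretry` matching lines (the jail's maxretry above).

    Real fail2ban only counts matches that fall within `findtime` seconds
    (600 by default); that window is not modelled here.
    """
    counts = Counter(matched_hosts(lines))
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    print(matched_hosts(SAMPLE_LOG))          # ['203.0.113.5', '203.0.113.5', '198.51.100.9']
    flood = SAMPLE_LOG + [SAMPLE_LOG[1]] * 8  # 203.0.113.5 now has 10 denials
    print(hosts_to_ban(flood))                # ['203.0.113.5']
```

The `[notice]` startup line and the "File does not exist" line are ignored, the two denied clients are extracted, and only once a client has accumulated `maxretry` denials does it show up as a ban candidate. On a live box the same check is `fail2ban-regex /path/to/error_log /etc/fail2ban/filter.d/apache-dosevasive.conf`.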

per AJ over at BrainMint