Difference between revisions of "Howto install mod evasive with fail2ban"
(Created page with "==Howto install mod evasive with fail2ban== mod_evasive ais used to secure Apache Web Server from DDoS and brute force attacks by implementing web application firewall. The ...") |
(No difference)
|
Revision as of 16:34, 17 April 2014
Contents
Howto install mod evasive with fail2ban
mod_evasive ais used to secure Apache Web Server from DDoS and brute force attacks by implementing web application firewall.
The mod_evasive authoring site (zdziarski.com) states that mod_evasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and etcetera..
Install the EPEL repo
First you will want to install the epel repos as mod_evasive is included in those repo's.
For the x86x64
wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
For the i386
wget http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
Now install them into YUM
rpm -Uvh epel-release-6*.rpm
Install Mod Evasive
Then you can install mod_evasive
yum install mod_evasive
Configure mod_evasive for use with fail2ban
vim /etc/httpd/conf.d/mod_evasive.conf
Adjust the following settings
DOSPageCount 3 DOSSiteCount 100 DOSPageInterval 3 DOSSiteInterval 5 DOSBlockingPeriod 240 DOSEmailNotify [email protected]
**add any additional email addresses on new lines DOSLogDir "/var/log/mod_evasive" #DOSWhitelist 127.0.0.1 #DOSWhitelist 192.168.0.* **add as many new DOSWhitelist lines as necessary per customer request
Now lets create the log directory and change the ownership to apache
mkdir -p /var/log/mod_evasive && chown apache:apache /var/log/mod_evasive
Create the fail2ban configuration
vim /etc/fail2ban/filter.d/apache-dosevasive.conf
Add the following
# Fail2Ban configuration file
[Definition] # Option: failregex # Notes.: regex to match the Forbidden log entrys in apache error.log # maybe (but not only) provided by mod_evasive # # Values: TEXT # failregex = ^\^\*\]\s+\[error\]\s+\[client <HOST>\] client denied by server configuration:\s # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT # ignoreregex
and
vim /etc/fail2ban/jail.conf
add the following
enabled = true filter = apache-dosevasive action = iptables-allports[name=dos] logpath = /home/*/var/*/logs/*.log bantime = 240 maxretry = 10