Repelling DDoS using mod_evasive + firewall (CentOS, Red Hat)

You can detect a DDoS with your own scripts that parse the logs, but it is better to leave that to the Apache module mod_evasive.

Install mod_evasive and put the following in its configuration:
DOSHashTableSize 3097
DOSPageCount 15
DOSSiteCount 15
DOSPageInterval 3
DOSSiteInterval 3
DOSBlockingPeriod 300
DOSSystemCommand "/usr/bin/sudo /usr/bin/fwban %s"

DOSPageInterval - the interval (in seconds) over which hits on a specific page are counted
DOSSiteInterval - the interval (in seconds) over which hits on a particular vhost are counted
DOSPageCount - the number of hits on a particular URI within DOSPageInterval after which the IP is banned
DOSSiteCount - the number of hits on a particular vhost within DOSSiteInterval after which the IP is banned

We need a firewall ban script, /usr/bin/fwban (for Linux):
#!/bin/bash
# print usage and fail when no address was passed
if [ "x$1" = "x" ]; then
    echo "USAGE: $0 IPADDR"
    exit 1
fi
# append a DROP rule for the address to the BAN chain
/sbin/iptables -A BAN -s "$1" -j DROP

Give it mode 755.

We also need the sudo utility, which is installed almost everywhere. In visudo, comment out this option:
#Defaults requiretty

And add the line
apache ALL = NOPASSWD: /usr/bin/fwban

where apache is the user Apache runs as.

We also need a BAN chain in iptables:
iptables -N BAN
iptables -I INPUT -j BAN

Save the firewall rules:
/etc/init.d/iptables save
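The ban script above passes whatever mod_evasive hands it straight to iptables and adds a fresh rule on every call, so a repeatedly blacklisted address ends up with many identical DROP rules and nothing ever removes them. The following is a hardened drop-in for /usr/bin/fwban, added here as an example; it is not the script from this post. It validates that the argument is a dotted-quad IPv4 address before touching iptables, uses `iptables -C` to skip an address that is already in the chain, and adds a `-u` unban mode for clearing a single address without flushing the whole BAN chain. It assumes an iptables new enough to support `-C`, and the `IPTABLES` and `FWBAN_CHAIN` environment overrides are my additions (they default to /sbin/iptables and BAN, matching the post).

```shell
#!/bin/sh
# /usr/bin/fwban: ban (or unban) a single IPv4 address via the BAN chain.
# Added example, not the original post's script. Assumptions not taken from the post:
#   - IPTABLES and FWBAN_CHAIN can be overridden through the environment
#   - iptables supports -C (check), so repeated bans do not add duplicate rules
IPTABLES="${IPTABLES:-/sbin/iptables}"
CHAIN="${FWBAN_CHAIN:-BAN}"

# is_ipv4 ADDR: succeed only for a dotted-quad IPv4 address with each octet in 0..255.
# mod_evasive substitutes the client address for %s; rejecting anything else keeps
# unexpected input away from iptables even though the script runs under sudo.
is_ipv4() {
    addr="$1"
    case "$addr" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digit chars, leading/trailing/empty octet
    esac
    oldifs="$IFS"; IFS=.
    set -- $addr                           # split on dots into positional parameters
    IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# already_banned ADDR: succeed if a DROP rule for ADDR is already present in the chain.
already_banned() {
    "$IPTABLES" -C "$CHAIN" -s "$1" -j DROP 2>/dev/null
}

# ban_ip ADDR: validate, skip duplicates, then append the DROP rule.
# Returns 0 on success or when already banned, 2 for an invalid address.
ban_ip() {
    if ! is_ipv4 "$1"; then
        printf 'fwban: refusing to ban invalid address: %s\n' "$1" >&2
        return 2
    fi
    if already_banned "$1"; then
        return 0
    fi
    "$IPTABLES" -A "$CHAIN" -s "$1" -j DROP
}

# unban_ip ADDR: delete every DROP rule for ADDR from the chain (the post has no unban step).
unban_ip() {
    is_ipv4 "$1" || return 2
    while already_banned "$1"; do
        "$IPTABLES" -D "$CHAIN" -s "$1" -j DROP || return 1
    done
    return 0
}

usage() {
    echo "USAGE: $0 [-u] IPADDR" >&2
    exit 1
}

# Act only when called with arguments, as mod_evasive does through sudo;
# sourcing the file without arguments just defines the functions.
if [ $# -gt 0 ]; then
    case "$1" in
        -u) [ -n "${2-}" ] || usage; unban_ip "$2" ;;
        *)  ban_ip "$1" ;;
    esac
fi
```

Install it with the same mode 755 and sudoers line as the original script; mod_evasive keeps calling `sudo /usr/bin/fwban <ip>`, and an administrator can lift a ban by hand with `fwban -u <ip>` instead of flushing the chain. Note that mod_evasive's DOSBlockingPeriod only governs its own in-memory blacklist; the iptables rule stays until it is deleted.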

Restart Apache. Now try to bring your website down (not from your own IP!!!):
# ab -n 1000 -c 20 http://yoursite.info/

On the victim, the logs show:
May 6 15:18:25 Server1 mod_evasive[26514]: Blacklisting address 1.2.3.4: possible DoS attack.

And in the firewall:
# iptables-save
... lots of other rules ...
-A BAN -s 1.2.3.4 -j DROP
... lots of other rules ...

PS: and of course, it is better to put Apache behind nginx.

PS: and this method bans IP addresses permanently, until the server is restarted or the BAN chain is flushed. That's how brutal the method is)