mod_evasive doesn’t work with current Apache

Starting with Apache 2.4.1, mod_evasive stores the violation counts PER CHILD. Attackers don’t hit the same child enough times in the time interval to trip the system.
If you have 100 child threads, then you are diluted 1/100 for the time interval

DO NOT USE mod_evasive.

You can slightly improve the performance by editing httpd.conf:
KeepAlive On
MaxRequestsPerChild 0
MinSpareServers somelowvalue
MaxSpareServer somelowvalue

You could use mod_security instead
but it won’t ban IP addresses
yum install mod_security (install mod_security)
yum install mod-security_crs (install OWASP security rules for mod_security)

After installing mod_security, you may get a FAILED message at service httpd restart
You’ll find a similar message in /var/log/httpd/error_log
[alert] (EAI 2)Name or service not known: mod_unique_id: unable to find IPv4 address of “myserver.mydomain.local”
BE CERTAIN that the HOSTNAME value in /etc/syscconfig/network is also a 127.0.0.1 record in /etc/hosts

Use fail2ban
yum install fail2ban
vi /etc/fail2ban/jail.local
[apache-banhermes]
enabled = true
filter = apache-banhermes
logpath = /var/log/httpd/access_log
maxretry = 1
bantime = 60000
action = iptables-multiport[name=banhermes, port=”http,https”]
backend = polling

vi /etc/fail2ban/filter.d/apache-banhermes.conf
[Definition]

failregex = ^<HOST> -.*”(GET|POST) \/hermes\/
ignoreregex =

service start fail2ban

 

For information about how Acumen can service your business, visit our About page.

For more information on Apache, visit their Official Site by clicking the link below:

https://httpd.apache.org/