Thursday, June 28, 2007

Protecting the server with mod_evasive

As I hinted in my report several days ago about this server suffering a DoS attack, I’ve taken some measures to prevent a repeat occurrence. One of them was to install the mod_evasive Apache module, which was suggested by a number of people.

(There’s also mod_security. It’s way more complex than I need right now, but would be worth looking at for a busier server.)

Initially I was skeptical, since mod_evasive doesn’t seem to be a very actively maintained project. But it looked so simple I decided to give it a try. Installing via FreeBSD ports was, as usual, nearly instantaneous. Configuration looks like this (I’ve omitted a few settings for simplicity’s sake, and these are not the actual numbers I’m using):


DOSPageCount 2
DOSPageInterval 1
DOSSiteCount 50
DOSSiteInterval 1
DOSBlockingPeriod 10

Simply put: if a client requests the same URL more than twice in one second, it is blacklisted for 10 seconds; if it makes more than 50 requests to the site as a whole in one second, likewise. A blacklisted client gets a 403 for every request until the period expires. One caveat: mod_evasive keeps its hit counters in a per-child hash table, so on a prefork server each Apache child counts separately and the effective thresholds are somewhat looser than the configured numbers suggest.

Additional requests during the blacklist period add another 10 seconds. DOSSiteCount is higher to accommodate media files; loading this single page has caused your browser to make seven separate requests to my server, for example, and many pages are more complex than that. But nobody has a legitimate reason to request the same resource more than twice a second. Not with my sites, anyway.
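To make the interaction of the five directives concrete, here is a small model of the blocking decision. It is an added illustration, not mod_evasive's code: it keeps one counter per client and URL and one per client for the whole site, resets a counter only when the gap since the previous hit reaches the interval (which is how the module does it, and why a slow but steady fetch of one URL can still trip DOSPageCount), and extends the block on every request made while blocked. Timestamps are whole seconds, as in the module. The IP addresses and traffic are constructed, and the `whitelist` stands in for DOSWhitelist.

```python
"""Model of mod_evasive's page/site thresholds and blocking period (added example)."""
from dataclasses import dataclass


@dataclass
class Config:
    """Mirrors the DOS* directives from the post, with the same illustrative numbers."""
    page_count: int = 2        # DOSPageCount
    page_interval: int = 1     # DOSPageInterval (seconds)
    site_count: int = 50       # DOSSiteCount
    site_interval: int = 1     # DOSSiteInterval (seconds)
    blocking_period: int = 10  # DOSBlockingPeriod (seconds)


class Evasive:
    def __init__(self, cfg: Config, whitelist=()):
        self.cfg = cfg
        self.whitelist = set(whitelist)   # DOSWhitelist: never counted, never blocked
        self.counters = {}                # key -> [time of last hit, hits in this window]
        self.blocked = {}                 # ip -> time of the request that last (re)armed the block
        self.blacklisted = []             # (t, ip, reason): when email/DOSSystemCommand would fire

    def _count(self, key, t, interval):
        entry = self.counters.get(key)
        if entry is None or t - entry[0] >= interval:
            entry = self.counters[key] = [t, 0]   # gap reached the interval: new window
        entry[0] = t          # the gap is measured from the previous hit, not the window start
        entry[1] += 1
        return entry[1]

    def request(self, ip, uri, t):
        """Return the status the client would get: 200 served, 403 refused."""
        if ip in self.whitelist:
            return 200
        last = self.blocked.get(ip)
        if last is not None and t - last < self.cfg.blocking_period:
            self.blocked[ip] = t   # each request while blocked extends the block
            return 403
        page_hits = self._count((ip, uri), t, self.cfg.page_interval)
        site_hits = self._count((ip, None), t, self.cfg.site_interval)
        if page_hits > self.cfg.page_count or site_hits > self.cfg.site_count:
            reason = "page" if page_hits > self.cfg.page_count else "site"
            self.blocked[ip] = t
            self.blacklisted.append((t, ip, reason))
            return 403
        return 200


def replay(cfg, requests, whitelist=()):
    """Run (t, ip, uri) tuples through the model; return the statuses and the blacklist events."""
    ev = Evasive(cfg, whitelist)
    statuses = [ev.request(ip, uri, t) for t, ip, uri in requests]
    return statuses, ev.blacklisted


if __name__ == "__main__":
    # Constructed traffic: three hits on one URL in the same second, then probes
    # during and after the blocking period (the 114 probe is inside the extended block).
    burst = [(100, "192.0.2.10", "/index.html")] * 3
    probes = [(105, "192.0.2.10", "/about.html"), (114, "192.0.2.10", "/"), (125, "192.0.2.10", "/")]
    print(replay(Config(), burst + probes))
    # A page view that fetches seven distinct objects stays well under DOSSiteCount 50.
    page_view = [(200, "192.0.2.20", f"/asset{i}") for i in range(7)]
    print(replay(Config(), page_view))
    # One URL fetched every 2 s with DOSPageCount 5 / DOSPageInterval 3: the counter
    # never resets because no gap reaches 3 s, so the sixth fetch is refused.
    slow = [(300 + 2 * i, "192.0.2.30", "/feed.xml") for i in range(6)]
    print(replay(Config(page_count=5, page_interval=3), slow))
```

The last case is the one worth remembering when choosing numbers: DOSPageInterval is not a fixed window, so a client that keeps hitting the same URL at any pace faster than one hit per interval accumulates hits until it crosses DOSPageCount.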

When an IP is blacklisted, mod_evasive can send a notification email (DOSEmailNotify) and/or run a command with the address substituted for %s (DOSSystemCommand), e.g. to add the IP to firewall rules. Both fire once per blacklisting rather than once per blocked request: the module drops a per-IP lock file in DOSLogDir (default /tmp) to suppress repeats. Since /tmp is world-writable, point DOSLogDir at a directory only the web server user can write to; otherwise any local shell user could plant those lock files and silence the notifications.
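Here is what a DOSSystemCommand hook for the firewall case can look like on a FreeBSD box running pf. It is an added example, not from the original post or from mod_evasive. Assumptions: it is installed as /usr/local/sbin/evasive-block and configured with `DOSSystemCommand "/usr/local/sbin/evasive-block %s"`; pf.conf has `table <evasive> persist` referenced by a block rule; the web server user has a sudoers NOPASSWD entry for exactly `pfctl -t evasive -T add *`; and the never-block networks stand for the server's own LAN and monitoring hosts. The script validates the argument before it goes anywhere near pfctl and refuses to firewall addresses that would lock you out.

```python
"""DOSSystemCommand hook: add the blacklisted address to a pf table (added example)."""
import ipaddress
import subprocess
import sys
import syslog

PF_TABLE = "evasive"   # assumed: `table <evasive> persist` in pf.conf, used by a block rule

# Addresses we refuse to firewall even if mod_evasive names them (assumed values):
# loopback, the LAN behind the server, and the monitoring network.
NEVER_BLOCK = [ipaddress.ip_network(n)
               for n in ("127.0.0.0/8", "::1/128", "192.168.0.0/16", "10.0.0.0/8")]


def decide(raw):
    """Validate the argument mod_evasive hands us. Returns (ok, address_or_reason)."""
    try:
        ip = ipaddress.ip_address(raw.strip())
    except ValueError:
        return False, f"not an IP address: {raw!r}"
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return False, f"refusing to block special address {ip}"
    for net in NEVER_BLOCK:
        if ip in net:   # ip_network.__contains__ is False across IP versions
            return False, f"{ip} is inside never-block network {net}"
    return True, str(ip)


def block(address):
    """Add the address to the pf table via sudo (the Apache user cannot run pfctl).

    The argument list form avoids a shell, so nothing in the address is interpreted.
    """
    cmd = ["sudo", "-n", "pfctl", "-t", PF_TABLE, "-T", "add", address]
    return subprocess.run(cmd, check=False).returncode


def main(argv):
    syslog.openlog("evasive-block")
    ok, detail = decide(argv[1] if len(argv) > 1 else "")
    if not ok:
        syslog.syslog(syslog.LOG_WARNING, detail)
        return 1
    rc = block(detail)
    syslog.syslog(syslog.LOG_NOTICE if rc == 0 else syslog.LOG_ERR,
                  f"pfctl add {detail} to table {PF_TABLE}: rc={rc}")
    return rc


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two things to remember with this arrangement: the hook runs once per blacklisting (the lock file in DOSLogDir stops repeat calls), and pf table entries do not expire on their own, so a cron job along the lines of `pfctl -t evasive -T expire 3600` is needed to turn mod_evasive's 10-second penalty into a firewall block of bounded length rather than a permanent one.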

In the past four days, mod_evasive has blocked 42 IPs. Using my elite Unix shell skills I got the hostnames:

cat ips.txt | sort | xargs -L 1 host

The main thing I was looking for, and thankfully didn’t find, was search engine spiders — the last thing I want to do is block Google from crawling my sites. Otherwise, no really interesting patterns emerged. About half of the addresses were broadband connections, likely zombies.

One thing I like about having this measure in place is that it doesn’t privilege one form of stupidity over another: badly-written web crawlers, hyperactive blogspam scripts, and actual deliberate DoS attacks all get the same treatment.