I recently had to deal with a guy whose VPS was constantly being hit by the same IPs over and over until the server crapped out and refused to do anything… it was royally a pain in the ass because I literally had about 10 seconds between starting up the server and having it crash again. Needless to say, those 10 seconds were spent stopping Apache to give me enough time to do a netstat -n and block the assholes who were flooding the server. I then decided to install mod_evasive, which is a simple Apache module that monitors the number of connections from one IP and blocks any that reach a set limit. Here’s how you do it via SSH:
tar -xvzf mod_evasive_1.10.1.tar.gz
/usr/local/apache/bin/apxs -cia mod_evasive.c
Once the module is compiled, restart Apache and add this to your httpd.conf:
DOSHashTableSize – Size of the hash table used to track clients. The larger the table, the more memory it needs, but lookups are faster.
DOSPageCount – Max number of requests for the same page from one IP within the ‘DOSPageInterval’ interval.
DOSSiteCount – Max number of requests for the whole site from one IP within the ‘DOSSiteInterval’ interval.
DOSPageInterval – Interval, in seconds, for the ‘DOSPageCount’ threshold.
DOSSiteInterval – Interval, in seconds, for the ‘DOSSiteCount’ threshold.
DOSBlockingPeriod – Blocking period in seconds once any of the thresholds is met. The client receives a 403 (Forbidden) while blocked, and the timer is reset each time the site gets hit while the client is still blocked.
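The httpd.conf stanza that the directives above describe, as an added example that is not from the original post. The values are the defaults from mod_evasive's own README; the DOSEmailNotify and DOSWhitelist directives are also part of mod_evasive 1.10.1 but are not described above, and the address values are placeholders. The module file name in the IfModule check matches the mod_evasive.c build shown above (the Apache 2 build in the same tarball is mod_evasive20.c, so adjust the check if that is what you compiled).

```apache
# Added example of a mod_evasive configuration stanza for httpd.conf.
# Values are the README defaults; tune them for your traffic before relying on them.
<IfModule mod_evasive.c>
    # Number of slots for tracking client IPs; bigger = more RAM, faster lookups
    DOSHashTableSize    3097

    # Same-page requests from one IP allowed per DOSPageInterval (seconds)
    DOSPageCount        2
    DOSPageInterval     1

    # Whole-site requests from one IP allowed per DOSSiteInterval (seconds)
    DOSSiteCount        50
    DOSSiteInterval     1

    # How long (seconds) a client stays blocked with 403 responses;
    # the timer restarts on every request made while blocked
    DOSBlockingPeriod   10

    # Optional: mail an alert the first time an IP is blocked (placeholder address)
    DOSEmailNotify      admin@example.invalid

    # Optional: never block monitoring hosts or a reverse proxy in front of Apache
    # (placeholder address; without this a proxy's shared IP would trip the limits)
    DOSWhitelist        192.0.2.10
</IfModule>
```

With the default DOSPageCount of 2 per second, a page that pulls in many images or stylesheets from the same origin can trigger a block on an ordinary visitor, and everyone behind one NAT gateway or proxy shares a single counter, so watch the error log for 403s from legitimate clients after enabling it and raise the counts or whitelist as needed.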
A good supplementary script to mod_evasive is ddos, which sends you an email whenever an IP is blocked for opening too many connections. It also works as a backup in case Apache gets too hammered with connections to respond. All you have to do is:
Now you just edit /usr/local/ddos/ddos.conf.
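The manual triage step from the opening paragraph (stop Apache, run netstat -n, find which IPs are flooding the box) is also what the ddos script automates on a schedule. The following shell function, added here as an example and not taken from the post or from the ddos script, counts open TCP connections per remote IP from netstat -n output and prints the IPs at or above a threshold, most connections first. It assumes the Linux net-tools netstat layout (foreign address in column five as ADDR:PORT) and IPv4 addresses only; the sample netstat output is constructed and uses RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example: rank remote IPs by open TCP connection count from
# `netstat -n` output and list the ones at or above a threshold.
# Assumes Linux net-tools column layout (foreign address = column 5,
# "ADDR:PORT") and IPv4 addresses; the split on ':' breaks for IPv6.

# Usage: netstat -n | flooding_ips THRESHOLD     (default threshold 20)
flooding_ips() {
    threshold="${1:-20}"
    awk -v t="$threshold" '
        $1 ~ /^tcp/ {                      # skip header lines, udp and unix sockets
            split($5, a, ":")              # "ADDR:PORT" -> a[1] is ADDR
            if (a[1] != "" && a[1] != "0.0.0.0") n[a[1]]++
        }
        END { for (ip in n) if (n[ip] >= t) printf "%d %s\n", n[ip], ip }
    ' | sort -rn | awk '{ print $2 }'
}

# Constructed sample of `netstat -n` output: one host holding four
# connections (three of them half-open), one ordinary client with two.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.2:80             203.0.113.5:51234       SYN_RECV
tcp        0      0 10.0.0.2:80             203.0.113.5:51235       SYN_RECV
tcp        0      0 10.0.0.2:80             203.0.113.5:51236       ESTABLISHED
tcp        0      0 10.0.0.2:80             203.0.113.5:51237       SYN_RECV
tcp        0      0 10.0.0.2:80             198.51.100.9:40001      ESTABLISHED
tcp        0      0 10.0.0.2:22             198.51.100.9:40002      ESTABLISHED
udp        0      0 10.0.0.2:123            0.0.0.0:*'

# Dry run on the sample: which IPs would be blocked at a threshold of 3?
printf '%s\n' "$SAMPLE_NETSTAT" | flooding_ips 3
```

Run it against live output with `netstat -n | flooding_ips 30` and review the list before feeding it to your firewall; on a busy site a single office NAT or a search-engine crawler can legitimately hold dozens of connections, which is why the ddos script's whitelist matters as much as its threshold.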