Making your Apache more DoS resistant

Availability is one pillar of the Information Security; it defines itself as the capability of being accessed by legit users when needed. On the other hand, we have DoS attacks which attack an asset availability. A successful DoS attack is the one that will not let a user access an asset when needed.

Exposures to DoS attacks are not the easiest to discover; a vulnerability scan will not report them. A successful DoS attack does not always exploit a vulnerability. DoS attacks are discovered easily by seasoned security practitioners. For example, an attacker could send millions of HTTP request to a valid URL in a given website. The HTTP request could be totally valid and legit, but what it makes it an attack is the excess of it. The HTTP server cannot handle it, therefore when a legit user tries to access it, he will fail; the HTTP server is too busy.

There could be many kinds of DoS attacks. This article will prevent the following:

• When an attacker requests too many times the same URL
• When an attacker request too many times different URL's; each individual type of request may no be considered an attack, but the sum of them it is.

Software Requirements

You will need to install the following software:

• mod_evasive
• sudo
• fail2ban

All these are available in any CentOS 7 installation. I am pretty sure they are in other distributions as well.

Configuration

The first step is configuring fail2ban. The trick here is to configure a jail that will never hit. Edit or create the file filter.d/none.conf.

[Definition]
failregex = ^$
ignoreregex =

And add this to your jail.local.

[manual]
enabled = true
port = 443,80
protocol = tcp
filter = none
action = iptables-allports[name=manual, protocol=all]
backend = systemd
bantime = 3600

Next, configure your sudo. I did it by adding the following policy to sudo.

apache ALL = (root) NOPASSWD: /usr/bin/fail2ban-client

This policy tells sudo to allow fail2ban-client without asking a password.

The last step is configuring the mod_evasive. The mod_evasive.conf file is almost self-explained. Configure it to meet your needs, just add the following line:

DOSSystemCommand "/usr/bin/sudo /usr/bin/fail2ban-client set manual banip %s"

Does your Website use HTTP/2?

If your website supports HTTP/2, the default settings of mod_evasive may fire back. HTTP/2 allows the Apache server to return in one spot many documents. Depending on your website, this could be an HTTP flood and may be cataloged as a DoS.

For example, this blog uses HTTP/2 and with default settings, it bans very easily the access. I came with the following settings:

DOSPageCount 50
DOSSiteCount 100

You will need to play with these two to find a good value for your website.

What will this Config do?

The mod_evasive module from Apache will keep track of the HTTP requests. When a threshold is triggered, it will start answering with 403 error codes. The mod_evasive module will use sudo to put the offending IP in a quarantine. Without the sudo/fail2ban, the HTTP server will keep getting the requests and processing it. 

Beware of the parameters you put. Some HTTP applications may require you to relax the parameters.

Good luck!