edin.no-ip.com

Besides mod_evasive, there exists another spam deference module for Apache2 in Debian unstable - libapach2-mod-spamhaus.

Again mod-spamhaus is a configuration-free package. Just install it with apt-get:

Double check the installation with:

Also remember to restart Apache in order to get it active:

P.S. Note that this package is now only available in Debian unstable.

DDoS attack (http://en.wikipedia.org/wiki/Denial-of-service_attack) is all around the Internet and no one can escape from it. What we can do is trying to protect ourself whenever happened. On the other hand, DDoS attack to Apache is also very common so what can we do for it? Let's try mod_evasive (http://www.zdziarski.com/projects/mod_evasive/).

The installation of mod_evasive under Debian is very simple:

After install try this command and you will find that Debian have already active mod_evasive for us by default:

So what we only need to do is restart the Apache and let mod_evasive active:

For testing the effect of mod_evasive, you can try this command (you will have HTTP/1.1 302 Found at beginning but soon become HTTP/1.1 403 Forbidden):

Since a long days before I keep on using Apache's mod_access for spam or bad robot filtering (http://edin.no-ip.com/content/block-apache-visiting-abnormal-user-agent). It is quite handy and simple; BTW, you need to configure it manually. The benefit of the model is you only need to have a functional Apache installed then you can set it up without any special difficult and dependence; and the drawback is simple that it is not flexible.

As Debian's Fail2ban already come with apache-badbots.conf, why not utilize it? As it will function in firewall level, rather than application level (Apache), using this model would be more secure and stable, too.

Setting this up is very simple. In case of Debian, install Fail2ban with:

Then check /etc/fail2ban/filter.d/apache-badbots.conf and you will find a well pre-defined blocking list, which fetched from http://www.user-agents.org. What you need to do is active this filtering rule within your Fail2ban configuration. As mentioned in the header section of /etc/fail2ban/jail.conf, we should create a file called as /etc/fail2ban/jail.local which contain our changes for override, e.g.:

After restart Fail2ban with /etc/init.d/fail2ban restart, check your iptables with iptables -nvL and you should have similar result:

In order to check for ban/unban record, try cat /var/log/fail2ban.log | grep WARNING. E.g. soon after I have install Fail2ban it catch 1 IP for ban, due to rule of apache-overflows:

My site is being attack by some abnormal client, with some invalid user-agent. They keep on scanning my server, and just keep on pushing up the server loading.

There is a lot of different defense method, and here is one of the simple solution (http://httpd.apache.org/docs/2.0/mod/mod_access.html). Just add the following lines (I just list those are required):

And so Apache will happily block those unfriendly user agents ;-)