How to configure your own Apache web server to use mod_evasive
"mod_evasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection tool, and can be easily configured to talk to ipchains, firewalls, routers, and etcetera." Ref. https://github.com/jzdziarski/mod_evasive
Pre-requisite:
An official version of Apache web server is installed and configured to run NoMachine sessions on the web, see https://www.nomachine.com/DT03O00128
How to install mod_evasive
In order to install and enable the module on your operating system, we strongly recommend following the instructions provided with the mod_evasive module you are going to adopt.
Examples below have been tested on Ubuntu 19.10/Apache 2.4.41, Ubuntu 18.04/Apache 2.4.29 and Windows 10/Apache/2.4.41.
The configurations that make mod_evasive work with NoMachine web sessions apply to all operating systems.
Step 1 - Install and enable mod_evasive
On Linux
Retrieve mod_evasive from the repository and install it. Once the installation is completed, the module should already be enabled.
For example, on Ubuntu 19.10 execute in a terminal:
apt install libapache2-mod-evasive
or on CentOS 7/RHEL 7:
sudo yum install mod_evasive
To verify that mod_evasive is enabled execute in a terminal:
apache2ctl -M | grep evasive
which should return for example:
evasive20_module (shared)
If the module is not enabled, use the 'a2enmod' command to enable it, for example:
sudo a2enmod evasive
On Windows
Download the evasive_module from the Apache web site: https://www.apachelounge.com/download/ and follow instructions detailed in the ReadMe file, e.g.:
- Copy mod_evasive.so to your modules folder
- Add to your httpd.conf:
LoadModule evasive_module modules/mod_evasive.so
Step 2 - Verify that mod_evasive is enabled (on Linux)
On Linux, execute in a terminal:
apache2ctl -M | grep evasive
which should return for example:
evasive20_module (shared)
If the module is not enabled, use the 'a2enmod' command to load the module, for example:
sudo a2enmod evasive
Step 3 - Configure mod_evasive
Depending on the Operating System and Apache version, directives for mod_evasive are stored in a configuration file named evasive.conf or in the Apache configuration file. For example: /etc/apache2/mods-enabled/evasive.conf (Ubuntu/Debian) or /etc/httpd/conf.d/mod_evasive.conf (CentOS/RHEL).
On Windows, directives for mod_evasive have to be applied into the Apache configuration file.
The mod_evasive module checks how many requests arrive from a single IP in a given time, by default 1 second.
Edit the directives according to your needs. To do that, and for a detailed explanation of each directive, we recommend referring to the official documentation of Apache and mod_evasive.
Some examples of the configuration that we applied to make one NoMachine web session work from one IP address are below. They mainly take into account the following parameters:
DOSPageCount
This is the threshold for the number of requests for the same page (or URI) per page interval. Once the threshold for that interval has been exceeded, the IP address of the client will be added to the blocking list.
DOSSiteCount
This is the threshold for the total number of requests for any object by the same client on the same listener per site interval. Once the threshold for that interval has been exceeded, the IP address of the client will be added to the blocking list.
1) Ubuntu 19.10
cat /etc/apache2/mods-available/evasive.conf
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 50
DOSSiteCount 250
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
#DOSEmailNotify you@yourdomain.com
#DOSSystemCommand "su - someuser -c '/sbin/... ...'"
#DOSLogDir "/var/log/mod_evasive"
</IfModule>
If the evasive.conf file doesn't exist, directives above have to be placed in the Apache configuration file.
2) Windows (the following directives are placed in the Apache configuration file):
DOSEnabled true
DOSHashTableSize 3097
DOSPageCount 50
DOSSiteCount 250
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
In order to allow more than one NoMachine web session at the same time from the same IP, it's necessary to increase the values of DOSPageCount and DOSSiteCount. Tuning these settings to the most appropriate values requires monitoring the Apache logs and proceeding by trial and error. Important: consider only requests coming from the known client IP when tuning DOSPageCount and DOSSiteCount.
For example, let's assume that client IP is "192.168.1.27" and Apache logs report an error similar to:
[Tue Feb 18 21:24:29.294702 2020] [evasive20:error] [pid 19450] [client 192.168.1.27:47516] client denied by server configuration: /usr/NX/bin/nxwebclient, referer: https://192.168.1.3/nxwebplayer
Increase DOSPageCount up to the minimum value that makes such log entries disappear.
When Apache logs report an error similar to:
[Tue Feb 18 21:27:18.399514 2020] [evasive20:error] [pid 19450] [client 192.168.1.27:47672] client denied by server configuration: /usr/NX/share/htdocs/nxwebplayer/style/desktop/slider.css, referer: https://192.168.1.3/nxwebplayer
Increase DOSSiteCount up to the minimum value that makes such log entries disappear.
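To apply the rule above (consider only the known client IP), the following added example, which is not part of the original article or of mod_evasive, counts evasive20 denials for one client grouped by denied path. The function names and the sample log are constructed for illustration; the first and third sample lines are the ones quoted above.

```shell
#!/bin/sh
# Added example (not NoMachine or mod_evasive code).
# evasive_denials CLIENT_IP ERROR_LOG  -> "COUNT PATH" lines, most denied first.
evasive_denials() {
    awk -v ip="$1" '
        # Keep mod_evasive denials whose [client IP:port] is the known client.
        index($0, "[evasive20:error]") && index($0, "[client " ip ":") {
            n = index($0, "configuration: ")
            if (!n) next
            path = substr($0, n + 15)   # text after "configuration: "
            sub(/,.*/, "", path)        # drop ", referer: ..."
            count[path]++
        }
        END { for (p in count) printf "%d %s\n", count[p], p }
    ' "$2" | sort -k1,1nr -k2
}

# Constructed sample log: two lines from the article plus constructed ones
# (a repeat, a different client, and an unrelated Apache message).
sample_log() {
    cat <<'EOF'
[Tue Feb 18 21:24:29.294702 2020] [evasive20:error] [pid 19450] [client 192.168.1.27:47516] client denied by server configuration: /usr/NX/bin/nxwebclient, referer: https://192.168.1.3/nxwebplayer
[Tue Feb 18 21:24:29.301000 2020] [evasive20:error] [pid 19450] [client 192.168.1.27:47518] client denied by server configuration: /usr/NX/bin/nxwebclient, referer: https://192.168.1.3/nxwebplayer
[Tue Feb 18 21:27:18.399514 2020] [evasive20:error] [pid 19450] [client 192.168.1.27:47672] client denied by server configuration: /usr/NX/share/htdocs/nxwebplayer/style/desktop/slider.css, referer: https://192.168.1.3/nxwebplayer
[Tue Feb 18 21:27:19.000000 2020] [evasive20:error] [pid 19450] [client 192.168.1.99:50000] client denied by server configuration: /usr/NX/bin/nxwebclient
[Tue Feb 18 21:27:20.000000 2020] [core:notice] [pid 19450] AH00094: Command line: '/usr/sbin/apache2'
EOF
}

# With two arguments analyse a real log, otherwise run on the sample.
if [ "$#" -eq 2 ]; then
    evasive_denials "$1" "$2"
else
    sample_log | evasive_denials 192.168.1.27 -
fi
```

Re-run it after each change to DOSPageCount or DOSSiteCount; an empty result for the known client means the current values no longer block its session.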
Step 4 - Further configurations for NoMachine webplayer
A further configuration step is necessary since the implementation of https://www.nomachine.com/FR11Q03892, which relocates log files in the user's home/.nx directory.
The nxwebplayer processes run as the 'nxhtd' user; their log files are therefore stored in the .nx directory of the nxhtd user:
/var/NX/nxhtd/ on Linux
%PROGRAMDATA%/NoMachine/nxhtd on Windows
/Library/Application Support/NoMachine/var/nxhtd/ on macOS
In order to make the webplayer work properly with the system Apache, it's necessary to create a .nx directory under the Apache home directory and set proper permissions. Important: DocumentRoot must be enabled in the Apache configuration and the .nx directory must not be created under the Apache DocumentRoot!
1) On Linux
Identify the Apache home directory, e.g. /var/www, and create the .nx directory there with proper permissions:
# mkdir /var/www/.nx/
# chown www-data:www-data /var/www/.nx/
# chmod 700 /var/www/.nx/
Ensure that DocumentRoot is enabled and doesn't include the .nx directory, for example it can be:
DocumentRoot /var/www/html
but not:
DocumentRoot /var/www/
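The requirements above can be verified with a short check. This is an added example, not part of the original article; the function name check_nx_dir is hypothetical, and it assumes Linux with GNU coreutils (readlink -f, stat -c). It confirms that the .nx directory is outside DocumentRoot, is owned by the Apache user, and grants nothing to group or others.

```shell
#!/bin/sh
# Added example (not NoMachine code).
# check_nx_dir NX_DIR APACHE_USER DOCUMENT_ROOT
# Returns 0 and prints "ok: ..." when the directory passes, 1 otherwise.
check_nx_dir() {
    dir="$1"; owner="$2"; docroot="$3"
    [ -d "$dir" ] || { echo "missing: $dir"; return 1; }
    # Resolve symlinks so a link cannot hide a path inside the web root.
    real_dir=$(readlink -f "$dir") || return 1
    real_root=$(readlink -f "$docroot") || return 1
    # Log files must never be served: reject anything at or below DocumentRoot.
    case "$real_dir/" in
        "$real_root"/*) echo "inside DocumentRoot: $real_dir"; return 1 ;;
    esac
    # stat prints "<owner name> <octal mode>", e.g. "www-data 700".
    set -- $(stat -c '%U %a' "$real_dir")
    [ "$1" = "$owner" ] || { echo "owner is $1, expected $owner"; return 1; }
    case "$2" in
        *00) ;;   # no permission bits for group or others
        *) echo "mode $2 grants group/other access"; return 1 ;;
    esac
    echo "ok: $real_dir"
}

# Example call with the article's values:
#   check_nx_dir /var/www/.nx www-data /var/www/html
if [ "$#" -eq 3 ]; then
    check_nx_dir "$1" "$2" "$3"
fi
```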
NOTES from the official documentation of mod_evasive
1) "You'll want to have a MaxRequestsPerChild set to a non-zero value, as DosEvasive cleans up its internal hashes only on exit. The default MaxRequestsPerChild is usually 10000. This should suffice in only allowing a few requests per 10000 per child through in the event of an attack (although if you use DOSSystemCommand to firewall the IP address, a hole will no longer be open in between child cycles). "
Note that recent versions of Apache renamed MaxRequestsPerChild to MaxConnectionsPerChild.
2) "Whitelisting IP Addresses
IP addresses of trusted clients can be whitelisted to insure they are never denied."
