How to configure NoMachine web server (nxhtd) to use mod_evasive
"mod_evasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection tool, and can be easily configured to talk to ipchains, firewalls, routers, and etcetera." Ref. https://github.com/jzdziarski/mod_evasive
NoMachine provides a built-in minimal version of Apache web server (nxhtd), pre-configured to serve web sessions. Since the implementation of https://www.nomachine.com/FR02R03938, nxhtd includes the mod_evasive module. The loading of this module is disabled by default.
In order to enable it, edit the nxhtd configuration file, htd.cfg:
/usr/NX/etc/htd.cfg on Linux
installationDirectory/etc/htd.cfg on Windows (e.g. C:\Program files (x86)\NoMachine\etc\htd.cfg)
/Applications/NoMachine.app/Contents/Frameworks/etc/htd.cfg on macOS
Step 1 - Enable the module
Look for the 'DOSEnabled' directive and set it to true:
DOSEnabled true
Step 2 - Restart nxhtd
To make the change effective, restart nxhtd.
You can do that via the server interface: click on the !M icon in the system tray -> 'Show the service status' -> 'Server preferences' -> 'Services' to open the panel, or from the command line.
On Linux and macOS, open a terminal and execute:
$ sudo /etc/NX/nxserver --restart nxhtd
On Windows, open a CMD console as administrator, move to the 'bin' directory under the NoMachine installation and execute the --restart command, e.g.:
> cd C:\Program files (x86)\NoMachine\bin\
> nxserver --restart nxhtd
Configure mod_evasive (optional)
The default configuration for mod_evasive provided by nxhtd is:
DOSEnabled true
DOSHashTableSize 3097
DOSPageCount 50
DOSSiteCount 250
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
This configuration is provided as-is and was set, according to tests performed in our labs, to allow only one NoMachine web session per IP at the same time. Administrators may re-configure the directives according to their specific needs and environments. Restarting nxhtd is necessary to make changes effective.
We strongly advise consulting the official documentation of mod_evasive when configuring it.
The nxhtd web server for Linux includes libapache-mod-evasive from https://packages.ubuntu.com/source/eoan/libapache-mod-evasive, while nxhtd for Windows includes the mod_evasive2 module from https://www.apachehaus.net/modules/mod_evasive2.
TROUBLESHOOTING
1) If one of these two limits, DOSPageCount or DOSSiteCount, is reached, the IP will be blocked.
In this case the nxhtd-error.log reports a message similar to:
[Wed Feb 26 18:48:51.118379 2020] [evasive:error] [pid 8506:tid 139873688200960] [client 192.168.1.3:52904] client denied by server configuration: /usr/NX/bin/nxwebclient, referer: https://192.168.1.27:4443/nxwebplayer
Path to the nxhtd log file is:
/usr/NX/log/nxhtd-error.log on Linux
%PROGRAMDATA%\NoMachine\var\log\nxhtd-error.log on Windows
/Library/Application Support/NoMachine/var/log/nxhtd-error.log on macOS
In order to tweak the limits, administrators may proceed as follows.
1) Enable debug log level in htd.cfg, set:
LogLevel warn mod_evasive.c:debug
or:
LogLevel debug
and restart nxhtd.
2) Look for the string Reached 'DOSSiteCount' limit or Reached 'DOSPageCount' limit in nxhtd-error.log, for example:
[Wed Feb 26 18:49:38.499061 2020] [evasive:debug] [pid 8506:tid 139873688200960] mod_evasive.c(265): [client 192.168.1.3:52904] Reached 'DOSSiteCount' limit of 250 for site: 192.168.1.3_SITE., referer: https://192.168.1.27:4443/nxwebplayer
[Wed Feb 26 18:52:53.883606 2020] [evasive:debug] [pid 9225:tid 140313994299136] mod_evasive.c(216): [client 192.168.1.3:52994] Reached 'DOSPageCount' limit of 50 for page: [192.168.1.3_/nxwebplayer]., referer: https://192.168.1.27:4443/nxwebplayer
Note that such information is logged only when debug is set in htd.cfg as explained at point 1).
When the 'DOSSiteCount' limit is reached, increase the value of DOSSiteCount in htd.cfg and restart nxhtd to make this change effective. Similarly, when the 'DOSPageCount' limit is reached, increase the value of DOSPageCount and restart nxhtd.
3) Repeat the procedure, increasing DOSSiteCount or DOSPageCount up to the minimum value at which these log messages no longer appear.
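The log review in steps 2) and 3) can be scripted. The following is an added example, not part of NoMachine's tooling: it scans nxhtd-error.log lines for the two debug messages and the 'client denied' error, and reports which directive each client IP reached. The function names are hypothetical, and the last sample line is constructed for the example.

```python
import re
from collections import Counter

# Sample lines: the first three are the ones shown in this article; the last
# one is constructed for the example (a second client hitting the page limit).
SAMPLE_LOG = """\
[Wed Feb 26 18:48:51.118379 2020] [evasive:error] [pid 8506:tid 139873688200960] [client 192.168.1.3:52904] client denied by server configuration: /usr/NX/bin/nxwebclient, referer: https://192.168.1.27:4443/nxwebplayer
[Wed Feb 26 18:49:38.499061 2020] [evasive:debug] [pid 8506:tid 139873688200960] mod_evasive.c(265): [client 192.168.1.3:52904] Reached 'DOSSiteCount' limit of 250 for site: 192.168.1.3_SITE., referer: https://192.168.1.27:4443/nxwebplayer
[Wed Feb 26 18:52:53.883606 2020] [evasive:debug] [pid 9225:tid 140313994299136] mod_evasive.c(216): [client 192.168.1.3:52994] Reached 'DOSPageCount' limit of 50 for page: [192.168.1.3_/nxwebplayer]., referer: https://192.168.1.27:4443/nxwebplayer
[Wed Feb 26 18:53:10.000001 2020] [evasive:debug] [pid 9225:tid 140313994299136] mod_evasive.c(216): [client 192.168.1.9:40112] Reached 'DOSPageCount' limit of 50 for page: [192.168.1.9_/nxwebplayer]., referer: https://192.168.1.27:4443/nxwebplayer
"""

# The greedy IP group keeps everything up to the last ':port', so IPv6 clients work too.
CLIENT = r"\[client (?P<ip>[^\]]+):\d+\]"
LIMIT_RE = re.compile(r"\[evasive:debug\].*" + CLIENT +
                      r" Reached '(?P<directive>DOS(?:Site|Page)Count)' limit of (?P<limit>\d+)")
DENIED_RE = re.compile(r"\[evasive:error\].*" + CLIENT + r" client denied by server configuration")

def summarize(lines):
    """Return (limit_hits, denials): Counters keyed by (ip, directive, limit) and by ip."""
    limit_hits, denials = Counter(), Counter()
    for line in lines:
        m = LIMIT_RE.search(line)
        if m:
            limit_hits[(m["ip"], m["directive"], int(m["limit"]))] += 1
            continue
        m = DENIED_RE.search(line)
        if m:
            denials[m["ip"]] += 1
    return limit_hits, denials

def directives_to_review(limit_hits):
    """Map each directive whose limit was reached to the sorted client IPs that hit it."""
    out = {}
    for (ip, directive, _limit), _count in limit_hits.items():
        out.setdefault(directive, set()).add(ip)
    return {d: sorted(ips) for d, ips in out.items()}

if __name__ == "__main__":
    hits, denials = summarize(SAMPLE_LOG.splitlines())
    for (ip, directive, limit), n in sorted(hits.items()):
        print(f"{ip}: reached {directive} (currently {limit}) {n} time(s)")
    for ip, n in sorted(denials.items()):
        print(f"{ip}: {n} request(s) denied by mod_evasive")
    print(directives_to_review(hits))
```

To use it on a real server, pass the open log file (for example /usr/NX/log/nxhtd-error.log on Linux) to summarize() instead of the sample lines. Limit messages appear only while debug logging is enabled as described in point 1).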
NOTES
a) You'll want to have a MaxRequestsPerChild set to a non-zero value, as DosEvasive cleans up its internal hashes only on exit. The default MaxRequestsPerChild is usually 10000. This should suffice in only allowing a few requests per 10000 per child through in the event of an attack (although if you use DOSSystemCommand to firewall the IP address, a hole will no longer be open in between child cycles). Ref. https://github.com/jzdziarski/mod_evasive/blob/master/README
Note that recent versions of Apache renamed MaxRequestsPerChild to MaxConnectionsPerChild.
b) Whitelisting IP Addresses
IP addresses of trusted clients can be whitelisted to insure they are never denied. Ref. https://github.com/jzdziarski/mod_evasive/blob/master/README
