mod_evasive is a nice Apache module that helps protect your server against DoS attacks.
However, a blocked client keeps consuming resources on your server. Even if the request only results in a 403 error, it is still a connection that has to be accepted and handled, and in some cases that means spawning a new process for no good reason.
It’s quite easy to configure mod_evasive so that the evil IPs are blocked by the machine’s firewall, though:
# ...your other settings...
# %s is replaced by the offending client's IP address when the command runs
DOSSystemCommand "sudo /root/scripts/ban_ip.sh %s"
You could put an iptables command directly there, but I prefer to use a small script because it’s easier to maintain. Also, I don’t want to block the IP until the end of time 🙂 So I use this:
#!/bin/sh
IP="$1"; IPTABLES=/sbin/iptables   # the IP comes from mod_evasive's %s; "banned" is a custom chain
$IPTABLES -A banned -s "$IP" -p TCP --dport 80 -j DROP
echo "$IPTABLES -D banned -s $IP -p TCP --dport 80 -j DROP" | at now + 2 hours
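The script above runs as root through sudo and takes whatever mod_evasive hands it, so it is worth validating the argument and avoiding duplicate rules. The following is an added example of a hardened ban script, not the script from this post: it checks that the argument is a well-formed IPv4 address before touching iptables, uses iptables -C to skip an IP that is already banned (so repeated triggers do not pile up rules and unban jobs), and schedules the removal with at(1) as the original does. The chain name, binary path and ban duration are assumptions, overridable through the environment; IPv6 clients are deliberately rejected here because they would need ip6tables.

```shell
#!/bin/sh
# Added example (not the original post's script): a hardened mod_evasive ban
# script. Paths, chain name and duration below are assumptions.
IPTABLES=${IPTABLES:-/sbin/iptables}
CHAIN=${CHAIN:-banned}
BAN_HOURS=${BAN_HOURS:-2}

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255,
# else 1. Anything else (IPv6, hostnames, shell metacharacters) is refused.
valid_ipv4() {
    ip=$1
    case $ip in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s\n' "$ip" | tr . ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the rule specification shared by the ban (-A) and the unban (-D).
rule_args() {
    printf '%s -s %s -p tcp --dport 80 -j DROP' "$CHAIN" "$1"
}

# Ban one address: validate, skip if already present, add, schedule removal.
ban_ip() {
    ip=$1
    valid_ipv4 "$ip" || { echo "refusing to ban malformed address: $ip" >&2; return 1; }
    # -C exits 0 when an identical rule already exists in the chain.
    if $IPTABLES -C $(rule_args "$ip") 2>/dev/null; then
        return 0
    fi
    $IPTABLES -A $(rule_args "$ip") || return 1
    echo "$IPTABLES -D $(rule_args "$ip")" | at now + "$BAN_HOURS" hours
}

# Only act when invoked with an argument (as mod_evasive does).
[ $# -gt 0 ] && ban_ip "$1"
```

Because the chain must exist before the first ban, create it once at boot (iptables -N banned, then hook it from INPUT); the script itself never creates chains, so a typo in CHAIN fails loudly instead of silently adding rules elsewhere.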
Don’t forget to grant the account Apache runs as permission to run the script via sudo. My sudoers config contains:
And here’s the result, on a busy server that was the victim of some abuse:
Red means “system time”, blue is “user time”. The green arrow marks the time when I configured it to use iptables.