# DOSHashTableSize
# The hash table size defines the number of top-level nodes for each child's
# hash table. Increasing this number will provide faster performance by
# decreasing the number of iterations required to get to the record, but
# consume more memory for table space. You should increase this if you have
# a busy web server. The value you specify will automatically be tiered up to
# the next prime number in the primes list (see mod_evasive.c for a list
# of primes used).
DOSHashTableSize 3097

# DOSPageCount
# This is the threshold for the number of requests for the same page (or URI)
# per page interval. Once the threshold for that interval has been exceeded,
# the IP address of the client will be added to the blocking list.
DOSPageCount 2

# DOSSiteCount
# This is the threshold for the total number of requests for any object by
# the same client on the same listener per site interval. Once the threshold
# for that interval has been exceeded, the IP address of the client will be added
# to the blocking list.
DOSSiteCount 50

# DOSPageInterval
# The interval for the page count threshold; defaults to 1 second intervals.
DOSPageInterval 1

# DOSSiteInterval
# The interval for the site count threshold; defaults to 1 second intervals.
DOSSiteInterval 1

# DOSBlockingPeriod
# The blocking period is the amount of time (in seconds) that a client will be
# blocked for if they are added to the blocking list. During this time, all
# subsequent requests from the client will result in a 403 (Forbidden) and
# the timer being reset (e.g. another 10 seconds). Since the timer is reset
# for every subsequent request, it is not necessary to have a long blocking
# period; in the event of a DoS attack, this timer will keep getting reset.
DOSBlockingPeriod 10

# DOSEmailNotify
# If this value is set, an email will be sent to the address specified
# whenever an IP address becomes blacklisted. A locking mechanism using /tmp
# prevents continuous emails from being sent.
# DOSEmailNotify you@yourdomain.com

# DOSSystemCommand
# If this value is set, the system command specified will be executed
# whenever an IP address becomes blacklisted. This is designed to enable
# system calls to ip filter or other tools. A locking mechanism using /tmp
# prevents continuous system calls. Use %s to denote the IP address of the
# blacklisted IP.
# DOSSystemCommand "echo -e \"`date --iso-8601=seconds`\t%s\" >> /var/log/apache2/evasive-blocked.log"

# DOSLogDir
# Choose an alternative temp directory.
# By default "/tmp" will be used for the locking mechanism, which opens some
# security issues if your system is open to shell users.
# In the event you have nonprivileged shell users, you'll want to create a
# directory writable only to the user Apache is running as (usually root),
# then set this in your httpd.conf.
# DOSLogDir "/var/spool/apache2/mod_evasive/"

# WHITELISTING IP ADDRESSES
# IP addresses of trusted clients can be whitelisted to ensure they are never
# denied. The purpose of whitelisting is to protect software, scripts, local
# searchbots, or other automated tools from being denied for requesting large
# amounts of data from the server. Whitelisting should *not* be used to add
# customer lists or anything of the sort, as this will open the server to abuse.
# This module is very difficult to trigger without performing some type of
# malicious attack, and for that reason it is more appropriate to allow the
# module to decide on its own whether or not an individual customer should be
# blocked.
# To whitelist an address (or range) add an entry to the Apache configuration
# in the following fashion:
DOSWhitelist 127.0.0.1
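
# Added example (not part of this configuration file and not mod_evasive's own
# code): a simplified Python model of the page/site thresholds, the blocking
# period with its timer reset, and the whitelist, as the comments above describe
# them. The class name, function names and sample traffic are assumptions made
# for illustration; the defaults are the values set in this file.

```python
class EvasiveModel:
    """Simplified model of the documented behaviour; not the module's algorithm."""

    def __init__(self, page_count=2, site_count=50, page_interval=1,
                 site_interval=1, blocking_period=10, whitelist=("127.0.0.1",)):
        self.page_count, self.site_count = page_count, site_count
        self.page_interval, self.site_interval = page_interval, site_interval
        self.blocking_period = blocking_period
        self.whitelist = set(whitelist)
        self.blocked = {}   # ip -> time of the last request seen while blocked
        self.hits = {}      # counter key -> (window_start, count)

    def _exceeded(self, key, now, interval, limit):
        start, count = self.hits.get(key, (now, 0))
        if now - start >= interval:      # interval elapsed: start a new window
            start, count = now, 0
        count += 1
        self.hits[key] = (start, count)
        return count > limit

    def request(self, ip, uri, now):
        """Return the HTTP status the client would see at time `now` (seconds)."""
        if ip in self.whitelist:         # DOSWhitelist: never counted, never denied
            return 200
        last = self.blocked.get(ip)
        if last is not None and now - last < self.blocking_period:
            self.blocked[ip] = now       # each request while blocked resets the timer
            return 403
        self.blocked.pop(ip, None)
        page = self._exceeded((ip, uri), now, self.page_interval, self.page_count)
        site = self._exceeded((ip, None), now, self.site_interval, self.site_count)
        if page or site:
            self.blocked[ip] = now
            return 403
        return 200

def replay(model, events):
    return [model.request(ip, uri, t) for t, ip, uri in events]

# Constructed traffic: (time in seconds, client IP, URI)
SAMPLE = [(0.0, "203.0.113.7", "/a"), (0.2, "203.0.113.7", "/a"),
          (0.4, "203.0.113.7", "/a"),   # third hit on /a within 1 s: blocked
          (5.0, "203.0.113.7", "/b"),   # still blocked; timer restarts at t=5
          (12.0, "203.0.113.7", "/b"),  # over 10 s since first block, 7 s since reset
          (23.0, "203.0.113.7", "/b")]  # 11 s of silence: block has expired

if __name__ == "__main__":
    print(replay(EvasiveModel(), SAMPLE))
```

# With DOSPageCount 2 and DOSPageInterval 1, three requests for one URI inside a
# second are enough to block a client, which is worth checking against pages
# that legitimately reload or poll the same URI.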