I think that it is a great piece of software for poor webmasters.
Install mod_evasive
$sudo -s #apt-get install libapache2-mod-evasive
The mailer program is set to /bin/mail in source. This has not changed in the ubuntu sources. You can change the MAILER definition in the source and reinstall.
#grep MAILER mod_evasive20.c |grep define #define MAILER "/bin/mail %s"
or just make /bin/mail a symbolic link to sendmail.
#ln -s `which sendmail` /bin/mail
Create the tmp locking directory
#mkdir /var/lock/mod_evasive #chown www-data:www-data /var/lock/mod_evasive
Create my bad ip list directory
#mkdir /var/log/mod_evasive #chown www-data:www-data /var/log/mod_evasive
Now, let's change the default mod_evasive settings by adding the following at httpd.conf.
#cat /etc/apache2/httpd.conf
<IfModule mod_evasive20.c>
#g0#
DOSHashTableSize 3097
#nodes/child --prime and can be only prime (values are tiered to the next prime), next 6151
DOSPageCount 2
#requests --threshold of requests for the same URI / DOSpageInterval
DOSSiteCount 50
#requests --threshold of requests for any object by the same client on the same listener / DOSSiteInterval
DOSPageInterval 1
#second
DOSSiteInterval 1
#second
DOSBlockingPeriod 60
#seconds --default is 10, it does not need to be large since in case of DoS is getting reset on every subsequent request.
DOSEmailNotify root@localhost
DOSSystemCommand "echo '%s' >> /var/log/mod_evasive/ip;"
DOSLogDir "/var/lock/mod_evasive"
#lock dir
</IfModule>
restart apache
#/etc/init.d/apache2 restart
Cool, now each villain IP address gets 403s while is DoSing and it is logged once in /var/log/mod_evasive/ip and root gets one email from apache with the title "HTTP BLACKLIST 192.0.2.123"
mod evasive setup on debian or ubuntu
