I think that it is a great piece of software for poor webmasters.
Install mod_evasive
$sudo -s
#apt-get install libapache2-mod-evasive
The mailer program is set to /bin/mail in the source. This has not changed in the Ubuntu sources. You can change the MAILER definition in the source and reinstall.
#grep MAILER mod_evasive20.c |grep define
#define MAILER "/bin/mail %s"
or just make /bin/mail a symbolic link to sendmail.
#ln -s `which sendmail` /bin/mail
Create the tmp locking directory
#mkdir /var/lock/mod_evasive
#chown www-data:www-data /var/lock/mod_evasive
Create my bad IP list directory
#mkdir /var/log/mod_evasive
#chown www-data:www-data /var/log/mod_evasive
Now, let's change the default mod_evasive settings by adding the following to httpd.conf.
#cat /etc/apache2/httpd.conf
<IfModule mod_evasive20.c>
#g0#
# Comments go on their own lines: Apache does not accept a comment after a directive on the same line.
# nodes/child --prime and can be only prime (values are tiered to the next prime), next 6151
DOSHashTableSize 3097
# requests --threshold of requests for the same URI / DOSPageInterval
DOSPageCount 2
# requests --threshold of requests for any object by the same client on the same listener / DOSSiteInterval
DOSSiteCount 50
# second
DOSPageInterval 1
# second
DOSSiteInterval 1
# seconds --default is 10; it does not need to be large, since during a DoS it is reset on every subsequent request
DOSBlockingPeriod 60
DOSEmailNotify root@localhost
DOSSystemCommand "echo '%s' >> /var/log/mod_evasive/ip;"
# lock dir
DOSLogDir "/var/lock/mod_evasive"
</IfModule>
Restart Apache
#/etc/init.d/apache2 restart
Cool, now each villain IP address gets 403s while it is DoSing, it is logged once in /var/log/mod_evasive/ip, and root gets one email from Apache with the title "HTTP BLACKLIST 192.0.2.123".
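An added example, not part of the original post and not mod_evasive's own code: a simplified single-process Python model of the thresholds configured above, showing why a 60-second DOSBlockingPeriod keeps a client on 403s for as long as it keeps sending requests, and why the notification fires once per IP. The class, function and sample names are hypothetical, timestamps are whole seconds, and the fixed-window counting is an assumption that may differ from the module at the boundary.

```python
from dataclasses import dataclass, field

@dataclass
class EvasiveModel:
    """Simplified model of one Apache child; defaults mirror the config above."""
    page_count: int = 2        # DOSPageCount
    site_count: int = 50       # DOSSiteCount
    page_interval: int = 1     # DOSPageInterval (seconds)
    site_interval: int = 1     # DOSSiteInterval (seconds)
    blocking_period: int = 60  # DOSBlockingPeriod (seconds)
    hits: dict = field(default_factory=dict)     # key -> (window_start, count)
    blocked: dict = field(default_factory=dict)  # ip -> time of last blocked hit
    notified: set = field(default_factory=set)   # stands in for lock files in DOSLogDir

    def _over(self, key, now, interval, limit):
        """Count one hit for key; True when the count exceeds limit in the window."""
        start, count = self.hits.get(key, (now, 0))
        if now - start >= interval:   # window expired: start a new one
            start, count = now, 0
        count += 1
        self.hits[key] = (start, count)
        return count > limit

    def request(self, ip, uri, now):
        """Return (status, notify) for one request at whole second `now`."""
        last = self.blocked.get(ip)
        if last is not None and now - last < self.blocking_period:
            self.blocked[ip] = now    # each hit while blocked restarts the period
            return 403, False
        page = self._over((ip, uri), now, self.page_interval, self.page_count)
        site = self._over((ip, None), now, self.site_interval, self.site_count)
        if not (page or site):
            return 200, False
        self.blocked[ip] = now
        notify = ip not in self.notified  # email / DOSSystemCommand only once per IP
        self.notified.add(ip)
        return 403, notify

def replay(model, events):
    """Feed (time, ip, uri) tuples through the model and collect the results."""
    return [model.request(ip, uri, t) for t, ip, uri in events]

# Constructed sample traffic: a burst on one URI, then retries while blocked.
IP = "192.0.2.123"
SAMPLE = [(0, IP, "/"), (0, IP, "/"), (0, IP, "/"),
          (30, IP, "/"), (80, IP, "/"), (141, IP, "/")]

if __name__ == "__main__":
    for event, result in zip(SAMPLE, replay(EvasiveModel(), SAMPLE)):
        print(event, "->", result)
```

The request at second 80 is still refused although the first block happened 80 seconds earlier, because the retry at second 30 restarted the period.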
mod evasive setup on debian or ubuntu