Identifying and fixing mod_evasive "client denied by server configuration" errors

I recently migrated a Drupal 6 site to Drupal 7 using the migrate and migrate_d2d modules. While testing the new site on my client’s server, every now and again AJAX requests were failing, and page resources like images were not loading. The Apache error log showed a number of “client denied by server configuration” errors.

[Image: Apache mod_evasive “client denied by server configuration” errors]

I was also getting “Network error: 403 Forbidden” for AJAX requests when viewing Firebug’s Network pane.

The first hits in Google pointed to having the correct access control directives set up in the virtual host configurations. But I checked, and my virtual host entry was correct for the webroot of this site. I also thought it could be that Varnish was not configured correctly, but disabling Varnish did not stop the errors. I then came across mention of Apache’s mod_evasive module.

What is Mod_Evasive?

Mod_Evasive is an open source evasive maneuvers system for Apache server to provide evasive action in the event of an HTTP brute force, DoS or DDoS attack (https://client.connectindo.com/knowledgebase.php?action=displayarticle&id=2).

In essence, mod_evasive automatically blocks requests from an IP address if that IP address is making an abnormally high number of requests over a fixed time period. That IP address is blocked for a predefined amount of time.

These blocked IP addresses should be logged, which will let you know that mod_evasive blocking is in effect. It can also be configured to send email notifications.

Unfortunately, the person who set up the logging on this server hadn’t set it up correctly and it was not logging the blocking. Also, a bug in Ubuntu prevented mod_evasive from sending off the notification emails, so I had no idea that this was the source of the issue.

After fixing the logging, I immediately started seeing IP addresses appear in the logging folder.

[Image: mod_evasive log]

The mod_evasive module allows you to configure the criteria it uses for blocking:

DOSPageCount: This is the threshold for the number of requests for the same page (or URI) per page interval. Once the threshold for that interval has been exceeded, the IP address of the client will be added to the blocking list.

DOSSiteCount: This is the threshold for the total number of requests for any object by the same client on the same listener per site interval. Once the threshold for that interval has been exceeded, the IP address of the client will be added to the blocking list.

DOSPageInterval: The interval for the page count threshold; defaults to 1 second intervals.

DOSSiteInterval: The interval for the site count threshold; defaults to 1 second intervals.

DOSBlockingPeriod: The blocking period is the amount of time (in seconds) that a client will be blocked for if they are added to the blocking list. During this time, all subsequent requests from the client will result in a 403 (Forbidden) and the timer being reset (e.g. another 10 seconds). Since the timer is reset for every subsequent request, it is not necessary to have a long blocking period; in the event of a DoS attack, this timer will keep getting reset.

In my case, the configuration file was found at /etc/apache2/conf.d/mod-evasive.

The default settings looked like this:

<ifmodule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
DOSLogDir /var/log/mod_evasive
#DOSWhitelist 127.0.0.1
</ifmodule>

I adjusted the above settings so that it wasn’t so aggressive, restarted Apache (sudo service apache2 restart) and my problem was solved. Note that you can also add in a list of whitelisted IP addresses which will never be blocked.

My new settings look like this:

<ifmodule mod_evasive20.c>
 DOSHashTableSize 3097
 DOSPageCount 20
 DOSSiteCount 100
 DOSPageInterval 1
 DOSSiteInterval 1
 DOSBlockingPeriod 10
 DOSLogDir /var/log/mod_evasive
 #DOSWhitelist 127.0.0.1
</ifmodule>
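
To compare how the default and adjusted thresholds above treat the same traffic, this added example (not part of the original post, and not mod_evasive's own code) replays constructed access-log lines against DOSPageCount and DOSSiteCount. It assumes Apache common log format and approximates mod_evasive's counting with fixed per-client windows; the function names and sample IPs are illustrative.

```python
import re
from collections import Counter
from datetime import datetime

# client IP, timestamp and request URI from an Apache common-log-format line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)')

def build_sample_log():
    """Constructed access-log lines (documentation IPs), not real traffic."""
    fmt = '{ip} - - [10/Oct/2015:13:55:{sec:02d} +0000] "GET {uri} HTTP/1.1" 200 512'
    lines = []
    # One browser loading a page: 3 AJAX calls to one URI plus 12 images, same second.
    lines += [fmt.format(ip="198.51.100.7", sec=36, uri="/system/ajax")] * 3
    lines += [fmt.format(ip="198.51.100.7", sec=36, uri=f"/files/img{i}.png") for i in range(12)]
    # One client requesting the same URI 30 times in one second.
    lines += [fmt.format(ip="203.0.113.9", sec=40, uri="/node/1")] * 30
    return lines

def would_block(lines, page_count, site_count, page_interval=1, site_interval=1):
    """Return {ip: reasons} for clients whose per-window counts exceed a threshold."""
    page_hits, site_hits = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        ip, stamp, uri = m.groups()
        t = int(datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").timestamp())
        # Assumption: fixed windows of <interval> seconds per client.
        page_hits[(ip, uri, t // page_interval)] += 1
        site_hits[(ip, t // site_interval)] += 1
    blocked = {}
    for (ip, uri, _), n in page_hits.items():
        if n > page_count:
            blocked.setdefault(ip, set()).add(f"DOSPageCount on {uri}")
    for (ip, _), n in site_hits.items():
        if n > site_count:
            blocked.setdefault(ip, set()).add("DOSSiteCount")
    return blocked

if __name__ == "__main__":
    log = build_sample_log()
    for label, pc, sc in (("default", 2, 50), ("adjusted", 20, 100)):
        print(label, would_block(log, page_count=pc, site_count=sc))
```

Running the same function over a real access log before changing the thresholds shows which legitimate clients the current values would catch.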

For more information on the configuration, see:
https://www.linode.com/docs/websites/apache-tips-and-tricks/modevasive-on-apache

For a simple tutorial on setting up mod_evasive and logging of it see https://www.thefanclub.co.za/how-to/how-install-apache2-modsecurity-and-modevasive-ubuntu-1204-lts-server (step 5 is the mod_evasive stuff).