How to use Apache's evasive module to rate limit requests

A guide to rate-limiting access to a website.

mod_evasive is an Apache module that limits access by rate‑limiting requests per IP and blocking clients that exceed configured thresholds, mainly to mitigate DoS/DDoS and brute‑force attacks. Below is a practical setup you can adapt for your site.

1. Install and enable mod_evasive

On Debian/Ubuntu:

sudo apt install libapache2-mod-evasive
sudo a2enmod evasive
sudo systemctl reload apache2

On RHEL/CentOS (older versions):

sudo yum install mod_evasive
# Then enable it in Apache (e.g., add LoadModule line or via conf.d).
sudo systemctl reload httpd

2. Basic configuration (global)

Edit the module config (common paths):

  • Debian/Ubuntu: /etc/apache2/mods-available/evasive.conf
  • RHEL/CentOS: /etc/httpd/conf.d/mod_evasive.conf

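Example minimal config. The name in <IfModule> must match the module your package installs (the stock Debian/Ubuntu file uses mod_evasive20.c); if it does not match, Apache silently skips every directive in the block: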

<IfModule mod_evasive24.c>
    DOSHashTableSize    3097
    DOSPageCount        4
    DOSPageInterval     2
    DOSSiteCount        100
    DOSSiteInterval     2
    DOSBlockingPeriod   10
    DOSLogDir           /var/log/apache2/mod_evasive
</IfModule>

Meaning:

  • DOSPageCount 4 → no more than 4 requests to the same URI per DOSPageInterval seconds from one IP.
  • DOSSiteCount 100 → no more than 100 requests to any resource on the site per DOSSiteInterval seconds from one IP.
  • DOSBlockingPeriod 10 → block offending IPs for 10 seconds; further requests during the block extend the timer.
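
The counting behaviour described above, as an added example (not code from mod_evasive or from this guide): a simplified Python model that replays constructed request timestamps against the thresholds from the minimal config. The class, function and SAMPLE names are hypothetical, and the model follows the description above rather than the module's internal bookkeeping.

```python
from dataclasses import dataclass, field

@dataclass
class EvasiveModel:
    """Simplified model of the limits described above; not mod_evasive's source."""
    page_count: int = 4           # DOSPageCount
    page_interval: float = 2      # DOSPageInterval (seconds)
    site_count: int = 100         # DOSSiteCount
    site_interval: float = 2      # DOSSiteInterval (seconds)
    blocking_period: float = 10   # DOSBlockingPeriod (seconds)
    windows: dict = field(default_factory=dict)  # key -> (window start, hits)
    blocked: dict = field(default_factory=dict)  # ip -> time of last refused request

    def _over(self, key, now, limit, interval):
        """Count one hit for key and report whether its window is over limit."""
        start, hits = self.windows.get(key, (now, 0))
        if now - start >= interval:          # window expired: start a new one
            start, hits = now, 0
        self.windows[key] = (start, hits + 1)
        return hits + 1 > limit

    def request(self, ip, uri, now):
        """Return the HTTP status the model gives a request arriving at `now`."""
        last = self.blocked.get(ip)
        if last is not None and now - last < self.blocking_period:
            self.blocked[ip] = now           # retrying while blocked extends the block
            return 403
        # Evaluate both counters on every request (no short-circuit).
        over_page = self._over((ip, uri), now, self.page_count, self.page_interval)
        over_site = self._over((ip, None), now, self.site_count, self.site_interval)
        if over_page or over_site:
            self.blocked[ip] = now
            return 403
        return 200

def replay(model, requests):
    """Feed (ip, uri, seconds) tuples through the model; return the statuses."""
    return [model.request(ip, uri, t) for ip, uri, t in requests]

# Constructed traffic: one client sends six rapid requests to /login,
# then retries at 8 s and 12 s while blocked, and again at 23 s.
SAMPLE = [("203.0.113.7", "/login", i / 10) for i in range(6)] + [
    ("203.0.113.7", "/login", t) for t in (8, 12, 23)]

if __name__ == "__main__":
    print(replay(EvasiveModel(), SAMPLE))
```

The retries at 8 s and 12 s are refused even though the original 10-second block would have ended by 12 s, because each refused request restarts the timer; only the request at 23 s, after more than 10 quiet seconds, gets through.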

3. Whitelist trusted IPs

To avoid blocking your own network, monitoring tools, or load balancer:

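# Entries are matched as addresses with * wildcards in up to the last three octets, not as CIDR ranges.
DOSWhiteList 192.168.1.*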
DOSWhiteList 10.0.0.1

Place these inside the <IfModule mod_evasive24.c> block.

4. Optional: notifications and firewall integration

You can tell mod_evasive to run a command or send mail when an IP is blocked:

DOSEmailNotify   admin@example.com
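DOSSystemCommand "/sbin/iptables -I INPUT -s %s -j DROP"

  • %s is replaced with the offending IP.
  • Adjust the command to your firewall (e.g., ufw, firewalld, etc.).
  • The command runs as the Apache user, which normally cannot change firewall rules, so it needs a narrowly scoped sudo rule or wrapper to take effect. The DROP rule it inserts stays in place until something removes it.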

5. Apply only to a specific virtual host (optional)

If you want limits only for one site, put the directives inside that <VirtualHost>:

<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/example

    <IfModule mod_evasive24.c>
        DOSPageCount        5
        DOSSiteCount        80
        DOSBlockingPeriod   60
    </IfModule>
</VirtualHost>

This lets you be stricter on one site while leaving others less restricted.

6. Testing and tuning

  • Use a simple script or ab/wrk from a non‑whitelisted IP to trigger a few rapid requests; you should get 403 Forbidden once the limits are exceeded.
  • Monitor /var/log/apache2/mod_evasive (or your configured DOSLogDir) to see blocked IPs.

If legitimate users get blocked, increase DOSPageCount, DOSSiteCount, or DOSBlockingPeriod gradually.