mod_evasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and etcetera. mod_evasive presently reports abuses via email and syslog facilities.

Detection is performed by creating an internal dynamic hash table of IP Addresses and URIs, and denying any single IP address from any of the following:

Requesting the same page more than a few times per second
Making more than 50 concurrent requests on the same child per second
Making any requests while temporarily blacklisted (on a blocking list)

This method has worked well in both single-server script attacks as well as distributed attacks, but just like other evasive tools, is only as useful to the point of bandwidth and processor consumption (e.g. the amount of bandwidth and processor required to receive/process/respond to invalid requests), which is why it’s a good idea to integrate this with your firewalls and routers for maximum protection.

How to install mod_evasive on cpanel server?

# cd /usr/local/src/
# wget http://www.zdziarski.com/blog/wp-content/uploads/2010/02/mod_evasive_1.10.1.tar.gz
# tar -xvzf mod_evasive_1.10.1.tar.gz
# cd mod_evasive/
# /usr/local/apache/bin/apxs -cia mod_evasive20.c

After install the following details display

chmod 755 /usr/local/apache/modules/mod_evasive20.so
[activating module `evasive20' in /usr/local/apache/conf/httpd.conf]

open your httpd.conf file and update mod_evasive20.so

vi /usr/local/apache/conf/httpd.conf

LoadModule evasive20_module   modules/mod_evasive20.so

<IfModule mod_evasive20.c>
DOSHashTableSize    3097
DOSPageCount        2
DOSSiteCount        50
DOSPageInterval     1
DOSSiteInterval     1
DOSBlockingPeriod   10
</IfModule>

restart your apache configuration now.

/etc/init.d/httpd restart