It is not possible to secure web servers from DoS attacks entirely. However, we can limit DoS and DDoS attacks on Apache.
As part of our Server Management Services, we assist our customers with several Apache queries.
Today, let us see the methods we can use to secure Web Servers from DoS attacks.
Securing Web Servers from DoS attacks
A DoS attack is an attempt to make a machine or network resource unavailable to its end users.
In short, it is a temporary or indefinite interruption of the services of a host connected to the internet, caused by attacking the network.
Moving ahead, let us see a few methods our Support Techs employ in order to prevent them.
A. Update the Apache Version
First things first, we must ensure that Apache is updated to its latest version.
This prevents attacks that rely on known exploits and succeed only because the server is outdated.
B. Optimize the Apache
Then we need to optimize the default Apache configuration.
- Lower The Apache Timeout :
The "Timeout" directive value must be lower than the default value "300", either on the whole server or on the websites subjected to the DoS attack.
Since Timeout is used for different operations, setting it to a low value can introduce problems with long-running CGI scripts. So we should be careful when setting the Timeout value.
- Lower The Apache KeepAliveTimeout :
This directive should also be set low, either on the sites that are subject to the DoS attack or on the whole server.
Some sites go further and turn keepalives off completely via the KeepAlive directive. This has its own drawbacks for performance.
- Limit the Apache MaxClients:
If our server runs with low RAM and the attackers consume most of it, we can limit MaxClients to a value lower than the predefined value of 256.
- Limit RequestReadTimeout :
This directive allows us to limit the time a client may take to send the request.
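The four directives from this section in one place, as an added example that is not from the original article. Every numeric value, the host name www.example.com and the document root are illustrative assumptions to be tuned per server.

```apache
# Added example: all numeric values, the host name and paths are assumptions.

# --- Server-wide settings (main server configuration) ---
# Lower than the 300-second default quoted above, but kept moderate because
# Timeout also applies to long-running CGI scripts.
Timeout 60

# Leave keepalives on for performance, but release idle connections quickly.
KeepAlive On
KeepAliveTimeout 3

# Cap concurrent workers so a flood cannot exhaust RAM (predefined value: 256).
# Apache 2.4 calls this directive MaxRequestWorkers and still accepts MaxClients.
<IfModule mpm_prefork_module>
    MaxClients 150
</IfModule>

# Limit how long a client may take to send its request.
# header: at least 10s, plus 1s per 500 bytes received, never more than 20s.
# body:   at least 10s, plus 1s per 500 bytes received.
<IfModule reqtimeout_module>
    RequestReadTimeout header=10-20,MinRate=500 body=10,MinRate=500
</IfModule>

# --- Tighter limits only for the site under attack ---
# Timeout, KeepAliveTimeout and RequestReadTimeout can be set per virtual
# host; MaxClients is server-wide only.
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot "/var/www/example"

    Timeout 20
    KeepAliveTimeout 1

    <IfModule reqtimeout_module>
        RequestReadTimeout header=5-10,MinRate=500 body=5,MinRate=500
    </IfModule>
</VirtualHost>
```

Run `apachectl configtest` to check the syntax before reloading Apache.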
C. Install a Firewall
We can install a firewall to limit the connections from an IP. By doing so, if a connection exceeds the predefined value, the firewall will automatically block that IP permanently or temporarily for a period of time.
The most common firewalls on Linux servers are CSF and LFD. We can enable CT_LIMIT and set its value to the desired number to avoid DoS attacks.
D. Install Third-party modules
There are a number of third-party modules which can restrict DoS attacks.
- mod_dosevasive :
A module for Apache to perform evasive action in the event of an HTTP DDoS attack or brute force attack.
It is a web application firewall (WAF). It acts as a filter and analyzes HTTP requests before the webserver handles them.
In addition, it provides protection from a range of attacks and allows for HTTP traffic monitoring and real-time analysis.
To conclude, it is impossible to prevent DoS and DDoS attacks entirely. But we can limit them to a certain extent by implementing the security measures mentioned here.