Mod_evasive does work relatively well for small to medium-sized brute force or HTTP-level DoS attacks. There is, however, an important limitation that mod_evasive has that you should be aware of. The mod_evasive module is not as good as it could be because it does not use shared memory in Apache to keep information about previous requests persistent. Instead, the information is kept with each child process or thread. Other Apache children that are then spawned know nothing about abuse against one of them. When a child serves the maximum number of requests and dies, the DoS information goes with it. So, what does this mean? This means that if an attacker sends their HTTP DoS requests and they do not use HTTP Keep-Alives, then Apache will spawn a new child process for every request and it will never trigger the mod_evasive thresholds. This is not good…
It is for this reason that Ivan Ristic (ModSecurity creator) created the script called httpd-guardian. It essentially monitors the Apache access_log data through piped logging and therefore can see requests across all child processes. Here is a good article that Ivan wrote on the subject for O'Reilly OnLamp - http://www.onlamp.com/pub/a/apache/2005/12/01/modsecurity.html?page=last. For more information, check out Ivan's site at - http://www.apachesecurity.net
--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache
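The following is an added illustration of the two points in the post above: it is not Ryan's code and not httpd-guardian itself. It models a piped-logging monitor that reads access_log lines and counts requests per client IP in a sliding window, and then contrasts that with the per-child view mod_evasive has when every request lands in a different child. The `CustomLog` pipe path, the window and threshold values, and the log lines are all constructed for this example.

```python
#!/usr/bin/env python3
"""Request-rate monitor fed by Apache piped logging (illustrative example).

Every Apache child writes to the same access_log pipe, so a monitor reading
that pipe sees requests across all children, which is the property the post
says mod_evasive's per-child tables lack.  Assumed (hypothetical) directive:

    CustomLog "|/usr/local/bin/rate_monitor.py" combined
"""
import re
import sys
from collections import defaultdict, deque
from datetime import datetime

# Leading fields shared by the Apache common and combined log formats.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def parse_timestamp(raw):
    """Parse Apache's default %t format, e.g. 10/Oct/2000:13:55:36 -0700."""
    return datetime.strptime(raw, "%d/%b/%Y:%H:%M:%S %z")


class RequestRateMonitor:
    """Sliding-window request counter keyed by client IP."""

    def __init__(self, window_seconds=10, threshold=10):
        self.window = window_seconds
        self.threshold = threshold
        self.history = defaultdict(deque)  # ip -> timestamps inside the window
        self.flagged = {}                  # ip -> peak count seen over threshold

    def observe(self, line):
        """Record one access_log line; return the IP if it is over threshold."""
        m = LOG_RE.match(line)
        if not m:
            return None                    # ignore lines that are not access_log entries
        ip, ts = m["ip"], parse_timestamp(m["ts"])
        q = self.history[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > self.window:
            q.popleft()                    # drop requests that fell out of the window
        if len(q) > self.threshold:
            self.flagged[ip] = max(self.flagged.get(ip, 0), len(q))
            return ip
        return None


def scan(lines, window_seconds=10, threshold=10):
    """Feed every line through ONE monitor: the piped-logging view."""
    mon = RequestRateMonitor(window_seconds, threshold)
    for line in lines:
        mon.observe(line)
    return mon.flagged


def scan_per_child(lines, n_children, window_seconds=10, threshold=10):
    """Model mod_evasive's per-child state: each child only sees the requests
    it served.  Round-robin assignment stands in for a client that opens a new
    connection (no Keep-Alive) for every request."""
    children = [RequestRateMonitor(window_seconds, threshold) for _ in range(n_children)]
    for i, line in enumerate(lines):
        children[i % n_children].observe(line)
    merged = {}
    for child in children:
        merged.update(child.flagged)
    return merged


# Constructed sample: 12 requests in 12 seconds from one client, 3 from another.
SAMPLE_LINES = [
    f'203.0.113.5 - - [10/Oct/2000:13:55:{s:02d} -0700] "GET /login HTTP/1.0" 200 512'
    for s in range(12)
] + [
    f'198.51.100.7 - - [10/Oct/2000:13:55:{s:02d} -0700] "GET / HTTP/1.0" 200 2326'
    for s in (1, 5, 9)
]


if __name__ == "__main__":
    # Piped-logging mode: Apache writes access_log lines to our stdin.
    mon = RequestRateMonitor()
    for line in sys.stdin:
        ip = mon.observe(line.rstrip("\n"))
        if ip:
            print(f"ALERT {ip} exceeded {mon.threshold} requests in {mon.window}s",
                  file=sys.stderr)
```

With the sample above, `scan(SAMPLE_LINES)` flags 203.0.113.5 (11 requests inside the 10-second window) because the single monitor sees every line, while `scan_per_child(SAMPLE_LINES, 4)` flags nothing: split across four children, no child ever sees more than three requests from that client, which is exactly the blind spot the post describes. Run it for real by pointing a `CustomLog` pipe at the script; alerts go to stderr so they land in Apache's error log rather than back into the access log.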