My system works! :)

Requeriments:

• sudo
• at
• OPTIONAL: heirloom-mailx (in my case)

NOTE: You can use other mail agent and modify the script.

Now my configs:

mod_evasive (/etc/apache2/mods-enabled/mod-evasive.conf)

<IfModule mod_evasive20.c>
 DOSHashTableSize    3097
 DOSPageCount        10
 DOSSiteCount        150
 DOSPageInterval     2
 DOSSiteInterval     2
 DOSBlockingPeriod   10
 DOSSystemCommand "sudo /usr/local/bin/ddos_system.sh %s"
 DOSLogDir           "/tmp"
</IfModule>

sudoers

www-data ALL=NOPASSWD: /sbin/iptables *, /usr/bin/at *

ddos_system.sh (copy to /usr/local/bin)

#!/bin/bash
#set -x
[ -z $1 ] && (echo "Usage: $0 <sourceip>"; exit 1)
[ -x /usr/bin/at ] || (echo "Please, install 'at'"; exit 1)

#############
## OPTIONS
#

SOURCEIP="$1"
HOSTNAME=$(/bin/hostname -f)
BODYMAIL="/tmp/bodymailddos"
MODEVASIVE_DOSLogDir="/tmp"

FROM="Anti DDOS System <[email protected]>"

# Multiple accounts separated by commas
TO="[email protected] [email protected]"

# Time-units can be minutes, hours, days, or weeks
BANNEDTIME="1 minute"

#
##
############

# Custom mail message
{
echo "Massive connections has been detected from this source IP: $SOURCEIP

The system has blocked the IP in the firewall for $BANNEDTIME. If the problem persist you should block that IP permanently.

- Anti DDOS System -"
} > $BODYMAIL

/sbin/iptables -I INPUT -s $SOURCEIP -j DROP
echo "/sbin/iptables -D INPUT -s $SOURCEIP -j DROP" | at now + $BANNEDTIME
cat $BODYMAIL | /usr/bin/mail -r "$FROM" -s "DDOS Attack Detected - $HOSTNAME" $TO
rm -f "$MODEVASIVE_DOSLogDir/dos-$SOURCEIP"

MINI FAQ

Q: What about the last line? (rm -f ...)

A: When mod_evasive detect some attacks It create file (lock file) in "DOSLogDir" with the name "dos-[sourceip]" (ex. dos-8.8.8.8) and execute the "DOSSystemCommand" once until that file disappear. So when you execute "iptables" you should remove the lock file for the next check.

Tested in Debian 7.

Good luck, regards.

I tried the approach from Beast response (thanks!!) and had to change this fragment to make it work:

/sbin/iptables -I INPUT -s $SOURCEIP -j DROP
echo "/sbin/iptables -D INPUT -s $SOURCEIP -j DROP" | at now + $BANNEDTIME

Basically I had to add sudo to the commands /sbin/iptables and at inside the script:

sudo /sbin/iptables -I INPUT -s $SOURCEIP -j DROP
echo "sudo /sbin/iptables -D INPUT -s $SOURCEIP -j DROP" | sudo at now + $BANNEDTIME

It took me a while to notice this so I hope posting here can help others trying this solution.

I managed to use the above answer by Beast to get it to work, but some tweaks were needed.

The sudoers file (/etc/sudoers) should have this line added, otherwise the script was not running:

www-data ALL=NOPASSWD: /usr/local/bin/ddos_system.sh *

These commands are needed as well to give proper permissions and safeguard the script.

mkdir /var/log/mod_evasive
chown www-data /var/log/mod_evasive

chown root /usr/local/bin/ddos_system.sh 
chmod 700 /usr/local/bin/ddos_system.sh

and I did not have to modify the script to add any sudo command.

I used

DOSLogDir           "/var/log/mod_evasive"

And also updated the script to use this path.

I was working on a project recently when I came upon this question about mod_evasive. While the most voted answer was the one I needed which partially solved my problem, I wouldn't recommend it to anybody as it has a serious security loophole. While it is not recommended to allow www-data user to run sudo, no user should be allowed to run the at command with sudo privileges with NOPASSWD! The at command can be used to escalate privileges to root with just a simple command if it is allowed to run with sudo without password. For e.g, take a look at this image:- privilege escalation with at command

┌──(root?Phoenix)-[~/Documents]
└─# su - www-data --shell=/bin/bash
www-data@Phoenix:~$ 
www-data@Phoenix:~$ sudo -l
Matching Defaults entries for www-data on localhost:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on localhost:
    (root) NOPASSWD: /sbin/iptables *, /usr/bin/at *
www-data@Phoenix:~$ 
www-data@Phoenix:~$ echo "/bin/sh <$(tty) >$(tty) 2>$(tty)" | sudo at now; tail -f /dev/null
warning: commands will be executed using /bin/sh
job 2 at Fri Feb 25 20:16:00 2022
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
# 
# whoami
root
# 

Yes, its as simple and dangerous as that! So, how to solve the problem without using the at command? This is how I did it.

/etc/sudoers

www-data ALL=NOPASSWD: /sbin/iptables *

anti-ddos.sh

#!/bin/bash


IP=$1

sudo /sbin/iptables -t nat -I PREROUTING -p tcp -s $IP --dport 443 -j DNAT --to-destination 127.0.0.1:8080

sleep 60

sudo /sbin/iptables -t nat -D PREROUTING -p tcp -s $IP --dport 443 -j DNAT --to-destination 127.0.0.1:8080

rm -f "/var/log/mod_evasive/dos-$IP"

Here, I used the sleep command to delete the iptables IP block rule after 60 seconds which has the same effect as running at now + 1 minute. For sake of brevity I'm not giving all my configs. You can refer other answers as they have made a pretty good explanation of it. Stay secure, stay safe.

Note:- I don't have enough privileges to post images. Also, I don't like posting online like this but I couldn't withstand the serious security issue here and so, I created an account. :)