Mod evasive adjustment - per site?

I am trying to find a good baseline for mod_evasive settings.
I host 4-5 different high-traffic sites (e-commerce); some have 5000 visitors daily with MANY page requests per visitor, while others have 20000 visitors but few requests per page. Some are dynamic requests and some are static requests. A mix.

Now my problem is that even though I have set the mod_evasive settings like this:

hash-table-size: 6151
page-count: 30
site-count: 300
page-interval: 2
site-interval: 2
blocking-period: 10
http-status: 429
canonicalize: 'on'
enabled: true

… I still see legit IP addresses getting banned. Actually all 100% legit IPs… No abusers for now.

So my questions:

  1. What overall can I do better, without defeating the purpose of evasive?
  2. Can one set evasive settings per account?
  3. Is there any method to use GEOIP to NOT ban if the IP is from XX country? We are a small country and I would rather exclude it, or even better set much higher values if the country matches, than disable it or set too-high values in general.

Thanks in advance.

Before tweaking mod_evasive thresholds, ensure that static assets are being cached properly. For example, add this to the .htaccess in your document root to set a 10-day cache on all static assets ending in .gif, .jpg, .png, .js, .css, .woff2, .eot, and .svg:

<FilesMatch "\.(gif|jpg|png|js|css|woff2|eot|svg)$">
    ExpiresActive On
    ExpiresDefault A8640000
    Header unset Set-Cookie
    Header unset Last-Modified
</FilesMatch>

If a site is rich in static resources or a typical disjoint WordPress hodgepodge of plugins, this’ll cut down on requests significantly. Use DevTools to verify the requests are properly cached (from memory cache).

Once that’s addressed, these can be overridden on a per-site basis by creating a file named custom in /etc/httpd/conf/siteXX.

# Raise the number of same-site URI requests to 350 within a 5s period
<IfModule evasive_module>
DOSSiteCount 350
DOSSiteInterval 5
</IfModule>

Then run htrebuild.

Is there any method to use GEOIP to NOT ban if the IP is from XX country

It’s an all-or-nothing compromise to whitelist access to all services. Here’s an example to blacklist specific countries. To make it a whitelist, replace rampart:blacklist with rampart:whitelist.

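To pick per-site thresholds from data rather than guesswork, the following added example (not part of the original thread, and not code from mod_evasive or the hosting panel) measures each client's peak per-URI and per-site request counts from an access log. It assumes Apache common/combined log format with lines in time order, and the sliding-window count is an approximation of how the module counts hits; the function names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache common/combined log prefix: client IP, [timestamp], "METHOD URI ..."
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)')

def peak_rates(lines, page_interval=2, site_interval=2):
    """Return {ip: (peak_page, peak_site)}: the most requests one IP sent to a
    single URI / to the whole site inside any window of that many seconds."""
    page_win = defaultdict(deque)        # (ip, uri) -> hit times still in window
    site_win = defaultdict(deque)        # ip -> hit times still in window
    peaks = defaultdict(lambda: [0, 0])
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                     # not in the expected log format
        ip, stamp, uri = m.groups()
        t = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").timestamp()
        for idx, win, span in ((0, page_win[(ip, uri)], page_interval),
                               (1, site_win[ip], site_interval)):
            win.append(t)
            while t - win[0] >= span:    # expire hits older than the window
                win.popleft()
            peaks[ip][idx] = max(peaks[ip][idx], len(win))
    return {ip: tuple(p) for ip, p in peaks.items()}

def would_trip(peaks, page_count, site_count):
    """IPs whose observed peak exceeds either threshold (approximation)."""
    return sorted(ip for ip, (p, s) in peaks.items()
                  if p > page_count or s > site_count)

def sample_log():
    # Constructed lines using documentation IP ranges, not real traffic.
    fmt = '{ip} - - [10/Mar/2024:12:00:{s:02d} +0000] "GET {uri} HTTP/1.1" 200 512'
    rows = [fmt.format(ip="192.0.2.10", s=i // 20, uri=f"/static/a{i}.js")
            for i in range(40)]          # one page view pulling 40 assets
    rows += [fmt.format(ip="198.51.100.7", s=5 + i, uri="/cart")
             for i in range(4)]          # one request per second
    return rows

if __name__ == "__main__":
    peaks = peak_rates(sample_log())
    for ip, (page, site) in sorted(peaks.items()):
        print(f"{ip}: peak per-URI={page}, peak per-site={site}")
    print("over 30/30:", would_trip(peaks, 30, 30))
```

Run it against a day of each site's real access log with the intervals you intend to configure, then set the page and site counts above the highest peaks seen from clients you know to be legitimate.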

This is called expert support. Appreciate your help!
Will test them out and update 🙂