NoMachine Support

ID: AR02R01077
Applies to: NoMachine Server
Added on: 2020-02-20
Last update: 2020-03-06
How to configure your own Apache web server to use mod_evasive

"mod_evasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection tool, and can be easily configured to talk to ipchains, firewalls, routers, and etcetera." Ref. https://github.com/jzdziarski/mod_evasive

 

Pre-requisite:

An official version of Apache web server is installed and configured to run NoMachine sessions on the web, see https://www.nomachine.com/DT03O00128

 

How to install mod_evasive

To install and enable the module on your Operating System, we strongly recommend following the instructions shipped with the mod_evasive package you are going to adopt.

Examples below have been tested on Ubuntu 19.10/Apache 2.4.41, Ubuntu 18.04/Apache 2.4.29 and Windows 10/Apache 2.4.41.

The configuration needed to make mod_evasive work with NoMachine web sessions applies to all Operating Systems.
 

Step 1 - Install and enable mod_evasive

On Linux

Retrieve mod_evasive from your distribution's repository and install it. Once the installation is complete, the module should already be enabled.

For example, on Ubuntu 19.10 execute in a terminal:
sudo apt install libapache2-mod-evasive

or on CentOS 7/RHEL 7 (the package comes from the EPEL repository):
sudo yum install mod_evasive

 

On Windows

Download the evasive_module from Apache Lounge (https://www.apachelounge.com/download/), which provides third-party Windows builds of Apache and its modules, and follow the instructions detailed in the ReadMe file, e.g.:

- Copy mod_evasive.so to your modules folder

- Add to your httpd.conf:

LoadModule evasive_module modules/mod_evasive.so

 

Step 2 - Verify that mod_evasive is enabled

On Ubuntu/Debian, execute in a terminal:
apache2ctl -M | grep evasive

on CentOS/RHEL:
httpd -M | grep evasive

and on Windows, from the Apache bin directory:
httpd -M | findstr evasive

which should return for example:
evasive20_module (shared)

(on Windows the name shown matches the LoadModule line added in Step 1).

If the module is not enabled on Ubuntu/Debian, use the 'a2enmod' command to load it and then restart Apache with 'sudo systemctl restart apache2'. The module is named 'evasive', after /etc/apache2/mods-available/evasive.load; 'mod_evasive20' is the name of the shared object, not of the module, and a2enmod would not find it:
sudo a2enmod evasive

On CentOS/RHEL the module is loaded by /etc/httpd/conf.d/mod_evasive.conf, installed by the package; restart Apache with 'sudo systemctl restart httpd' after installing it. On Windows, check that the LoadModule line from Step 1 is present in httpd.conf and restart the Apache service.

 

Step 3 - Configure mod_evasive

Depending on the Operating System and Apache version, directives for mod_evasive are stored in a configuration file named evasive.conf or in the Apache configuration file. For example: /etc/apache2/mods-available/evasive.conf (Ubuntu/Debian; /etc/apache2/mods-enabled/evasive.conf is a symlink to it) or /etc/httpd/conf.d/mod_evasive.conf (CentOS/RHEL).

On Windows, directives for mod_evasive have to be applied into the Apache configuration file.

The mod_evasive module counts how many requests arrive from a single client IP within a given time, by default 1 second: once per requested page (URI) and once for the whole site.

Edit the directives according to your needs. For a detailed explanation of each directive, refer to the official documentation of Apache and mod_evasive.

Some examples of configuration that we applied to make one NoMachine web session work from one IP address are below. They mainly take into account the following parameters:

DOSPageCount
This is the threshold for the number of requests for the same page (or URI) per page interval (DOSPageInterval, in seconds). Once the threshold for that interval has been exceeded, the IP address of the client will be added to the blocking list.

DOSSiteCount
This is the threshold for the total number of requests for any object by the same client on the same listener per site interval (DOSSiteInterval, in seconds). Once the threshold for that interval has been exceeded, the IP address of the client will be added to the blocking list.

 

1) Ubuntu 19.10

cat /etc/apache2/mods-available/evasive.conf
<IfModule mod_evasive20.c>
    DOSHashTableSize    3097
    DOSPageCount        50
    DOSSiteCount        250
    DOSPageInterval     1
    DOSSiteInterval     1
    DOSBlockingPeriod   10

    #DOSEmailNotify      you@yourdomain.com
    #DOSSystemCommand    "su - someuser -c '/sbin/... ...'"
    #DOSLogDir           "/var/log/mod_evasive"
</IfModule>

If the evasive.conf file doesn't exist, directives above have to be placed in the Apache configuration file.
 

2) Windows (the following directives are placed in the Apache configuration file):

    DOSEnabled          true
    DOSHashTableSize    3097
    DOSPageCount        50
    DOSSiteCount        250

    DOSPageInterval     1
    DOSSiteInterval     1
    DOSBlockingPeriod   10

To allow more than one NoMachine web session at the same time from the same IP, it is necessary to increase the values of DOSPageCount and DOSSiteCount. Tuning these settings to the most appropriate values requires monitoring the Apache error log and proceeding by trial and error; reload Apache after each change so that the new values take effect. Important: consider only requests coming from the known client IP when tuning DOSPageCount and DOSSiteCount, otherwise you would be raising the thresholds to accommodate whatever other traffic (including an attack) the server happens to receive.

For example, let's assume that client IP is "192.168.1.27" and Apache logs report an error similar to:

[Tue Feb 18 21:24:29.294702 2020] [evasive20:error] [pid 19450] [client 192.168.1.27:47516] client denied by server configuration: /usr/NX/bin/nxwebclient, referer: https://192.168.1.3/nxwebplayer

Increase DOSPageCount up to the minimum value that makes such log entries disappear (the same URI is being requested repeatedly, so it is the per-page counter that is being exceeded).

When Apache logs report an error similar to:

[Tue Feb 18 21:27:18.399514 2020] [evasive20:error] [pid 19450] [client 192.168.1.27:47672] client denied by server configuration: /usr/NX/share/htdocs/nxwebplayer/style/desktop/slider.css, referer: https://192.168.1.3/nxwebplayer

Increase DOSSiteCount up to the minimum value that makes such log entries disappear (a static object like this one is requested once per page load, so it is the per-site total that is being exceeded).
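The trial-and-error loop above can be shortened by measuring the counters directly from the access log of a clean test session. The script below is an added example, not NoMachine's or mod_evasive's own code: it replays access-log lines through a model of mod_evasive's per-IP counters (as the upstream mod_evasive20.c logic reads to me; see the docstring) and reports the smallest DOSPageCount/DOSSiteCount under which the known client is never denied. The sample log lines are constructed, not a real capture: 192.168.1.27 is the known client from the article, 10.0.0.5 is an invented abuser, and the interval/blocking values default to the ones in the configuration above.

```python
"""Replay an Apache access log through a model of mod_evasive's counters.

Model (my reading of upstream mod_evasive20.c access_checker; off-by-one
details may differ between versions, so confirm against the error log):
one counter per (client IP, URI) and one per client IP; a counter is reset
only when the gap since that key's previous hit is >= the interval, else it
increments; a request is denied when the gap is < the interval and the
counter has already reached the threshold; a denied IP is then on hold for
DOSBlockingPeriod seconds and every hit while on hold extends the hold.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" format; only the fields the model needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+)[^"]*"')

def parse_line(line):
    """Return (ip, unix_time, uri) for one access-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    t = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    # mod_evasive keys the page counter on r->uri, the path without the query
    # string, so /nxwebclient?s=1 and /nxwebclient?s=2 share one counter.
    uri = m.group("uri").split("?", 1)[0]
    return m.group("ip"), int(t.timestamp()), uri

def counter_peaks(events, page_interval=1, site_interval=1):
    """Largest value each counter reaches, as {ip: (page_peak, site_peak)}.
    A request is denied when its counter is already >= the threshold, so
    DOSPageCount = page_peak and DOSSiteCount = site_peak is the smallest
    configuration under which this trace is never denied."""
    last = {}                                   # key -> [timestamp, count]
    peaks = defaultdict(lambda: [0, 0])
    for ip, t, uri in events:
        for idx, key, interval in ((0, f"{ip}_{uri}", page_interval),
                                   (1, f"{ip}_SITE", site_interval)):
            n = last.setdefault(key, [t, 0])
            if t - n[0] >= interval:            # gap long enough: start over
                n[1] = 0
            n[0], n[1] = t, n[1] + 1
            peaks[ip][idx] = max(peaks[ip][idx], n[1])
    return {ip: tuple(v) for ip, v in peaks.items()}

def replay(events, page_count, site_count, page_interval=1, site_interval=1,
           blocking_period=10):
    """Replay events in log order with the given thresholds. Returns
    [(event_index, ip, uri, reason)] for each request that would be denied;
    reason is 'page', 'site' or 'hold' (IP still inside its blocking period)."""
    hits, hold, denied = {}, {}, []
    for i, (ip, t, uri) in enumerate(events):
        if ip in hold and t - hold[ip] < blocking_period:
            hold[ip] = t
            denied.append((i, ip, uri, "hold"))
            continue
        for key, limit, interval, reason in (
                (f"{ip}_{uri}", page_count, page_interval, "page"),
                (f"{ip}_SITE", site_count, site_interval, "site")):
            n = hits.get(key)
            if n is None:
                hits[key] = [t, 1]
                continue
            if t - n[0] < interval and n[1] >= limit:
                hold[ip] = t
                if not denied or denied[-1][0] != i:
                    denied.append((i, ip, uri, reason))
            elif t - n[0] >= interval:
                n[1] = 0
            n[0], n[1] = t, n[1] + 1
    return denied

# Constructed sample, not a real capture: 192.168.1.27 runs a NoMachine web
# session (bursty polling of /nxwebclient), 10.0.0.5 hammers / with curl.
SAMPLE_LOG = """\
192.168.1.27 - - [18/Feb/2020:21:24:29 +0100] "GET /nxwebplayer HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.168.1.27 - - [18/Feb/2020:21:24:29 +0100] "GET /nxwebplayer/style/desktop/slider.css HTTP/1.1" 200 910 "https://192.168.1.3/nxwebplayer" "Mozilla/5.0"
192.168.1.27 - - [18/Feb/2020:21:24:29 +0100] "POST /nxwebclient?s=1 HTTP/1.1" 200 64 "https://192.168.1.3/nxwebplayer" "Mozilla/5.0"
192.168.1.27 - - [18/Feb/2020:21:24:29 +0100] "POST /nxwebclient?s=2 HTTP/1.1" 200 64 "https://192.168.1.3/nxwebplayer" "Mozilla/5.0"
192.168.1.27 - - [18/Feb/2020:21:24:29 +0100] "POST /nxwebclient?s=3 HTTP/1.1" 200 64 "https://192.168.1.3/nxwebplayer" "Mozilla/5.0"
192.168.1.27 - - [18/Feb/2020:21:24:30 +0100] "POST /nxwebclient?s=4 HTTP/1.1" 200 64 "https://192.168.1.3/nxwebplayer" "Mozilla/5.0"
192.168.1.27 - - [18/Feb/2020:21:24:30 +0100] "POST /nxwebclient?s=5 HTTP/1.1" 200 64 "https://192.168.1.3/nxwebplayer" "Mozilla/5.0"
192.168.1.27 - - [18/Feb/2020:21:24:30 +0100] "POST /nxwebclient?s=6 HTTP/1.1" 200 64 "https://192.168.1.3/nxwebplayer" "Mozilla/5.0"
192.168.1.27 - - [18/Feb/2020:21:24:30 +0100] "POST /nxwebclient?s=7 HTTP/1.1" 200 64 "https://192.168.1.3/nxwebplayer" "Mozilla/5.0"
10.0.0.5 - - [18/Feb/2020:21:24:30 +0100] "GET / HTTP/1.0" 200 312 "-" "curl/7.68.0"
10.0.0.5 - - [18/Feb/2020:21:24:30 +0100] "GET / HTTP/1.0" 200 312 "-" "curl/7.68.0"
10.0.0.5 - - [18/Feb/2020:21:24:30 +0100] "GET / HTTP/1.0" 200 312 "-" "curl/7.68.0"
10.0.0.5 - - [18/Feb/2020:21:24:30 +0100] "GET / HTTP/1.0" 200 312 "-" "curl/7.68.0"
10.0.0.5 - - [18/Feb/2020:21:24:30 +0100] "GET / HTTP/1.0" 200 312 "-" "curl/7.68.0"
10.0.0.5 - - [18/Feb/2020:21:24:30 +0100] "GET / HTTP/1.0" 200 312 "-" "curl/7.68.0"
"""
EVENTS = [e for e in map(parse_line, SAMPLE_LOG.splitlines()) if e]

if __name__ == "__main__":
    for ip, (page_peak, site_peak) in counter_peaks(EVENTS).items():
        print(f"{ip}: needs DOSPageCount >= {page_peak}, DOSSiteCount >= {site_peak}")
    for hit in replay(EVENTS, page_count=4, site_count=5):
        print("denied:", hit)
```

To use it on a server, feed parse_line the lines of access.log for a test session from the known client only, as the article recommends, and set the thresholds at or above the peaks it reports; 10.0.0.5 in the sample shows that the same values still deny a burst of six identical requests in one second. Note that mod_evasive takes its timestamps from time() at one-second resolution, so with DOSPageInterval and DOSSiteInterval set to 1 a counter resets whenever the next request lands in a later clock second: what is being measured is the size of a burst within a single second, not a rate averaged over the session.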

 

Step 4 - Further configurations for NoMachine webplayer

A further configuration step is necessary since the implementation of https://www.nomachine.com/FR11Q03892, which relocated the log files into the .nx directory of the user's home.

The nxwebplayer processes run as the 'nxhtd' user, so their log files are stored in the .nx directory of the nxhtd user:
/var/NX/nxhtd/ on Linux
%PROGRAMDATA%/NoMachine/nxhtd on Windows
/Library/Application Support/NoMachine/var/nxhtd/ on macOS

In order to make the webplayer work properly with the system Apache, it is necessary to create a .nx directory under the home directory of the Apache user (the user the Apache processes run as) and set proper permissions. Important: DocumentRoot must be set in the Apache configuration and the .nx directory must not be created under the Apache DocumentRoot, otherwise its log files would be served over HTTP!

1) On Linux

Identify the home directory of the Apache user (www-data on Ubuntu/Debian, apache on CentOS/RHEL; it is the sixth field of the user's entry in /etc/passwd), e.g. /var/www, and create the .nx directory there, owned by the Apache user and accessible only to it. Use mode 700 rather than 600: a directory needs the execute bit for its owner to create and open files inside it, so with 600 the Apache user could not write its logs.

# mkdir /var/www/.nx/
# chown www-data:www-data /var/www/.nx/
# chmod 700 /var/www/.nx/

Ensure that DocumentRoot is enabled and doesn't include the .nx directory, for example it can be:
DocumentRoot /var/www/html
but not:
DocumentRoot /var/www/
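The following checker is an added example, not NoMachine's own code: it verifies the .nx directory created above against the two mistakes that matter here, placing it inside DocumentRoot (its contents would be served over HTTP) and giving it a mode under which the Apache user cannot use it. The function names, the default user www-data and the path /var/www/html in the usage block are assumptions taken from the Ubuntu example above; the self-check builds a throw-away tree and runs as the current user rather than as www-data.

```python
"""Sanity-check the .nx directory the system Apache needs for nxwebplayer logs."""
import os
import pwd
import stat
import tempfile

def apache_home(user="www-data"):
    """Home directory of the Apache user from the passwd database
    (www-data on Ubuntu/Debian, apache on CentOS/RHEL)."""
    return pwd.getpwnam(user).pw_dir

def nx_dir_problems(nx_dir, document_root, expected_uid=None):
    """Return a list of problems with nx_dir; an empty list means it is usable."""
    problems = []
    nx, root = os.path.realpath(nx_dir), os.path.realpath(document_root)
    if not os.path.isdir(nx):
        return [f"{nx_dir} does not exist or is not a directory"]
    if nx == root or nx.startswith(root + os.sep):
        problems.append(f"{nx} is inside DocumentRoot {root}: its log files would be web-accessible")
    st = os.stat(nx)
    if expected_uid is not None and st.st_uid != expected_uid:
        problems.append(f"owner uid {st.st_uid} is not the Apache user (uid {expected_uid})")
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode {mode:o} grants access to group/others; use 700")
    if not mode & stat.S_IXUSR:
        # A directory needs the execute (search) bit for its owner to create or
        # open files inside it, which is why chmod 600 breaks logging.
        problems.append(f"mode {mode:o} lacks owner execute: the Apache user cannot create files inside; use 700, not 600")
    return problems

def self_check():
    """Exercise the checker on a throw-away tree (constructed scenario).
    Returns {scenario: problems}."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        docroot = os.path.join(base, "html")
        good = os.path.join(base, ".nx")
        inside = os.path.join(docroot, ".nx")
        for d in (docroot, good, inside):
            os.makedirs(d)
            os.chmod(d, 0o700)              # explicit, so umask cannot interfere
        uid = os.getuid()
        results["good"] = nx_dir_problems(good, docroot, uid)
        results["inside_docroot"] = nx_dir_problems(inside, docroot, uid)
        results["wrong_owner"] = nx_dir_problems(good, docroot, uid + 1)
        os.chmod(good, 0o600)
        results["mode_600"] = nx_dir_problems(good, docroot, uid)
        os.chmod(good, 0o755)               # also leaves the tree removable
        results["mode_755"] = nx_dir_problems(good, docroot, uid)
        results["missing"] = nx_dir_problems(os.path.join(base, "absent"), docroot, uid)
    return results

if __name__ == "__main__":
    try:
        user = pwd.getpwnam("www-data")
    except KeyError:
        raise SystemExit("no www-data user here; pass your Apache user instead")
    for p in nx_dir_problems(os.path.join(user.pw_dir, ".nx"), "/var/www/html",
                             user.pw_uid) or ["OK"]:
        print(p)
```

Run it as root after Step 4 and fix every line it prints; the self-check can be run anywhere to see what each mistake looks like.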

 

 

NOTES from the official documentation of mod_evasive

1) "You'll want to have a MaxRequestsPerChild set to a non-zero value, as DosEvasive cleans up its internal hashes only on exit. The default MaxRequestsPerChild is usually 10000. This should suffice in only allowing a few requests per 10000 per child through in the event of an attack (although if you use DOSSystemCommand to firewall the IP address, a hole will no longer be open in between child cycles). "

Note that Apache 2.4 renamed MaxRequestsPerChild to MaxConnectionsPerChild; the old name is still accepted as an alias.

2) "Whitelisting IP Addresses
IP addresses of trusted clients can be whitelisted to insure they are never denied."

The directive is DOSWhitelist, one address (or a range with the last octets wildcarded) per directive. The mod_evasive README intends it for trusted tools and monitoring hosts rather than as a customer allow-list, since whitelisted addresses are exempt from all blocking.