I recently decided to switch away from CloudFlare and put my VPS directly on the internet.

In doing that, I lost DDoS protection, and in this post I will explain what I use instead and how you can configure it.


Apache has several modules that help mitigate HTTP floods and slowloris attacks: mod_evasive blocks a client that requests pages too quickly, and mod_qos can limit connections and slow clients. All you need to do is install them, which on Debian can be done with:

sudo apt install libapache2-mod-evasive libapache2-mod-qos

and now all that's left is to edit a few config files. To configure mod_evasive, open

 sudo nano /etc/apache2/mods-available/evasive.conf

and you can now edit the config. Here are my settings:

    DOSHashTableSize    2048
    # Block a client that requests the same page more than 10 times
    # within DOSPageInterval seconds...
    DOSPageCount        10
    # ...or more than 300 objects of any kind within DOSSiteInterval seconds
    DOSSiteCount        300
    DOSPageInterval     1
    DOSSiteInterval     1
    # Seconds the client stays blocked (it gets 403s); 1800 = 30 minutes
    DOSBlockingPeriod   1800

    #DOSEmailNotify      nerdoflinux@ofthenerds.com
    #DOSSystemCommand    "su - someuser -c '/sbin/... %s ...'"
    # Ban the IP: %s is replaced with the offending client address
    DOSSystemCommand    "sudo /usr/bin/evasiveblock.sh %s"
    DOSLogDir           "/var/log/mod_evasive"
    # Never block this address; replace with your own
    DOSWhiteList        myIPaddress

and in the ban script that command points at, /usr/bin/evasiveblock.sh, I have:

    #!/bin/bash
    # Run by mod_evasive (DOSSystemCommand) with the offending address as %s.
    IP="$1"
    email="admin@example.com"   # assumed placeholder: set to your own address

    if [[ $IP =~ .*:.* ]]; then
        echo "IPv6 detected"; IPTABLES=ip6tables
    else
        echo "IPv4 detected"; IPTABLES=iptables
    fi

    # Only add a DROP rule if one is not already present for this address
    if ! $IPTABLES-save | grep -i "$IP" | grep "\-j DROP" >/dev/null 2>&1; then
            $IPTABLES -I INPUT -s "$IP" -j DROP
            echo "$IPTABLES -D INPUT -s $IP -j DROP" | at now + 2 hours
            printf "Dear Admin,\n$IP has tried to take down your VPS with a DoS attack, but mod_evasive was able to ban them.\nRegards,\nYour VPS" | mail -s "DoS attack from $IP" "$email"
    else
            echo "$IP already banned"
    fi

When mod_evasive decides an address is attacking, it runs this script with the address as %s. The script picks iptables or ip6tables based on the address, inserts a DROP rule for it, queues removal of that rule two hours later with at (the at package and its daemon must be installed), and mails me the address. Since mod_evasive runs inside Apache, you'll also want to make sure the log directory exists and that the www-data user can write to it, so use

 sudo chown -R www-data /var/log/mod_evasive

or whatever folder you decide to use. You'll also need to let www-data run the ban script (and, through it, iptables) as root, so add this line to the sudoers configuration (edit it with visudo):

 www-data ALL=(ALL:ALL) NOPASSWD: /usr/bin/evasiveblock.sh

Because this lets the web server user run the script as root with no password, the script must be owned by root and not writable by www-data or anyone else; otherwise anyone who can write files as the web server, for example through a vulnerable upload handler, can put commands in it and get root. Keep the sudoers entry limited to that one script rather than granting iptables itself.
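The ban script above makes three decisions: which firewall tool to use, whether the address is already dropped, and what to run. The following is an added example (not the post's own evasiveblock.sh) that factors those decisions into functions so they can be exercised without root, reading a saved ruleset from a file instead of calling iptables-save. The function names, the sample ruleset and the addresses are all constructed for this example. It also tightens the "already banned" check: the script's `grep -i "$IP"` is a substring match, so 10.0.0.1 would be reported as banned when only 10.0.0.10 is.

```shell
#!/bin/bash
# Added example, not the post's evasiveblock.sh. Reads the current ruleset from
# a file (iptables-save format) so it runs without root.

# ip6tables for anything with a colon in it, iptables otherwise.
fw_for_ip() {
    case "$1" in
        *:*) echo ip6tables ;;
        *)   echo iptables ;;
    esac
}

# Return 0 if address $1 already has "-A INPUT -s <addr>/<len> -j DROP" in the
# iptables-save dump in file $2. Fields are compared whole, so 10.0.0.1 is not
# mistaken for 10.0.0.10 the way a plain "grep -i $IP" would.
is_banned() {
    awk -v ip="$1" '
        $1 == "-A" && $2 == "INPUT" && $3 == "-s" && $5 == "-j" && $6 == "DROP" {
            addr = $4; sub(/\/[0-9]+$/, "", addr)
            if (tolower(addr) == tolower(ip)) { found = 1; exit }
        }
        END { if (found) exit 0; exit 1 }' "$2"
}

# Print the commands the ban script would run for address $1 given dump $2;
# return 1 when the address is already banned (nothing to run).
ban_commands() {
    local ip="$1" dump="$2" fw
    fw="$(fw_for_ip "$ip")"
    if is_banned "$ip" "$dump"; then
        echo "$ip already banned"
        return 1
    fi
    echo "$fw -I INPUT -s $ip -j DROP"
    echo "echo '$fw -D INPUT -s $ip -j DROP' | at now + 2 hours"
}

# Constructed sample of iptables-save output (not a real capture).
SAMPLE_DUMP="$(mktemp)"
cat > "$SAMPLE_DUMP" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 10.0.0.10/32 -j DROP
-A INPUT -s 192.0.2.7/32 -j ACCEPT
COMMIT
EOF

ban_commands 10.0.0.1 "$SAMPLE_DUMP"       # not banned yet: prints two commands
ban_commands 2001:db8::1 "$SAMPLE_DUMP"    # IPv6 source: uses ip6tables
```

To use this in the real script, replace the file argument with process substitution over the live ruleset (`<(iptables-save)` or `<(ip6tables-save)`) and run the printed commands instead of echoing them.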

Rate Limiting

I also use rate limiting with iptables. I use UFW to block ports, so at the bottom of my


I have:

 -A INPUT -p tcp --syn -m connlimit --connlimit-above 15 --connlimit-mask 32 -j REJECT --reject-with tcp-reset

which sends a TCP reset to any new connection attempt (--syn) from a source address that already has more than 15 parallel connections to this host; --connlimit-mask 32 means each IPv4 address is counted on its own (as far as I understand it; the rule was copied from somewhere on the internet). Note that this caps concurrent connections per source rather than a request rate, and it cannot help against a flood large enough to saturate the link before packets reach the host. All ports I don't need are blocked, so the remaining exposure is the five ports I have open. You'll also want the same rule in the IPv6 rules file, but with --connlimit-mask 128 there: for ip6tables the mask is a prefix length from 0 to 128, so keeping 32 would count every address in an entire ISP-sized allocation as one source.
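The mask mistake is easy to make when the IPv4 rule is pasted into the IPv6 file unchanged. As an added example (not from the original post), the following shell functions generate the connlimit rule with a mask that fits the address family and check an existing rule line for the problem. The function names and the "weak" rule string are constructed for this example; the 64-to-128 range accepted for IPv6 is a heuristic, since a /64 is normally one customer's subnet.

```shell
#!/bin/bash
# Added example, not from the original post.

# Print the connlimit rule for family "inet" (iptables) or "inet6" (ip6tables).
# The mask is a prefix length: 32 covers one IPv4 host, 128 one IPv6 host.
connlimit_rule() {
    local family="$1" limit="${2:-15}" mask
    case "$family" in
        inet)  mask=32 ;;
        inet6) mask=128 ;;
        *) echo "unknown family: $family" >&2; return 2 ;;
    esac
    echo "-A INPUT -p tcp --syn -m connlimit --connlimit-above $limit --connlimit-mask $mask -j REJECT --reject-with tcp-reset"
}

# Return 0 if the --connlimit-mask in rule line $2 is sensible for family $1:
# at most 32 for IPv4; between 64 (one customer subnet) and 128 (one host)
# for IPv6. A /32 in ip6tables lumps an entire ISP allocation together.
connlimit_mask_ok() {
    local family="$1" rule="$2" mask
    mask="$(printf '%s\n' "$rule" | sed -n 's/.*--connlimit-mask \([0-9]*\).*/\1/p')"
    [ -n "$mask" ] || return 1
    case "$family" in
        inet)  [ "$mask" -le 32 ] ;;
        inet6) [ "$mask" -ge 64 ] && [ "$mask" -le 128 ] ;;
        *) return 2 ;;
    esac
}

# Constructed weak rule: the IPv4 line copied into the IPv6 file as-is.
WEAK_V6="-A INPUT -p tcp --syn -m connlimit --connlimit-above 15 --connlimit-mask 32 -j REJECT --reject-with tcp-reset"

connlimit_mask_ok inet6 "$WEAK_V6" || echo "weak: /32 mask on an IPv6 rule"
connlimit_rule inet6    # corrected rule for the IPv6 rules file
```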

Fail2Ban and PSAD

I also have Fail2Ban and PSAD installed and configured. To install,

 sudo apt install fail2ban psad

Fail2ban reads local overrides from jail.local, which you create by copying the defaults:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

PSAD has its own config file, and both files are well commented, so you'll know what you're doing. If you need help setting up PSAD, check out NerdOfCode's post.