
Using mod_qos and mod_reqtimeout to mitigate Slowloris attacks

mod_qos and mod_reqtimeout are two Apache modules that help mitigate Slowloris-style attacks by controlling how long clients may take to send a request and how much data they are allowed to send. Slowloris is a type of Denial of Service (DoS) attack that targets web servers by opening many simultaneous connections and keeping them alive as long as possible, thereby exhausting the server’s resources. Unlike the older and unmaintained mod_evasive, mod_qos is still actively developed and provides advanced traffic handling features.

This guide explains how to install and configure mod_qos, outlines the compatibility requirements, and demonstrates how to integrate it with CSF for enhanced protection.

What Is mod_qos?

“mod_qos is a quality of service module for Apache that implements control mechanisms providing different priority levels to HTTP requests.”

In practical terms, it lets you manage how many connections a client can open, how fast they need to send data, and much more. This makes it especially useful for mitigating denial-of-service attacks like Slowloris.

Before You Begin

Make sure your system meets the following prerequisites:

  • Apache 2.2 or 2.4
  • MPM worker or MPM event (preferred)
  • Root shell access
  • apxs installed (httpd-devel package)

Note

While mod_qos works on Apache 2.4, some directives like QS_SrvMinDataRate and QS_Srv* may not function as expected. The developer recommends Apache 2.2 with MPM worker for best results.

Installation

Download and Compile mod_qos

For EA3 (EasyApache 3)

mkdir -p /usr/local/apache/custom-modules
cd /usr/local/apache/custom-modules
curl -L https://sourceforge.net/projects/mod-qos/files/mod_qos-11.56.tar.gz/download -o mod_qos-11.56.tar.gz
tar -xzf mod_qos-11.56.tar.gz
/usr/local/apache/bin/apxs -aic mod_qos-11.56/apache2/mod_qos.c
/usr/local/cpanel/bin/apache_conf_distiller --update
/scripts/rebuildhttpdconf
service httpd restart

To ensure persistence across EasyApache runs:

echo "/usr/local/apache/bin/apxs -aic /usr/local/apache/custom-modules/mod_qos-11.56/apache2/mod_qos.c && /usr/local/cpanel/bin/apache_conf_distiller --update" >> /scripts/after_apache_make_install

For EA4 (EasyApache 4)

cd /usr/local/src/
curl -L https://sourceforge.net/projects/mod-qos/files/mod_qos-11.56.tar.gz/download -o mod_qos-11.56.tar.gz
tar -xzf mod_qos-11.56.tar.gz
/usr/local/apache/bin/apxs -aic mod_qos-11.56/apache2/mod_qos.c

After installation, the module should be loaded in:

/etc/apache2/conf.modules.d/mod_qos.conf

Optional: Enable GeoIP Support

mod_qos supports geographic prioritization using GeoIP. To set it up:

cd /usr/local/apache/conf
mkdir geoIP
cd geoIP
funzip <(curl http://geolite.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip) > GeoIPCountryWhois.csv

This file can be referenced in advanced mod_qos rules for geo-based control.

Integrate mod_qos with CSF

CSF (ConfigServer Security & Firewall) can work with mod_qos to block repeated offenders.

Edit /etc/csf/csf.conf:

LF_QOS = "5"
LF_QOS_PERM = "1"

  • LF_QOS = "5" allows 5 violations before blocking.
  • LF_QOS_PERM = "1" blocks the IP permanently.

To set a temporary block (e.g., 1 hour), use:

LF_QOS_PERM = "3600"

Restart CSF and LFD to apply changes:

/etc/init.d/csf restart
/etc/init.d/lfd restart

Where to configure mod_qos

All mod_qos rules should be wrapped in an <IfModule mod_qos.c>...</IfModule> block and ideally placed inside:

/usr/local/apache/conf/includes/pre_virtualhost_global.conf

After editing this file, rebuild and restart Apache:

/scripts/rebuildhttpdconf
service httpd restart

Example mod_qos configuration template

Here’s a basic configuration template to get started:

<IfModule mod_qos.c>
QS_ClientEntries 100
QS_SrvMaxConn 100
QS_SrvMaxConnClose 5
QS_LocRequestLimitMatch "^/login" 5
QS_LocRequestPerSecLimitMatch "^/api/" 10
QS_SrvRequestRate 300
</IfModule>

This example limits:

  • Concurrent clients and connections
  • Requests per second to /api/
  • Concurrent requests to /login, to slow down brute-force attempts
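
The template above does not show mod_reqtimeout or a per-IP connection cap, the two controls most directly aimed at slow, long-held connections. The fragment below is an added example, not part of the original article or the mod_qos project's own configuration; all numeric values are illustrative assumptions to be tuned against real traffic.

```apache
# Added example. Values are assumptions for illustration only.
# Place at server level (e.g. pre_virtualhost_global.conf), then rebuild
# and restart Apache as described above.

<IfModule mod_reqtimeout.c>
    # Headers: allow 20 s initially, extend by 1 s for every 500 bytes
    # received, but never beyond 40 s in total. A client that trickles
    # header lines is disconnected once the cap is reached.
    # Body: allow 20 s initially, extended only while the client keeps
    # sending at 500 bytes/s or faster.
    RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>

<IfModule mod_qos.c>
    # Cap simultaneous TCP connections from a single source address so
    # one host cannot hold every worker slot.
    QS_SrvMaxConnPerIP 30

    # Require a minimum throughput per connection: 120 bytes/s when the
    # server is idle, rising towards 1500 bytes/s as it approaches its
    # connection limit. See the note above about Apache 2.4: where this
    # directive does not behave as expected, RequestReadTimeout still
    # enforces the read-phase limits.
    QS_SrvMinDataRate 120 1500

    # Stop offering keep-alive once 70% of the connection slots are in
    # use, so idle persistent connections are released under load.
    QS_SrvMaxConnClose 70%
</IfModule>
```

Clients behind a shared NAT or proxy count as one source address for QS_SrvMaxConnPerIP, so check the limit against the busiest legitimate source before enforcing it.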

Final Notes

  • Avoid installing mod_qos without a specific use case. This powerful module can also interfere with legitimate traffic if misconfigured.
  • For full documentation, see the mod_qos main page on SourceForge.

Summary

mod_qos is a modern, flexible alternative to mod_evasive for mitigating Slowloris and similar attacks on Apache servers. Combined with CSF and optional GeoIP support, it offers advanced traffic control features. Installation involves compiling the module manually, adding configurations, and integrating with your firewall. Always test changes in a controlled environment before deploying to production.
