
Can mod_evasive be too aggressive and kill off good traffic?


I had DDoS attacks on my site and the admin at my hosting company applied mod_evasive to my server. My traffic has gone from 10K+ visits a day to between 1K-2K a day. Can mod_evasive be too aggressive and kill off good traffic?


Solution

  • Yes, it can be, but it depends on the configuration. You have to make sure it's properly configured. There are four primary settings:

    DOSPageCount
    This is the threshold for the number of requests for the same page (or URI) per page interval. Once the threshold for that interval has been exceeded, the IP address of the client will be added to the blocking list.
    
    DOSSiteCount
    This is the threshold for the total number of requests for any object by the same client on the same listener per site interval. Once the threshold for that interval has been exceeded, the IP address of the client will be added to the blocking list.
    
    DOSPageInterval
    The interval for the page count threshold; defaults to 1 second intervals.
    
    DOSSiteInterval
    The interval for the site count threshold; defaults to 1 second intervals.
    

    When we first used it on our server, we faced the same issue as you. Then we checked logs and visitor activity and set this up; now we can say it's working well.

    To prevent DDoS you can use Cloudflare, NS1 or capsula service, which works. Fail2Ban along with CSF and ModSecurity will add more protection.

    But whatever you set up, you have to analyze your visitors' activity, otherwise you will end up blocking real visitors.
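
One way to do the visitor-activity analysis the answer recommends, as an added example that is not part of the original answer: measure each client's peak per-page and per-site request rate from the access log and see which clients a candidate DOSPageCount / DOSSiteCount pair would block. It assumes the common/combined log format and approximates mod_evasive's counting with fixed windows; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Common/combined log format: client IP, [timestamp], "METHOD target PROTO".
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:\S+) (\S+)[^"]*"')

def peak_rates(lines, page_interval=1, site_interval=1):
    """Return {ip: (peak hits on one URI, peak hits on any URI)} per window."""
    page, site = Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, uri = m.groups()
        epoch = int(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").timestamp())
        page[(ip, uri, epoch // page_interval)] += 1   # DOSPageInterval bucket
        site[(ip, epoch // site_interval)] += 1        # DOSSiteInterval bucket
    peaks = {}
    for (ip, _uri, _win), n in page.items():
        p, s = peaks.get(ip, (0, 0))
        peaks[ip] = (max(p, n), s)
    for (ip, _win), n in site.items():
        p, s = peaks.get(ip, (0, 0))
        peaks[ip] = (p, max(s, n))
    return peaks

def would_block(peaks, page_count, site_count):
    """Clients whose peak exceeds the DOSPageCount or DOSSiteCount candidate."""
    return sorted(ip for ip, (p, s) in peaks.items() if p > page_count or s > site_count)

def _line(ip, sec, uri):
    # Constructed sample log line (documentation IP ranges, made-up URIs).
    return f'{ip} - - [10/Oct/2023:13:55:{sec:02d} +0000] "GET {uri} HTTP/1.1" 200 512'

SAMPLE = (
    [_line("192.0.2.10", 36, u) for u in ("/", "/css/site.css", "/js/app.js", "/img/logo.png")]
    + [_line("192.0.2.10", 37, "/about")]                      # browser: page plus assets
    + [_line("198.51.100.7", 36, "/search") for _ in range(5)]  # one URI hit repeatedly
)

if __name__ == "__main__":
    peaks = peak_rates(SAMPLE)
    print("tight site threshold:", would_block(peaks, page_count=2, site_count=3))
    print("looser site threshold:", would_block(peaks, page_count=2, site_count=50))
```

With the tight site threshold the ordinary browser at 192.0.2.10 is blocked just for fetching a page and its assets in the same second; run against a real access log, the peaks for known-good visitors show how much headroom each threshold needs.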