Apache2 mod_security and mod_evasive on Ubuntu server

This guide is intended as a relatively easy step by step guide to:

  • Install and configure Apache2 ModSecurity and mod_evasive modules on Ubuntu 12.04 LTS server.
  • Things have become much easier than before installing both these two excellent security modules for Apache2 in Ubuntu 12.04 LTS, as both modules are available in the standard Ubuntu 12.04 repositories.
  • This is only a starting point for getting mod_security and mod_evasive working. Refer to both projects documentation for the various configuration option  available and configure your security settings as required.

Source: http://www.thefanclub.co.za/how-to/how-install-apache2-modsecurity-and-modevasive-ubuntu-1204-lts-server

Requirements:

  • Ubuntu 12.04 LTS server, or later installed on your machine.
  • Apache2 webserver setup and configured.

1. Install ModSecurity on your server.

  • Install the dependencies. Open the Terminal Window and enter :
sudo apt-get install libxml2 libxml2-dev libxml2-utils
sudo apt-get install libaprutil1 libaprutil1-dev
  • 64bit users please note – Because of this bug you need to create a symbolic link to libxml2.so.2 or the installation will report the file missing and fail.
ln -s /usr/lib/x86_64-linux-gnu/libxml2.so.2 /usr/lib/libxml2.so.2
  • Now install ModSecurity
sudo apt-get install libapache-mod-security

2. Configure ModSecurity rules.

sudo mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
  • The default folder for ModSecurity rules is /etc/modsecurity/ . All .conf files will be included and need to be configured as required.
  • We need to activate all the base rules and make sure they also get loaded.
  • You might want to edit the SecRequestBodyLimit option in the modsecurity.conf file.
  • SecRequestBodyLimit limits the page request size and limits file uploads to 128 KB by default. Change this to the size of files you would accept uploaded to the server.
  • This settings is very important as it limits the size of all files that can be uploaded to the server. For CMS sites using Drupal or WordPress this setting is the source of much pain.
  • Open the Terminal Window and enter :
sudo vi /etc/modsecurity/modsecurity.conf
  • First activate the rules by editing the SecRuleEngine option and set to On.
SecRuleEngine On
  • Edit the following to option to increase the request limit to 16 MB and save the file :
SecRequestBodyLimit 16384000
SecRequestBodyInMemoryLimit 16384000

3. Download and install the latest OWASP Core Rule Set.

cd /tmp
sudo wget http://downloads.sourceforge.net/project/mod-security/modsecurity-crs/0-CURRENT/modsecurity-crs_2.2.5.tar.gz
sudo tar -zxvf modsecurity-crs_2.2.5.tar.gz
sudo cp -R modsecurity-crs_2.2.5/* /etc/modsecurity/
sudo rm modsecurity-crs_2.2.5.tar.gz
sudo rm -R modsecurity-crs_2.2.5
sudo mv /etc/modsecurity/modsecurity_crs_10_setup.conf.example  /etc/modsecurity/modsecurity_crs_10_setup.conf
  • Now we create symbolic links to all activated base rules. Open a terminal window and enter :
cd /etc/modsecurity/base_rules
for f in * ; do sudo ln -s /etc/modsecurity/base_rules/$f /etc/modsecurity/activated_rules/$f ; done
cd /etc/modsecurity/optional_rules
for f in * ; do sudo ln -s /etc/modsecurity/optional_rules/$f /etc/modsecurity/activated_rules/$f ; done 
  • Now add these rules to Apache2. Open a terminal window and enter:
sudo vi /etc/apache2/mods-available/mod-security.conf
  • Add the following to towards the end of the file with other includes  and save the file :
Include "/etc/modsecurity/activated_rules/*.conf"

4. Check if ModSecurity is enabled and restart Apache.

  • Before restarting Apache2 check if the modules has been loaded.
  • Open the Terminal Window and enter :
sudo a2enmod headers
sudo a2enmod mod-security
  • Then restart the Apache2 webserver :
sudo /etc/init.d apache2 restart
  • OR
service apache2 restart

5. Install ModEvasive.

  • Open the Terminal Window and enter :
sudo apt-get install libapache2-mod-evasive

6. Create log file directory for mod_evasive.

  • Open the Terminal Window and enter :
sudo mkdir /var/log/mod_evasive
  • Change the log folder permissions :
sudo chown www-data:www-data /var/log/mod_evasive/

7. Create mod-evasive.conf file and configure ModEvasive.

  • Open the Terminal Window and enter :
sudo vi /etc/apache2/mods-available/mod-evasive.conf
  • and add the following, changing the email value, and other options below as required :
<ifmodule mod_evasive20.c>
   DOSHashTableSize 3097
   DOSPageCount  2
   DOSSiteCount  50
   DOSPageInterval 1
   DOSSiteInterval  1
   DOSBlockingPeriod  10
   DOSLogDir   /var/log/mod_evasive
   DOSEmailNotify  EMAIL@DOMAIN.com
   DOSWhitelist   127.0.0.1
</ifmodule>

8. Check if ModEvasive is enabled and restart Apache.

  • Before restarting Apache2 check if the module has been loaded.
  • Open the Terminal Window and enter :
sudo a2enmod mod-evasive
  • Then restart the Apache2 webserver :
sudo /etc/init.d/apache2 restart
  • OR
service apache2 restart

DOSHashTableSize

The hash table size defines the number of top-level nodes for each child’s hash table. Increasing this number will provide faster performance by decreasing the number of iterations required to get to the record, but consume more memory for table space. You should increase this if you have a busy web server. The value you specify will automatically be tiered up to the next prime number in the primes list (see mod_evasive.c for a list of primes used).


DOSPageCount

This is the threshhold for the number of requests for the same page (or URI) per page interval. Once the threshhold for that interval has been exceeded, the IP address of the client will be added to the blocking list.


DOSSiteCount

This is the threshhold for the total number of requests for any object by the same client on the same listener per site interval. Once the threshhold for that interval has been exceeded, the IP address of the client will be added to the blocking list.


DOSPageInterval

The interval for the page count threshhold; defaults to 1 second intervals.


DOSSiteInterval

The interval for the site count threshhold; defaults to 1 second intervals.


DOSBlockingPeriod

The blocking period is the amount of time (in seconds) that a client will be blocked for if they are added to the blocking list. During this time, all subsequent requests from the client will result in a 403 (Forbidden) and the timer being reset (e.g. another 10 seconds). Since the timer is reset for every subsequent request, it is not necessary to have a long blocking period; in the event of a DoS attack, this timer will keep getting reset.


DOSEmailNotify

If this value is set, an email will be sent to the address specified whenever an IP address becomes blacklisted. A locking mechanism using /tmp prevents continuous emails from being sent.

Note

Be sure MAILER is set correctly in mod_evasive.c (or mod_evasive20.c). The default is “/bin/mail -t %s” where %s is used to denote the destination email address set in the configuration. If you are running on linux or some other operating system with a different type of mailer, you’ll need to change this.


DOSSystemCommand

If this value is set, the system command specified will be executed whenever an IP address becomes blacklisted. This is designed to enable system calls to ip filter or other tools. A locking mechanism using /tmp prevents continuous system calls. Use %s to denote the IP address of the blacklisted IP.


DOSLogDir

Choose an alternative temp directory

By default “/tmp” will be used for locking mechanism, which opens some security issues if your system is open to shell users. In the event you have nonprivileged shell users, you’ll want to create a directory writable only to the user Apache is running as (usually root), then set this in your httpd.conf.


Whitelisting IP Addresses

IP addresses of trusted clients can be whitelisted to insure they are never denied. The purpose of whitelisting is to protect software, scripts, local searchbots, or other automated tools from being denied for requesting large amounts of data from the server. Whitelisting should not be used to add customer lists or anything of the sort, as this will open the server to abuse. This module is very difficult to trigger without performing some type of malicious attack, and for that reason it is more appropriate to allow the module to decide on its own whether or not an individual customer should be blocked.

To whitelist an address (or range) add an entry to the Apache configuration in the following fashion:

File:/etc/apache2/apache2.conf (Debian / Ubuntu)

DOSWhitelist    127.0.0.1
DOSWhitelist    127.0.0.*

Wildcards can be used on up to the last 3 octets if necessary. Multiple DOSWhitelist commands may be used in the configuration.


More Information


You may wish to consult the following resources for additional information on this topic. While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted materials.