How to Install mod_security and mod_evasive on Ubuntu 16.04

How to Install mod_security and mod_evasive on Ubuntu 16.04

Spread the love

Apache is a very popular web server, and with that popularity comes a need to ensure its security. In this tutorial, we will show you how to harden and secure the Apache web server by installing and configuring mod_security and mod_evasive Apache modules.

Mod_security is a free web application firewall (WAF) Apache module that helps to protect your website from various attacks such as PHP and SQL injection attacks, cross-site scripting, path traversal attacks etc. Also, it allows for real-time analysis and HTTP traffic monitoring with little or no changes of the existing Apache configuration. Mod_evasive is an Apache module that helps to prevent server brute force attacks and HTTP DoS (DDoS) attacks.

Login via SSH and update the system

To begin, log in to your Ubuntu 16.04 VPS via SSH as user root

ssh root@IP_Address -p Port_number

Make sure that all OS packages are up to date by running the following command-line commands:

apt-get update
apt-get upgrade

You can also enable automatic updates on your VPS.

Prerequisites

The mod_security and mod_evasive Apache modules have several requirements which we have to install on the server in order to run them. We need to have Apache server installed and running with enabled mod_headers module.
Install Apache, enable it to start on boot and start the Apache service:

sudo apt-get install apache2 -y
sudo systemctl enable apache2.service
sudo systemctl start apache2.service

Then, enable the mod_headers module using the following command:

sudo a2enmod headers

Install mod_security

Installation of the mod_security module is quite simple. Run the following command:

apt-get install libapache2-modsecurity

After installing, run the following command to enable the mod_security Apache module:

sudo a2enmod security2

We can check if mod_security module is active and enabled using the following command:

apachectl -M | grep security

If you see the following output:

security2_module (shared)

it means that mod_security module is enabled. There are no security rules configured by default, so we need to enable the mod_security rules. In order to do so, copy the recommended mod_security configuration file, then edit it and set the ‘SecRuleEngine’ option to On:

sudo cp /etc/modsecurity/modsecurity.conf{-recommended,}
sudo vi /etc/modsecurity/modsecurity.conf
SecRuleEngine On

Also, locate the line ‘SecResponseBodyAccess On’ and change it to:

SecResponseBodyAccess Off

It will disable response body inspection and save server resources.
The mod_security rules are available in following directories:

/usr/share/modsecurity-crs/base_rules
/usr/share/modsecurity-crs/optional_rules
/usr/share/modsecurity-crs/experimental_rules

1. To enable all of the CRS base rules, create symbolic links using the following command:

sudo ln -s /usr/share/modsecurity-crs/base_rules/*.conf /usr/share/modsecurity-crs/activated_rules/

To enable the CRS optional and experimental rules files you may want to use, create symbolic links under the ‘activated_rules’ directory location accordingly.

2. Alternatively, configure and enable the Open Web Application Security Project (OWASP) core rule set:

sudo apt-get install git
sudo git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
sudo mv /usr/share/modsecurity-crs /usr/share/modsecurity-crs.bak
sudo mv owasp-modsecurity-crs /usr/share/modsecurity-crs
sudo mv /usr/share/modsecurity-crs/crs-setup.conf.example /usr/share/modsecurity-crs/crs-setup.conf

In both cases, we need to edit the /etc/apache2/mods-enabled/security2.conf file:

/etc/apache2/mods-enabled/security2.conf

Add these lines at the end:

IncludeOptional "/usr/share/modsecurity-crs/*.conf
IncludeOptional "/usr/share/modsecurity-crs/rules/*.conf

For the changes to take effect, restart Apache with the command:

systemctl restart apache2

Check the /var/log/apache2/modsec_audit.log log file to find the rules that are being triggered by mod_security on your Apache web server. The error log is the same log file that is used by Apache to write error messages, normally stored at /var/log/apache2/error.log.
Install mod_evasive

Install the mod_evasive module using the following command:

apt-get install libapache2-mod-evasive

After installing, run this command:

sudo a2enmod evasive

Edit the mod-evasive.conf file and configure mod_evasive module:

sudo vi /etc/apache2/mods-available/mod-evasive.conf

DOSHashTableSize 3097
DOSPageCount 10
DOSSiteCount 30
DOSPageInterval 1
DOSSiteInterval 3
DOSBlockingPeriod 3600
DOSLogDir /var/log/apache2/mod_evasive.log

Save and close that file.
For more details on the various configuration parameters, check the README file included with mod_evasive module.
Use the following command to check if mod_evasive module is active and enabled:

evasive20_module (shared)

Create a log file for mod_evasive:

touch /var/log/apache2/mod_evasive.log
sudo chown www-data:www-data /var/log/apache2/mod_evasive.log

Run the following command to restart Apache:

systemctl restart apache2

That is it. Mod_security and mod_evasive modules have been successfully installed on your Ubuntu VPS.

Conclusion

In order to harden and secure your Apache web server it is a good idea to install and configure mod_security and mod_evasive modules on a Linux VPS with Ubuntu 16.04 OS installed on it.


Of course you don’t have to install mod_security and mod_evasive on Ubuntu 16.04, if you use one of our server support services, in which case you can simply ask our expert Linux admins to setup this for you. They are available 24×7 and will take care of your request immediately.

PS. If you liked this post on how to install mod_security and mod_evasive on Ubuntu 16.04, please share it with your friends on the social networks using the buttons on the left or simply leave a reply below. Thanks.

Leave a Reply

Your email address will not be published. Required fields are marked *