Differences

This shows you the differences between two versions of the page.

--- apache:install_mod_security_and_mod_evasive [2016/10/12 22:18] – peter
+++ apache:install_mod_security_and_mod_evasive [2023/07/17 10:19] (current) – removed peter
@@ Line 1: / Line 1: @@
-====== Apache - Install mod_security and mod_evasive ======
-**ModSecurity** is a toolkit for real-time web application monitoring, logging, and access control.
-**mod_evasive** is an evasive manoeuvres module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack.  It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and etcetera.  mod_evasive presently reports abuses via email and syslog facilities.
-===== Install ModSecurity =====
-To install [[http://www.modsecurity.org/|ModSecurity]].
-Install the dependencies.  Execute the following commands:
-<code bash>
-sudo apt-get install libxml2 libxml2-dev libxml2-utils
-sudo apt-get install libaprutil1 libaprutil1-dev
-</code>
-**NOTE**:  64bit users please note - Because of [[http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=670248|this bug]] you need to create a symbolic link to **libxml2.so.2** or the installation will report the file missing and fail.
-<code bash>
-ln -s /usr/lib/x86_64-linux-gnu/libxml2.so.2 /usr/lib/libxml2.so.2
-</code>
-Install ModSecurity:
-<code bash>
-sudo apt-get install libapache-mod-security
-</code>
-===== Configure ModSecurity rules. =====
-Activate the recommended default rules to get things going.  Configure as required.  For complete information refer to the [[http://www.modsecurity.org/documentation/modsecurity-apache/2.5.9/modsecurity2-apache-reference.html|ModSecurity Reference Manual]].
-<code bash>
-sudo mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
-</code>
-The default folder for ModSecurity rules is **/etc/modsecurity/**. All .conf files will be included and need to be configured as required.
-We need to activate all the **base rules** and make sure they also get loaded.
-You might want to edit the **SecRequestBodyLimit** option in the modsecurity.conf file.
-**SecRequestBodyLimit** limits the page request size and limits file uploads to **128 KB** by default.  Change this to the size of files you would accept uploaded to the server.
-This settings is very important as it limits the size of all files that can be uploaded to the server.  For CMS sites using Drupal or Wordpress this setting is the source of much pain.
-Execute the command:
-<code bash>
-sudo vi /etc/modsecurity/modsecurity.conf
-</code>
-First activate the rules by editing the **SecRuleEngine** option and set to On and modify your server signature.
-<file bash /etc/modsecurity/modsecurity.conf>
-SecRuleEngine On
-SecServerSignature FreeOSHTTP
-</file>
-Edit the following to option to increase the request limit to 16 MB and save the file:
-<file bash /etc/modsecurity/modsecurity.conf>
-SecRequestBodyLimit 16384000
-SecRequestBodyInMemoryLimit 16384000
-</file>
-===== Download and install the latest OWASP Core Rule Set =====
-The OWASP ModSecurity CRS Project's goal is to provide an easily "pluggable" set of generic attack detection rules that provide a base level of protection for any web application.
-Download and install the latest [[https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project|OWASP ModSecurity Core Rule Set]] from the project website.  See [[https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project|here]] for more information.
-We will also activate the default CRS config file **modsecurity_crs_10_setup.conf.example**.
-If you prefer not to use the latest rules, replace the wget for master below with the a specific version you would like to use e.g : **v2.2.5**.
-Execute the following commands:
-<code bash>
-cd /tmp
-sudo wget -O SpiderLabs-owasp-modsecurity-crs.tar.gz https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master
-sudo tar -zxvf SpiderLabs-owasp-modsecurity-crs.tar.gz
-sudo cp -R SpiderLabs-owasp-modsecurity-crs-*/* /etc/modsecurity/
-sudo rm SpiderLabs-owasp-modsecurity-crs.tar.gz
-sudo rm -R SpiderLabs-owasp-modsecurity-crs-*
-sudo mv /etc/modsecurity/modsecurity_crs_10_setup.conf.example /etc/modsecurity/modsecurity_crs_10_setup.conf
-</code>
-Create symbolic links to all activated base rules.  Execute the following commands:
-<code bash>
-cd /etc/modsecurity/base_rules
-for f in * ; do sudo ln -s /etc/modsecurity/base_rules/$f /etc/modsecurity/activated_rules/$f ; done
-cd /etc/modsecurity/optional_rules
-for f in * ; do sudo ln -s /etc/modsecurity/optional_rules/$f /etc/modsecurity/activated_rules/$f ; done
-</code>
-Add these rules to Apache2.  Execute the following command:
-<code bash>
-sudo vi /etc/apache2/mods-available/mod-security.conf
-</code>
-Add the following to towards the end of the file with other includes and save the file:
-<file bash /etc/apache2/mods-available/mod-security.conf>
-Include "/etc/modsecurity/activated_rules/*.conf"
-</file>
-===== Check if ModSecurity is enabled and restart Apache =====
-Before restarting Apache2 check if the modules has been loaded.
-Execute the following commands:
-<code bash>
-sudo a2enmod headers
-sudo a2enmod mod-security
-</code>
-Restart the Apache2 webserver:
-<code bash>
-sudo /etc/init.d apache2 restart
-</code>
-or
-<code bash>
-service apache2 restart
-</code>
-===== Test ModSecurity =====
-To test mod_security you can use curl to send HTTP requests to the Apache server.  One of the ModSecurity default rules is to reject requests that have a User Agent of "Nessus".  This is intended to deny information to attackers who use automated scanners.
-You can check mod_security by running the following command:
-<code bash>
-sudo curl -i http://192.168.1.42/ -A Nessus
-</code>
-You should see a 403 Forbidden response, as shown below on this page. ModSecurity has blocked the request, because the User Agent identifies it as a Nessus scan.
-<code>
-HTTP/1.1 403 Forbidden
-Date: Tue, 27 Oct 2015 11:08:39 GMT
-Server: Apache
-X-Frame-Options: SAMEORIGIN
-Last-Modified: Thu, 16 Oct 2014 13:20:58 GMT
-Accept-Ranges: bytes
-Content-Length: 4897
-X-XSS-Protection: 1; mode=block
-Content-Type: text/html; charset=UTF-8
-</code>
-===== Install ModEvasive =====
-Install [[http://www.zdziarski.com/blog/?page_id=442|ModEvasive]]
-Execute the following:
-<code bash>
-sudo apt-get install libapache2-mod-evasive
-</code>
-===== Create log file directory for mod_evasive =====
-Execute the following:
-<code bash>
-sudo mkdir /var/log/mod_evasive
-</code>
-Change the log folder permissions:
-<code bash>
-sudo chown www-data:www-data /var/log/mod_evasive/
-</code>
-===== Create mod-evasive.conf file and configure ModEvasive =====
-Execute the following:
-<code bash>
-sudo vi /etc/apache2/mods-available/mod-evasive.conf
-</code>
-Add the following, changing the email value, and other options below as required:
-<file bash /etc/apache2/mods-available/mod-evasive.conf>
-<ifmodule mod_evasive20.c>
-   DOSHashTableSize 3097
-   DOSPageCount  2
-   DOSSiteCount  50
-   DOSPageInterval 1
-   DOSSiteInterval  1
-   DOSBlockingPeriod  10
-   DOSLogDir   /var/log/mod_evasive
-   DOSEmailNotify  EMAIL@DOMAIN.com
-   DOSWhitelist   127.0.0.1
-</ifmodule>
-</file>
-===== Fix mod-evasive email bug =====
-Because of [[https://bugs.launchpad.net/ubuntu/+source/libapache-mod-evasive/+bug/605679|this bug]] mod-evasive does not send emails on Ubuntu 12.04.
-A temporary workaround is to create a symlink to the mail program.
-Execute the following:
-<code bash>
-sudo ln -s /etc/alternatives/mail /bin/mail/
-</code>
-===== Check if ModEvasive is enabled and restart Apache =====
-Before restarting Apache2 check if the module has been loaded.
-Execute the following:
-<code bash>
-sudo a2enmod mod-evasive
-</code>
-Restart the Apache2 webserver:
-<code bash>
-sudo /etc/init.d/apache2 restart
-</code>
-or
-<code bash>
-service apache2 restart
-</code>
-===== Test ModEvasive =====
-You can test mod_evasive by using the Perl **scripttest.pl** written by the Mod_Evasive developers.
-Before running this script, you need to make some changes:
-<code bash>
-sudo vi /usr/share/doc/mod_evasive-1.10.1/test.pl
-</code>
-Find the line **for(0..100) {** Replace **100** with **200**.  Find the line **PeerAddr=> "127.0.0.1:80");** Replace **127.0.0.1** with **yourserverip (192.168.1.42)**.
-<file perl /usr/share/doc/mod_evasive-1.10.1/test.pl>
-#!/usr/bin/perl
-# test.pl: small script to test mod_dosevasive's effectiveness
-use IO::Socket;
-use strict;
-for(0..200) {
-  my($response);
-  my($SOCKET) = new IO::Socket::INET( Proto   => "tcp",
-                                  PeerAddr=> "192.168.1.42:80");
-  if (! defined $SOCKET) { die $!; }
-  print $SOCKET "GET /?$_ HTTP/1.0\n\n";
-  $response = <$SOCKET>;
-  print $response;
-  close($SOCKET);
-}`
-</file>
-Save and exit.
-Now, run the script:
-<code bash>
-sudo  /usr/share/doc/mod_evasive-1.10.1/test.pl
-</code>
-You should see the following output:
-<code>
-HTTP/1.1 403 Forbidden
-HTTP/1.1 403 Forbidden
-HTTP/1.1 403 Forbidden
-HTTP/1.1 403 Forbidden
-HTTP/1.1 403 Forbidden
-</code>
-ModEvasive also logs to syslog when the IP address is blocked.  You can check the log file using:
-<code bash>
-sudo tailf /var/log/messages
-</code>
-You should see the following output:
-<code>
-Oct 26 15:36:42 CentOS-7 mod_evasive[2732]: Blacklisting address 192.168.1.42: possible DoS attack.
-</code>