Table of Contents

Apache - Modules - Install mod_security and mod_evasive

ModSecurity is a toolkit for real-time web application monitoring, logging, and access control.

mod_evasive is an evasive manoeuvres module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack.


Install ModSecurity

To install ModSecurity.

Install the dependencies. Execute the following commands:

sudo apt-get install libxml2 libxml2-dev libxml2-utils
sudo apt-get install libaprutil1 libaprutil1-dev

NOTE: 64bit users:

  • Because of this bug you need to create a symbolic link to libxml2.so.2 or the installation will report the file missing and fail.
ln -s /usr/lib/x86_64-linux-gnu/libxml2.so.2 /usr/lib/libxml2.so.2

Install ModSecurity

sudo apt-get install libapache-mod-security

Configure ModSecurity rules.

Activate the recommended default rules to get things going.

sudo mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

NOTE: The default folder for ModSecurity rules is /etc/modsecurity/.

  • All .conf files will be included and need to be configured as required.

Activate all the base rules and make sure they also get loaded

Optionally edit the SecRequestBodyLimit option in the modsecurity.conf file.

NOTE: This settings is very important as it limits the size of all files that can be uploaded to the server.

  • For CMS sites using Drupal or Wordpress this setting is the source of much pain.

Execute the command:

sudo vi /etc/modsecurity/modsecurity.conf

First activate the rules by editing the SecRuleEngine option and set to On and modify your server signature.

/etc/modsecurity/modsecurity.conf
SecRuleEngine On
SecServerSignature FreeOSHTTP

Edit the following to option to increase the request limit to 16 MB and save the file:

/etc/modsecurity/modsecurity.conf
SecRequestBodyLimit 16384000
SecRequestBodyInMemoryLimit 16384000

Download and install the latest OWASP Core Rule Set

The goal of the OWASP ModSecurity CRS Project is to provide an easily “pluggable” set of generic attack detection rules that provide a base level of protection for any web application.

Download and install the latest OWASP ModSecurity Core Rule Set from the project website.

Also activate the default CRS config file modsecurity_crs_10_setup.conf.example.

If you prefer not to use the latest rules, replace the wget for master below with the a specific version you would like to use e.g : v2.2.5.

Execute the following commands:

cd /tmp
sudo wget -O SpiderLabs-owasp-modsecurity-crs.tar.gz https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master
sudo tar -zxvf SpiderLabs-owasp-modsecurity-crs.tar.gz
sudo cp -R SpiderLabs-owasp-modsecurity-crs-*/* /etc/modsecurity/
sudo rm SpiderLabs-owasp-modsecurity-crs.tar.gz
sudo rm -R SpiderLabs-owasp-modsecurity-crs-*
sudo mv /etc/modsecurity/modsecurity_crs_10_setup.conf.example /etc/modsecurity/modsecurity_crs_10_setup.conf

Create symbolic links to all activated base rules. Execute the following commands:

cd /etc/modsecurity/base_rules
for f in * ; do sudo ln -s /etc/modsecurity/base_rules/$f /etc/modsecurity/activated_rules/$f ; done
 
cd /etc/modsecurity/optional_rules
for f in * ; do sudo ln -s /etc/modsecurity/optional_rules/$f /etc/modsecurity/activated_rules/$f ; done 

Add these rules to Apache2. Execute the following command:

sudo vi /etc/apache2/mods-available/mod-security.conf

Add the following to towards the end of the file with other includes and save the file:

/etc/apache2/mods-available/mod-security.conf
Include "/etc/modsecurity/activated_rules/*.conf"

Check if ModSecurity is enabled and restart Apache

Before restarting Apache2 check if the modules has been loaded.

Execute the following commands:

sudo a2enmod headers
sudo a2enmod mod-security

Restart the Apache2 webserver:

sudo /etc/init.d apache2 restart

or

service apache2 restart

Test ModSecurity

To test mod_security you can use curl to send HTTP requests to the Apache server. One of the ModSecurity default rules is to reject requests that have a User Agent of “Nessus”. This is intended to deny information to attackers who use automated scanners.

You can check mod_security by running the following command:

sudo curl -i http://192.168.1.42/ -A Nessus

You should see a 403 Forbidden response, as shown below on this page. ModSecurity has blocked the request, because the User Agent identifies it as a Nessus scan.

HTTP/1.1 403 Forbidden
Date: Tue, 27 Oct 2015 11:08:39 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Last-Modified: Thu, 16 Oct 2014 13:20:58 GMT
Accept-Ranges: bytes
Content-Length: 4897
X-XSS-Protection: 1; mode=block
Content-Type: text/html; charset=UTF-8

Install ModEvasive

Install ModEvasive

Execute the following:

sudo apt-get install libapache2-mod-evasive

Create log file directory for mod_evasive

Execute the following:

sudo mkdir /var/log/mod_evasive

Change the log folder permissions:

sudo chown www-data:www-data /var/log/mod_evasive/

Create mod-evasive.conf file and configure ModEvasive

Execute the following:

sudo vi /etc/apache2/mods-available/mod-evasive.conf

Add the following, changing the email value, and other options below as required:

/etc/apache2/mods-available/mod-evasive.conf
<ifmodule mod_evasive20.c>
   DOSHashTableSize 3097
   DOSPageCount  2
   DOSSiteCount  50
   DOSPageInterval 1
   DOSSiteInterval  1
   DOSBlockingPeriod  10
   DOSLogDir   /var/log/mod_evasive
   DOSEmailNotify  EMAIL@DOMAIN.com
   DOSWhitelist   127.0.0.1
</ifmodule>

Fix mod-evasive email bug

Because of this bug mod-evasive does not send emails on Ubuntu 12.04.

A temporary workaround is to create a symlink to the mail program.

Execute the following:

sudo ln -s /etc/alternatives/mail /bin/mail/

Check if ModEvasive is enabled and restart Apache

Before restarting Apache2 check if the module has been loaded.

Execute the following:

sudo a2enmod mod-evasive

Restart the Apache2 webserver:

sudo /etc/init.d/apache2 restart

or

service apache2 restart

Test ModEvasive

You can test mod_evasive by using the Perl scripttest.pl written by the Mod_Evasive developers.

Before running this script, you need to make some changes:

sudo vi /usr/share/doc/mod_evasive-1.10.1/test.pl

Find the line for(0..100) { Replace 100 with 200. Find the line PeerAddr⇒ “127.0.0.1:80”); Replace 127.0.0.1 with yourserverip (192.168.1.42).

/usr/share/doc/mod_evasive-1.10.1/test.pl
#!/usr/bin/perl
# test.pl: small script to test mod_dosevasive's effectiveness
 
use IO::Socket;
use strict;
 
for(0..200) {
  my($response);
  my($SOCKET) = new IO::Socket::INET( Proto   => "tcp",
                                  PeerAddr=> "192.168.1.42:80");
  if (! defined $SOCKET) { die $!; }
  print $SOCKET "GET /?$_ HTTP/1.0\n\n";
  $response = <$SOCKET>;
  print $response;
  close($SOCKET);
}`

Save and exit.

Now, run the script:

sudo  /usr/share/doc/mod_evasive-1.10.1/test.pl

You should see the following output:

HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden

ModEvasive also logs to syslog when the IP address is blocked. You can check the log file using:

sudo tailf /var/log/messages

You should see the following output:

Oct 26 15:36:42 CentOS-7 mod_evasive[2732]: Blacklisting address 192.168.1.42: possible DoS attack.