This is an old revision of the document!
Table of Contents
Apache - Install mod_security and mod_evasive
ModSecurity is a toolkit for real-time web application monitoring, logging, and access control.
Install ModSecurity
To install ModSecurity.
Install the dependencies. Execute the following commands:
sudo apt-get install libxml2 libxml2-dev libxml2-utils sudo apt-get install libaprutil1 libaprutil1-dev
NOTE: 64bit users please note - Because of this bug you need to create a symbolic link to libxml2.so.2 or the installation will report the file missing and fail.
ln -s /usr/lib/x86_64-linux-gnu/libxml2.so.2 /usr/lib/libxml2.so.2
Install ModSecurity:
sudo apt-get install libapache-mod-security
Configure ModSecurity rules.
Activate the recommended default rules to get things going. Configure as required. For complete information refer to the ModSecurity Reference Manual.
sudo mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
The default folder for ModSecurity rules is /etc/modsecurity/. All .conf files will be included and need to be configured as required.
We need to activate all the base rules and make sure they also get loaded.
You might want to edit the SecRequestBodyLimit option in the modsecurity.conf file.
SecRequestBodyLimit limits the page request size and limits file uploads to 128 KB by default. Change this to the size of files you would accept uploaded to the server.
This settings is very important as it limits the size of all files that can be uploaded to the server. For CMS sites using Drupal or Wordpress this setting is the source of much pain.
Execute the command:
sudo vi /etc/modsecurity/modsecurity.conf
First activate the rules by editing the SecRuleEngine option and set to On and modify your server signature.
- /etc/modsecurity/modsecurity.conf
SecRuleEngine On SecServerSignature FreeOSHTTP
Edit the following to option to increase the request limit to 16 MB and save the file:
- /etc/modsecurity/modsecurity.conf
SecRequestBodyLimit 16384000 SecRequestBodyInMemoryLimit 16384000
Download and install the latest OWASP Core Rule Set
Download and install the latest OWASP ModSecurity Core Rule Set from the project website. See here for more information.
We will also activate the default CRS config file modsecurity_crs_10_setup.conf.example.
If you prefer not to use the latest rules, replace the wget for master below with the a specific version you would like to use e.g : v2.2.5.
Execute the following commands:
cd /tmp sudo wget -O SpiderLabs-owasp-modsecurity-crs.tar.gz https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master sudo tar -zxvf SpiderLabs-owasp-modsecurity-crs.tar.gz sudo cp -R SpiderLabs-owasp-modsecurity-crs-*/* /etc/modsecurity/ sudo rm SpiderLabs-owasp-modsecurity-crs.tar.gz sudo rm -R SpiderLabs-owasp-modsecurity-crs-* sudo mv /etc/modsecurity/modsecurity_crs_10_setup.conf.example /etc/modsecurity/modsecurity_crs_10_setup.conf
Create symbolic links to all activated base rules. Execute the following commands:
cd /etc/modsecurity/base_rules for f in * ; do sudo ln -s /etc/modsecurity/base_rules/$f /etc/modsecurity/activated_rules/$f ; done cd /etc/modsecurity/optional_rules for f in * ; do sudo ln -s /etc/modsecurity/optional_rules/$f /etc/modsecurity/activated_rules/$f ; done
Add these rules to Apache2. Execute the following command:
sudo vi /etc/apache2/mods-available/mod-security.conf
Add the following to towards the end of the file with other includes and save the file:
- /etc/apache2/mods-available/mod-security.conf
Include "/etc/modsecurity/activated_rules/*.conf"
Check if ModSecurity is enabled and restart Apache
Before restarting Apache2 check if the modules has been loaded.
Execute the following commands:
sudo a2enmod headers sudo a2enmod mod-security
Restart the Apache2 webserver:
sudo /etc/init.d apache2 restart
or
service apache2 restart
Install ModEvasive
Create log file directory for mod_evasive
Execute the following:
sudo mkdir /var/log/mod_evasive
Change the log folder permissions:
sudo chown www-data:www-data /var/log/mod_evasive/
Create mod-evasive.conf file and configure ModEvasive
Execute the following:
sudo vi /etc/apache2/mods-available/mod-evasive.conf
Add the following, changing the email value, and other options below as required:
- /etc/apache2/mods-available/mod-evasive.conf
<ifmodule mod_evasive20.c> DOSHashTableSize 3097 DOSPageCount 2 DOSSiteCount 50 DOSPageInterval 1 DOSSiteInterval 1 DOSBlockingPeriod 10 DOSLogDir /var/log/mod_evasive DOSEmailNotify EMAIL@DOMAIN.com DOSWhitelist 127.0.0.1 </ifmodule>
Fix mod-evasive email bug
Because of this bug mod-evasive does not send emails on Ubuntu 12.04.
A temporary workaround is to create a symlink to the mail program.
Execute the following:
sudo ln -s /etc/alternatives/mail /bin/mail/
Check if ModEvasive is enabled and restart Apache
Before restarting Apache2 check if the module has been loaded.
Execute the following:
sudo a2enmod mod-evasive
Restart the Apache2 webserver:
sudo /etc/init.d/apache2 restart
or
service apache2 restart