How to install mod_security and mod_evasive on an Ubuntu 14.04 VPS

Mod_security is an Apache module that helps protect your website from various attacks such as cross-site scripting, SQL injection and path traversal. Mod_evasive is an Apache module that helps to prevent HTTP DoS (DDoS) attacks or server brute force attacks. If you have CentOS installed on your server, follow these instructions to install mod_security with the OWASP core rule set.
To install and configure mod_security and mod_evasive modules on an Ubuntu VPS in order to harden and secure your Apache web server, follow the steps described below:

Make sure that all OS packages are up to date:

sudo apt-get update
sudo apt-get upgrade

Install mod-security and mod-evasive using the following command:

sudo apt-get install libapache2-mod-security2 libapache2-modsecurity libapache2-mod-evasive

To enable the mod_security rules, copy the recommended mod_security configuration file, then edit it and set the ‘SecRuleEngine’ option to On:

sudo cp /etc/modsecurity/modsecurity.conf{-recommended,}
sudo vi /etc/modsecurity/modsecurity.conf
SecRuleEngine On

It is also a good idea to increase the ‘SecRequestBodyLimit’ value to the maximum size of files you are willing to accept as uploads to the server (for example, 32 MB), and to stop mod_security from accessing response bodies in order to save some server resources:

SecRequestBodyLimit 32768000
SecRequestBodyInMemoryLimit 32768000
SecResponseBodyAccess Off

The mod_security rules are available in the following directories:


To enable all of the CRS base rules, create symbolic links using the following command:

sudo ln -s /usr/share/modsecurity-crs/base_rules/*.conf /usr/share/modsecurity-crs/activated_rules/

To enable the CRS optional and experimental rules files you want to use, create symbolic links under the ‘activated_rules’ directory location accordingly.

It is recommended to download and configure the OWASP (Open Web Application Security Project) core rule set:

sudo apt-get install git
sudo git clone
sudo mv /usr/share/modsecurity-crs /usr/share/modsecurity-crs.bak
sudo mv owasp-modsecurity-crs /usr/share/modsecurity-crs
sudo mv /usr/share/modsecurity-crs/crs-setup.conf.example /usr/share/modsecurity-crs/crs-setup.conf

Edit the following files:

sudo vi /usr/share/modsecurity-crs/activated_rules/modsecurity_crs_35_bad_robots.conf

Comment out lines 16, 21 and 28:

#SecRule REQUEST_HEADERS:User-Agent "@pmFromFile" \
#SecRule REQUEST_HEADERS:User-Agent "@pmFromFile" \

sudo vi /usr/share/modsecurity-crs/activated_rules/modsecurity_crs_40_generic_attacks.conf

Comment out line 169:

sudo vi /usr/share/modsecurity-crs/activated_rules/modsecurity_crs_50_outbound.conf

Comment out line 101:

#SecRule RESPONSE_BODY "!@pmFromFile" \

Configure the mod_evasive module:

sudo vi /etc/apache2/mods-available/mod-evasive.conf

<IfModule mod_evasive20.c>
   DOSHashTableSize 3097
   DOSPageCount  10
   DOSSiteCount  30
   DOSPageInterval 1
   DOSSiteInterval  3
   DOSBlockingPeriod  3600
   DOSLogDir   /var/log/apache2/mod_evasive.log
</IfModule>

See the README file included with mod_evasive for details on the various config parameters.

Create the log file for mod_evasive:

sudo touch /var/log/apache2/mod_evasive.log
sudo chown www-data:www-data /var/log/apache2/mod_evasive.log

Run the following command to enable Apache modules:

sudo a2enmod headers
sudo a2enmod evasive
sudo a2enmod security2

Restart the Apache2 web server:

sudo service apache2 restart

Check if mod_security and mod_evasive modules are enabled on your server:

sudo apachectl -M | grep security2
security2_module (shared)

sudo apachectl -M | grep evasive
evasive20_module (shared)

If you have a WordPress based website hosted on your VPS, most likely you’ll need to disable some mod_security rules. To disable/exclude certain mod_security rules you can edit your domain’s virtual host defined in your domain’s Apache configuration file, for example:

<VirtualHost *:80>

      DocumentRoot /var/www/html/wordpress/
      <Directory />
         Options +FollowSymLinks
         AllowOverride FileInfo
      </Directory>

      <LocationMatch "/wp-admin/post.php">
         SecRuleRemoveById 300016
      </LocationMatch>

      <LocationMatch "/wp-admin/nav-menus.php">
         SecRuleRemoveById 300016
      </LocationMatch>

      <LocationMatch "(/wp-admin/|/wp-login.php)">
         SecRuleRemoveById 950117
         SecRuleRemoveById 950005
      </LocationMatch>
</VirtualHost>

Do not forget to restart the Apache web server for the changes to take effect:

sudo service apache2 restart

Check the /var/log/apache2/modsec_audit.log log file to find the rules that are being triggered by mod_security on your web server.
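
To turn that audit log into a list of rule ids per request path, the following added example (not part of the original tutorial) counts how often each rule fired for each URL. It assumes the serial audit log format with parts B and H enabled; the function names and the embedded sample log are constructed for illustration.

```shell
# Count ModSecurity rule hits per request path (serial audit log; files or stdin).
modsec_rule_hits() {
  awk '
    # Section boundary such as --a1b2c3d4-B-- (transaction id, part letter)
    /^--[0-9a-zA-Z]+-[A-Z]--$/ {
      part = substr($0, length($0) - 2, 1)
      if (part == "A") path = "-"      # new transaction, path not seen yet
      first = 1; next
    }
    # First line of part B is the request line: METHOD URI PROTOCOL
    part == "B" && first {
      first = 0; path = $2
      sub(/\?.*/, "", path); next      # ignore the query string
    }
    # Part H holds one Message: line per rule that matched
    part == "H" && /^Message:/ && match($0, /\[id "[0-9]+"\]/) {
      hits[substr($0, RSTART + 5, RLENGTH - 7) " " path]++
    }
    END { for (k in hits) print hits[k], k }
  ' "$@" | sort -k1,1nr -k2,2
}
# Constructed sample log (not real traffic); rule ids are the ones used on this page.
sample_audit_log() {
  cat <<'EOF'
--a1b2c3d4-A--
[01/Jan/2015:10:00:00 +0000] AAAAAAAAAAAAAAAAAAAAAAAA 192.0.2.10 40001 192.0.2.1 80
--a1b2c3d4-B--
POST /wp-admin/post.php?post=12&action=edit HTTP/1.1
--a1b2c3d4-H--
Message: Access denied with code 403 (phase 2). [id "300016"] [msg "constructed"]
--a1b2c3d4-Z--
--b2c3d4e5-A--
[01/Jan/2015:10:05:00 +0000] BBBBBBBBBBBBBBBBBBBBBBBB 192.0.2.10 40002 192.0.2.1 80
--b2c3d4e5-B--
POST /wp-admin/post.php HTTP/1.1
--b2c3d4e5-H--
Message: Access denied with code 403 (phase 2). [id "300016"] [msg "constructed"]
--b2c3d4e5-Z--
--c3d4e5f6-A--
[01/Jan/2015:10:09:00 +0000] CCCCCCCCCCCCCCCCCCCCCCCC 198.51.100.7 40003 192.0.2.1 80
--c3d4e5f6-B--
GET /wp-login.php?redirect_to=/wp-admin/ HTTP/1.1
--c3d4e5f6-H--
Message: Warning. [id "950117"] [msg "constructed"]
Message: Access denied with code 403 (phase 2). [id "950005"] [msg "constructed"]
--c3d4e5f6-Z--
EOF
}
sample_audit_log | modsec_rule_hits
```

On a real server, run `sudo sh -c '. ./script.sh; modsec_rule_hits /var/log/apache2/modsec_audit.log'` or pipe the log in; rule and path pairs that recur for legitimate admin requests are the candidates for a scoped SecRuleRemoveById in a matching LocationMatch block.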

That’s it. You have mod_security and mod_evasive installed on your Ubuntu VPS.

  • Mark


    After searching long and hard to set up mod_security this post was a life saver! Everyone seems to have their own idea on how it works and it usually comes from 2009 onwards.

    This setup completely worked and was so easy to use.

    Thank you

  • Lin De

    Thanks for the guide!

  • ontet


    It works
    thanks for the guide

  • Elias


    You forget this line after the OWASP rules:
    cp /usr/share/modsecurity-crs/base_rules/*.conf /usr/share/modsecurity-crs/activated_rules/

    • admin


      If you follow the instructions closely you can see that the base rules are included using the following line:
      Include modsecurity-crs/base_rules/*.conf

  • Kim


    Hi! Thanks for the guide.
    I am running LAMP stack with Ubuntu 16.04 +WP
    But I have a problem with the OWASP. I am not sure if perhaps the command is outdated but:

    sudo mv /usr/share/modsecurity-crs/modsecurity_crs_10_setup.conf.example /usr/share/modsecurity-crs/modsecurity_crs_10_setup.conf
    mv: cannot stat ‘/usr/share/modsecurity-crs/modsecurity_crs_10_setup.conf.example’: No such file or directory

    I don’t want to proceed until I know if this is critical or not. I am experiencing XML-RPC attacks currently and hope this will help curb it (as opposed to me currently blocking all xmlrpc through the apache config, given that these are wordpress sites).

    Thank you!

    • admin


      Please use the following command: mv /usr/share/modsecurity-crs/crs-setup.conf.example /usr/share/modsecurity-crs/crs-setup.conf

      We also updated the tutorial with the new command.