How to install mod_security and mod_evasive on an Ubuntu 14.04 VPS

Mod_security is an Apache module that helps protect your website from attacks such as cross-site scripting, SQL injection and path traversal. Mod_evasive is an Apache module that helps mitigate HTTP DoS (DDoS) attacks and brute-force attacks against the server. If your server runs CentOS, follow these instructions to install mod_security with the OWASP Core Rule Set instead.
To install and configure mod_security and mod_evasive modules on an Ubuntu VPS in order to harden and secure your Apache web server, follow the steps described below:

Make sure that all OS packages are up to date:

sudo apt-get update
sudo apt-get upgrade

Install mod_security and mod_evasive using the following command:

sudo apt-get install libapache2-mod-security2 libapache2-modsecurity libapache2-mod-evasive

To enable the mod_security rules, copy the recommended mod_security configuration file, then edit it and set the ‘SecRuleEngine’ option to On:

sudo cp /etc/modsecurity/modsecurity.conf{-recommended,}
sudo vi /etc/modsecurity/modsecurity.conf
SecRuleEngine On

It is also a good idea to set the ‘SecRequestBodyLimit’ value to the largest upload you want to accept (32 MB in this example) and to turn off mod_security’s access to response bodies, which saves server resources:

SecRequestBodyLimit 32768000
SecRequestBodyInMemoryLimit 32768000
SecResponseBodyAccess Off

The mod_security rules are available in the following directories:

/usr/share/modsecurity-crs/base_rules
/usr/share/modsecurity-crs/optional_rules
/usr/share/modsecurity-crs/experimental_rules

To enable all of the CRS base rules, create symbolic links using the following command:

sudo ln -s /usr/share/modsecurity-crs/base_rules/*.conf /usr/share/modsecurity-crs/activated_rules/

To enable the CRS optional and experimental rules files you want to use, create symbolic links under the ‘activated_rules’ directory location accordingly.

It is recommended to download and configure the OWASP (Open Web Application Security Project) Core Rule Set:

sudo apt-get install git
sudo git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
sudo mv /usr/share/modsecurity-crs /usr/share/modsecurity-crs.bak
sudo mv owasp-modsecurity-crs /usr/share/modsecurity-crs
sudo mv /usr/share/modsecurity-crs/crs-setup.conf.example /usr/share/modsecurity-crs/crs-setup.conf

Edit the following files:

sudo vi /usr/share/modsecurity-crs/activated_rules/modsecurity_crs_35_bad_robots.conf

Comment out lines 16, 21 and 28:

#SecRule REQUEST_HEADERS:User-Agent "@pmFromFile modsecurity_35_bad_robots.data" \
#SecRule REQUEST_HEADERS:User-Agent "@pmFromFile modsecurity_35_bad_robots.data" \
#SecRule REQUEST_HEADERS:User-Agent

sudo vi /usr/share/modsecurity-crs/activated_rules/modsecurity_crs_40_generic_attacks.conf

Comment out line 169:

#SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile modsecurity_40_generic_attacks.data" \

sudo vi /usr/share/modsecurity-crs/activated_rules/modsecurity_crs_50_outbound.conf

Comment out line 101:

#SecRule RESPONSE_BODY "!@pmFromFile modsecurity_50_outbound.data" \

Configure the mod_evasive module:

sudo vi /etc/apache2/mods-available/mod-evasive.conf

<IfModule mod_evasive20.c>
   DOSHashTableSize 3097
   DOSPageCount  10
   DOSSiteCount  30
   DOSPageInterval 1
   DOSSiteInterval  3
   DOSBlockingPeriod  3600
   # DOSLogDir takes a directory (mod_evasive creates per-IP lock files in it), not a log file
   DOSLogDir   /var/log/apache2/mod_evasive
</IfModule>

See the README file included with mod_evasive for details on the various config parameters.

Create the directory mod_evasive writes to and make it writable by the Apache user:

sudo mkdir -p /var/log/apache2/mod_evasive
sudo chown www-data:www-data /var/log/apache2/mod_evasive

Run the following command to enable Apache modules:

sudo a2enmod headers
sudo a2enmod evasive
sudo a2enmod security2

Restart the Apache2 web server:

sudo service apache2 restart

Check if mod_security and mod_evasive modules are enabled on your server:

sudo apachectl -M | grep security2
security2_module (shared)

sudo apachectl -M | grep evasive
evasive20_module (shared)

If you have a WordPress-based website hosted on your VPS, you will most likely need to disable some mod_security rules. To disable or exclude specific rules, edit your domain’s virtual host in its Apache configuration file, for example:

<VirtualHost *:80>
   ServerName yourdomain.com
   ServerAlias www.yourdomain.com

      DocumentRoot /var/www/html/wordpress/
      <Directory />
         Options +FollowSymLinks
         AllowOverride FileInfo
      </Directory>

      <LocationMatch "/wp-admin/post.php">
         SecRuleRemoveById 300016
      </LocationMatch>

      <LocationMatch "/wp-admin/nav-menus.php">
         SecRuleRemoveById 300016
      </LocationMatch>

      <LocationMatch "(/wp-admin/|/wp-login.php)">
         SecRuleRemoveById 950117
         SecRuleRemoveById 950005
      </LocationMatch>
</VirtualHost>

Do not forget to restart the Apache web server for the changes to take effect:

sudo service apache2 restart

Check the /var/log/apache2/modsec_audit.log log file to find the rules that are being triggered by mod_security on your web server.
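Once the audit log has entries, the following added helper (not from the tutorial and not part of mod_security) parses the serial-format modsec_audit.log and counts hits per rule ID together with the URIs each rule fired on, which is exactly what you need to write targeted SecRuleRemoveById exclusions like the WordPress ones above. The sample log it runs on is constructed for the example; the rule IDs in it are the ones used on this page.

```shell
#!/bin/sh
# Added helper (not from the tutorial or mod_security): count which rules fired by
# parsing the serial-format modsec_audit.log, reading section B (request line) and
# section H (rule messages). Hits per rule ID show which IDs you may want to exclude.
summarize_audit_log() {
    awk '
    /^--[0-9A-Za-z@]+-[A-Z]--$/ {                    # section boundary, e.g. --abcd-H--
        sec = substr($0, length($0) - 2, 1)
        if (sec == "A") { uri = ""; split("", seen) }   # new transaction starts
        next
    }
    sec == "B" && uri == "" { uri = $2 }             # request line: "METHOD URI PROTO"
    sec == "H" && /^Message:/ && match($0, /\[id "[0-9]+"\]/) {
        id = substr($0, RSTART + 5, RLENGTH - 7)
        if (match($0, /\[msg "[^"]*"\]/)) msg[id] = substr($0, RSTART + 6, RLENGTH - 8)
        if (!(id in seen)) { seen[id] = 1; hits[id]++ }          # count once per request
        if (!((id, uri) in seenuri)) {
            seenuri[id, uri] = 1
            uris[id] = (uris[id] == "" ? uri : uris[id] " " uri)
        }
    }
    END { for (id in hits) printf "%s\t%d\t%s\t%s\n", id, hits[id], msg[id], uris[id] }
    ' "$1" | sort -k2,2nr -k1,1
}

# Hit count for one rule ID (empty output if it never fired).
rule_hits() {
    summarize_audit_log "$1" | awk -F '\t' -v id="$2" '$1 == id { print $2 }'
}
# Constructed sample log: two blocked WordPress requests, rule IDs taken from this page.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
--a1b2c3d4-A--
[15/Jul/2015:10:12:01 +0000] a1b2c3d4 203.0.113.5 51234 10.0.0.2 80
--a1b2c3d4-B--
POST /wp-admin/post.php HTTP/1.1
--a1b2c3d4-H--
Message: Access denied with code 403 (phase 2). [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "1"] [id "950005"] [msg "Remote File Access Attempt"] [severity "CRITICAL"]
--a1b2c3d4-Z--
--e5f6a7b8-A--
[15/Jul/2015:10:12:09 +0000] e5f6a7b8 203.0.113.5 51240 10.0.0.2 80
--e5f6a7b8-B--
GET /wp-login.php HTTP/1.1
--e5f6a7b8-H--
Message: Warning. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "2"] [id "950117"] [msg "Remote File Inclusion Attack"] [severity "CRITICAL"]
Message: Access denied with code 403 (phase 2). [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "1"] [id "950005"] [msg "Remote File Access Attempt"] [severity "CRITICAL"]
--e5f6a7b8-Z--
EOF
summarize_audit_log "$SAMPLE_LOG"   # columns: id, hits, message, URIs it fired on
```

Run it against the real file with `summarize_audit_log /var/log/apache2/modsec_audit.log`; a rule that fires on only one admin URI is a candidate for a LocationMatch exclusion rather than a global one.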

That’s it. You have mod_security and mod_evasive installed on your Ubuntu VPS.

Of course you don’t have to do any of this if you use one of our Linux VPS Hosting services, in which case you can simply ask our expert Linux admins to install mod_security and mod_evasive for you. They are available 24×7 and will take care of your request immediately.

PS. If you liked this post please share it with your friends on the social networks using the buttons on the left or simply leave a reply below. Thanks.

11 thoughts on “How to install mod_security and mod_evasive on an Ubuntu 14.04 VPS”

  1. After searching long and hard to set up mod_security this post was a life saver! Everyone seems to have their own idea on how it works and it usually comes from 2009 onwards.

    This setup completely worked and was so easy to use.

    Thank you

  2. You forget this line after the OWASP rules:
    cp /usr/share/modsecurity-crs/base_rules/*.conf /usr/share/modsecurity-crs/activated_rules/

    • If you follow the instructions closely you can see that the base rules are included using the following line:
      Include modsecurity-crs/base_rules/*.conf

  3. Hi! Thanks for the guide.
    I am running LAMP stack with Ubuntu 16.04 +WP
    But I have a problem with the OWASP. I am not sure if perhaps the command is outdated but:

    sudo mv /usr/share/modsecurity-crs/modsecurity_crs_10_setup.conf.example /usr/share/modsecurity-crs/modsecurity_crs_10_setup.conf
    mv: cannot stat ‘/usr/share/modsecurity-crs/modsecurity_crs_10_setup.conf.example’: No such file or directory

    I don’t want to proceed until I know if this is critical or not. I am experiencing XML-RPC attacks currently and hope this will help curb it (as opposed to me currently blocking all xmlrpc through the apache config, given that these are wordpress sites).

    Thank you!

    • Please use the following command: mv /usr/share/modsecurity-crs/crs-setup.conf.example /usr/share/modsecurity-crs/crs-setup.conf

      We also updated the tutorial with the new command.

  4. This is one of the best articles I have read. I’m using it, and will give you credit, on a website that combines several sites that all have part of what is needed to set up a person’s own secure site. It will go from Ubuntu secure to all of lamp secure. Thank you so much for all you have done here.
    I have not set up my site and will not until late December or early January.

  5. I have never touched mod_secure before, so maybe I am missing something. But you list directions to create symlinks for the base rules with:

    sudo ln -s /usr/share/modsecurity-crs/base_rules/*.conf /usr/share/modsecurity-crs/activated_rules/

    Then only a few lines later you have us move the modsecurity-crs directory, wholesale, with the lines:

    sudo mv /usr/share/modsecurity-crs /usr/share/modsecurity-crs.bak
    sudo mv owasp-modsecurity-crs /usr/share/modsecurity-crs

    So, maybe before OWASP carried the same directory structure as the generic modsecurity-crs directory. But, now it does not. This disallows following the rest of the tutorial.

    • This post was published a long time ago. After enabling OWASP, try running the following command:
      sudo ln -s /usr/share/modsecurity-crs/base_rules/*.conf /usr/share/modsecurity-crs/rules/

      • I think the right command should be:

        sudo ln -s /usr/share/modsecurity-crs.bak/base_rules/*.conf /usr/share/modsecurity-crs/rules/

        because you made a previous backup of the original “modsecurity-crs” directory.

