Mod_security is an Apache module that helps protect your website from various attacks such as cross-site scripting, SQL injection and path traversal. Mod_evasive is an Apache module that helps prevent HTTP DoS (DDoS) attacks and server brute-force attacks. If your server runs CentOS instead of Ubuntu, a separate set of instructions covers installing mod_security with the OWASP core rule set there.
To install and configure mod_security and mod_evasive modules on an Ubuntu VPS in order to harden and secure your Apache web server, follow the steps described below:
Make sure that all OS packages are up to date:
sudo apt-get update
sudo apt-get upgrade
Install mod-security and mod-evasive using the following command:
sudo apt-get install libapache2-mod-security2 libapache2-modsecurity libapache2-mod-evasive
To enable the mod_security rules, copy the recommended mod_security configuration file, then edit it and set the ‘SecRuleEngine’ option to On:
sudo cp /etc/modsecurity/modsecurity.conf{-recommended,}
sudo vi /etc/modsecurity/modsecurity.conf
SecRuleEngine On
It is also a good idea to raise ‘SecRequestBodyLimit’ to the largest upload you are willing to accept on the server (32 MB in the example below) and to turn off response body inspection with ‘SecResponseBodyAccess Off’, which saves some server resources:
SecRequestBodyLimit 32768000
SecRequestBodyInMemoryLimit 32768000
SecResponseBodyAccess Off
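The two edits above can be applied and verified without opening the file in an editor. The script below is an added example and is not part of the original post; the function names are our own, and the sample file it builds is a constructed excerpt laid out like modsecurity.conf-recommended (one active directive per line). On a real server you would pass /etc/modsecurity/modsecurity.conf instead of the temporary copy.

```shell
#!/bin/sh
# Added example (not from the original post): apply the tutorial's
# modsecurity.conf settings without hand-editing and read them back.
# Function names are our own; the sample file below is constructed.

set -e

# set_directive FILE NAME VALUE
# Replaces every active "NAME ..." line with "NAME VALUE"; appends the line
# if the directive is absent. Commented-out lines are left untouched.
set_directive() {
    tmp=$(mktemp)
    awk -v n="$2" -v v="$3" '
        $1 == n { print n " " v; seen = 1; next }
        { print }
        END { if (!seen) print n " " v }
    ' "$1" > "$tmp"
    cat "$tmp" > "$1"   # write through so the file keeps its owner and mode
    rm -f "$tmp"
}

# get_directive FILE NAME: prints the value of the first active NAME line
get_directive() {
    awk -v n="$2" '$1 == n { print $2; exit }' "$1"
}

# harden_modsec_conf FILE: the four settings from the tutorial
harden_modsec_conf() {
    set_directive "$1" SecRuleEngine On                    # block, do not just detect
    set_directive "$1" SecRequestBodyLimit 32768000        # 32 MB upload ceiling
    set_directive "$1" SecRequestBodyInMemoryLimit 32768000
    set_directive "$1" SecResponseBodyAccess Off           # skip response-body inspection
}

# make_sample_conf FILE: constructed excerpt in the layout of
# modsecurity.conf-recommended (DetectionOnly, default body limits)
make_sample_conf() {
    cat > "$1" <<'EOF'
# -- Rule engine initialization ----------------------------------------------
SecRuleEngine DetectionOnly
# -- Request body handling ---------------------------------------------------
SecRequestBodyAccess On
SecRequestBodyLimit 13107200
SecRequestBodyInMemoryLimit 131072
# -- Response body handling --------------------------------------------------
SecResponseBodyAccess On
SecAuditEngine RelevantOnly
EOF
}

# Demo on a temporary copy; on a real server pass /etc/modsecurity/modsecurity.conf
demo=$(mktemp)
make_sample_conf "$demo"
harden_modsec_conf "$demo"
printf 'SecRuleEngine: %s\n' "$(get_directive "$demo" SecRuleEngine)"
printf 'SecRequestBodyLimit: %s\n' "$(get_directive "$demo" SecRequestBodyLimit)"
rm -f "$demo"
```

Running `harden_modsec_conf` twice leaves exactly one line per directive, so it is safe to re-run after a package upgrade replaces the file. After changing the real configuration, run `sudo apachectl configtest` before restarting Apache so a typo in the file does not take the web server down.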
The mod_security rules are available in the following directories:
/usr/share/modsecurity-crs/base_rules
/usr/share/modsecurity-crs/optional_rules
/usr/share/modsecurity-crs/experimental_rules
To enable all of the CRS base rules, create symbolic links using the following command:
sudo ln -s /usr/share/modsecurity-crs/base_rules/*.conf /usr/share/modsecurity-crs/activated_rules/
To enable the CRS optional and experimental rules files you want to use, create symbolic links under the ‘activated_rules’ directory location accordingly.
It is recommended to download and configure the OWASP (Open Web Application Security Project) core rule set:
sudo apt-get install git
sudo git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
sudo mv /usr/share/modsecurity-crs /usr/share/modsecurity-crs.bak
sudo mv owasp-modsecurity-crs /usr/share/modsecurity-crs
sudo mv /usr/share/modsecurity-crs/crs-setup.conf.example /usr/share/modsecurity-crs/crs-setup.conf
Edit the following files:
sudo vi /usr/share/modsecurity-crs/activated_rules/modsecurity_crs_35_bad_robots.conf
comment out lines 16, 21 and 28:
#SecRule REQUEST_HEADERS:User-Agent "@pmFromFile modsecurity_35_bad_robots.data" \
#SecRule REQUEST_HEADERS:User-Agent "@pmFromFile modsecurity_35_bad_robots.data" \
#SecRule REQUEST_HEADERS:User-Agent
sudo vi /usr/share/modsecurity-crs/activated_rules/modsecurity_crs_40_generic_attacks.conf
comment out line 169:
#SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile modsecurity_40_generic_attacks.data" \
sudo vi /usr/share/modsecurity-crs/activated_rules/modsecurity_crs_50_outbound.conf
comment out line 101:
#SecRule RESPONSE_BODY "!@pmFromFile modsecurity_50_outbound.data" \
Configure the mod_evasive module:
sudo vi /etc/apache2/mods-available/mod-evasive.conf
<IfModule mod_evasive20.c>
    DOSHashTableSize 3097
    DOSPageCount 10
    DOSSiteCount 30
    DOSPageInterval 1
    DOSSiteInterval 3
    DOSBlockingPeriod 3600
    DOSLogDir /var/log/apache2/mod_evasive
</IfModule>
See the README file included with mod_evasive for details on the various config parameters. Note that DOSLogDir names a directory, not a file: mod_evasive creates a lock file there for each client address it blocks.
Create the mod_evasive log directory and make it writable by the Apache user:
sudo mkdir -p /var/log/apache2/mod_evasive
sudo chown www-data:www-data /var/log/apache2/mod_evasive
Run the following command to enable Apache modules:
sudo a2enmod headers
sudo a2enmod evasive
sudo a2enmod security2
Restart the Apache2 web server:
sudo service apache2 restart
Check if mod_security and mod_evasive modules are enabled on your server:
sudo apachectl -M | grep security2
 security2_module (shared)
sudo apachectl -M | grep evasive
 evasive20_module (shared)
If you have a WordPress based website hosted on your VPS, most likely you’ll need to disable some mod_security rules. To disable/exclude certain mod_security rules you can edit your domain’s virtual host defined in your domain’s Apache configuration file, for example:
<VirtualHost *:80>
    ServerName yourdomain.com
    ServerAlias www.yourdomain.com
    DocumentRoot /var/www/html/wordpress/
    <Directory />
        Options +FollowSymLinks
        AllowOverride FileInfo
    </Directory>
    <LocationMatch "/wp-admin/post.php">
        SecRuleRemoveById 300016
    </LocationMatch>
    <LocationMatch "/wp-admin/nav-menus.php">
        SecRuleRemoveById 300016
    </LocationMatch>
    <LocationMatch "(/wp-admin/|/wp-login.php)">
        SecRuleRemoveById 950117
        SecRuleRemoveById 950005
    </LocationMatch>
</VirtualHost>
Do not forget to restart Apache web server for the changes to take effect, so run the following command:
sudo service apache2 restart
Check the /var/log/apache2/modsec_audit.log log file to find the rules that are being triggered by mod_security on your web server.
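Reading modsec_audit.log by hand gets tedious once a few hundred transactions have been logged. The script below is an added example, not part of the original post: it summarises which rule IDs fired on which request paths in a serial-format audit log (the default in modsecurity.conf-recommended, where section B carries the request line and section H the "Message:" lines with the rule id), and then prints a LocationMatch stanza of the kind shown in the virtual host above. The function names are our own and the audit log excerpt is constructed, using the rule IDs mentioned in this post.

```shell
#!/bin/sh
# Added example (not from the original post): summarise which rules fire on
# which URIs in a serial-format modsec_audit.log, then print a matching
# SecRuleRemoveById stanza. Function names are our own.

set -e

# audit_rule_hits LOGFILE
# Prints "RULE_ID URI COUNT" for every (rule, URI) pair found in the log.
# Section B holds the request line; section H holds the "Message:" lines
# whose [id "..."] tag names the rule that matched.
audit_rule_hits() {
    awk '
        /^--[0-9A-Za-z]+-B--$/ { sect = "B"; want_req = 1; next }
        /^--[0-9A-Za-z]+-H--$/ { sect = "H"; next }
        /^--[0-9A-Za-z]+-[A-Z]--$/ { sect = ""; next }
        sect == "B" && want_req { uri = $2; sub(/\?.*/, "", uri); want_req = 0; next }
        sect == "H" && /^Message:/ && match($0, /\[id "[0-9]+"\]/) {
            id = substr($0, RSTART + 5, RLENGTH - 7)   # strip [id " and "]
            hits[id " " uri]++
        }
        END { for (k in hits) print k, hits[k] }
    ' "$1" | sort
}

# exclusion_block URI_REGEX ID...
# Prints a <LocationMatch> stanza that removes the given rules for that path.
exclusion_block() {
    printf '<LocationMatch "%s">\n' "$1"
    shift
    for id in "$@"; do
        printf '    SecRuleRemoveById %s\n' "$id"
    done
    printf '</LocationMatch>\n'
}

# make_sample_audit_log FILE: constructed excerpt of a serial audit log
make_sample_audit_log() {
    cat > "$1" <<'EOF'
--1a2b3c4d-A--
[12/Jan/2020:10:15:01 +0000] Xhs3c4nAAAAAB 203.0.113.5 51234 198.51.100.10 80
--1a2b3c4d-B--
POST /wp-login.php HTTP/1.1
Host: yourdomain.com
Content-Type: application/x-www-form-urlencoded
--1a2b3c4d-H--
Message: Warning. Pattern match "union select" at ARGS:log. [file "constructed.conf"] [line "1"] [id "950117"] [msg "constructed sample"]
Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "constructed.conf"] [line "2"] [id "950005"] [msg "constructed sample"]
Action: Intercepted (phase 2)
--1a2b3c4d-Z--

--2b3c4d5e-A--
[12/Jan/2020:10:16:40 +0000] Xhs3d9mAAAAAC 203.0.113.7 51300 198.51.100.10 80
--2b3c4d5e-B--
POST /wp-admin/post.php?action=edit HTTP/1.1
Host: yourdomain.com
--2b3c4d5e-H--
Message: Warning. Pattern match "<script" at ARGS:content. [file "constructed.conf"] [line "3"] [id "300016"] [msg "constructed sample"]
--2b3c4d5e-Z--

--3c4d5e6f-A--
[12/Jan/2020:10:17:02 +0000] Xhs3eQkAAAAAD 203.0.113.5 51410 198.51.100.10 80
--3c4d5e6f-B--
GET /wp-login.php HTTP/1.1
Host: yourdomain.com
--3c4d5e6f-H--
Message: Warning. Pattern match "union select" at ARGS:redirect_to. [file "constructed.conf"] [line "1"] [id "950117"] [msg "constructed sample"]
--3c4d5e6f-Z--
EOF
}

# Demo: on a real server run  audit_rule_hits /var/log/apache2/modsec_audit.log
log=$(mktemp)
make_sample_audit_log "$log"
audit_rule_hits "$log"
exclusion_block '/wp-login.php' 950117 950005
rm -f "$log"
```

The summary tells you which rule is noisy on which path, so the exclusion can be scoped to that path instead of being disabled site-wide; keep the exclusion list short and re-check the log after each change, since a rule that only ever fires on legitimate editor traffic is a different matter from one that fires on the login form.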
That’s it. You have mod_security and mod_evasive installed on your Ubuntu VPS.
Of course you don’t have to do any of this if you use one of our Linux VPS Hosting services, in which case you can simply ask our expert Linux admins to install mod_security and mod_evasive for you. They are available 24×7 and will take care of your request immediately.
PS. If you liked this post please share it with your friends on the social networks using the buttons on the left or simply leave a reply below. Thanks.
After searching long and hard to set up mod_security this post was a life saver! Everyone seems to have their own idea on how it works and it usually comes from 2009 onwards.
This setup completely worked and was so easy to use.
Thank you
Thanks for the guide!
It works
thanks for the guide
You forget this line after the OWASP rules:
cp /usr/share/modsecurity-crs/base_rules/*.conf /usr/share/modsecurity-crs/activated_rules/
If you follow the instructions closely you can see that the base rules are included using the following line:
Include modsecurity-crs/base_rules/*.conf
Hi! Thanks for the guide.
I am running LAMP stack with Ubuntu 16.04 +WP
But I have a problem with the OWASP. I am not sure if perhaps the command is outdated but:
sudo mv /usr/share/modsecurity-crs/modsecurity_crs_10_setup.conf.example /usr/share/modsecurity-crs/modsecurity_crs_10_setup.conf
mv: cannot stat ‘/usr/share/modsecurity-crs/modsecurity_crs_10_setup.conf.example’: No such file or directory
I don’t want to proceed until I know if this is critical or not. I am experiencing XML-RPC attacks currently and hope this will help curb it (as opposed to me currently blocking all xmlrpc through the apache config, given that these are wordpress sites).
Thank you!
Please use the following command: mv /usr/share/modsecurity-crs/crs-setup.conf.example /usr/share/modsecurity-crs/crs-setup.conf
We also updated the tutorial with the new command.
This is one of the best articles I have read. I’m using it, and will give you credit, on a website that combines several sites that all have part of what is needed to set up a person’s own secure site. It will go from Ubuntu secure to all of lamp secure. Thank you so much for all you have done here.
I have not set up my site and will not until late December or early January.
I have never touched mod_security before, so maybe I am missing something. But you list directions to create symlinks for the base rules with:
sudo ln -s /usr/share/modsecurity-crs/base_rules/*.conf /usr/share/modsecurity-crs/activated_rules/
Then only a few lines later you have us move the modsecurity-crs directory, wholesale, with the lines:
sudo mv /usr/share/modsecurity-crs /usr/share/modsecurity-crs.bak
sudo mv owasp-modsecurity-crs /usr/share/modsecurity-crs
So, maybe before OWASP carried the same directory structure as the generic modsecurity-crs directory. But, now it does not. This disallows following the rest of the tutorial.
This post was published a long time ago. After enabling OWASP, try running the following command:
sudo ln -s /usr/share/modsecurity-crs/base_rules/*.conf /usr/share/modsecurity-crs/rules/
I think the right command should be:
sudo ln -s /usr/share/modsecurity-crs.bak/base_rules/*.conf /usr/share/modsecurity-crs/rules/
because you made a previous backup of the original “modsecurity-crs” directory.