How to install mod_security and mod_evasive on an Ubuntu 14.04 VPS

Mod_security is an Apache module that helps to protect your website from various attacks such as cross-site scripting, SQL injection attacks, path traversal attacks etc. Mod_evasive is an Apache module that helps to prevent HTTP DoS (DDoS) attacks or server brute force attacks. If you have CentOS installed on your server, follow these instructions to install mod_security with the OWASP core rule set.
To install and configure mod_security and mod_evasive modules on an Ubuntu VPS in order to harden and secure your Apache web server, follow the steps described below:

Make sure that all OS packages are up to date:

sudo apt-get update
sudo apt-get upgrade

Install mod-security and mod-evasive using the following command:

sudo apt-get install libapache2-mod-security2 libapache2-modsecurity libapache2-mod-evasive

To enable the mod_security rules, copy the recommended mod_security configuration file, then edit it and set the ‘SecRuleEngine’ option to On:

sudo cp /etc/modsecurity/modsecurity.conf{-recommended,}
sudo vi /etc/modsecurity/modsecurity.conf

SecRuleEngine On

Also, it is a good idea to increase the ‘SecRequestBodyLimit’ value to the maximum size of files you would accept uploaded to the server, for example set it to 32 MB and disallow mod_security to access response bodies to save some server resources:

SecRequestBodyLimit 32768000
SecRequestBodyInMemoryLimit 32768000
SecResponseBodyAccess Off

The mod_security rules are available in following directories:

/usr/share/modsecurity-crs/base_rules
/usr/share/modsecurity-crs/optional_rules
/usr/share/modsecurity-crs/experimental_rules

To enable all of the CRS base rules, create symbolic links using the following command:

sudo ln -s /usr/share/modsecurity-crs/base_rules/*.conf /usr/share/modsecurity-crs/activated_rules/

To enable the CRS optional and experimental rules files you want to use, create symbolic links under the ‘activated_rules’ directory location accordingly.

It is recommended to download and configure OWASP (Open Web Application Security Project) core rule set:

sudo apt-get install git
sudo git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
sudo mv /usr/share/modsecurity-crs /usr/share/modsecurity-crs.bak
sudo mv owasp-modsecurity-crs /usr/share/modsecurity-crs
sudo mv /usr/share/modsecurity-crs/crs-setup.conf.example /usr/share/modsecurity-crs/crs-setup.conf

Edit the following files:

sudo vi /usr/share/modsecurity-crs/activated_rules/modsecurity_crs_35_bad_robots.conf

comment lines 16, 21 and 28:

#SecRule REQUEST_HEADERS:User-Agent "@pmFromFile modsecurity_35_bad_robots.data" \
#SecRule REQUEST_HEADERS:User-Agent "@pmFromFile modsecurity_35_bad_robots.data" \
#SecRule REQUEST_HEADERS:User-Agent

sudo vi /usr/share/modsecurity-crs/activated_rules/modsecurity_crs_40_generic_attacks.conf

comment line 169:

#SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile modsecurity_40_generic_attacks.data" \

sudo vi /usr/share/modsecurity-crs/activated_rules/modsecurity_crs_50_outbound.conf

comment line 101:

#SecRule RESPONSE_BODY "!@pmFromFile modsecurity_50_outbound.data" \

Configure mod_evasive module:
<pre>sudo vi /etc/apache2/mods-available/mod-evasive.conf</pre>

<ifmodule mod_evasive20.c>
   DOSHashTableSize 3097
   DOSPageCount  10
   DOSSiteCount  30
   DOSPageInterval 1
   DOSSiteInterval  3
   DOSBlockingPeriod  3600
   DOSLogDir   /var/log/apache2/mod_evasive.log
</ifmodule>

See the README file included with mod_evasive for details on the various config parameters.

Create log file for mod_evasive:

touch /var/log/apache2/mod_evasive.log
sudo chown www-data:www-data /var/log/apache2/mod_evasive.log

Run the following command to enable Apache modules:

sudo a2enmod headers
sudo a2enmod evasive
sudo a2enmod security2

Restart the Apache2 web server :

sudo service apache2 restart

Check if mod_security and mod_evasive modules are enabled on your server:

sudo apachectl -M | grep security2
security2_module (shared)

sudo apachectl -M | grep evasive
evasive20_module (shared)

If you have a WordPress based website hosted on your VPS, most likely you’ll need to disable some mod_security rules. To disable/exclude certain mod_security rules you can edit your domain’s virtual host defined in your domain’s Apache configuration file, for example:

<VirtualHost *:80>
   ServerName yourdomain.com
   ServerAlias www.yourdomain.com

      DocumentRoot /var/www/html/wordpress/
      <Directory />
         Options +FollowSymLinks
         AllowOverride FileInfo
      </Directory>

      <LocationMatch "/wp-admin/post.php">
         SecRuleRemoveById 300016
      </LocationMatch>

      <LocationMatch "/wp-admin/nav-menus.php">
         SecRuleRemoveById 300016
      </LocationMatch>

      <LocationMatch "(/wp-admin/|/wp-login.php)">
         SecRuleRemoveById 950117
         SecRuleRemoveById 950005
      </LocationMatch>
</VirtualHost>

Do not forget to restart Apache web server for the changes to take effect, so run the following command:

sudo service apache2 restart

Check the /var/log/apache2/modsec_audit.log log file to find the rules that are being triggered by mod_security on your web server.

That’s it. You have mod_security and mod_evasive installed on your Ubuntu VPS.

Of course you don’t have to do any of this if you use one of our Linux VPS Hosting services, in which case you can simply ask our expert Linux admins to install mod_security and mod_evasive for you. They are available 24×7 and will take care of your request immediately.

PS. If you liked this post please share it with your friends on the social networks using the buttons on the left or simply leave a reply below. Thanks.