How to Secure Apache Web Server with ModEvasive on Ubuntu Server.
According to a July 2021 research published by w3techs, Apache has a market share of around 33.7 %. That being said, the Apache webserver is very well targeted by most hackers. The software is secure out-of-the-box but you can still harden it with some additional modules.
One of the most common methods of securing your Apache web server is installing ModEvasive. This is a highly smart Apache module that provides evasive actions against Distributed Denial of Service and Brute Force attacks.
A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. During the DDoS session, regular users cannot access your website or web application and this can mean loss of sales or even lead to a complete shutdown of your business.
A brute-force attack, on the other hand, is an automated break-in method that tries to gain access to resources on your web server. The attack uses millions of usernames and passwords in order to guess the login credentials of a secured web resource to obtain classified information.
In this tutorial, we will show you how to safeguard your Apache webserver against both DDoS and brute-force attacks.
Step 1: Installing ModEvasive
Run the command below to install ModEvasive:
$ sudo apt-get install libapache2-modevasive
Step 2: Checking the Status of ModEvasive
Check the status of ModEvasive by running the following command:
$ sudo apachectl -M | grep evasive
You should see the below output if the module is enabled on the server:
evasive20_module (shared)
Step 3: Configuring ModEvasive
In a Linux system, configuration files are mostly found in the /etc directory. Its configuration file is located at /etc/apache2/mods-enabled/evasive.conf.
We need to make a few changes:
$ sudo nano /etc/apache2/mods-enabled/evasive.conf
By default, the entries of this file are commented with a pound sign. We need to uncomment all those lines by removing the '#' sign. Then, enter the email address where you want to receive emails when ModEvasive intercepts an attack targeted to your web server.
You will enter the email address next to DOSEmailNotify (ie. monkey@example.com) directive:
In the end, it should look like the one below:
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
DOSEmailNotify monkey@example.com
#DOSSystemCommand "su - someuser -c '/sbin/... %s ...'"
DOSLogDir "/var/log/mod_evasive"
</IfModule>Let's go over each of the above entries one by one in order to understand how ModEvasive settings work:
DOSHashTableSize
The value here specifies the size of the table that tracks the activities of users based on their past IP address visits. The default value will work well for most websites.
You should only increase this value to speed up lookups only if your website is busy because a large value can have an adverse effect on your server's memory.
DOSPageCount
This directive specifies genuine requests that a visitor can make to a specific resource in a given amount of time that is specified by the DOSPageInterval directive before triggering ModEvasive. If the threshold is exceeded, the visitor's IP address is blocked and added to a blacklist.
DOSSiteCount
This directive is similar to DOSPageCount but specifies the number of legitimate requests that can be made to an entire website over the period of time specified by the DOSSiteInterval directive.
DOSPageInterval
As indicated above, this value works hand in hand with DOSPageCount. The default value is 1 second and this means that the page count threshold specified with the DOSPageCount should not be exceeded within 1 second or as specified otherwise this will cause the IP address of the client to be blacklisted.
DOSSiteInterval
This interval works together with DOSSiteCount. It defaults to 1 second and if the DOSSiteCount threshold is reached within this time, ModEvasive will trigger an IP block.
DOSBlockingPeriod
This value represents the amount of time in seconds that a client remains blocked after being added to the blacklist.
The default value is 10 seconds. During this time, the client will get a forbidden error message when trying to access any resource on the server.
DOSEmailNotify
You can specify an address that will receive a message every time an IP address is blocked.
DOSSystemCommand
Apart from sending an email, you can invoke a system command every time an IP address gets blocked. The %s variable contains the IP address that is blocked during the interception.
For instance, you can run a command to add a firewall rule that blocks a specific IP address to avoid further attacks on your web server.
DOSLogDir
This directory logs any interceptions made by ModEvasive. You can use a different directory depending on your needs.
Step 4: Creating ModEvasive Log Directory
By default, the log directory specified on the configuration file is not created when ModEvasive is installed. We need to create this folder using the mkdir command:
$ sudo mkdir /var/log/mod_evasive
Since Apache runs under the www-data user, we should give full ownership of the directory to the web server using the chown command:
$ sudo chown -R www-data:www-data /var/log/mod_evasive
You can now restart Apache for the changes to take effect.
$ sudo systemctl restart apache2You may run the below command to see if ModEvasive was able to record the intrusion on the log directory:
$ sudo ls -a /var/log/mod_evasive
You should see the output below:
. .. dos-127.0.0.1
Also, you can check the content of the Apache error log file to confirm the same:
$ sudo tail /var/log/apache2/error.logYou will get the output as shown below:
...
...[evasive20:error] [pid 141980:tid 281472644649360] [client 127.0.0.1:41934] client denied by server configuration: /var/www/...
...
This will keep your website safe and ensure that your web server is not compromised by malicious hackers who might want to block access or steal information from your website or applications.
Cheers:~)