Protect Apache Against Brute Force or DDoS Attacks Using Mod_Security and Mod_evasive Modules

Step 3: Installing A Core Rule Set and Configuring Mod_Security

In few words, a Core Rule Set (aka CRS) provides the web server with instructions on how to behave under certain conditions. The developer firm of mod_security provide a free CRS called OWASP (Open Web Application Security Project) ModSecurity CRS that can be downloaded and installed as follows.

1. Download the OWASP CRS to a directory created for that purpose.

# mkdir /etc/httpd/crs-tecmint
# cd /etc/httpd/crs-tecmint
# wget https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master
Download mod_security Core Rules

Download mod_security Core Rules

2. Untar the CRS file and change the name of the directory for one of our convenience.

# tar xzf master
# mv SpiderLabs-owasp-modsecurity-crs-ebe8790 owasp-modsecurity-crs
Extract mod_security Core Rules

Extract mod_security Core Rules

3. Now it’s time to configure mod_security. Copy the sample file with rules (owasp-modsecurity-crs/modsecurity_crs_10_setup.conf.example) into another file without the .example extension:

# cp modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

and tell Apache to use this file along with the module by inserting the following lines in the web server’s main configuration file /etc/httpd/conf/httpd.conf file. If you chose to unpack the tarball in another directory you will need to edit the paths following the Include directives:

<IfModule security2_module>
    Include crs-tecmint/owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
    Include crs-tecmint/owasp-modsecurity-crs/base_rules/*.conf
</IfModule>

Finally, it is recommended that we create our own configuration file within the /etc/httpd/modsecurity.d directory where we will place our customized directives (we will name it tecmint.conf in the following example) instead of modifying the CRS files directly. Doing so will allow for easier upgrading the CRSs as new versions are released.

<IfModule mod_security2.c>
	SecRuleEngine On
	SecRequestBodyAccess On
	SecResponseBodyAccess On 
	SecResponseBodyMimeType text/plain text/html text/xml application/octet-stream 
	SecDataDir /tmp
</IfModule>

You can refer to the SpiderLabs’ ModSecurity GitHub repository for a complete explanatory guide of mod_security configuration directives.

Best Affordable Linux and WordPress Services For Your Business
Outsource Your Linux and WordPress Project and Get it Promptly Completed Remotely and Delivered Online.

If You Appreciate What We Do Here On TecMint, You Should Consider:

  1. Stay Connected to: Twitter | Facebook | Google Plus
  2. Subscribe to our email updates: Sign Up Now
  3. Get your own self-hosted blog with a Free Domain at ($3.45/month).
  4. Become a Supporter - Make a contribution via PayPal
  5. Support us by purchasing our premium books in PDF format.
  6. Support us by taking our online Linux courses

We are thankful for your never ending support.

Gabriel Cánepa

Gabriel Cánepa is a GNU/Linux sysadmin and web developer from Villa Mercedes, San Luis, Argentina. He works for a worldwide leading consumer product company and takes great pleasure in using FOSS tools to increase productivity in all areas of his daily work.

Your name can also be listed here. Got a tip? Submit it here to become an TecMint author.

RedHat RHCE and RHCSA Certification Book
Linux Foundation LFCS and LFCE Certification Preparation Guide

You may also like...

133 Responses

  1. Malcolm Turnbull says:

    Gabriel,
    Thanks the mod_evasive stuff is really interesting – I might have a play with it…

    A true DDOS is pretty hard to handle but every little helps.

    We’ve noticed a big rise in brute force login attacks recently and made a blog about using ModSecurity to stop them: loadbalancer.org/blog/brute-force-login-modsecurity-waf

  2. helwi ahmad says:

    this tutorial for old version and you will found error if you use this version of tutorial.

  3. Sam says:

    Thank you for a perfect article.

    I did all the steps in tutorial but when I restart apache got the below error,

    AH00526: Syntax error on line 25 of /etc/httpd/crs/owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf:
    Error creating rule: Unknown variable: pk_ref)/

    so, what can i do!

  4. John says:

    Hi,

    I have a CentOS 7 / Plesk Onyx server with multiple PHP versions. How can I install these extensions on each PHP version (5.4, 5.6, 7.0, 7.1)?

    Thanks.

  5. Nguyen Hung says:

    I can’t do that. I can’t run below command, may be owsap update or upgrade. So can you fix some thing. Please!

    # wget https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master
    
  6. EVGA says:

    I think it doesn’t work well with CloudFlare. Have you try install vDDoS Protection Reverse Proxy from https://sourceforge.net/p/vddos-protection Layer 7 Filter Mitigate DOS, DDOS, SYN Floods, or HTTP Floods attack?

Leave a Reply to Sam Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.