Protect Apache Against Brute Force or DDoS Attacks Using Mod_Security and Mod_evasive Modules

For those of you in the hosting business, or if you’re hosting your own servers and exposing them to the Internet, securing your systems against attackers must be a high priority.

mod_security (an open source intrusion detection and prevention engine for web applications that integrates seamlessly with the web server) and mod_evasive are two very important tools that can be used to protect a web server against brute force or (D)DoS attacks.


mod_evasive, as its name suggests, provides evasive capabilities while under attack, acting as an umbrella that shields web servers from such threats.


In this article we will discuss how to install, configure, and put them into play along with Apache on RHEL/CentOS 6 and 7 as well as Fedora 21-15. In addition, we will simulate attacks in order to verify that the server reacts accordingly.

This assumes that you have a LAMP server installed on your system. If not, please check this article before proceeding further.

  1. Install LAMP stack in RHEL/CentOS 7

You will also need to set up iptables as the default firewall front-end instead of firewalld if you’re running RHEL/CentOS 7 or Fedora 21. We do this in order to use the same tool in both RHEL/CentOS 7/6 and Fedora 21.

Step 1: Installing Iptables Firewall on RHEL/CentOS 7 and Fedora 21

To begin, stop and disable firewalld:

# systemctl stop firewalld
# systemctl disable firewalld

Then install the iptables-services package before enabling iptables:

# yum update && yum install iptables-services
# systemctl enable iptables
# systemctl start iptables
# systemctl status iptables

Step 2: Installing Mod_Security and Mod_evasive

In addition to having a LAMP setup already in place, you will also have to enable the EPEL repository in RHEL/CentOS 7/6 in order to install both packages. Fedora users don’t need to enable any repo, because EPEL is already part of the Fedora project.

# yum update && yum install mod_security mod_evasive

When the installation is complete, you will find the configuration files for both tools in /etc/httpd/conf.d.

# ls -l /etc/httpd/conf.d

Now, in order to integrate these two modules with Apache and have it load them when it starts, make sure the following lines appear in the top level section of mod_evasive.conf and mod_security.conf, respectively:

LoadModule evasive20_module modules/mod_evasive24.so
LoadModule security2_module modules/mod_security2.so

Note that modules/mod_security2.so and modules/mod_evasive24.so are relative paths, from the /etc/httpd directory to the module's shared object file. You can verify this (and change it, if needed) by listing the contents of the /etc/httpd/modules directory:

# cd /etc/httpd/modules
# pwd
# ls -l | grep -Ei '(evasive|security)'

Then restart Apache and verify that it loads mod_evasive and mod_security:

# service httpd restart      [On RHEL/CentOS 6 and Fedora 20-18]
# systemctl restart httpd    [On RHEL/CentOS 7 and Fedora 21]

Dump a list of loaded static and shared modules:

# httpd -M | grep -Ei '(evasive|security)'
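
The path check and the LoadModule lines above can be verified together before restarting Apache. The following script is an added example, not part of the original article; the function name check_loadmodules is hypothetical, and it assumes the conf.d file names and the /etc/httpd root used in this article.

```shell
#!/bin/sh
# Added example (not from the article): confirm that the LoadModule lines for
# mod_evasive and mod_security point at files that exist under ServerRoot.
# Assumes the conf.d file names and the /etc/httpd root used in the article.

check_loadmodules() {
    root=${1:-/etc/httpd}
    status=0
    found=0
    for conf in "$root/conf.d/mod_evasive.conf" "$root/conf.d/mod_security.conf"; do
        if [ ! -r "$conf" ]; then
            echo "MISSING  $conf"
            status=1
            continue
        fi
        # "|| [ -n ... ]" keeps a final line that has no trailing newline.
        while read -r directive name path rest || [ -n "$directive" ]; do
            # Directive names are case-insensitive; "#LoadModule" is skipped.
            d=$(printf '%s' "$directive" | tr '[:upper:]' '[:lower:]')
            [ "$d" = "loadmodule" ] || continue
            found=$((found + 1))
            case $path in
                /*) file=$path ;;          # absolute path: used as written
                *)  file=$root/$path ;;    # relative path: resolved from ServerRoot
            esac
            if [ -f "$file" ]; then
                echo "OK       $name -> $file"
            else
                echo "BROKEN   $name -> $file (no such file)"
                status=1
            fi
        done < "$conf"
    done
    if [ "$found" -lt 2 ]; then
        echo "EXPECTED 2 active LoadModule lines, found $found"
        status=1
    fi
    return "$status"
}

# On the server itself:
#   check_loadmodules /etc/httpd && httpd -M | grep -Ei '(evasive|security)'
```

A non-zero return means a configuration file is missing, a LoadModule line is commented out, or a module path does not resolve, any of which leaves the server running without the protection this article sets up.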


Gabriel Cánepa

Gabriel Cánepa is a GNU/Linux sysadmin and web developer from Villa Mercedes, San Luis, Argentina. He works for a worldwide leading consumer product company and takes great pleasure in using FOSS tools to increase productivity in all areas of his daily work.


133 Responses

  1. Nguyen Hung says:

    Please help me. I have set up mod_security and mod_evasive. I use WordPress and it is working well, but when I log in and type my account and password, the notification is “You don’t have permission to access /wp-login.php on this server.”

    • Ravi Saive says:

      @Nguyen,

      Try adding the following lines to your .htaccess file and see:

      <IfModule mod_security.c>
      SecFilterEngine Off
      SecFilterScanPOST Off
      </IfModule>
  2. Ehphan says:

    Hi, thanks for the article, it was great. I only faced a problem with Google reCAPTCHA values that contain suspicious values; I had to override a rule with
    SecRuleUpdateTargetById 981319 !ARGS:'g-recaptcha-response'
    but when I add it to the tecmint.conf file httpd won't restart... Is there somewhere else that I have to add this custom rule?

    • Gabriel A. Cánepa says:

      @Ehphan,
      What errors are you getting while trying to restart Apache? What distribution / version are you using? Assuming CentOS 7, what is the output of systemctl -l status httpd and journalctl -xe immediately after failing to restart httpd?

  3. tashfeen says:

    Is it possible to use firewalld instead of iptables? On my server I am using firewalld.

    • Gabriel A. Cánepa says:

      @tashfeen,
      It’s perfectly possible, but you will have to dig around a little. We may consider this as a topic for a future article.

  4. Tom Sweeney says:

    Nathan,
    I also had an issue with “modsecurity_crs_41_sql_injection_attacks.conf” when using WordPress. My issue was that the wp-admin panel would fail to load. I checked my error log and my issue was due to line 159. It has something to do with the number of special characters in a single parameter. In my case, changing the number at the end of the regex from “{5,}” to “{6,}” fixed the issue for me.

  5. Nathan Parks says:

    Extra note: I also had to disable “modsecurity_crs_20_protocol_violations.conf”. With it enabled, none of the streaming audio on sites works under WordPress.

  6. Nathan Parks says:

    Thanks for the great writeup! This helped drastically with constant brute force attacks. I however had to disable “modsecurity_crs_41_sql_injection_attacks.conf”. When it was enabled it always took me to the welcome page when trying to access any of the WordPress pages on my server. This might be what Christian was running into a few months ago. I’m thinking it’s just an incompatibility between the two but I’m subscribing in case anyone smarter than me takes a look at it. Either way with all other modules enabled I’m far better off than before.
