Skip to content

Instantly share code, notes, and snippets.

@babywyrm

babywyrm/centos7_mod_evasive_mod_security__

Created March 1, 2020 00:48
Show Gist options
  • Save babywyrm/283055b30318bd44436c47393a965d8f to your computer and use it in GitHub Desktop.
Save babywyrm/283055b30318bd44436c47393a965d8f to your computer and use it in GitHub Desktop.
Download ZIP
_basic_reminder_to_overhal_this_for_2020__
Raw
centos7_mod_evasive_mod_security__
++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++
~~( March/April, 2019 )~~
The mod_evasive Apache module takes evasive action at the time of a DDoS attack or a BruteForce attack and protect Apache from these types of attacks. It gives reports by email or logging facility. This module restrict the concurrent connections from an IP and blacklist if necessary. To configure mod_evasive on centos 7 server, Please follow the below steps.
1. Install EPEL yum repository packages. EPEL (Extra Packages for Enterprise Linux) is an open source and free community based repository project from Fedora team which provides 100% high quality add-on software packages for Linux distribution including RHEL (Red Hat Enterprise Linux), CentOS and Scientific Linux. To activate EPEL on server, execute the below commands in the terminal.
#wget http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
# rpm -ivh epel-release-latest-7.noarch.rpm
2. Install mod_evasive module using below command
#yum install mod_evasive -y
3. Verify the installation is completed by opening the configuration file of the module
# cat /etc/httpd/conf.d/mod_evasive.conf
4. Next step is to ensure the module is properly loaded. Open the config files and ensure the below line appear on the top of the config file.
LoadModule evasive20_module modules/mod_evasive24.so
Then restart the httpd service and enter the below command.
# httpd -M | grep -Ei '(evasive)'
If the module is loaded, you will see the below output.
evasive20_module (shared)
Mod_evasive config options
The module will be already configured with default values and if you want to alter the mod_evasive configuration, open the configuration file mentioned below using any editor and make sure httpd service is restarted if the config file is altered
# vim /etc/httpd/conf.d/mod_evasive.conf
Mod_evasive config options
Email alert: To enable email alert system , go to line number 48 and uncomment the below line and enter your email id in the required field. So, The events will be automatically alerted via emails.
#DOSEmailNotify you@yourdomain.com
DOSHashTableSize: The next option we are interested is the hash table size. The hash table size defines the number of top-level nodes for each child’s hash table. Increasing this number will provide faster performance by decreasing the number of iterations
required to get to the record, but consume more memory for table space. You should increase this if you have a busy web server.
DOSPageCount: This is the threshold for the number of requests for the same page (or URI) per page interval. Once the threshold for that interval has been exceeded, the IP address of the client will be added to the blocking list.
#DOSPageCount 2
DOSSiteCount: This is the threshold for the total number of requests for any object by the same client on the same listener per site interval. Once the threshold for that interval has been exceeded, the IP address of the client will be added to the blocking list.
#DOSSiteCount 50
DOSPageInterval: The interval for the site count threshold; defaults to 1 second intervals.
#DOSPageInterval 1
DOSSiteInterval: The interval for the site count threshold; defaults to 1 second intervals.
#DOSSiteInterval 1
DOSBlockingPeriod: The blocking period is the amount of time (in seconds) that a client will be blocked for if they are added to the blocking list. During this time, all subsequent requests from the client will result in a 403 (Forbidden) and the timer being reset (e.g. another 10 seconds). Since the timer is reset for every subsequent request, it is not necessary to have a long blocking period; in the event of a DoS attack, this timer will keep getting reset.
#DOSBlockingPeriod 10
DOSSystemCommand: If this value is set, the system command specified will be executed whenever an IP address becomes blacklisted. This is designed to enable system calls to ip filter or other tools. A locking mechanism using /tmp prevents continuous system calls. Use %s to denote the IP address of the blacklisted IP.
#DOSSystemCommand "su - someuser -c '/sbin/... %s ...'"
DOSLogDir: Choose an alternative temp directory, By default “/tmp” will be used for locking mechanism, which opens some security issues if your system is open to shell users. In the event you have nonprivileged shell users, you’ll want to create a directory writable only to the user Apache is running as (usually root), then set this in your httpd.conf.
#DOSLogDir "/var/lock/mod_evasive"
Whitelist IP Addresses : This option is to whitelist certain IP addresses from blocking. You can also use wildcards up to the last 3 octets if necessary.
#DOSWhitelist 127.0.0.1
#DOSWhitelist 192.168.0.*
NB: The httpd service must be restarted after tweaking the configurations
Install mod_evasive in centos 7 with cpanel
The latest cpanel version(v68.0.29) yum repository already have the packages for mod_evasive. The only difference when installing the mod_evasive in a cpanel server is in the yum install command. The easyapache package for mod_evasive should be installed in the server. Please use the below command for installing mod_evasive in latest cpanel server. All other steps remain the same.
yum install ea-apache24-mod_evasive.x86_64
That’s it. Secure servers are not a myth, it’s how a seasoned team configure it!
++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++
Install Mod_Security Apache on CentOS 7
Step 1. First, let’s start by ensuring your system is up-to-date.
yum <span id="IL_AD10" class="IL_AD">clean all</span>
yum -y update
Step 2. Installing Mod_Security Apache on CentOS
Install Dependencies for mod_security:
yum install gcc make httpd-devel libxml2 pcre-devel libxml2-devel curl-devel git
Next, download **latest stable release of mod_security source code from their official website to your server:
wget <span id="IL_AD6" class="IL_AD">https</span>://www.modsecurity.org/tarball/2.9.3/modsecurity-2.9.3.tar.gz
tar xzf modsecurity-apache_2.9.3.tar.gz
cd modsecurity-apache_2.9.3
./configure
make install
cp modsecurity.conf-recommended /etc/httpd/conf.d/modsecurity.conf
cp unicode.mapping /etc/httpd/conf.d/
Step 3.
Configuring Mod_Security.
( consider VIM )
###########################################
# nano /etc/httpd/conf/httpd.conf
LoadModule security2_module modules/mod_security2.so
Now set the basic rule set in your httpd.conf file. Add the following lines of code at the end of the file:
<IfModule security2_module>
Include conf.d/modsecurity.conf
</IfModule>
Save the changes and restart Apache:
systemctl restart httpd
Step 4. Download and configure OWASP (Open Web Application Security Project) core rule set for a base configuration.
cd /etc/httpd
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
mv owasp-modsecurity-crs modsecurity-crs
cd modsecurity-crs
cp modsecurity_crs_10_setup.conf.example modsecurity_crs_10_config.conf
Open the Apache configuration file again, and add the following lines at the end of the file:
( VIM pls, LOL )
# nano /etc/httpd/conf/httpd.conf
Include modsecurity-crs/modsecurity_crs_10_config.conf
Include modsecurity-crs/base_rules/*.conf
Next, restart the Apache service to enable mod_security module:
systemctl restart httpd
Congratulations!
You have successfully installed Mod_Security.
++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment