How to Secure Apache Web Server with ModEvasive on Ubuntu 16.04
By Francis Ndungu, Alibaba Cloud Tech Share Author. Tech Share is Alibaba Cloud’s incentive program to encourage the sharing of technical knowledge and best practices within the cloud community.
Apache is the cornerstone of modern web servers and is a powerful software solution for a large percentage of today’s internet economy.
According to a July 2018 research published by w3techs, Apache has a market share of around 45.9%. That being said, Apache web server is targeted by most hackers. The software is secure out-of-the-box but you can still harden it with some additional modules.
One of the most common methods of securing your Apache web server hosted on Alibaba Cloud is installing ModEvasive. This is a highly intelligent Apache module that provides evasive actions against Distributed Denial of Service and Brute Force attacks.
If a DDoS attack targets your web server, it can be very stressful. The attack simply overwhelms your server with a lot of traffic from multiple sources. During the DDoS session, regular users cannot access your website or web application and this can mean loss of sales or even lead to a complete shutdown of your business.
Brute-force attack on the other hand, is an automated break-in method that tries to gain access to resources on your web server. The attack uses millions of usernames and passwords in order to guess the login credentials of a secured web resource to obtain classified information.
In this guide, we will show you how to safeguard your Apache web server hosted on Alibaba Cloud Elastic Compute Service (ECS) against DDoS and brute-force attacks.
Prerequisite
- A valid Alibaba Cloud account (sign up now for a free trial)
- An ECS instance running Ubuntu 16.04 Operating System
- A non-root user capable of performing sudo privileges
Step 1: Update Your System Package Information Index
The first step is to log in to your Alibaba ECS instance via a command line tool such as PuTTY or Linux/macOS built in command line client.
Then, run the command below to update the package information on your system:
$ sudo apt-get update
Step 2: Setup Apache Web Server
The next step is installing Apache web server. You can skip this command if you have already installed the software on your system.
$ sudo apt-get install apache2
Press Y and hit Enter when prompted to confirm the installation.
You can always check if Apache is working by entering your server’s public IP address on a web browser.
http://ip_address
You should see the below default web page unless you have uploaded your website files to the server:
Step 3: Installing ModEvasive
ModEvasive is available on the Ubuntu software repository. So we can install it using the apt-get utility. This is the default package management command line program that handles installations, removals and upgrades of new software on Ubuntu.
Run the command below to install ModEvasive
$ sudo apt-get install libapache2-modsecurity
Step 4: Checking the Status of ModEvasive
You can check the status of ModEvasive by running the command below:
$ sudo apachectl -M | grep evasive
You should see the below output if the module is enabled on the server:
evasive20_module (shared)
Step 4: Configuring ModEvasive
In a Linux system, configuration files are mostly found on the /etc
directory and this is not an exception with ModEvasive. Its configuration file is located at /etc/apache2/mods-enabled/evasive.conf
.
Use nano text editor to open the file. We need to make some few changes:
$ sudo nano /etc/apache2/mods-enabled/evasive.conf
By default the entries of this file are commented with a pound-sign. We need to uncomment all those lines by removing the ‘#’ sign. Then, enter the email address where you want to receive emails when ModEvasive intercepts an attack targeted to your web server.
You will enter the email address next to DOSEmailNotify (e.g. james@example.com) directive:
At the end, your complete file should be as follows:
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
DOSEmailNotify john@example.com
#DOSSystemCommand "su - someuser -c '/sbin/... %s ...'"
DOSLogDir "/var/log/mod_evasive"
</IfModule>
Press CTRL+X, Y and Enter to save the file.
We will go over each of the above entries one by one in order for you to understand how ModEvasive settings work:
DOSHashTableSize
The value here specifies the size of the table that tracks activities of users based on their past IP addresses visits. The default value will work well for most websites.
You should only increase this value to speed up lookups only if your website is busy because a large value can have an adverse effect on your server’s memory.
DOSPageCount
This directive specifies genuine requests that a visitor can make to a specific resource in a given number of time that is specified by the DOSPageInterval directive before triggering ModEvasive. If the threshold is exceeded, the visitor IP address is blocked and added to a blacklist.
DOSSiteCount
This directive is similar to DOSPageCount but specifies number of legitimate requests that can be made to an entire website over the period of time specified by the DOSSiteInterval directive.
DOSPageInterval
As indicated above, this value works hand in hand with DOSPageCount. The default value is 1 second and this means that the page count threshold specified with the DOSPageCount should not be exceeded within 1 second or as specified otherwise this will cause the IP address of the client to be blacklisted.
DOSSiteInterval
This interval works together with DOSSiteCount. It defaults to 1 second and if the DOSSiteCount threshold is reached within this time, ModEvasive will trigger an IP block.
DOSBlockingPeriod
This value represents the amount of time in seconds that a client remains blocked after being added to the blacklist.
The default value is 10 seconds. During this time, the client will get a forbidden error message when trying to access any resource on the server.
DOSEmailNotify
You can specify an address that will receive a message every time an IP address is blocked.
DOSSystemCommand
Apart from sending an email, you can invoke a system command every time an IP address gets blocked. The %s variable contains the IP address that is blocked during the interception.
For instance, you can run a command to add firewall rule that blocks a specific IP address to avoid further attack to your web server.
DOSLogDir
This directory logs any interceptions made by ModEvasive. You can use a different directory depending on your needs.
Step 5: Creating ModEvasive Log Directory
By default, the log directory specified on the configuration file is not created when ModEvasive is installed. We need to create this folder using Linux mkdir command:
$ sudo mkdir /var/log/mod_evasive
Then, since Apache runs under the www-data user, we should give full ownership of the directory to the web server using the chown command:
$ sudo chown -R www-data:www-data /var/log/mod_evasive
You can now restart Apache for the changes to take effect.
$ sudo systemctl restart apache2
Step 6: Testing ModEvasive
ModEvasive makes things easy because it comes with a built-in Perl script that you can run on your Alibaba Ubuntu 16.04 ECS instance to see if the module is working.
The script is located on the path /usr/share/doc/libapache2-mod-evasive/examples/test.pl
.
For some reason, if you run the script without making any changes to it, you will get a bad request error. To rectify the problem, we need to edit the Perl script file using a nano editor;
$ sudo nano /usr/share/doc/libapache2-mod-evasive/examples/test.pl
Locate the line:
print $SOCKET "GET /?$_ HTTP/1.0\n\n";
And change it to:
print $SOCKET "GET /?$_ HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n";
Press CTRL + X, Y and Enter to save the file.
We can now run the Perl script by typing the command below:
$ sudo perl /usr/share/doc/libapache2-mod-evasive/examples/test.pl
If ModEvasive is working, you should see the below output:
...
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
..
This means that ModEvasive allowed us to access the server 10 times before blocking our IP address (127.0.0.1)
You may run the below command to see if ModEvasive was able to record the intrusion on the log directory:
$ sudo ls -a /var/log/mod_evasive
You should see the output below:
. .. dos-127.0.0.1
Also you can check the content of Apache error log file to confirm the same:
$ sudo tail /var/log/apache2/error.log
You will get the output as shown below:
...
[evasive20:error] [pid 31967] [client 127.0.0.1:43954] client denied by server configuration: /var/www/html/.
...
This means ModEvasive is working as expected.
Conclusion
In this guide we covered the basic steps of securing your Apache web server against DDoS and brute-force attacks. This will keep your website safe and ensure that your Alibaba Cloud web server is not compromised by malicious hackers who might want to block access or steal information from your website or applications. We believe you have implemented this guide and added another powerful layer of security to your server.
To learn more about how you can defend your server against DDoS attacks, visit www.alibabacloud.com/product/anti-ddos