How to Secure Apache Web Server with ModEvasive on Ubuntu 16.04

Alibaba Cloud
7 min readOct 17, 2018

--

By Francis Ndungu, Alibaba Cloud Tech Share Author. Tech Share is Alibaba Cloud’s incentive program to encourage the sharing of technical knowledge and best practices within the cloud community.

Apache is the cornerstone of modern web servers and is a powerful software solution for a large percentage of today’s internet economy.

According to a July 2018 research published by w3techs, Apache has a market share of around 45.9%. That being said, Apache web server is targeted by most hackers. The software is secure out-of-the-box but you can still harden it with some additional modules.

One of the most common methods of securing your Apache web server hosted on Alibaba Cloud is installing ModEvasive. This is a highly intelligent Apache module that provides evasive actions against Distributed Denial of Service and Brute Force attacks.

If a DDoS attack targets your web server, it can be very stressful. The attack simply overwhelms your server with a lot of traffic from multiple sources. During the DDoS session, regular users cannot access your website or web application and this can mean loss of sales or even lead to a complete shutdown of your business.

Brute-force attack on the other hand, is an automated break-in method that tries to gain access to resources on your web server. The attack uses millions of usernames and passwords in order to guess the login credentials of a secured web resource to obtain classified information.

In this guide, we will show you how to safeguard your Apache web server hosted on Alibaba Cloud Elastic Compute Service (ECS) against DDoS and brute-force attacks.

Prerequisite

  1. A valid Alibaba Cloud account (sign up now for a free trial)
  2. An ECS instance running Ubuntu 16.04 Operating System
  3. A non-root user capable of performing sudo privileges

Step 1: Update Your System Package Information Index

The first step is to log in to your Alibaba ECS instance via a command line tool such as PuTTY or Linux/macOS built in command line client.

Then, run the command below to update the package information on your system:

$ sudo apt-get update

Step 2: Setup Apache Web Server

The next step is installing Apache web server. You can skip this command if you have already installed the software on your system.

$ sudo apt-get install apache2

Press Y and hit Enter when prompted to confirm the installation.

You can always check if Apache is working by entering your server’s public IP address on a web browser.

http://ip_address

You should see the below default web page unless you have uploaded your website files to the server:

Step 3: Installing ModEvasive

ModEvasive is available on the Ubuntu software repository. So we can install it using the apt-get utility. This is the default package management command line program that handles installations, removals and upgrades of new software on Ubuntu.

Run the command below to install ModEvasive

$ sudo apt-get install libapache2-modsecurity

Step 4: Checking the Status of ModEvasive

You can check the status of ModEvasive by running the command below:

$ sudo apachectl -M | grep evasive

You should see the below output if the module is enabled on the server:

evasive20_module (shared)

Step 4: Configuring ModEvasive

In a Linux system, configuration files are mostly found on the /etc directory and this is not an exception with ModEvasive. Its configuration file is located at /etc/apache2/mods-enabled/evasive.conf.

Use nano text editor to open the file. We need to make some few changes:

$ sudo nano /etc/apache2/mods-enabled/evasive.conf

By default the entries of this file are commented with a pound-sign. We need to uncomment all those lines by removing the ‘#’ sign. Then, enter the email address where you want to receive emails when ModEvasive intercepts an attack targeted to your web server.

You will enter the email address next to DOSEmailNotify (e.g. james@example.com) directive:

At the end, your complete file should be as follows:

<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
DOSEmailNotify john@example.com
#DOSSystemCommand "su - someuser -c '/sbin/... %s ...'"
DOSLogDir "/var/log/mod_evasive"
</IfModule>

Press CTRL+X, Y and Enter to save the file.

We will go over each of the above entries one by one in order for you to understand how ModEvasive settings work:

DOSHashTableSize

The value here specifies the size of the table that tracks activities of users based on their past IP addresses visits. The default value will work well for most websites.

You should only increase this value to speed up lookups only if your website is busy because a large value can have an adverse effect on your server’s memory.

DOSPageCount

This directive specifies genuine requests that a visitor can make to a specific resource in a given number of time that is specified by the DOSPageInterval directive before triggering ModEvasive. If the threshold is exceeded, the visitor IP address is blocked and added to a blacklist.

DOSSiteCount

This directive is similar to DOSPageCount but specifies number of legitimate requests that can be made to an entire website over the period of time specified by the DOSSiteInterval directive.

DOSPageInterval

As indicated above, this value works hand in hand with DOSPageCount. The default value is 1 second and this means that the page count threshold specified with the DOSPageCount should not be exceeded within 1 second or as specified otherwise this will cause the IP address of the client to be blacklisted.

DOSSiteInterval

This interval works together with DOSSiteCount. It defaults to 1 second and if the DOSSiteCount threshold is reached within this time, ModEvasive will trigger an IP block.

DOSBlockingPeriod

This value represents the amount of time in seconds that a client remains blocked after being added to the blacklist.

The default value is 10 seconds. During this time, the client will get a forbidden error message when trying to access any resource on the server.

DOSEmailNotify

You can specify an address that will receive a message every time an IP address is blocked.

DOSSystemCommand

Apart from sending an email, you can invoke a system command every time an IP address gets blocked. The %s variable contains the IP address that is blocked during the interception.

For instance, you can run a command to add firewall rule that blocks a specific IP address to avoid further attack to your web server.

DOSLogDir

This directory logs any interceptions made by ModEvasive. You can use a different directory depending on your needs.

Step 5: Creating ModEvasive Log Directory

By default, the log directory specified on the configuration file is not created when ModEvasive is installed. We need to create this folder using Linux mkdir command:

$ sudo mkdir /var/log/mod_evasive

Then, since Apache runs under the www-data user, we should give full ownership of the directory to the web server using the chown command:

$ sudo chown -R www-data:www-data /var/log/mod_evasive

You can now restart Apache for the changes to take effect.

$ sudo systemctl restart apache2

Step 6: Testing ModEvasive

ModEvasive makes things easy because it comes with a built-in Perl script that you can run on your Alibaba Ubuntu 16.04 ECS instance to see if the module is working.

The script is located on the path /usr/share/doc/libapache2-mod-evasive/examples/test.pl.

For some reason, if you run the script without making any changes to it, you will get a bad request error. To rectify the problem, we need to edit the Perl script file using a nano editor;

$ sudo nano /usr/share/doc/libapache2-mod-evasive/examples/test.pl

Locate the line:

print $SOCKET "GET /?$_ HTTP/1.0\n\n";

And change it to:

print $SOCKET "GET /?$_ HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n";

Press CTRL + X, Y and Enter to save the file.

We can now run the Perl script by typing the command below:

$ sudo perl /usr/share/doc/libapache2-mod-evasive/examples/test.pl

If ModEvasive is working, you should see the below output:

...
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
..

This means that ModEvasive allowed us to access the server 10 times before blocking our IP address (127.0.0.1)

You may run the below command to see if ModEvasive was able to record the intrusion on the log directory:

$ sudo ls -a /var/log/mod_evasive

You should see the output below:

.  ..  dos-127.0.0.1

Also you can check the content of Apache error log file to confirm the same:

$ sudo tail /var/log/apache2/error.log

You will get the output as shown below:

...
[evasive20:error] [pid 31967] [client 127.0.0.1:43954] client denied by server configuration: /var/www/html/.
...

This means ModEvasive is working as expected.

Conclusion

In this guide we covered the basic steps of securing your Apache web server against DDoS and brute-force attacks. This will keep your website safe and ensure that your Alibaba Cloud web server is not compromised by malicious hackers who might want to block access or steal information from your website or applications. We believe you have implemented this guide and added another powerful layer of security to your server.

To learn more about how you can defend your server against DDoS attacks, visit www.alibabacloud.com/product/anti-ddos

Reference:https://www.alibabacloud.com/blog/how-to-secure-apache-web-server-with-modevasive-on-ubuntu-16-04_594051?spm=a2c41.12125189.0.0

--

--

Alibaba Cloud

Follow me to keep abreast with the latest technology news, industry insights, and developer trends. Alibaba Cloud website:https://www.alibabacloud.com