Tuesday 27 February 2018

Quickstart: mod_evasive and mod_security for httpd / apache

ModSecurity provides protection against common attacks on websites.

To install we should issue:

sudo yum install mod_security mod_security_crs

and then before production we should set 'SecRuleEngine On' to 'SecRuleEngine On'

vi /etc/httpd/conf.d/mod_security.conf

By default events will be logged to:

/var/log/httpd/modsec_audit.log

and rules (from mod_security_crs) can be found in:

/etc/httpd/modsecurity.d/activated_rules

while if you wish to create your own custom rules - these should be placed in:

/etc/httpd/modsecurity.d/local_rules

ModEvasive attempts to help with mitigating DoS/DDoS attacks.

Note: At this time I do not believe the mod_evasive module supports Event driven MPM (mpm_event_module) out of the box. However it should still work in prefork and worker modes.

You can verify which mode you are running it under with:

cat /etc/httpd/conf.modules.d/00-mpm.conf | grep LoadModule

To install we should issue:

sudo yum install mod_evasive

and then at the end of your httpd.conf file define your settings:

<IfModule mod_evasive20.c>
  DOSHashTableSize 3097
  DOSPageCount 2
  DOSSiteCount 50
  DOSPageInterval 1
  DOSSiteInterval 1
  DOSBlockingPeriod 60
  DOSEmailNotify email@example.com
</IfModule>

For changes to take effect we should ensure httpd is reloaded:

sudo service httpd reload

0 comments:

Post a Comment