How to Protect Apache Against Brute Force or DDoS Attacks Using Mod_Security

Installing mod_security
Mod security is a free Web Application Firewall (WAF) that works with Apache, Nginx and IIS. It supports a flexible rule engine to perform simple and complex operations and comes with a Core Rule Set (CRS) which has rules for SQL injection, cross site scripting, Trojans, bad user agents, session hijacking and a lot of other exploits. For Apache, it is an additional module which makes it easy to install and configure.
Modsecurity is available in the Debian/Ubuntu repository:
1
sudo apt-get install libapache2-modsecurity
Verify if the mod_security module was loaded.
1
sudo apachectl -M | grep --color security
You should see a module named security2_module (shared) which indicates that the module was loaded.
Modsecurity's installation includes a recommended configuration file which has to be renamed:
1
sudo mv /etc/modsecurity/modsecurity.conf{-recommended,}
Reload Apache
1
sudo service apache2 reload
You'll find a new log file for mod_security in the Apache log directory:
1
2
$ ls -l /var/log/apache2/modsec_audit.log
-rw-r----- 1 root root 0 Oct 19 08:08 /var/log/apache2/modsec_audit.log
Configuring mod_security
Out of the box, modsecurity doesn't do anything as it needs rules to work. The default configuration file is set to DetectionOnly which logs requests according to rule matches and doesn't block anything. This can be changed by editing the modsecurity.conf file:
1
sudo vim /etc/modsecurity/modsecurity.conf
Find this line
1
SecRuleEngine DetectionOnly
and change it to:
1
SecRuleEngine On
If you're trying this out on a production server, change this directive only after testing all your rules.
Another directive to modify is SecResponseBodyAccess. This configures whether response bodies are buffered (i.e. read by modsecurity). This is only neccessary if data leakage detection and protection is required. Therefore, leaving it On will use up droplet resources and also increase the logfile size.
Find this
1
SecResponseBodyAccess On
and change it to:
1
SecResponseBodyAccess Off
Now we'll limit the maximum data that can be posted to your web application. Two directives configure these:
1
2
SecRequestBodyLimit
SecRequestBodyNoFilesLimit
The SecRequestBodyLimit directive specifies the maximum POST data size. If anything larger is sent by a client the server will respond with a 413 Request Entity Too Large error. If your web application doesn't have any file uploads this value can be greatly reduced.
The value mentioned in the configuration file is
1
SecRequestBodyLimit 13107200
which is 12.5MB.
Similar to this is the SecRequestBodyNoFilesLimit directive. The only difference is that this directive limits the size of POST data minus file uploads-- this value should be "as low as practical."
The value in the configuration file is
1
SecRequestBodyNoFilesLimit 131072
which is 128KB.
Along the lines of these directives is another one which affects server performance:SecRequestBodyInMemoryLimit. This directive is pretty much self-explanatory; it specifies how much of "request body" data (POSTed data) should be kept in the memory (RAM), anything more will be placed in the hard disk (just like swapping). Since droplets use SSDs, this is not much of an issue; however, this can be set a decent value if you have RAM to spare.
1
SecRequestBodyInMemoryLimit 131072
This is the value (128KB) specified in the configuration file.
Excluding Hosts and Directories
Sometimes it makes sense to exclude a particular directory or a domain name if it is running an application like phpMyAdmin as modsecurity and will block SQL queries. It is also better to exclude admin backends of CMS applications like WordPress.
To disable modsecurity for a complete VirtualHost place the following
1
2
3
<IfModule security2_module>
    SecRuleEngine Off
</IfModule>
inside the <VirtualHost> section.
For a particular directory:
1
2
3
4
5
<Directory "/var/www/wp-admin">
    <IfModule security2_module>
        SecRuleEngine Off
    </IfModule>
</Directory>
SHARE

Ibrar Ansari

  • Image
  • Image
  • Image
  • Image
  • Image
    Blogger Comment
    Facebook Comment

0 comments:

Post a Comment