How to install apache2 mod_security and mod_evasive on Ubuntu 12.04 LTS server

Submitted by The Fan Club on

Last Update : August 2013

This guide is based on various community forum posts, and hours of frustration. 

This guide is intended as a relatively easy step by step guide to:

  • Install and configure Apache2 ModSecurity and mod_evasive modules on Ubuntu 12.04 LTS server.
  • Things have become much easier than before installing both these two excellent security modules for Apache2 in Ubuntu 12.04 LTS, as both modules are available in the standard Ubuntu 12.04 repositories.
  • This is only a starting point for getting mod_security and mod_evasive working. Refer to both projects documentation for the various configuration option  available and configure your security settings as required.

Requirements:

  • Ubuntu 12.04 LTS server, or later installed on your machine. 
  • Apache2 webserver setup and configured.

1. Install ModSecurity on your server.

  • Install the dependencies. Open the Terminal Window and enter :
sudo apt-get install libxml2 libxml2-dev libxml2-utils
sudo apt-get install libaprutil1 libaprutil1-dev
  • 64bit users please note - Because of this bug you need to create a symbolic link to libxml2.so.2 or the installation will report the file missing and fail.
ln -s /usr/lib/x86_64-linux-gnu/libxml2.so.2 /usr/lib/libxml2.so.2
  • Now install ModSecurity
sudo apt-get install libapache-mod-security

2. Configure ModSecurity rules.

sudo mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
  • The default folder for ModSecurity rules is /etc/modsecurity/ . All .conf files will be included and need to be configured as required.
  • We need to activate all the base rules and make sure they also get loaded. 
  • You might want to edit the SecRequestBodyLimit option in the modsecurity.conf file.
  • SecRequestBodyLimit limits the page request size and limits file uploads to 128 KB by default. Change this to the size of files you would accept uploaded to the server.
  • This settings is very important as it limits the size of all files that can be uploaded to the server. For CMS sites using Drupal or Wordpress this setting is the source of much pain. 
  • Open the Terminal Window and enter :
sudo vi /etc/modsecurity/modsecurity.conf
  • First activate the rules by editing the SecRuleEngine option and set to On and modify your server signature.
SecRuleEngine On
SecServerSignature FreeOSHTTP
  • Edit the following to option to increase the request limit to 16 MB and save the file :
SecRequestBodyLimit 16384000
SecRequestBodyInMemoryLimit 16384000

3. Download and install the latest OWASP Core Rule Set.

  • We need to download and install the latest OWASP ModSecurity Core Rule Set from the project website. Click here for more information.
  • We will also activate the default CRS config file modsecurity_crs_10_setup.conf.example
  • If you prefer not to use the latest rules, replace master below with the a specific version you would like to use e.g :  v2.2.5  
  • Open the Terminal Window and enter :
cd /tmp
sudo wget -O SpiderLabs-owasp-modsecurity-crs.tar.gz https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master
sudo tar -zxvf SpiderLabs-owasp-modsecurity-crs.tar.gz
sudo cp -R SpiderLabs-owasp-modsecurity-crs-*/* /etc/modsecurity/
sudo rm SpiderLabs-owasp-modsecurity-crs.tar.gz
sudo rm -R SpiderLabs-owasp-modsecurity-crs-*
sudo mv /etc/modsecurity/modsecurity_crs_10_setup.conf.example /etc/modsecurity/modsecurity_crs_10_setup.conf
  • Now we create symbolic links to all activated base rules. Open a terminal window and enter :
cd /etc/modsecurity/base_rules
for f in * ; do sudo ln -s /etc/modsecurity/base_rules/$f /etc/modsecurity/activated_rules/$f ; done
cd /etc/modsecurity/optional_rules
for f in * ; do sudo ln -s /etc/modsecurity/optional_rules/$f /etc/modsecurity/activated_rules/$f ; done 
  • Now add these rules to Apache2. Open a terminal window and enter:
sudo vi /etc/apache2/mods-available/mod-security.conf
  • Add the following to towards the end of the file with other includes  and save the file :
Include "/etc/modsecurity/activated_rules/*.conf"

4. Check if ModSecurity is enabled and restart Apache.

  • Before restarting Apache2 check if the modules has been loaded.
  • Open the Terminal Window and enter :
sudo a2enmod headers
sudo a2enmod mod-security
  • Then restart the Apache2 webserver :
sudo /etc/init.d apache2 restart
  • OR
service apache2 restart

5. Install ModEvasive.

  • Open the Terminal Window and enter :
sudo apt-get install libapache2-mod-evasive

6. Create log file directory for mod_evasive.

  • Open the Terminal Window and enter :
sudo mkdir /var/log/mod_evasive
  • Change the log folder permissions :
sudo chown www-data:www-data /var/log/mod_evasive/

7. Create mod-evasive.conf file and configure ModEvasive.

  • Open the Terminal Window and enter :
sudo vi /etc/apache2/mods-available/mod-evasive.conf
  • and add the following, changing the email value, and other options below as required :
<ifmodule mod_evasive20.c>
   DOSHashTableSize 3097
   DOSPageCount  2
   DOSSiteCount  50
   DOSPageInterval 1
   DOSSiteInterval  1
   DOSBlockingPeriod  10
   DOSLogDir   /var/log/mod_evasive
   DOSEmailNotify  EMAIL@DOMAIN.com
   DOSWhitelist   127.0.0.1
</ifmodule>

8. Fix mod-evasive email bug

  • Because of this bug mod-evasive does not send emails on Ubuntu 12.04.
  • A temporary workaround is to create symlink to the mail program.
  • Open the Terminal Window and enter :
sudo ln -s /etc/alternatives/mail /bin/mail/

9. Check if ModEvasive is enabled and restart Apache.

  • Before restarting Apache2 check if the module has been loaded.
  • Open the Terminal Window and enter :
sudo a2enmod mod-evasive
  • Then restart the Apache2 webserver :
sudo /etc/init.d/apache2 restart
  • OR
service apache2 restart

Tags: 

Comments

Thank you very much!!!

Submitted by Harry (not verified) on

Thank you very much!!! Your Guide works perfect... Harry

Thank you very much!!!

Submitted by alfredou (not verified) on

Thank you very much!!!

Thank you very much!!!

Submitted by Iván Meléndez (not verified) on

Thank you very much!!!

Just great, exactly what I

Submitted by Scotty (not verified) on

Just great, exactly what I was looking for minus the headache :) thanks a lot !!!!

One of the best and most

Submitted by ScottS (not verified) on

One of the best and most accurate deployment guides encountered on the web. Thank you!

Seems like to download owasp

Submitted by Lanodd (not verified) on

Seems like to download owasp-modsecurity-crs you need to clone it from github with this command: $ sudo git clone git://github.com/SpiderLabs/owasp-modsecurity-crs.git Maybe it's just me, but I could not find it on SourceForge anymore. Thank you for the great guides!

Hey thanks for your guides,

Submitted by Anonymous (not verified) on

Hey thanks for your guides, have been of great support. In the guide there is a broken link to download the modsecurity-crs, we find the updated link here: https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/v2.2.5, also this is not the latest version, the latest is 2.2.7, but when used we are unable to start the service, so as in other forums, they recommend to keep using v.2.2.5. After that everything worked for us smoothly! Thanks!

This link works for the

Submitted by bpbp (not verified) on

This link works for the version of ModSecurity in Ubuntu 12.04LTS https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/v2.2.5

Thanks man! Also thanks for

Submitted by beta (not verified) on

Thanks man! Also thanks for the comments, you still need v2.2.5

SUPER, it works, only thing I

Submitted by john (not verified) on

SUPER, it works, only thing I needed to downgrade owasp to version 2.2.5 (ubuntu 10.04) Thnx!!

First of all, thanks for the

Submitted by Aaron W. (not verified) on

First of all, thanks for the awesome guide! The commands all seem to have worked, but is there something I can do to test that it is actually doing something?

You can see mod_security in

Submitted by The Fan Club on

You can see mod_security in action via the log file : /var/log/apache2/modsec_audit.log . For mod evasive see entries in the /var/log/mod_evasive/ directory. You can test mod evasive by running : perl /usr/share/doc/libapache2-mod-evasive/examples/test.pl

Thanks. Worked on 2nd attempt

Submitted by Matt (not verified) on

Thanks. Worked on 2nd attempt becuase OWASP rules have updated for latest mod_security, but older version in repository so had to specify use of 2.2.5 ruleset rather than latest - hopefully that helps someone else who keeps seeing "unknown command ver" error message

Thanks a lot for all your

Submitted by Natsu (not verified) on

Thanks a lot for all your hard work writing these amazing write-ups. To the point and getting it done. Thanks!

Great walkthrough

Submitted by Rob Mellor (not verified) on

Best walk through I've seen yet. Awesome job

Thank you!

Submitted by Victor (not verified) on

Thanks buddy, however if people end up with troubles regarding modsecurity -> Error parsing actions: Unknown action: ver Please read this: http://www.spotch.com/wp/?p=16 Best regards // Victor

Thank you

Submitted by Danny Hoang (not verified) on

Thank you for your clear and simple tutorial.

Thank you very much!!!

Submitted by Anonymous (not verified) on

Thank you very much!!!

Great TutoriaL

Submitted by Alex (not verified) on

thanks for sharing this great tutorial !!! really appreciated !

Thx a lot !

Submitted by fred (not verified) on

Thx a lot !

Thank you

Submitted by Ashley Babajee (not verified) on

Thanks for the wonderful tuts, for those who cant find mod-security.conf , in recent releases i think its security2.conf