How to Secure Apache Web Server With ModEvasive on Ubuntu 16.04
How to Secure Apache Web Server With ModEvasive on Ubuntu 16.04
Make sure your Apache Web Server is secure with ModEvasive.
Join the DZone community and get the full member experience.Join For Free
Apache is the cornerstone of modern web servers and is a powerful software solution for a large percentage of today's internet economy.
According to a July 2018 research published by w3techs, Apache has a market share of around 45.9 percent. That being said, Apache web server is targeted by most hackers. The software is secure out-of-the-box, but you can still harden it with some additional modules.
One of the most common methods of securing your Apache web server hosted on Alibaba Cloud is installing ModEvasive. This is a highly intelligent Apache module that provides evasive actions against Distributed Denial of Service and Brute Force attacks.
If a DDoS attack targets your web server, it can be very stressful. The attack simply overwhelms your server with a lot of traffic from multiple sources. During the DDoS session, regular users cannot access your website or web application, and this can mean lost sales or even lead to a complete shutdown of your business.
A brute-force attack, on the other hand, is an automated break-in method that tries to gain access to resources on your web server. The attack uses millions of usernames and passwords in order to guess the login credentials of a secured web resource to obtain classified information.
In this guide, we will show you how to safeguard your Apache web server hosted on Alibaba Cloud Elastic Compute Service (ECS) against DDoS and brute-force attacks.
- A valid Alibaba Cloud account (sign up now for a free trial)
- An ECS instance running Ubuntu 16.04 Operating System
- A non-root user capable of performing sudo privileges
Step 1: Update Your System Package Information Index
The first step is to log in to your Alibaba ECS instance via a command line tool such as PuTTY or Linux/macOS built-in command line client.
Then, run the command below to update the package information on your system:
$ sudo apt-get update
Step 2: Set Up Apache Web Server
The next step is installing the Apache web server. You can skip this command if you have already installed the software on your system.
$ sudo apt-get install apache2
Press Y and hit Enter when prompted to confirm the installation.
You can always check if Apache is working by entering your server's public IP address on a web browser.
You should see the below default web page unless you have uploaded your website files to the server:
Step 3: Installing ModEvasive
ModEvasive is available on the Ubuntu software repository. So, we can install it using the apt-get utility. This is the default package management command line program that handles installations, removals, and upgrades of new software on Ubuntu.
Run the command below to install ModEvasive
$ sudo apt-get install libapache2-modsecurity
Step 4: Checking the Status of ModEvasive
You can check the status of ModEvasive by running the command below:
$ sudo apachectl -M | grep evasive
You should see the below output if the module is enabled on the server:
Step 4: Configuring ModEvasive
In a Linux system, configuration files are mostly found on the
/etcdirectory and this is not an exception with ModEvasive. Its configuration file is located at
Use the nano text editor to open the file. We need to make some few changes:
$ sudo nano /etc/apache2/mods-enabled/evasive.conf
By default, the entries of this file are commented with a pound-sign. We need to uncomment all those lines by removing the
# sign. Then, enter the email address where you want to receive emails when ModEvasive intercepts an attack targeted to your web server.
You will enter the email address next to
DOSEmailNotify (e.g. firstname.lastname@example.org) directive:
In the end, your complete file should be as follows:
<IfModule mod_evasive20.c> DOSHashTableSize 3097 DOSPageCount 2 DOSSiteCount 50 DOSPageInterval 1 DOSSiteInterval 1 DOSBlockingPeriod 10 DOSEmailNotify email@example.com #DOSSystemCommand "su - someuser -c '/sbin/... %s ...'" DOSLogDir "/var/log/mod_evasive" </IfModule>
Press CTRL+X, Y, and Enter to save the file.
We will go over each of the above entries one by one in order for you to understand how ModEvasive settings work:
The value here specifies the size of the table that tracks activities of users based on their past IP addresses visits. The default value will work well for most websites.
You should only increase this value to speed up lookups only if your website is busy because a large value can have an adverse effect on your server's memory.
This directive specifies the genuine requests that a visitor can make to a resource in a time period specified by the directive
DOSPageInterval before triggering ModEvasive. If the threshold is exceeded, the visitor IP address is blocked and added to a blacklist.
This directive is similar to
DOSPageCount but specifies the number of legitimate requests that can be made to an entire website over the period of time specified by the DOSSiteInterval directive.
As indicated above, this value works hand in hand with
DOSPageCount . The default value is 1 second, and this means that the page count threshold specified with the
DOSPageCountshould not be exceeded within 1 second or as specified. Otherwise, this will cause the IP address of the client to be blacklisted.
This interval works together with
DOSSiteCount . It defaults to 1 second, and if the
DOSSiteCount threshold is reached within this time, ModEvasive will trigger an IP block.
This value represents the amount of time in seconds that a client remains blocked after being added to the blacklist.
The default value is 10 seconds. During this time, the client will get a forbidden error message when trying to access any resource on the server.
You can specify an address that will receive a message every time an IP address is blocked.
Apart from sending an email, you can invoke a system command every time an IP address gets blocked. The
%s variable contains the IP address that is blocked during the interception.
For instance, you can run a command to add a firewall rule that blocks a specific IP address to avoid any further attack to your web server.
This directory logs any interceptions made by ModEvasive. You can use a different directory depending on your needs.
Step 5: Creating ModEvasive Log Directory
By default, the log directory specified on the configuration file is not created when ModEvasive is installed. We need to create this folder using Linux
$ sudo mkdir /var/log/mod_evasive
Then, since Apache runs under the
www-data user, we should give full ownership of the directory to the web server using the
$ sudo chown -R www-data:www-data /var/log/mod_evasive
You can now restart Apache for the changes to take effect.
$ sudo systemctl restart apache2
Step 6: Testing ModEvasive
ModEvasive makes things easy because it comes with a built-in Perl script that you can run on your Alibaba Ubuntu 16.04 ECS instance to see if the module is working.
Locate the script from
For some reason, if you run the script without making any changes to it, you will get a bad request error. To rectify the problem, we need to edit the Perl script file using a nano editor;
$ sudo nano /usr/share/doc/libapache2-mod-evasive/examples/test.pl
Locate the line:
print $SOCKET "GET /?$_ HTTP/1.0\n\n";
And change it to:
print $SOCKET "GET /?$_ HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n";
Press CTRL + X, Y, and Enter to save the file.
We can now run the Perl script by typing the command below:
$ sudo perl /usr/share/doc/libapache2-mod-evasive/examples/test.pl
If ModEvasive is working, you should see the below output:
... HTTP/1.1 200 OK HTTP/1.1 200 OK HTTP/1.1 200 OK HTTP/1.1 200 OK HTTP/1.1 200 OK HTTP/1.1 200 OK HTTP/1.1 200 OK HTTP/1.1 200 OK HTTP/1.1 200 OK HTTP/1.1 200 OK HTTP/1.1 403 Forbidden HTTP/1.1 403 Forbidden HTTP/1.1 403 Forbidden HTTP/1.1 403 Forbidden ..
This means that ModEvasive allowed us to access the server 10 times before blocking our IP address (127.0.0.1).
You may run the below command to see if ModEvasive was able to record the intrusion on the log directory:
$ sudo ls -a /var/log/mod_evasive
You should see the output below:
. .. dos-127.0.0.1
Also, you can check the content of the Apache error log file to confirm the same:
$ sudo tail /var/log/apache2/error.log
You will get the output as shown below:
... [evasive20:error] [pid 31967] [client 127.0.0.1:43954] client denied by server configuration: /var/www/html/. ...
This means ModEvasive is working as expected.
In this guide, we covered the basic steps of securing your Apache web server against DDoS and brute-force attacks. This will keep your website safe and ensure that your Alibaba Cloud web server is not compromised by malicious hackers who might want to block access or steal information from your website or applications.
We believe you have implemented this guide and added another powerful layer of security to your server.
If you are new to cloud computing and you would like to test out Apache web server with ModEvasive, sign up with Alibaba Cloud and get up to $1200 worth of free trial credit.
To learn more about how you can defend your server against DDoS attacks, visit www.alibabacloud.com/product/anti-ddos
Published at DZone with permission of Francis Ndungu , DZone MVB. See the original article here.
Opinions expressed by DZone contributors are their own.