Skip to main content

Securing Webservers - Apache and NGINX

Central, Hong Kong

Apache on CentOS

mod_security (open-source intrusion detection and prevention engine for web applications that integrates seamlessly with the webserver) and mod_evasive are two very important tools that can be used to protect a web server against brute force or (D)DoS attacks.

Installing Mod_Security and Mod_evasive

--------------- CentOS/RHEL 7 --------------- 
yum update && yum install mod_security mod_evasive

--------------- CentOS/RHEL 8 ---------------
dnf install https://pkgs.dyn.su/el8/base/x86_64/raven-release-1.0-1.el8.noarch.rpm
dnf --enablerepo=raven-extras install mod_evasive

When the installation is complete, you will find the configuration files for both tools in /etc/httpd/conf.d. In order to integrate these two modules with Apache and have it load them when it starts, make sure the following lines appear in the top-level section of mod_evasive.conf and mod_security.conf, respectively:

LoadModule evasive20_module modules/mod_evasive24.so
LoadModule security2_module modules/mod_security2.so

Then restart Apache and verify that it loads mod_evasive and mod_security:

systemctl restart httpd

Dump a list of loaded Static and Shared Modules.

httpd -M | grep -Ei '(evasive|security)'

Configuring Mod_Security

A Core Rule Set provides the web server with instructions on how to behave under certain conditions. The developer firm of mod_security provides a free set called OWASP (Open Web Application Security Project) ModSecurity CRS:

mkdir /etc/httpd/crs && cd /etc/httpd/crs
wget -c https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/v3.2.0.tar.gz -O master

tar xzf master
mv owasp-modsecurity-crs-3.2.0 owasp

cd owasp/
cp crs-setup.conf.example crs-setup.conf

tell Apache to use this file along with the module by inserting the following lines in the web server’s main configuration file /etc/httpd/conf/httpd.conf file:

<IfModule security2_module>
Include crs/owasp/crs-setup.conf
Include crs/owasp/rules/*.conf
</IfModule>

Create your own configuration file within the /etc/httpd/modsecurity.d directory where you can place customized directives instead of modifying the CRS files directly nano /etc/httpd/modsecurity.d/instar.conf:

<IfModule mod_security2.c>
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType text/plain text/html text/xml application/octet-stream
SecDataDir /tmp
</IfModule>

Configuring Mod_Evasive

mod_evasive is configured using directives in /etc/httpd/conf.d/mod_evasive.conf. The default mod_evasive.conf file has the following directives enabled:

<IfModule mod_evasive24.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
</IfModule>
  • DOSHashTableSize: This directive specifies the size of the hash table that is used to keep track of activity on a per-IP address basis. Increasing this number will provide a faster lookup of the sites that the client has visited in the past, but may impact overall performance if it is set too high.
  • DOSPageCount: Legitimate number of identical requests to a specific URI (for example, any file that is being served by Apache) that can be made by a visitor over the DOSPageInterval interval.
  • DOSSiteCount: Similar to DOSPageCount, but refers to how many overall requests can be made to the entire site over the DOSSiteInterval interval.
  • DOSBlockingPeriod: If a visitor exceeds the limits set by DOSSPageCount or DOSSiteCount, his source IP address will be blacklisted during the DOSBlockingPeriod amount of time. During DOSBlockingPeriod, any requests coming from that IP address will encounter a 403 Forbidden error.

Apache on Debian

https://www.yourhowto.net/installing-mod_security-and-mod_evasive-on-debian/

NGINX

https://nginx.org/en/docs/http/ngx_http_limit_req_module.html