Sunday, February 3, 2013

HOWTO : Secure Apache on Ubuntu Server 12.04 LTS

Step 1 :

This assumes apache2 itself is already installed.

sudo apt-get update
sudo apt-get install apache2-utils libapache-mod-security libapache2-mod-evasive

On 12.04, libapache-mod-security is a transitional package that pulls in libapache2-modsecurity (ModSecurity 2.6.x); installing either name gives the same result.

Step 2 :

sudo nano /etc/apache2/conf.d/security

Set "ServerTokens" to "Full". This looks backwards for a hardening guide, but mod_security can only overwrite the banner if Apache emits the full string: SecServerSignature writes its replacement into the space Apache reserves for the server token, so with a shorter setting (Prod, Minor, and so on) there is nothing to overwrite and the fake signature in Step 3 silently never appears.

Step 3 :

sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

sudo nano /etc/modsecurity/modsecurity.conf

Append the following line; "SamiuxHTTP" is only an example and can be replaced with any string you like (pick something that does not reveal the real server or version):

SecServerSignature SamiuxHTTP

Step 4 :

sudo mkdir /var/log/mod_evasive
sudo chown www-data:www-data /var/log/mod_evasive/

Step 5 :

sudo nano /etc/apache2/sites-enabled/000-default

Add the following right before "</VirtualHost>". Both <IfModule> blocks must be closed, which the original listing was missing, and a bare "RewriteRule .* - [F]" forbids every request, so it needs a condition in front of it. The condition used here (refuse requests whose Host header is a bare IPv4 address, in line with the note at the end of this post) is an assumption about the intended rule, not text from the original:

<IfModule mod_rewrite.c>
RewriteEngine On
# Assumed condition: apply the [F] rule only when Host is a numeric IP (optionally with a port).
RewriteCond %{HTTP_HOST} ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(:[0-9]+)?$
RewriteRule .* - [F]
</IfModule>

<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 60
DOSLogDir /var/log/mod_evasive
</IfModule>

DOSPageCount 2 within a DOSPageInterval of 1 second is aggressive: a visitor who reloads the same URL twice in a second gets a 403 for DOSBlockingPeriod (60) seconds, and behind a NAT or a reverse proxy every client shares one source address, so one impatient user can lock out everyone. Tune the counts to your real traffic before turning this on for a production site.

Step 6 :

sudo nano /etc/modsecurity/modsecurity.conf

Change the following from :

SecRuleEngine DetectionOnly

to :

SecRuleEngine On

cd /etc/modsecurity

sudo mkdir activated_rules

sudo wget

sudo tar -zxvf modsecurity-crs_2.2.5.tar.gz

cd modsecurity-crs_2.2.5

sudo cp modsecurity_crs_10_setup.conf.example /etc/modsecurity/modsecurity_crs_10_setup.conf

cd /etc/modsecurity/modsecurity-crs_2.2.5/base_rules

for f in * ; do sudo ln -s /etc/modsecurity/modsecurity-crs_2.2.5/base_rules/$f /etc/modsecurity/activated_rules/$f ; done

cd /etc/modsecurity/modsecurity-crs_2.2.5/optional_rules

for f in * ; do sudo ln -s /etc/modsecurity/modsecurity-crs_2.2.5/optional_rules/$f /etc/modsecurity/activated_rules/$f ; done

Linking every optional rule set is the blunt option. Some of those files loosen the defaults rather than tighten them (modsecurity_crs_47_skip_outbound_checks.conf, for instance, turns off response inspection) and others are prone to false positives on ordinary applications. A safer sequence is to activate base_rules alone, watch /var/log/apache2/modsec_audit.log (the recommended config logs every request that ends in a 4xx/5xx other than 404) and add optional rules one at a time.

sudo nano /etc/apache2/mods-available/mod-security.conf

The packaged file already includes /etc/modsecurity/*.conf, which is how modsecurity.conf and modsecurity_crs_10_setup.conf get loaded. Add the following line after that Include and before </IfModule>, so the rules are read after the setup file that defines their variables, then save the file:

Include "/etc/modsecurity/activated_rules/*.conf"

Step 7 :

sudo a2enmod mod-security
sudo a2enmod mod-evasive
sudo a2enmod headers

mod_rewrite is not enabled by default on 12.04; because of the <IfModule mod_rewrite.c> guard in Step 5, the rewrite rule is silently skipped unless you also enable it ("sudo a2enmod rewrite"). Check the configuration before restarting ("sudo apache2ctl configtest"): a typo in a rule file or a dangling symlink in activated_rules will otherwise take the site down with the restart.

sudo /etc/init.d/apache2 restart


Make sure the site is reached by a real hostname and not a bare IP address: the CRS protocol-anomaly rules (modsecurity_crs_21_protocol_anomalies.conf) reject requests whose Host header is a numeric IP, so testing with http://<your-ip>/ will produce 403s that have nothing to do with your application.
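A smoke test for the finished setup, added here as an example; it is not part of the original post. It assumes the site answers on 127.0.0.1, that its ServerName is www.example.com (an assumption; set SITE_NAME to yours), the signature "SamiuxHTTP" from Step 3 and the rule directory /etc/modsecurity/activated_rules from Step 6. Run it as "sh check-hardening.sh run" after the restart in Step 7; without the argument it only defines the functions.

```shell
#!/bin/sh
# Post-hardening smoke test (added example, not from the original post).
# Assumptions: site on 127.0.0.1, ServerName www.example.com, signature
# "SamiuxHTTP", rules linked in /etc/modsecurity/activated_rules.
set -u

SITE_IP="${SITE_IP:-127.0.0.1}"
SITE_NAME="${SITE_NAME:-www.example.com}"
EXPECTED_SIG="${EXPECTED_SIG:-SamiuxHTTP}"
RULE_DIR="${RULE_DIR:-/etc/modsecurity/activated_rules}"

# Numeric status from raw response headers (the output of curl -si).
status_of() {
  printf '%s\n' "$1" | head -n 1 | tr -d '\r' | awk '{print $2}'
}

# Value of the Server header (header name matched case-insensitively).
server_of() {
  printf '%s\n' "$1" | tr -d '\r' |
    awk 'tolower($1)=="server:" {sub(/^[^ ]* /,""); print; exit}'
}

# Fetch headers for a path with an explicit Host header; prints raw headers.
fetch() {
  # $1 = Host header value, $2 = path (already URL-encoded)
  curl -si --max-time 5 -H "Host: $1" "http://$SITE_IP$2"
}

# Count dangling symlinks in a rule directory. After a CRS upgrade that
# removes the old tree, each leftover link makes Apache refuse to start.
dangling_links() {
  find -L "$1" -maxdepth 1 -type l | wc -l | tr -d ' '
}

# Compare a result with its expectation, keep a tally, fail on mismatch.
PASS=0; FAIL=0
expect() {
  # $1 = label, $2 = expected, $3 = actual
  if [ "$2" = "$3" ]; then
    PASS=$((PASS + 1)); echo "ok   $1 ($3)"
  else
    FAIL=$((FAIL + 1)); echo "FAIL $1: expected $2, got $3"; return 1
  fi
}

run_checks() {
  local r i last
  # 1. Banner replaced (Steps 2 and 3) and an ordinary request still served.
  r=$(fetch "$SITE_NAME" /)
  expect "Server header" "$EXPECTED_SIG" "$(server_of "$r")"
  expect "normal request allowed" 200 "$(status_of "$r")"

  # 2. Host given as a bare IP is rejected (CRS protocol anomalies / Step 5 rule).
  r=$(fetch "$SITE_IP" /)
  expect "IP as Host blocked" 403 "$(status_of "$r")"

  # 3. A textbook SQL injection probe is blocked by the CRS (Step 6, SecRuleEngine On).
  r=$(fetch "$SITE_NAME" "/?id=1%27%20OR%20%271%27%3D%271")
  expect "SQLi probe blocked" 403 "$(status_of "$r")"

  # 4. Hitting one page faster than DOSPageCount per DOSPageInterval trips mod_evasive.
  last=""
  for i in $(seq 1 10); do last=$(status_of "$(fetch "$SITE_NAME" /)"); done
  expect "mod_evasive trips on burst" 403 "$last"

  # 5. Every activated rule symlink still points at a file.
  expect "dangling CRS symlinks" 0 "$(dangling_links "$RULE_DIR")"

  echo "$PASS passed, $FAIL failed"
  [ "$FAIL" -eq 0 ]
}

# Only talk to the server when asked, so the file can also be sourced.
if [ "${1:-}" = "run" ]; then
  run_checks
fi
```

Check 4 deliberately gets the test client blocked for DOSBlockingPeriod seconds, so run it last or from a throwaway address; if check 2 passes while the Server header check fails, look at ServerTokens in Step 2 first.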

That's all! See you.