Sunday, February 3, 2013

HOWTO : Secure Apache on Ubuntu Server 12.04 LTS

Step 1 :

sudo apt-get update
sudo apt-get install apache2-utils libapache-mod-security libapache2-mod-evasive


Step 2 :

sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

sudo nano /etc/apache2/conf.d/security

Set "ServerTokens" to "Full". ModSecurity's SecServerSignature directive (Step 3) only takes effect when ServerTokens is Full.

Step 3 :

sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

sudo nano /etc/modsecurity/modsecurity.conf

Append the following line. "SamiuxHTTP" is only an example; change it to any value you like.

SecServerSignature SamiuxHTTP

Step 4 :

sudo mkdir /var/log/mod_evasive
sudo chown www-data:www-data /var/log/mod_evasive/


Step 5 :

sudo nano /etc/apache2/sites-enabled/000-default

Add the following right before "</VirtualHost>" :

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
</IfModule>


<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 60
DOSLogDir /var/log/mod_evasive
DOSEmailNotify samiux@gmail.com
DOSWhitelist 127.0.0.1
</IfModule>


Step 6 :

sudo nano /etc/modsecurity/modsecurity.conf

Change the following from :

SecRuleEngine DetectionOnly

to :

SecRuleEngine On

cd /etc/modsecurity

sudo mkdir activated_rules

sudo wget http://downloads.sourceforge.net/project/mod-security/modsecurity-crs/0-CURRENT/modsecurity-crs_2.2.5.tar.gz

sudo tar -zxvf modsecurity-crs_2.2.5.tar.gz

cd modsecurity-crs_2.2.5

sudo cp modsecurity_crs_10_setup.conf.example /etc/modsecurity/modsecurity_crs_10_setup.conf

cd /etc/modsecurity/modsecurity-crs_2.2.5/base_rules

for f in * ; do sudo ln -s "/etc/modsecurity/modsecurity-crs_2.2.5/base_rules/$f" "/etc/modsecurity/activated_rules/$f" ; done

cd /etc/modsecurity/modsecurity-crs_2.2.5/optional_rules

for f in * ; do sudo ln -s "/etc/modsecurity/modsecurity-crs_2.2.5/optional_rules/$f" "/etc/modsecurity/activated_rules/$f" ; done

sudo nano /etc/apache2/mods-available/mod-security.conf

Add the following line before </IfModule> and save the file :

Include "/etc/modsecurity/activated_rules/*.conf"

Step 7 :

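sudo a2enmod mod-security
sudo a2enmod mod-evasive
sudo a2enmod headers
# mod_rewrite must be loaded, or the <IfModule mod_rewrite.c> block from Step 5 is silently skipped
sudo a2enmod rewrite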


sudo /etc/init.d/apache2 restart
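
To confirm the steps above actually took effect, the following audit script checks each setting this HOWTO changes. It is an added example, not part of the original post: the function names, the --run switch and the ROOT prefix argument are hypothetical, and the mods-enabled/rewrite.load path assumes the standard Ubuntu Apache layout.

```sh
#!/bin/sh
# Added example (not from the original post): audit the settings this HOWTO changes.
# ROOT is a hypothetical prefix so the checks can also run against a copy of the
# filesystem; pass "" to audit the live server.

# has_directive FILE NAME [VALUE]: true when the last uncommented NAME line in
# FILE exists and, if VALUE is given, its argument equals VALUE (case-insensitive).
has_directive() {
    [ -f "$1" ] || return 1
    awk -v d="$2" -v want="${3:-}" '
        tolower($1) == tolower(d) { v = $2; seen = 1 }
        END { ok = seen && (want == "" || tolower(v) == tolower(want))
              exit (ok ? 0 : 1) }' "$1"
}

# audit ROOT: prints one line per problem; exit status is the number of problems.
audit() {
    root=$1 n=0
    sec=$root/etc/apache2/conf.d/security
    msc=$root/etc/modsecurity/modsecurity.conf
    rules=$root/etc/modsecurity/activated_rules
    problem() { echo "FAIL: $*"; n=$((n + 1)); }

    has_directive "$sec" ServerTokens Full ||
        problem "ServerTokens is not Full, so SecServerSignature has no effect"
    has_directive "$msc" SecServerSignature ||
        problem "SecServerSignature is not set in modsecurity.conf"
    has_directive "$msc" SecRuleEngine On ||
        problem "SecRuleEngine is not On (DetectionOnly logs but never blocks)"
    [ -e "$root/etc/apache2/mods-enabled/rewrite.load" ] ||
        problem "mod_rewrite is not enabled, so the TRACE/TRACK rule is skipped"
    [ -d "$root/var/log/mod_evasive" ] ||
        problem "DOSLogDir /var/log/mod_evasive is missing"
    count=0
    for f in "$rules"/*.conf; do
        if [ -e "$f" ]; then count=$((count + 1))
        elif [ -L "$f" ]; then problem "dangling rule symlink: $f"
        fi
    done
    [ "$count" -gt 0 ] || problem "no rule files found in activated_rules"
    return "$n"
}

# Run as: sh audit.sh --run [ROOT]
if [ "${1:-}" = "--run" ]; then audit "${2:-}"; fi
```

The script does not check ownership of /var/log/mod_evasive; verify separately that it belongs to www-data as set in Step 4.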

Remark

Make sure the site is reached by a domain name, not an IP address; otherwise, mod_security will block the request (the Core Rule Set flags a Host header that is a numeric IP address).

That's all! See you.