How to defend against brute-force and DDos attacks in Apache


For anyone who provides services or hosts content over the Internet, it is important to keep the system secure in the face of attacks.

mod_security (an open-source engine for web application intrusion detection and protection that integrates seamlessly with web servers) and mod_evasive are two very important tools for defending a server against brute-force and (D)DoS attacks.

mod_evasive, as its name suggests, shields the web server from threats like an umbrella while it is under attack.

Install mod_security and mod_evasive to protect Apache

In this article, we will discuss how to install, configure, and integrate them with Apache on RHEL/CentOS 6 and 7 and Fedora 21-15. We will also simulate attacks to verify that the server responds correctly.

This assumes that a LAMP server is already installed on your system. If it is not, read one of the following articles before continuing.

  • Build a LAMP platform environment in CentOS 7
  • CentOS 6.5 system installation and configuration LAMP (Apache + PHP5 + MySQL) server environment

(This article has been modified. In the original, to use the same tools on RHEL/CentOS 7 or Fedora 21, firewalld was removed and the old iptables was used instead. The translator considers this inappropriate, so the translation deletes that section and adds the corresponding firewalld script.)


Step 1: Install mod_security and mod_evasive

After installing LAMP, you need to enable the EPEL repository on RHEL/CentOS 7/6 in order to install the two packages. Fedora users do not need to enable this repository, because EPEL is already part of the Fedora Project.

    # yum update && yum install mod_security mod_evasive

After the installation completes, you will find the configuration files for both tools under /etc/httpd/conf.d.

    # ls -l /etc/httpd/conf.d

Mod_security + mod_evasive configuration file

Now we integrate the two modules into Apache and have them loaded at startup. Make sure the following lines appear at the top of mod_evasive.conf and mod_security.conf respectively:

    LoadModule evasive20_module modules/mod_evasive24.so
    LoadModule security2_module modules/mod_security2.so

Note that modules/mod_security2.so and modules/mod_evasive24.so are paths relative to /etc/httpd that point to the module files. You can verify this by listing /etc/httpd/modules (and adjust them if necessary):

    # cd /etc/httpd/modules
    # pwd
    # ls -l | grep -Ei '(evasive|security)'

Verify mod_security + mod_evasive Module

Restart Apache and verify that it has loaded mod_evasive and mod_security:

    # service httpd restart        [on RHEL/CentOS 6 and Fedora 20-18]
    # systemctl restart httpd      [on RHEL/CentOS 7 and Fedora 21]
    # httpd -M | grep -Ei '(evasive|security)'    [lists loaded static and dynamic modules]

Check that the mod_security and mod_evasive modules have been loaded.


Step 2: Install a core rule set and configure mod_security

Simply put, a core rule set (CRS) gives the web server instructions on how to respond under specific conditions. The mod_security developers provide a free CRS called the OWASP (Open Web Application Security Project) ModSecurity CRS, which can be downloaded and installed from the address below.

Download the OWASP CRS into a newly created directory:

    # mkdir /etc/httpd/crs-tecmint
    # cd /etc/httpd/crs-tecmint
    # wget https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master

Download mod_security core rules

Extract the CRS archive and rename the folder (the hash suffix of the extracted folder depends on the commit you downloaded):

    # tar xzf master
    # mv SpiderLabs-owasp-modsecurity-crs-ebe8790 owasp-modsecurity-crs

Decompress mod_security core rules

Now it is time to configure mod_security.

Copy the example rule file (owasp-modsecurity-crs/modsecurity_crs_10_setup.conf.example) to a configuration file of the same name without the .example suffix:

    # cp modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

Insert the following lines into the web server's main configuration file, /etc/httpd/conf/httpd.conf, so that Apache loads the rule files together with the module. If you extracted the archive to a different folder, adjust the Include paths accordingly:

    <IfModule security2_module>
        Include crs-tecmint/owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
        Include crs-tecmint/owasp-modsecurity-crs/base_rules/*.conf
    </IfModule>

Finally, we recommend creating your own configuration file under /etc/httpd/modsecurity.d (in the example below we name it tecmint.conf), where custom directives can live without touching the CRS files. This makes upgrading to a new version of the CRS easier.

    <IfModule mod_security2.c>
        SecRuleEngine On
        SecRequestBodyAccess On
        SecResponseBodyAccess On
        SecResponseBodyMimeType text/plain text/html text/xml application/octet-stream
        SecDataDir /tmp
    </IfModule>

For more information about mod_security directives, see the ModSecurity GitHub repository from SpiderLabs.


Step 3: Configure mod_evasive

mod_evasive is configured with directives in /etc/httpd/conf.d/mod_evasive.conf. Unlike mod_security, it has no rule files that get updated during a package upgrade, so there is no need to keep custom directives in a separate file.

The default mod_evasive.conf enables the following directives (the file is heavily commented; the comments are removed here to focus on the configuration itself):

    <IfModule mod_evasive24.c>
        DOSHashTableSize 3097
        DOSPageCount 2
        DOSSiteCount 50
        DOSPageInterval 1
        DOSSiteInterval 1
        DOSBlockingPeriod 10
    </IfModule>

Explanation of these directives:

  • DOSHashTableSize: the size of the hash table used to track activity per IP address. Increasing it makes lookups of a site's access history faster, but setting it too large costs overall performance.
  • DOSPageCount: the number of requests a client may make for the same URI (for example, a file served by Apache) within the DOSPageInterval interval.
  • DOSSiteCount: like DOSPageCount, but for the total number of requests a client may make to the whole site within the DOSSiteInterval interval.
  • DOSBlockingPeriod: if a client exceeds the DOSPageCount or DOSSiteCount limit, its source IP address is blacklisted for DOSBlockingPeriod seconds. During that period, any request from that IP address receives a 403 Forbidden error.

Experiment with these values so that your web server can handle the load it is expected to receive.

A small warning: if these values are not set properly, you risk blocking legitimate users.
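To see how these thresholds interact, here is a small Python model of the counting logic the directives describe, added for this article and not the module's own code. It assumes the default values above, counts a request as over the limit once it exceeds DOSPageCount or DOSSiteCount, restarts a counter after a full interval with no hits, and extends the block on every request made while blocked; the addresses in the trace are constructed.

```python
# Simplified model of the mod_evasive counting described above (an added example,
# not the module's own code). Values are from the default mod_evasive.conf.
CONFIG = {"DOSPageCount": 2, "DOSSiteCount": 50, "DOSPageInterval": 1,
          "DOSSiteInterval": 1, "DOSBlockingPeriod": 10}

class EvasiveModel:
    """Tracks per-IP request rates and decides which requests get a 403."""

    def __init__(self, cfg=CONFIG):
        self.cfg = cfg
        self.page = {}     # (ip, uri) -> [count, last_hit]
        self.site = {}     # ip -> [count, last_hit]
        self.blocked = {}  # ip -> last hit while blocked (stands in for the dos-<ip> lock file)
        self.banned = []   # (ip, t) where DOSEmailNotify / DOSSystemCommand would fire

    def _over_limit(self, table, key, t, count_key, interval_key):
        """Count one hit; restart the counter after a full quiet interval. True if over limit."""
        entry = table.setdefault(key, [0, t])
        if t - entry[1] >= self.cfg[interval_key]:
            entry[0] = 0
        entry[0] += 1
        entry[1] = t
        return entry[0] > self.cfg[count_key]

    def request(self, ip, uri, t):
        """Return the status (200 or 403) for one request at time t (seconds)."""
        if ip in self.blocked:
            if t - self.blocked[ip] < self.cfg["DOSBlockingPeriod"]:
                self.blocked[ip] = t   # every hit while blocked extends the block
                return 403
            del self.blocked[ip]       # period elapsed; like removing the lock file
        page_hit = self._over_limit(self.page, (ip, uri), t, "DOSPageCount", "DOSPageInterval")
        site_hit = self._over_limit(self.site, ip, t, "DOSSiteCount", "DOSSiteInterval")
        if page_hit or site_hit:
            self.blocked[ip] = t
            self.banned.append((ip, t))  # ban_ip.sh would run with this IP as %s
            return 403
        return 200

def replay(trace, cfg=CONFIG):
    """Replay (t, ip, uri) tuples in time order; return the status codes and the model."""
    model = EvasiveModel(cfg)
    return [model.request(ip, uri, t) for t, ip, uri in trace], model

# Constructed trace: 192.168.0.103 hammers /index.html while 192.168.0.50 browses normally.
TRACE = [(0.0, "192.168.0.50", "/index.html"), (0.0, "192.168.0.103", "/index.html"),
         (0.1, "192.168.0.103", "/index.html"), (0.2, "192.168.0.103", "/index.html"),
         (0.3, "192.168.0.103", "/about.html"), (2.0, "192.168.0.50", "/index.html"),
         (11.0, "192.168.0.103", "/index.html")]   # expect 200 200 200 403 403 200 200
```

With DOSPageCount 2, the third request for the same URI within one second is already enough to be blocked, which is why the warning about legitimate users matters.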

You may also find the following directives useful:


DOSEmailNotify

If you have a mail server running, you can have Apache send warning emails. Note: if SELinux is enabled, you must grant the apache user SELinux permission to send mail, which you can do with the following command:

    # setsebool -P httpd_can_sendmail 1

Next, add this directive, along with the others, to the mod_evasive.conf file:

    DOSEmailNotify you@yourdomain.com

If an appropriate value is set for this command and your email server is running properly, an email is sent to the corresponding address when an IP address is added to the blacklist.

DOSSystemCommand

This directive takes a valid system command as its argument:

    DOSSystemCommand <command>

It specifies the command to execute when an IP address is blacklisted. It is usually combined with a shell script, for example one that adds a firewall rule to block further connections from that IP address.

Write a shell script to blacklist the IP address at the firewall level

When an IP address is blacklisted, we need to block further connections from it. The following shell script does this. Create a folder named scripts-tecmint (or another name) under /usr/local/bin and a file named ban_ip.sh inside it.

For the iptables firewall:

    #!/bin/sh
    # IP address to block, as detected by mod_evasive
    IP="$1"
    # Full path to iptables
    IPTABLES="/sbin/iptables"
    # mod_evasive lock-file folder
    mod_evasive_LOGDIR="/var/log/mod_evasive"
    # Refuse to run without an address so a bad invocation cannot add a broken rule
    [ -n "$IP" ] || exit 1
    # Add a firewall rule dropping all inbound traffic from $IP
    "$IPTABLES" -I INPUT -s "$IP" -j DROP
    # Remove the lock file so the address can be detected again later
    rm -f "$mod_evasive_LOGDIR/dos-$IP"

For the firewalld firewall:

    #!/bin/sh
    # IP address to block, as detected by mod_evasive
    IP="$1"
    # Full path to firewall-cmd
    FIREWALL_CMD="/usr/bin/firewall-cmd"
    # mod_evasive lock-file folder
    mod_evasive_LOGDIR="/var/log/mod_evasive"
    # Refuse to run without an address so a bad invocation cannot add a broken rule
    [ -n "$IP" ] || exit 1
    # Move $IP into the drop zone so all inbound traffic from it is dropped.
    # This is a runtime change only (no --permanent): it is lost on firewalld reload or reboot.
    "$FIREWALL_CMD" --zone=drop --add-source="$IP"
    # Remove the lock file so the address can be detected again later
    rm -f "$mod_evasive_LOGDIR/dos-$IP"

Our DOSSystemCommand directive should then look like this:

    DOSSystemCommand "sudo /usr/local/bin/scripts-tecmint/ban_ip.sh %s"

The %s in the line above stands for the attacking IP address detected by mod_evasive.


Add the apache user to the sudoers file

Note that this will not work unless you grant the apache user permission to run our script (and only this script) without a terminal and without a password. As usual, simply run visudo as root to edit the /etc/sudoers file, then add the following two lines:

    apache ALL=NOPASSWD:/usr/local/bin/scripts-tecmint/ban_ip.sh
    Defaults:apache !requiretty

Add Apache users to Sudoers

Important: under the default security policy, sudo can only be run from a terminal. Because we need to run sudo without a tty, we must comment out the following line, as shown:

    #Defaults requiretty

Disable tty for Sudo

Finally, restart the web server:

    # service httpd restart        [on RHEL/CentOS 6 and Fedora 20-18]
    # systemctl restart httpd      [on RHEL/CentOS 7 and Fedora 21]


Step 4: Simulate DDos attacks on Apache

Many tools can simulate external attacks on your server. You can google "tools for simulating ddos attacks" to find related tools.

Note that you (and only you) will be responsible for the results of your simulation. Do not initiate a simulated attack to a server that is not on your network.

If you want to do this for a VPS hosted by someone else, you need to send an appropriate warning to your vendor or get the permission for that traffic through their network. Tecmint.com is not responsible for your actions!

In addition, a simulation that launches a DoS attack from a single host does not represent a real attack. To simulate a real one, you would need many clients targeting your server at the same time.

Our test environment consists of a CentOS 7 server [IP 192.168.0.17] and a Windows server [IP 192.168.0.103] from which we launch the attack:

Confirm Host IP Address

Play the video below (a YouTube video; a proxy may be needed to reach it: https://www.youtube.com/-U_mdet06Jk) and follow the steps shown to simulate a DoS attack:

Then the attacker's IP address will be blocked by the firewall:

Block attacker IP addresses


Conclusion

When mod_security and mod_evasive are enabled, simulated attacks may cause usage of CPU and RAM to peak for several seconds before the source IP address is added to the blacklist. Without these modules, the simulated attack will quickly defeat the server and make the server unable to provide services during the attack.

We would be glad to hear whether you intend to use (or have already used) these tools, and we welcome your feedback, so please leave your comments and questions below. Thank you!


Author: Gabriel Cánepa    Translator: wwy-hust    Proofreader: wxy

This article was originally translated by LCTT and proudly presented by Linux China.
