Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Locking Down Apache

Well I though I would write another tutorial :) this time on apache on making it more secure

and defending against DOS attacks this tutorial is for Apache version 2.


The two packages I am going to use are the following:


mod_security which is available from [/url]

mod_dosevasive which is available from


I would like to give credit to (Jorge A Gallegos) as I stumbled into mod_security



Once you have downloaded the two packages unpack the as shown below.


tar zvxf modsecurity-1.8.7.tar.gz
tar zvxf mod_dosevasive_1.10.tar.gz


This will create two directory's which will contain the source code. Before we install these modules

you should get the apxs which will build the module into apache for you, this tool can be downloaded

via yum as shown below.


yum install httpd-devel


Once that is installed go into mod_security decompressed directory and type the following as



apxs -cia mod_security.c


This should produce the following out put:


/bin/sh /usr/lib/apr/build/libtool --silent --mode=compile gcc -prefer-pic -O2 -g -pipe -march=i386 -mcpu=i686 -DAP_HAVE_DESIGNATED_INITIALIZER -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE -pthread -I/usr/include/apr-0 -I/usr/include/httpd  -c -o mod_security.lo mod_security.c && touch mod_security.slo
/bin/sh /usr/lib/apr/build/libtool --silent --mode=link gcc -o -rpath /usr/lib/httpd/modules -module -avoid-version    mod_security.lo
/usr/lib/httpd/build/ SH_LIBTOOL='/bin/sh /usr/lib/apr/build/libtool' /usr/lib/httpd/modules
/bin/sh /usr/lib/apr/build/libtool --mode=install cp /usr/lib/httpd/modules/
cp .libs/ /usr/lib/httpd/modules/
cp .libs/mod_security.lai /usr/lib/httpd/modules/
cp .libs/mod_security.a /usr/lib/httpd/modules/mod_security.a
ranlib /usr/lib/httpd/modules/mod_security.a
chmod 644 /usr/lib/httpd/modules/mod_security.a
PATH="$PATH:/sbin" ldconfig -n /usr/lib/httpd/modules
Libraries have been installed in:

If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR'
flag during linking and do at least one of the following:
  - add LIBDIR to the `LD_LIBRARY_PATH' environment variable
    during execution
  - add LIBDIR to the `LD_RUN_PATH' environment variable
    during linking
  - use the `-Wl,--rpath -Wl,LIBDIR' linker flag
  - have your system administrator add LIBDIR to `/etc/'

See any operating system documentation about shared libraries for
more information, such as the ld(1) and manual pages.
chmod 755 /usr/lib/httpd/modules/
[activating module `security' in /etc/httpd/conf/httpd.conf]


Once that has been done go to the /etc/httpd/conf.d/ directory and create a file

called: "mod_security.conf". Once this file is created paste the following into the config



<IfModule mod_security.c>

   # Turn the filtering engine On or Off
   SecFilterEngine On

   # Make sure that URL encoding is valid
   SecFilterCheckURLEncoding On

   # Make sure that Unicode encoding is valid
   SecFilterCheckUnicodeEncoding On

   # Turn of server token
   SecServerResponseToken On

   # Only allow bytes from this range
   SecFilterForceByteRange 32 126

   # The audit engine works independently and
   # can be turned On of Off on the per-server or
   # on the per-directory basis
   SecAuditEngine RelevantOnly

   # The name of the audit log file
   SecAuditLog /var/log/httpd/audit_log

   SecFilterDebugLog /var/log/httpd/modsec_debug_log
   SecFilterDebugLevel 0

   # Should mod_security inspect POST payloads
   SecFilterScanPOST On

   # Action to take by default
   SecFilterDefaultAction "deny,log,status:406"

   # Simple filter
   SecFilter /bin/bash
   SecFilter /var
   SecFilter /etc
   SecFilter /home
   SecFilter hidden

   # Prevent OS specific keywords
   SecFilter /etc/password

   # Prevent path traversal (..) attacks
   SecFilter "\.\./"

   # Weaker XSS protection but allows common HTML tags
   SecFilter "<( |\n)*script"

   # Prevent XSS atacks (HTML/Javascript injection)
   SecFilter "<(.|\n)+>"

   # Very crude filters to prevent SQL injection attacks
   SecFilter "delete[[:space:]]+from"
   SecFilter "insert[[:space:]]+into"
   SecFilter "select.+from"

   # Require HTTP_USER_AGENT and HTTP_HOST headers
   SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"



That is the config file I use, you can also visit mod_security web site to view all the rules

that can be applied into this config file.


Once the config file has been setup restart apache as shown below.


services httpd restart


Once thats restarted open your web browser and type this should say in you

web browser:


Not Acceptable

An appropriate representation of the requested resource /etc could not be found on this server.
Apache/2.0.54 (Fedora) Server at Port 80


Now goto /var/log/httpd and you should see a file called audit_log the content will display something

similar to:


Request: - - [04/Jul/2005:18:45:53 +0100] "GET /etc HTTP/1.1" 406 329
Handler: (null)
GET /etc HTTP/1.1
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050524 Fedora/1.0.4-4 Firefox/1.0.4
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
mod_security-message: Access denied with code 406. Pattern match "/etc" at THE_REQUEST
mod_security-action: 406

HTTP/1.1 406 Not Acceptable
Content-Length: 329
Connection: close
Content-Type: text/html; charset=iso-8859-1


As you may have noticed it has filtered out /etc and displayed the attackers details.


Now that we have mod_security setup its now time to setup mod_dosevasive, first step is

to change into mod_dosevasive decompressed directory and issue the following command.


apxs -i -a -c mod_dosevasive20.c


This will produce the output similar to mod_security once that has installed you can delete

both decompressed directorys and their comrpess version.


Open the httpd.conf file and add the following entry:


<IfModule mod_dosevasive20.c>
   DOSHashTableSize    3097
   DOSPageCount        2
   DOSSiteCount        50
   DOSPageInterval     1
   DOSSiteInterval     1
   DOSBlockingPeriod   60


The following values are as stated from the mod_dosevasive.





The hash table size defines the number of top-level nodes for each child's

hash table. Increasing this number will provide faster performance by

decreasing the number of iterations required to get to the record, but

consume more memory for table space. You should increase this if you have

a busy web server. The value you specify will automatically be tiered up to

the next prime number in the primes list (see mod_dosevasive.c for a list

of primes used).





This is the threshhold for the number of requests for the same page (or URI)

per page interval. Once the threshhold for that interval has been exceeded,

the IP address of the client will be added to the blocking list.





This is the threshhold for the total number of requests for any object by

the same client on the same listener per site interval. Once the threshhold

for that interval has been exceeded, the IP address of the client will be added

to the blocking list.





The interval for the page count threshhold; defaults to 1 second intervals.





The interval for the site count threshhold; defaults to 1 second intervals.





The blocking period is the amount of time (in seconds) that a client will be

blocked for if they are added to the blocking list. During this time, all

subsequent requests from the client will result in a 403 (Forbidden) and

the timer being reset (e.g. another 10 seconds). Since the timer is reset

for every subsequent request, it is not necessary to have a long blocking

period; in the event of a DoS attack, this timer will keep getting reset.





If this value is set, an email will be sent to the address specified

whenever an IP address becomes blacklisted. A locking mechanism using /tmp

prevents continuous emails from being sent.


NOTE: Be sure MAILER is set correctly in mod_dosevasive.c

(or mod_dosevasive20.c). The default is "/bin/mail -t %s" where %s is

used to denote the destination email address set in the configuration.

If you are running on linux or some other operating system with a

different type of mailer, you'll need to change this.





If this value is set, the system command specified will be executed

whenever an IP address becomes blacklisted. This is designed to enable

system calls to ip filter or other tools. A locking mechanism using /tmp

prevents continuous system calls. Use %s to denote the IP address of the

blacklisted IP.





Choose an alternative temp directory


By default "/tmp" will be used for locking mechanism, which opens some

security issues if your system is open to shell users.




In the event you have nonprivileged shell users, you'll want to create a

directory writable only to the user Apache is running as (usually root),

then set this in your httpd.conf.


Once all that is setup restart your apache server and enjoy the know fact that you have

locked it down :)note that mod_dosevasive provide a file to check the mod_dosevasive

is functioning correctly.


service httpd restart


fantastic post, and moved to apache with a link here to it







\o\ sweet knew about mod_security.. but mod_doevasive!! woot cheers xDamox

Forum Jump:

Users browsing this thread: 1 Guest(s)