It is common for the blogs, forums to face malicious web traffic on regular basis. This malicious traffic not only harmful by simply wasting server resources, slowing down the site but also can lead to ban by third party Advertisement networks, such as Google AdSense. Here is How To Set Up mod_security And fail2ban To Create Anti-Spam Filter For Web Software Auch as WordPress, Forum Software on Debian/Ubuntu Server. Method to setup on REHL/CentOS is slightly different. We are taking it granted that Apache is already installed and running in some method like our guide on installing Apache, in the same way fail2ban also installed and running in some method like our guide on installing fail2ban. We have a separate guide on WordPress Brute Force And Mod Security.
Steps To Set Up mod_security And fail2ban
In easy way, we have to do the following step :
|
1 2 3 4 5 6 7 8 9 10 11 12 |
apt update apt upgrade apt install apache2 -y sudo systemctl enable apache2.service sudo systemctl start apache2.service sudo a2enmod headers apt install libapache2-modsecurity # sudo a2enmod mod-security sudo a2enmod security2 apachectl -M | grep security # output ## security2_module (shared) |
We need to enable the mod_security rules. We will copy the mod_security configuration file, edit it and set the SecRuleEngine option to On:
---
|
1 2 |
sudo cp /etc/modsecurity/modsecurity.conf{-recommended,} sudo nano /etc/modsecurity/modsecurity.conf |
Change these settings :
|
1 2 3 4 5 |
... SecRuleEngine On ... SecResponseBodyAccess Off … |
mod_security rules are available in following directories:
|
1 2 3 |
/usr/share/modsecurity-crs/base_rules /usr/share/modsecurity-crs/optional_rules /usr/share/modsecurity-crs/experimental_rules |
To enable all CRS base rules, create symbolic links :
|
1 |
sudo ln -s /usr/share/modsecurity-crs/base_rules/*.conf /usr/share/modsecurity-crs/activated_rules/ |
CRS optional and experimental rules needs separate symbolic links (not shown here).
We can configure and enable the Open Web Application Security Project (OWASP) core rule set:
|
1 2 3 4 5 |
apt install git git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git mv /usr/share/modsecurity-crs /usr/share/modsecurity-crs.bak mv owasp-modsecurity-crs /usr/share/modsecurity-crs mv /usr/share/modsecurity-crs/crs-setup.conf.example /usr/share/modsecurity-crs/crs-setup.conf |
Edit the /etc/apache2/mods-enabled/security2.conf file:
|
1 |
/etc/apache2/mods-enabled/security2.conf |
Add the lines at the end:
|
1 2 |
IncludeOptional "/usr/share/modsecurity-crs/*.conf IncludeOptional "/usr/share/modsecurity-crs/rules/*.conf |
Restart Apache:
|
1 |
systemctl restart apache2 |
You need to read more information on how to configure and use mod_security from official documentation. Install the mod_evasive module using the following command:
|
1 2 |
apt-get install libapache2-mod-evasive sudo a2enmod evasive |
Open mod-evasive.conf file, configure mod_evasive module:
|
1 |
nano /etc/apache2/mods-available/mod-evasive.conf |
Change the values like this :
|
1 2 3 4 5 6 7 8 9 |
... DOSHashTableSize 3097 DOSPageCount 10 DOSSiteCount 30 DOSPageInterval 1 DOSSiteInterval 3 DOSBlockingPeriod 3600 DOSLogDir /var/log/apache2/mod_evasive.log ... |
Save that file. Create a log file for mod_evasive, give proper permission and restart Apache :
|
1 2 3 |
touch /var/log/apache2/mod_evasive.log sudo chown www-data:www-data /var/log/apache2/mod_evasive.log systemctl restart apache2 |
Read README file in the mod_evasive module for details on the various configuration parameters. We can configure fail2ban with mod security reading official guide :
|
1 |
http://www.fail2ban.org/wiki/index.php/HOWTO_fail2ban_with_ModSecurity2.5 |
When configuring fail2ban, you can test a failregex and ignoreregex patterns, against the mod_security logfile before activating the fail2ban mod_security filter:
|
1 2 |
fail2ban-regex /var/log/apache2/modsec_audit.log "FAIL_REGEX" "IGNORE_REGEX" fail2ban-regex /var/log/apache2/modsec_audit.log "\[.*?\]\s[\w-]*\s<HOST>\s" "\[.*?\]\s[\w-]*\s<HOST>\s" |
Sometimes, we need to un-ban an IP address, we can list of all current rules and check blocked IPs:
|
1 |
iptables -L -n |
You can extract the IP address from this list :
|
1 |
iptables -L -n | grep DROP | sed 's/.*[^-]--\s\+\([0-9\.]\+\)\s\+.*$/\1/g' |
We can pass it to perform the unbanning :
|
1 |
iptables -L -n | grep DROP | sed 's/.*[^-]--\s\+\([0-9\.]\+\)\s\+.*$/\1/g' | xargs -i{} iptables -D fail2ban-ModSec -s {} -j DROP |
