Our VPS team wanted to improve the security on our Linux VPS VMs. We opted to use mod_security and fail2ban. Note that we use them independently: we do not ban visitors that trigger mod_security, we simply discard the offending request.
mod_evasive doesn’t work with Apache 2.4.1 anymore.
It stores the violation counts PER CHILD. Attackers don’t hit the same child enough times in the time interval to trip the system.
If you have 100 child threads, the count seen by any one of them is diluted to 1/100 for the time interval.
DO NOT USE mod_evasive.
Use mod_security instead, but note that on its own it won’t ban IP addresses.
yum install mod_security (install mod_security)
yum install mod_security_crs (install OWASP security rules for mod_security)
After installing mod_security, you may get a FAILED message when running service httpd restart.
You’ll find a similar message in /var/log/httpd/error_log:
[alert] (EAI 2)Name or service not known: mod_unique_id: unable to find IPv4 address of “myserver.mydomain.local”
BE CERTAIN that the HOSTNAME value in /etc/sysconfig/network also has a 127.0.0.1 record in /etc/hosts.
yum install fail2ban
enabled = true
filter = apache-banhermes
logpath = /var/log/httpd/access_log
maxretry = 1
bantime = 60000
action = iptables-multiport[name=banhermes, port="http,https"]
backend = polling
failregex = ^<HOST> -.*"(GET|POST) \/hermes\/
service fail2ban start
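To check what the failregex above will actually catch before enabling the jail, here is an added example (not part of the original notes) that applies the same regex to a few constructed access_log lines the way fail2ban does, counting hits per host and reporting which hosts reach maxretry. It assumes a simplified IPv4-only expansion of fail2ban's <HOST> placeholder.

```python
import re
from collections import Counter

# The failregex from the jail configuration above.
FAILREGEX = r'^<HOST> -.*"(GET|POST) \/hermes\/'

# Assumption: a simplified IPv4-only stand-in for fail2ban's <HOST> expansion.
HOST_PATTERN = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'


def compile_failregex(failregex=FAILREGEX):
    """Expand <HOST> into a named group, as fail2ban does when loading a filter."""
    return re.compile(failregex.replace('<HOST>', HOST_PATTERN))


def offending_hosts(log_lines, failregex=FAILREGEX):
    """Return a Counter mapping each matching client IP to its number of hits."""
    rx = compile_failregex(failregex)
    counts = Counter()
    for line in log_lines:
        m = rx.search(line)
        if m:
            counts[m.group('host')] += 1
    return counts


def hosts_to_ban(log_lines, maxretry=1):
    """Hosts whose hit count reaches maxretry (1 in the jail above: a single probe bans)."""
    return sorted(h for h, n in offending_hosts(log_lines).items() if n >= maxretry)


# Constructed sample access_log lines in Apache combined format (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2020:13:55:36 +0000] "GET /hermes/index.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2020:13:55:37 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2020:13:55:38 +0000] "POST /hermes/login HTTP/1.1" 403 188 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Oct/2020:13:55:39 +0000] "GET /hermes/ HTTP/1.1" 404 209 "-" "curl/7.29.0"',
    # /hermes/ appears only in the Referer field: the regex requires it in the request line,
    # so this legitimate visitor must NOT be counted.
    '198.51.100.8 - - [10/Oct/2020:13:55:40 +0000] "GET /about HTTP/1.1" 200 55 "http://example.com/hermes/" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for host, hits in offending_hosts(SAMPLE_LOG).items():
        print(host, hits)
    print('would ban:', hosts_to_ban(SAMPLE_LOG))
```

On a live box the equivalent check is fail2ban-regex against the real access_log and the filter file, which also reports lines that were read but did not match.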