    Linux VPS Security with mod_security and fail2ban

    Posted by Robert Wagnon in Security on October 22, 2014

    Our VPS team wanted to improve the security of our Linux VPS VMs. We opted to use mod_security and fail2ban. Note that we use them independently: we do not ban visits that violate mod_security, we simply discard the visit.

    NOTE:

    mod_evasive doesn’t work with Apache 2.4.1 anymore.

    It stores the violation counts PER CHILD. Attackers don’t hit the same child enough times in the time interval to trip the system.
    If you have 100 child threads, then the counts are diluted to 1/100 for the time interval.

    DO NOT USE mod_evasive.

    Use mod_security instead, but note that it won’t ban IP addresses.
    yum install mod_security (installs mod_security)
    yum install mod_security_crs (installs the OWASP security rules for mod_security)

    After installing mod_security, you may get a FAILED message at service httpd restart.
    You’ll find a message similar to this one in /var/log/httpd/error_log:
    [alert] (EAI 2)Name or service not known: mod_unique_id: unable to find IPv4 address of "myserver.mydomain.local"
    BE CERTAIN that the HOSTNAME value in /etc/sysconfig/network also has a 127.0.0.1 record in /etc/hosts.

    Use fail2ban

    yum install fail2ban
    vi /etc/fail2ban/jail.local
    [apache-banhermes]
    enabled = true
    filter = apache-banhermes
    logpath = /var/log/httpd/access_log
    maxretry = 1
    bantime = 60000
    action = iptables-multiport[name=banhermes, port="http,https"]
    backend = polling

    vi /etc/fail2ban/filter.d/apache-banhermes.conf
    [Definition]

    failregex = ^<HOST> -.*"(GET|POST) \/hermes\/
    ignoreregex =

    service fail2ban start
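
    To check which access_log lines the apache-banhermes filter would act on, here is an added example (not code from the original post or from fail2ban) that applies the failregex, written with a straight double quote, to constructed log lines. Assumptions: `<HOST>` is replaced by a simplified address pattern rather than fail2ban's own expansion, lines are matched raw, and the jail's find-time window is ignored.

```python
import re
from collections import Counter

# failregex as configured in filter.d/apache-banhermes.conf (straight quote).
FAILREGEX = r'^<HOST> -.*"(GET|POST) \/hermes\/'
MAXRETRY = 1  # from the [apache-banhermes] jail: one hit is enough to ban

# Assumption: simplified stand-in for fail2ban's <HOST> tag (address literals only).
HOST_GROUP = r'(?P<host>[0-9A-Fa-f:.]+)'


def compile_failregex(failregex):
    """Substitute the <HOST> tag and compile the pattern."""
    return re.compile(failregex.replace('<HOST>', HOST_GROUP))


def hosts_to_ban(lines, failregex=FAILREGEX, maxretry=MAXRETRY):
    """Return the sorted hosts whose matching-line count reaches maxretry."""
    pattern = compile_failregex(failregex)
    hits = Counter()
    for line in lines:
        match = pattern.search(line)
        if match:
            hits[match.group('host')] += 1
    return sorted(host for host, count in hits.items() if count >= maxretry)


# Constructed sample lines in Apache combined log format (documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Oct/2014:10:01:02 -0500] "GET /hermes/login.php HTTP/1.1" 404 209 "-" "curl/7.29.0"',
    '198.51.100.23 - - [22/Oct/2014:10:01:05 -0500] "POST /hermes/ HTTP/1.1" 404 201 "-" "-"',
    # /hermes/ only in the Referer field: not a request for /hermes/, no match.
    '192.0.2.10 - - [22/Oct/2014:10:02:11 -0500] "GET /index.html HTTP/1.1" 200 5120 "http://example.com/hermes/" "Mozilla/5.0"',
    # HEAD is outside (GET|POST): no match.
    '192.0.2.44 - - [22/Oct/2014:10:03:40 -0500] "HEAD /hermes/ HTTP/1.1" 404 - "-" "-"',
    # No trailing slash after /hermes: no match.
    '192.0.2.45 - - [22/Oct/2014:10:04:02 -0500] "GET /hermes HTTP/1.1" 404 203 "-" "-"',
]

if __name__ == '__main__':
    for host in hosts_to_ban(SAMPLE_LOG):
        print('would ban', host)
```

    On a server with fail2ban installed, fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/apache-banhermes.conf runs the real filter against the real log. A typographic quote pasted into failregex in place of the straight one matches nothing.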
