Tutorials

Step by step guide to secure an Ubuntu 16.04 LTS server – part 2 of 2

Part 2 of this guide is based on various community forum posts, and hours of frustrations. Is only a starting point for getting mod_security, mod_evasive and PSAD working. Refer to both projects documentation for the various configuration option  available and configure your security settings as required.

1. Install ModSecurity on your server.

  • Install the dependencies. Open the Terminal Window and enter :

sudo apt-get install libxml2 libxml2-dev libxml2-utils
sudo apt-get install libaprutil1 libaprutil1-dev

  • 64bit users please note – Because of this bug you need to create a symbolic link to libxml2.so.2 or the installation will report the file missing and fail.

ln -s /usr/lib/x86_64-linux-gnu/libxml2.so.2 /usr/lib/libxml2.so.2

  • Now install ModSecurity

sudo apt-get install libapache-mod-security

2. Configure ModSecurity rules.

sudo mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

  • The default folder for ModSecurity rules is /etc/modsecurity/ . All .conf files will be included and need to be configured as required.
  • We need to activate all the base rules and make sure they also get loaded.
  • You might want to edit the SecRequestBodyLimit option in the modsecurity.conf file.
  • SecRequestBodyLimit limits the page request size and limits file uploads to 128 KB by default. Change this to the size of files you would accept uploaded to the server.
  • This settings is very important as it limits the size of all files that can be uploaded to the server.
  • Open the Terminal Window and enter :

sudo vi /etc/modsecurity/modsecurity.conf

  • First activate the rules by editing the SecRuleEngine option and set to On and modify your server signature:

SecRuleEngine On
SecServerSignature FreeOSHTTP

  • Edit the following to option to increase the request limit to 16 MB and save the file :

SecRequestBodyLimit 16384000
SecRequestBodyInMemoryLimit 16384000

3. Download and install the latest OWASP Core Rule Set.

  • We need to download and install the latest OWASP ModSecurity Core Rule Set from the project website. Click here for more information.
  • We will also activate the default CRS config file modsecurity_crs_10_setup.conf.example
  • If you prefer not to use the latest rules, replace master below with the a specific version you would like to use e.g :  v2.2.5
  • Open the Terminal Window and enter :

cd /tmp
sudo wget -O SpiderLabs-owasp-modsecurity-crs.tar.gz https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master
sudo tar -zxvf SpiderLabs-owasp-modsecurity-crs.tar.gz
sudo cp -R SpiderLabs-owasp-modsecurity-crs-*/* /etc/modsecurity/
sudo rm SpiderLabs-owasp-modsecurity-crs.tar.gz
sudo rm -R SpiderLabs-owasp-modsecurity-crs-*
sudo mv /etc/modsecurity/modsecurity_crs_10_setup.conf.example /etc/modsecurity/modsecurity_crs_10_setup.conf

  • Now we create symbolic links to all activated base rules. Open a terminal window and enter :

cd /etc/modsecurity/base_rules
for f in * ; do sudo ln -s /etc/modsecurity/base_rules/$f /etc/modsecurity/activated_rules/$f ; done
cd /etc/modsecurity/optional_rules
for f in * ; do sudo ln -s /etc/modsecurity/optional_rules/$f /etc/modsecurity/activated_rules/$f ; done

  • Now add these rules to Apache2. Open a terminal window and enter:

sudo vi /etc/apache2/mods-available/mod-security.conf

  • Add the following to towards the end of the file with other includes  and save the file :

Include "/etc/modsecurity/activated_rules/*.conf"

4. Check if ModSecurity is enabled and restart Apache.

  • Before restarting Apache2 check if the modules has been loaded.
  • Open the Terminal Window and enter :

sudo a2enmod headers
sudo a2enmod mod-security

  • Then restart the Apache2 webserver :

sudo /etc/init.d apache2 restart

  • OR

service apache2 restart

5. Install ModEvasive.

  • Open the Terminal Window and enter :

sudo mkdir /var/log/mod_evasive

  • Change the log folder permissions :

sudo chown www-data:www-data /var/log/mod_evasive/

7. Create mod-evasive.conf file and configure ModEvasive.

  • Open the Terminal Window and enter :

sudo vi /etc/apache2/mods-available/mod-evasive.conf

  • and add the following, changing the email value, and other options below as required :


DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
DOSLogDir /var/log/mod_evasive
DOSEmailNotify [email protected]
DOSWhitelist 127.0.0.1

  • Visit this website to see more options on how to configure your mod-evasive.

8. Fix mod-evasive email bug – not needed if you run 16.04

  • Because of this bug mod-evasive does not send emails on Ubuntu 12.04.
  • A temporary workaround is to create symlink to the mail program.
  • Open the Terminal Window and enter :

sudo ln -s /etc/alternatives/mail /bin/mail/

9. Check if ModEvasive is enabled and restart Apache.

  • Before restarting Apache2 check if the module has been loaded.
  • Open the Terminal Window and enter :

sudo a2enmod mod-evasive

  • Then restart the Apache2 webserver :

sudo /etc/init.d/apache2 restart

  • OR

service apache2 restart

10. Download and install the latest version of PSAD.

  • Download and install the latest version from the Cipherdyne website.
  • Visit the CipherDyne PSAD download page and select the latest source tar archive, as of writing this the latest version is PSAD 2.4.5
  • To download and install the latest version open a Terminal and enter the following :

sudo su
mkdir /tmp/.psad
cd /tmp/.psad
wget http://cipherdyne.org/psad/download/psad-2.4.3.tar.gz
tar -zxvf psad-2.4.3.tar.gz
cd psad-2.4.3
./install.pl
cd /tmp
rm -R .psad
exit

12. Edit the PSAD configuration file.

  • Three main settings need to be set in the PSAD configuration file before we can complete the install, edit the others as required.
  • open a Terminal Window and enter :

vi /etc/psad/psad.conf

  • EMAIL_ADDRESSES – change this to your email address.
  • HOSTNAME – this is set during install – but double check and change to a FQDN if needed.
  • ENABLE_AUTO_IDS – set this to Y if you could like PSAD to take action – read configuration instructions before setting this to Y.
  • ENABLE_AUTO_IDS_EMAILS – set this to if you would like to receive email notifications of intrusions that are detected.

13. Add iptables LOG rules for both IPv4 and IPv6.

  • For an explanation of this step click here.
  • Add the following iptables policies :

iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG
ip6tables -A INPUT -j LOG
ip6tables -A FORWARD -j LOG

14. Reload and update PSAD.

  • To restart, update the signature file and reload PSAD to complete the install open a Terminal Window and enter :


psad -R
psad --sig-update
psad -H

  • To check the status of PSAD, open a Terminal Window and enter :

psad --Status

 

That’s all. Now your Ubuntu server should be pretty well secured and ready to install and run DEXBot.

I lift things up and put them down.