Part 2 of this guide is based on various community forum posts and hours of frustration. It is only a starting point for getting mod_security, mod_evasive and PSAD working. Refer to each project's documentation for the various configuration options available and configure your security settings as required.
1. Install ModSecurity on your server.
- Install the dependencies. Open the Terminal Window and enter :
sudo apt-get install libxml2 libxml2-dev libxml2-utils
sudo apt-get install libaprutil1 libaprutil1-dev
- 64-bit users please note: because of this bug you need to create a symbolic link to libxml2.so.2, or the installation will report the file missing and fail.
sudo ln -s /usr/lib/x86_64-linux-gnu/libxml2.so.2 /usr/lib/libxml2.so.2
- Now install ModSecurity
sudo apt-get install libapache-mod-security
2. Configure ModSecurity rules.
- Activate the recommended default rules to get things going, then configure them as needed. For complete information refer to the ModSecurity Reference Manual - click here.
sudo mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
- The default folder for ModSecurity rules is /etc/modsecurity/. All .conf files in it will be included and need to be configured as required.
- We need to activate all the base rules and make sure they also get loaded.
- You might want to edit the SecRequestBodyLimit option in the modsecurity.conf file.
- SecRequestBodyLimit limits the size of a request body, and so limits file uploads to 128 KB by default. Change this to the size of files you would accept being uploaded to the server.
- This setting is very important as it limits the size of all files that can be uploaded to the server.
- Open the Terminal Window and enter :
sudo vi /etc/modsecurity/modsecurity.conf
- First activate the rules by editing the SecRuleEngine option and setting it to On, and modify your server signature:
SecRuleEngine On
SecServerSignature FreeOSHTTP
- Edit the following two options to increase the request limit to 16 MB and save the file :
SecRequestBodyLimit 16384000
SecRequestBodyInMemoryLimit 16384000
3. Download and install the latest OWASP Core Rule Set.
- We need to download and install the latest OWASP ModSecurity Core Rule Set from the project website. Click here for more information.
- We will also activate the default CRS config file modsecurity_crs_10_setup.conf.example.
- If you prefer not to use the latest rules, replace master below with a specific version you would like to use, e.g. v2.2.5.
- Open the Terminal Window and enter :
cd /tmp
sudo wget -O SpiderLabs-owasp-modsecurity-crs.tar.gz https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master
sudo tar -zxvf SpiderLabs-owasp-modsecurity-crs.tar.gz
sudo cp -R SpiderLabs-owasp-modsecurity-crs-*/* /etc/modsecurity/
sudo rm SpiderLabs-owasp-modsecurity-crs.tar.gz
sudo rm -R SpiderLabs-owasp-modsecurity-crs-*
sudo mv /etc/modsecurity/modsecurity_crs_10_setup.conf.example /etc/modsecurity/modsecurity_crs_10_setup.conf
- Now we create symbolic links to the base rules (and the optional rules) in the activated_rules folder so that they are loaded. Open a terminal window and enter :
cd /etc/modsecurity/base_rules
for f in * ; do sudo ln -s /etc/modsecurity/base_rules/$f /etc/modsecurity/activated_rules/$f ; done
cd /etc/modsecurity/optional_rules
for f in * ; do sudo ln -s /etc/modsecurity/optional_rules/$f /etc/modsecurity/activated_rules/$f ; done
- Now add these rules to Apache2. Open a terminal window and enter:
sudo vi /etc/apache2/mods-available/mod-security.conf
- Add the following towards the end of the file, with the other Include lines, and save the file :
Include "/etc/modsecurity/activated_rules/*.conf"
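Before restarting Apache it is worth confirming that the settings from steps 2 and 3 actually ended up in the files. The script below is an added example, not part of the original guide or of the ModSecurity project: it reads a modsecurity.conf and the Apache mod-security.conf, reports whether SecRuleEngine is On, whether SecRequestBodyLimit meets the size you chose, and whether the activated_rules Include line is present. The file paths and the minimum limit are parameters, and the two sample configs it writes at the end are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original guide): sanity-check the ModSecurity
# directives set in steps 2 and 3 before restarting Apache.

# modsec_check MODSEC_CONF APACHE_MODSEC_CONF MIN_BODY_LIMIT
# Prints one line per check and returns 0 only if every check passes.
modsec_check() {
    conf="$1"; apache_conf="$2"; min_limit="$3"; rc=0

    # The last occurrence of a directive wins. Comment lines start with '#',
    # so their first field never equals a directive name.
    engine=$(awk '$1 == "SecRuleEngine" { v = $2 } END { print v }' "$conf")
    limit=$(awk '$1 == "SecRequestBodyLimit" { v = $2 } END { print v }' "$conf")
    mem_limit=$(awk '$1 == "SecRequestBodyInMemoryLimit" { v = $2 } END { print v }' "$conf")

    if [ "$engine" = "On" ]; then
        echo "ok   SecRuleEngine On"
    else
        echo "FAIL SecRuleEngine is '${engine:-unset}', expected On (rules will not block)"
        rc=1
    fi

    case "$limit" in
        ''|*[!0-9]*)
            echo "FAIL SecRequestBodyLimit is '${limit:-unset}', expected a byte count"
            rc=1 ;;
        *)
            if [ "$limit" -ge "$min_limit" ]; then
                echo "ok   SecRequestBodyLimit $limit"
            else
                echo "FAIL SecRequestBodyLimit $limit is below $min_limit (larger uploads are rejected)"
                rc=1
            fi ;;
    esac

    case "$mem_limit" in
        ''|*[!0-9]*)
            echo "FAIL SecRequestBodyInMemoryLimit is '${mem_limit:-unset}', expected a byte count"
            rc=1 ;;
        *)  echo "ok   SecRequestBodyInMemoryLimit $mem_limit" ;;
    esac

    # The Include line from step 3: without it no CRS rule is loaded at all.
    if grep -q '^[[:space:]]*Include[[:space:]].*activated_rules/\*\.conf' "$apache_conf"; then
        echo "ok   activated_rules are included by $apache_conf"
    else
        echo "FAIL $apache_conf does not include /etc/modsecurity/activated_rules/*.conf"
        rc=1
    fi
    return $rc
}

# Constructed sample files (not real server files): one with the values this
# guide sets, one left in DetectionOnly with the shipped 128 KB limit.
write_samples() {
    dir="$1"
    printf '%s\n' 'SecRuleEngine On' 'SecServerSignature FreeOSHTTP' \
        'SecRequestBodyLimit 16384000' 'SecRequestBodyInMemoryLimit 16384000' > "$dir/good.conf"
    printf '%s\n' '# SecRuleEngine On' 'SecRuleEngine DetectionOnly' \
        'SecRequestBodyLimit 131072' > "$dir/bad.conf"
    printf '%s\n' '<IfModule security2_module>' '    Include "/etc/modsecurity/*.conf"' \
        '    Include "/etc/modsecurity/activated_rules/*.conf"' '</IfModule>' > "$dir/apache.conf"
}

d=$(mktemp -d)
write_samples "$d"
modsec_check "$d/good.conf" "$d/apache.conf" 16384000
echo "---"
modsec_check "$d/bad.conf" "$d/apache.conf" 16384000 || echo "bad.conf: one or more checks failed"
rm -rf "$d"
```

On the server itself, call it as `modsec_check /etc/modsecurity/modsecurity.conf /etc/apache2/mods-available/mod-security.conf 16384000` (the paths this guide uses) and only restart Apache once every line reads ok.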
4. Check if ModSecurity is enabled and restart Apache.
- Before restarting Apache2, make sure the modules have been enabled.
- Open the Terminal Window and enter :
sudo a2enmod headers
sudo a2enmod mod-security
- Then restart the Apache2 webserver :
sudo /etc/init.d/apache2 restart
- OR
sudo service apache2 restart
5. Install ModEvasive.
- Install the module and create its log folder. Open the Terminal Window and enter :
sudo apt-get install libapache2-mod-evasive
sudo mkdir /var/log/mod_evasive
- Change the log folder permissions :
sudo chown www-data:www-data /var/log/mod_evasive/
7. Create the mod-evasive.conf file and configure ModEvasive.
- Open the Terminal Window and enter :
sudo vi /etc/apache2/mods-available/mod-evasive.conf
- and add the following, changing the email value and the other options as required :
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
DOSLogDir /var/log/mod_evasive
DOSEmailNotify admin@example.com
DOSWhitelist 127.0.0.1
- Visit the mod_evasive website to see more options on how to configure it.
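The DOSPageCount/DOSPageInterval and DOSSiteCount/DOSSiteInterval pairs decide who gets a 403, and with the values above the third request for the same page within one second, or the 51st request for any page within one second, is refused. The script below is an added example, not part of the original guide or of the mod_evasive project: it replays a request log through counters modelled on the module's hit-list behaviour (a per-client, per-page counter and a per-client counter, each reset when successive hits are further apart than the interval), so you can try threshold values against real traffic before enabling the module. The log lines it feeds in are constructed; the `<unix_time> <client_ip> <uri>` input format is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the original guide): replay requests through the
# mod_evasive-style counters to see which clients the thresholds would block.

# evasive_simulate PAGE_COUNT SITE_COUNT PAGE_INTERVAL SITE_INTERVAL
# Reads "<unix_time> <client_ip> <uri>" lines on stdin and prints
# "<client_ip> <page|site>" for every client that would receive a 403.
evasive_simulate() {
    awk -v page_count="$1" -v site_count="$2" -v page_iv="$3" -v site_iv="$4" '
    {
        t = $1 + 0; ip = $2; uri = $3
        # Same page from the same client: the counter only survives while
        # successive hits are less than page_iv seconds apart.
        k = ip SUBSEP uri
        if (k in pt) {
            if (t - pt[k] < page_iv && pcnt[k] >= page_count) {
                blocked[ip] = "page"
            } else if (t - pt[k] >= page_iv) {
                pcnt[k] = 0
            }
        }
        pt[k] = t; pcnt[k]++
        # Any page from the same client, against the site-wide threshold.
        if (ip in st) {
            if (t - st[ip] < site_iv && scnt[ip] >= site_count) {
                if (!(ip in blocked)) blocked[ip] = "site"
            } else if (t - st[ip] >= site_iv) {
                scnt[ip] = 0
            }
        }
        st[ip] = t; scnt[ip]++
    }
    END { for (ip in blocked) print ip, blocked[ip] }' | sort
}

# Constructed log: 10.0.0.1 hammers one page, 10.0.0.2 browses normally,
# 10.0.0.3 fetches 51 different pages within the same second.
evasive_sample() {
    printf '%s\n' '100 10.0.0.1 /index.html' '100 10.0.0.1 /index.html' '100 10.0.0.1 /index.html'
    printf '%s\n' '200 10.0.0.2 /a.html' '201 10.0.0.2 /b.html' '203 10.0.0.2 /a.html'
    i=1
    while [ "$i" -le 51 ]; do
        echo "300 10.0.0.3 /page$i.html"
        i=$((i + 1))
    done
}

# Thresholds as set in mod-evasive.conf above:
# DOSPageCount 2, DOSSiteCount 50, DOSPageInterval 1, DOSSiteInterval 1.
evasive_sample | evasive_simulate 2 50 1 1
```

To test against your own traffic, convert the Apache access log into the three-column form (request time as a Unix timestamp, client address, request path) and pipe it in; raising DOSPageCount is the usual fix when a legitimate page that loads many sub-resources from the same path shows up as blocked.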
8. Fix mod-evasive email bug - not needed if you run 16.04
- Because of this bug, mod-evasive does not send emails on Ubuntu 12.04.
- A temporary workaround is to create a symlink to the mail program.
- Open the Terminal Window and enter :
sudo ln -s /etc/alternatives/mail /bin/mail
9. Check if ModEvasive is enabled and restart Apache.
- Before restarting Apache2, make sure the module has been enabled.
- Open the Terminal Window and enter :
sudo a2enmod mod-evasive
- Then restart the Apache2 webserver :
sudo /etc/init.d/apache2 restart
- OR
sudo service apache2 restart
10. Download and install the latest version of PSAD.
- Download and install the latest version from the Cipherdyne website.
- Visit the Cipherdyne PSAD download page and select the latest source tar archive; as of writing this the latest version is PSAD 2.4.5.
- To download and install it, open a Terminal and enter the following, replacing 2.4.3 with the version you downloaded :
sudo su
mkdir /tmp/.psad
cd /tmp/.psad
wget http://cipherdyne.org/psad/download/psad-2.4.3.tar.gz
tar -zxvf psad-2.4.3.tar.gz
cd psad-2.4.3
./install.pl
cd /tmp
rm -R .psad
exit
12. Edit the PSAD configuration file.
- The main settings below need to be set in the PSAD configuration file before we can complete the install; edit the others as required.
- Open a Terminal Window and enter :
sudo vi /etc/psad/psad.conf
- EMAIL_ADDRESSES - change this to your email address.
- HOSTNAME - this is set during install, but double check it and change it to a FQDN if needed.
- ENABLE_AUTO_IDS - set this to Y if you would like PSAD to take action - read the configuration instructions before setting this to Y.
- ENABLE_AUTO_IDS_EMAILS - set this to Y if you would like to receive email notifications of intrusions that are detected.
13. Add iptables LOG rules for both IPv4 and IPv6.
- For an explanation of this step click here.
- Add the following iptables LOG rules :
sudo iptables -A INPUT -j LOG
sudo iptables -A FORWARD -j LOG
sudo ip6tables -A INPUT -j LOG
sudo ip6tables -A FORWARD -j LOG
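PSAD does its work by reading the kernel log messages that the iptables LOG target writes, so a chain without a LOG rule, or with the LOG rule sitting after a catch-all DROP or REJECT, gives it nothing to analyse. The script below is an added example, not part of the original guide or of the psad project: it reads a firewall dump in `iptables-save` / `ip6tables-save` format and reports, for the INPUT and FORWARD chains, whether an unconditional LOG rule is present and reachable. The two dumps it writes are constructed samples, not taken from a real host.

```shell
#!/bin/sh
# Added example (not from the original guide): verify that the LOG rules
# PSAD depends on are present and reachable in an iptables-save style dump.

# psad_log_rules DUMP LABEL
# DUMP is a file holding iptables-save or ip6tables-save output; LABEL is
# only used in the messages. Returns 0 if INPUT and FORWARD each contain an
# unconditional LOG rule that no earlier catch-all DROP/REJECT shadows.
psad_log_rules() {
    dump="$1"; label="$2"; rc=0
    for chain in INPUT FORWARD; do
        # Line numbers of the first catch-all LOG and the first catch-all
        # DROP/REJECT in this chain ("-A CHAIN -j TARGET" has no match options).
        log_line=$(grep -n "^-A $chain -j LOG" "$dump" | head -n 1 | cut -d: -f1)
        drop_line=$(grep -n -E "^-A $chain -j (DROP|REJECT)" "$dump" | head -n 1 | cut -d: -f1)
        if [ -z "$log_line" ]; then
            echo "FAIL $label $chain: no LOG rule, add 'iptables -A $chain -j LOG'"
            rc=1
        elif [ -n "$drop_line" ] && [ "$drop_line" -lt "$log_line" ]; then
            echo "FAIL $label $chain: LOG rule at line $log_line is never reached (DROP/REJECT at line $drop_line)"
            rc=1
        else
            echo "ok   $label $chain: LOG rule at line $log_line"
        fi
    done
    return $rc
}

# Constructed sample dumps (not from a real host).
write_samples() {
    dir="$1"
    # IPv4: LOG rules appended last, as step 13 does.
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -j LOG' '-A FORWARD -j LOG' 'COMMIT' > "$dir/v4.rules"
    # IPv6: LOG rule added after a catch-all DROP, and FORWARD forgotten.
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' '-A INPUT -j DROP' '-A INPUT -j LOG' 'COMMIT' > "$dir/v6.rules"
}

d=$(mktemp -d)
write_samples "$d"
psad_log_rules "$d/v4.rules" IPv4
psad_log_rules "$d/v6.rules" IPv6 || echo "IPv6 rules need fixing before PSAD will see any IPv6 traffic"
rm -rf "$d"
```

On the server, dump the live rules with `sudo iptables-save > /tmp/v4.rules` and `sudo ip6tables-save > /tmp/v6.rules` and pass those files to psad_log_rules; a FAIL on the ordering check means the LOG rule has to be inserted before the catch-all drop rather than appended after it.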
14. Reload and update PSAD.
- To restart PSAD, update the signature file and reload it, completing the install, open a Terminal Window and enter :
sudo psad -R
sudo psad --sig-update
sudo psad -H
- To check the status of PSAD, open a Terminal Window and enter :
sudo psad --Status
That’s all. Now your Ubuntu server should be pretty well secured and ready to install and run DEXBot.