Mod_security is a free web application firewall (WAF) Apache module that helps to protect your website from various attacks such as PHP and SQL injection attacks, cross-site scripting, path traversal attacks etc. Also, it allows for real-time analysis and HTTP traffic monitoring with little or no changes of the existing Apache configuration. Mod_evasive is an Apache module that helps to prevent server brute force attacks and HTTP DoS (DDoS) attacks.

Login via SSH and update the system

To begin, log in to your Ubuntu 16.04 VPS via SSH as user root

ssh root@IP_Address -p Port_number

Make sure that all OS packages are up to date by running the following command-line commands:

apt-get update
apt-get upgrade

You can also enable automatic updates on your VPS.

Prerequisites

The mod_security and mod_evasive Apache modules have several requirements which we have to install on the server in order to run them. We need to have Apache server installed and running with enabled mod_headers module.
Install Apache, enable it to start on boot and start the Apache service:

sudo apt-get install apache2 -y
sudo systemctl enable apache2.service
sudo systemctl start apache2.service

Then, enable the mod_headers module using the following command:

sudo a2enmod headers

Install mod_security

Installation of the mod_security module is quite simple. Run the following command:

apt-get install libapache2-modsecurity

After installing, run the following command to enable the mod_security Apache module:

sudo a2enmod security2

We can check if mod_security module is active and enabled using the following command:

apachectl -M | grep security

If you see the following output:

security2_module (shared)

it means that mod_security module is enabled. There are no security rules configured by default, so we need to enable the mod_security rules. In order to do so, copy the recommended mod_security configuration file, then edit it and set the ‘SecRuleEngine’ option to On:

sudo cp /etc/modsecurity/modsecurity.conf{-recommended,}
sudo vi /etc/modsecurity/modsecurity.conf

SecRuleEngine On

Also, locate the line ‘SecResponseBodyAccess On’ and change it to:

SecResponseBodyAccess Off

It will disable response body inspection and save server resources.
The mod_security rules are available in following directories:

/usr/share/modsecurity-crs/base_rules
/usr/share/modsecurity-crs/optional_rules
/usr/share/modsecurity-crs/experimental_rules

1. To enable all of the CRS base rules, create symbolic links using the following command:

sudo ln -s /usr/share/modsecurity-crs/base_rules/*.conf /usr/share/modsecurity-crs/activated_rules/

To enable the CRS optional and experimental rules files you may want to use, create symbolic links under the ‘activated_rules’ directory location accordingly.

2. Alternatively, configure and enable the Open Web Application Security Project (OWASP) core rule set:

sudo apt-get install git
sudo git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
sudo mv /usr/share/modsecurity-crs /usr/share/modsecurity-crs.bak
sudo mv owasp-modsecurity-crs /usr/share/modsecurity-crs
sudo mv /usr/share/modsecurity-crs/crs-setup.conf.example /usr/share/modsecurity-crs/crs-setup.conf

In both cases, we need to edit the /etc/apache2/mods-enabled/security2.conf file:

/etc/apache2/mods-enabled/security2.conf

Add these lines at the end:

IncludeOptional "/usr/share/modsecurity-crs/*.conf
IncludeOptional "/usr/share/modsecurity-crs/rules/*.conf

For the changes to take effect, restart Apache with the command:

systemctl restart apache2

Check the /var/log/apache2/modsec_audit.log log file to find the rules that are being triggered by mod_security on your Apache web server. The error log is the same log file that is used by Apache to write error messages, normally stored at /var/log/apache2/error.log.
If you need more information and want to learn how to configure and use mod_security, read the official documentation.

Install mod_evasive

Install the mod_evasive module using the following command:

apt-get install libapache2-mod-evasive

After installing, run this command:

sudo a2enmod evasive

Edit the mod-evasive.conf file and configure mod_evasive module:

sudo vi /etc/apache2/mods-available/mod-evasive.conf

DOSHashTableSize 3097
DOSPageCount 10
DOSSiteCount 30
DOSPageInterval 1
DOSSiteInterval 3
DOSBlockingPeriod 3600
DOSLogDir /var/log/apache2/mod_evasive.log

Save and close that file.
For more details on the various configuration parameters, check the README file included with mod_evasive module.
Use the following command to check if mod_evasive module is active and enabled:

evasive20_module (shared)

Create a log file for mod_evasive:

touch /var/log/apache2/mod_evasive.log
sudo chown www-data:www-data /var/log/apache2/mod_evasive.log

Run the following command to restart Apache:

systemctl restart apache2

That is it. Mod_security and mod_evasive modules have been successfully installed on your Ubuntu VPS.

Conclusion

In order to harden and secure your Apache web server it is a good idea to install and configure mod_security and mod_evasive modules on a Linux VPS with Ubuntu 16.04 OS installed on it.

Of course you don’t have to install mod_security and mod_evasive on Ubuntu 16.04, if you use one of our server support services, in which case you can simply ask our expert Linux admins to setup this for you. They are available 24×7 and will take care of your request immediately.

PS. If you liked this post on how to install mod_security and mod_evasive on Ubuntu 16.04, please share it with your friends on the social networks using the buttons on the left or simply leave a reply below. Thanks.

The post How to Install mod_security and mod_evasive on Ubuntu 16.04 appeared first on LinuxHostSupport.

1. Install Dependencies

The first step is the installation of the required packages. Run the following command to install them:

apt-get install python-pip python-dev python-setuptools python-flup libpng12-dev zlib1g-dev libpng-dev libjpeg-dev build-essential

2. Install and configure PostgreSQL database

Install PostgreSQL from the Ubuntu package repository . You can do that using this command:

sudo apt-get install -y postgresql postgresql-contrib

At this point, in order to configure local user authentication, you need to edit the pg_hba.conf  using some text editor, e.g. nano:

nano /etc/postgresql/9.5/main/pg_hba.conf

If you want to activate password authentication using an MD5 hash then you should replace peer with md5 on this line:

local   all          all                  md5

Save and exit. You should restart the PostgreSQL service in order to enable automatic start at system boot and at the same time to enable these changes.

systemctl restart postgresql

systemctl enable postgresql

Create a new PostgreSQL database and user for Askbot installation. In this tutorial, a new database ‘askbot_db’ with username ‘askbot_user’ and password ‘YOUR_PASSWORD’ was created.

You need to login as the postgres user and access the PostgreSQL shell ‘psql’.

su - postgres
psql

Using the next queries you should create a new database named ‘askbot_db’ and a new user ‘askbot_user’ with password ‘YOUR_PASSWORD’.

create database askbot_db;
create user askbot_user with password 'YOUR_PASSWORD';
grant all privileges on database askbot_db to askbot_user;
\q

Now, you have created a new PostgreSQL database for Askbot installation.

3. Install and Configure Askbot Django App

You have installed all packages which are needed for the installation of Askbot and also you have created the PostgreSQL database. The next thing on your list is to install and configure Askbot.

Now, for the installation of Askbot a new user should be created, because the root user won`t be uses for it. You need to create a new user ‘askbot‘ and to give a new password to that user.

useradd -m -s /bin/bash askbot
passwd askbot

Then, you should add the askbot user to the sudo group by the usermod command.

usermod -a -G sudo askbot

You need to create a Symbolic link to /user/bin

sudo ln -s /usr/local/bin/pip /usr/bin/

You have created a new user has been created. The next step is to update python-pip and install virtualenv package. Using the following pip commands you can install these packages.

pip install --upgrade pip
pip install virtualenv

At this point you should log in as the ‘askbot’ user with the su command, and install Askbot.

su - askbot

Next we would need a new virtual environment for the installation of askbot and we can create it with virtualenv command.

virtualenv example_user

To activate the new virtual environment, use the following command:

source example_user/bin/activate

Next you should install Askbot Django app with pip, including psycopg2 for PostgreSQL database connection.

pip install askbot psycopg2

Now, you need to create a new directory for Askbot Django app – we choose to use the name ‘my_app’. You should install Askbot in the created directory.

mkdir my_app/
cd my_app

You can now install Askbot using the following command:

askbot-setup

You should only give the single ‘.‘ and press ‘Enter’ when asked about the Askbot installation directory. In a similar way, by choosing number ‘1‘ you can choose PostgreSQL for database config. Input the database name ‘askbot_db‘, username ‘askbot_user‘ with password ‘YOUR_PASSWORD‘.

pip install six==1.10

Using this command you will generate Django static files directory.

python manage.py collectstatic

In order to continue type ‘yes’ and press Enter.

With the use of the syncdb option you can generate the PostgreSQL database.

python manage.py syncdb

You should type ‘yes’ and then type your admin user, email, and password when asked to create the admin user.

Now you have installed Askbot on the system under the ‘askbot’ user virtual environment. If you want to test the installation of Askbot you can run the runserver command below.

python manage.py runserver 0.0.0.0:8080

If you desire to check the Askbot’ page you need to open your web browser and type the server IP with port 8080.

4. AskBot with Let’s Encrypt SSL

uWSGI supports applications based on Python, Perl, and Ruby. Here, we are going to use uWSGI with the Nginx web server for our Askbot installation. You can install uWSGI using the pip command below.

sudo pip install uwsgi

The next step is the creation of a new directory for the uWSGI site configuration ‘/etc/uwsgi/sites’.

mkdir -p /etc/uwsgi/sites
cd /etc/uwsgi/sites

You need to add new uWSGI configuration file ‘askbot.ini’ to the ‘sites’ directory and then to edit it with nano.

nano  askbot.ini

There, paste the following uWSGI configuration.

[uwsgi]

# Project directory, Python directory
chdir = /home/askbot/example_user/my_app
home = /home/askbot/example_user/
static-map = /m=/home/askbot/example_user/my_app/static
wsgi-file = /home/askbot/example_user/my_app/django.wsgi

master = true
processes = 5

# Askbot will running under the sock file
socket = /home/askbot/example_user/my_app/askbot.sock
chmod-socket = 664
uid = askbot
gid = www-data
vacuum = true

# uWSGI Log file
logto = /var/log/uwsgi.log

5. Install and configure Nginx to use SSL Certificates with AskBot

You have now installed Askbot and it’s running under the uWSGI sock file ‘askbot.sock’. At this point, we are going to use Nginx web server as a reverse proxy for uWSGI application Askbot.

Using the apt command below you can install Nginx from the repository.

apt-get install nginx

Now, using the pip command below, you can install LetsEncrypt.

pip install letsencrypt-nginx==0.7.0

certbot --nginx -d your_domain.com -d www.your_domain.com

Once you have completed the installation, don`t forget to add new nginx virtual host file ‘askbot.conf’.

nano /etc/nginx/sites-available/askbot.conf

You need to paste the following askbot nginx virtual host configuration.

server {
        listen 80;
        server_name your_domain.com www.your_domain.com;
        location / {
        include         uwsgi_params;
        uwsgi_pass      unix:/home/askbot/example_user/my_app/askbot.sock;
   }
 listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/your_domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your_domain.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

}
server {
    if ($host = your_domain.com) {
        return 301 https://$host$request_uri;
    }


        listen 80;
        server_name your_domain.com www.your_domain.com;
    return 404;

}

}

Save and exit.

Next, with the creation of a symlink for ‘askbot’ file to ‘sites-enabled’ directory you will enable the Askbot virtual host file.

ln -s /etc/nginx/sites-available/askbot.conf /etc/nginx/sites-enabled/askbot.conf

Run the following command if you want to test the nginx configuration:

nginx -t

That’s it, you have successfully installed Nginx web server and configured for the Askbot Python Django app.

Of course, you don’t have to install, configure and run Askbot on Ubuntu 16.04, if you use one of our outsourced Linux server support services in which case you can simply ask our expert Linux admins to install and configure Askbot on Ubuntu 16.04 for you. They are available 24×7 and will take care of your request immediately.

PS. If you liked this post on how to install, configure and run AskBot with Let’s Encrypt SSL on Ubuntu 16.04, please share it with your friends on the social networks using the buttons on the left or simply leave a reply below. Thanks.

The post How to Install, Configure and Run AskBot with Let’s Encrypt SSL on Ubuntu 16.04 appeared first on LinuxHostSupport.