
Secure your Apache server from DDoS, Slowloris, and DNS Injection attacks

Find out which three modules to install on your Apache server to lock it down and prevent DDoS, Slowloris, and DNS Injection attacks.

Apache is the most widely used web server on the planet, and it's also one of the most widely attacked. To that end, it's always smart to lock down your Apache server as best as possible. This goes well beyond just locking down your network -- you need to give that Apache server as much attention as it might get from outside sources.

I'll walk you through the process of protecting your Apache server against Distributed Denial of Service (DDoS), Slowloris, and DNS Injection attacks. These break-ins are quite simple to prevent, as long as you take the time to lock down that server.

I'm assuming that your Apache server is up and running and (for simplicity's sake) that it's running on the Ubuntu platform -- for any other platform, you'll need to make minor adjustments. All of this work will be done from within a console window, so prepare to get "the flavor of console" all over your fingertips. 


DDoS

There is an Apache module that was created to prevent a DDoS attack, although it's probably not installed by default. Follow these steps to install the module.

1. Open your terminal window.

2. Issue the command sudo apt-get -y install libapache2-mod-evasive.

3. Issue the command sudo mkdir -p /var/log/apache2/evasive.

4. Issue the command sudo chown -R www-data:root /var/log/apache2/evasive.

5. Open the /etc/apache2/mods-available/mod-evasive.load file (using sudo and your favorite text editor) and append the following to the bottom of that file (this is one configuration per line):

# Apache only treats '#' as a comment at the start of a line, so keep each
# comment on its own line rather than after a directive.
DOSHashTableSize 2048
# maximum number of requests for the same page
DOSPageCount 20
# total number of requests for any object by the same client IP on the same listener
DOSSiteCount 300
# interval for the page count threshold
DOSPageInterval 1.0
# interval for the site count threshold
DOSSiteInterval 1.0
# time that a client IP will be blocked for
DOSBlockingPeriod 10.0
DOSLogDir "/var/log/apache2/evasive"
DOSEmailNotify admin@domain.com

6. Save the file and restart Apache.

You should now be better protected from DDoS attacks.
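Before relying on those thresholds, it helps to see what they would do to real traffic. The following script is an added example (not code from the article or from the mod_evasive project): it replays Apache combined-format access-log lines against the DOSPageCount, DOSSiteCount, DOSPageInterval and DOSSiteInterval values configured above and reports which client addresses would have been blocked. Run over your own /var/log/apache2/access.log it shows whether legitimate clients (a page that loads many assets, an office behind one NAT address) would trip the limits. The sample log lines are constructed, and the sliding-window counting is a simplification of the module's own logic.

```python
"""Replay Apache access-log lines against mod_evasive-style thresholds.

Added example; not code from the article or the mod_evasive project. Defaults
are the DOSPageCount / DOSSiteCount / DOSPageInterval / DOSSiteInterval values
from the article's configuration. The window logic is a simplified sliding
window, close to but not identical with the module's own counting.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log format: IP, ident, user, [timestamp], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, epoch_seconds, path) for a combined-format line, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts.timestamp(), m.group("path")


def would_block(lines, page_count=20, site_count=300,
                page_interval=1.0, site_interval=1.0):
    """Return {ip: reason} for clients that exceed either threshold.

    page_count: hits on the same (ip, path) allowed within page_interval seconds
    site_count: hits on any path from the same ip allowed within site_interval seconds
    """
    page_hits = defaultdict(deque)   # (ip, path) -> recent timestamps
    site_hits = defaultdict(deque)   # ip -> recent timestamps
    blocked = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:              # not a combined-format entry; skip it
            continue
        ip, now, path = rec
        if ip in blocked:            # mod_evasive would already answer 403 here
            continue
        pw = page_hits[(ip, path)]
        pw.append(now)
        while now - pw[0] > page_interval:   # drop hits outside the window
            pw.popleft()
        sw = site_hits[ip]
        sw.append(now)
        while now - sw[0] > site_interval:
            sw.popleft()
        if len(pw) > page_count:
            blocked[ip] = f"DOSPageCount exceeded on {path}"
        elif len(sw) > site_count:
            blocked[ip] = "DOSSiteCount exceeded"
    return blocked


def sample_lines():
    """Constructed log lines (not real traffic): 203.0.113.7 hammers one page
    within a single second while 198.51.100.4 browses normally."""
    hammer = [
        '203.0.113.7 - - [10/Oct/2014:13:55:36 +0000] '
        '"GET /login.php HTTP/1.1" 200 512 "-" "curl/7.35.0"'
    ] * 25
    normal = [
        f'198.51.100.4 - - [10/Oct/2014:13:55:{36 + i:02d} +0000] '
        f'"GET {page} HTTP/1.1" 200 1024 "-" "Mozilla/5.0"'
        for i, page in enumerate(["/", "/about.html", "/css/site.css"])
    ]
    return hammer + normal


def scatter_lines():
    """Constructed: 192.0.2.9 fetches 12 different files in the same second,
    which can trip a site-wide limit but never a per-page one."""
    return [
        f'192.0.2.9 - - [10/Oct/2014:14:00:00 +0000] '
        f'"GET /img/{i}.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"'
        for i in range(12)
    ]


if __name__ == "__main__":
    for ip, why in would_block(sample_lines()).items():
        print(f"{ip}: {why}")
    # A tighter site limit shows the second threshold in action
    for ip, why in would_block(scatter_lines(), site_count=10).items():
        print(f"{ip}: {why}")
```

Feed it real lines with `would_block(open("/var/log/apache2/access.log"))` and lower the thresholds until the output names only clients you would be happy to block; the 1.0-second intervals mean everything within the same log second counts as one burst.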

Slowloris

Slowloris is software written by Robert Hansen that allows one machine to take down another machine's web server using minimal bandwidth. Apache has a module to help prevent such attacks. Here's how to get it working for you.

1. Open a terminal window.

2. Issue the command sudo apt-get -y install libapache2-mod-qos.

After the installation is complete, check the configuration in /etc/apache2/mods-available/qos.conf to make sure it perfectly fits your needs. After you tweak the module (if necessary), restart Apache and enjoy a Slowloris-free web server.

DNS Injection

Spam from web forms is not only prevalent, it's a fast-track method of getting your domain blacklisted by the likes of Spamhaus. To prevent DNS Injection attacks, which are attacks that can inject fake DNS names into your server's cache, you need to add another module to Apache. Follow these steps.

1. Open a terminal window.

2. Issue the command sudo apt-get -y install libapache2-mod-spamhaus.

3. After the installation completes, issue the command sudo touch /etc/spamhaus.wl.

4. With the module installed, open the /etc/apache2/apache2.conf file (using sudo and your favorite text editor) and append the following to the bottom of your configuration file:

<IfModule mod_spamhaus.c>
  MS_METHODS POST,PUT,OPTIONS,CONNECT
  MS_WhiteList /etc/spamhaus.wl
  MS_CacheSize 256
</IfModule>

5. Save the apache2.conf file and restart Apache so the new module will take effect.
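To make clear what the module actually checks on each request, here is an added Python example (not mod_spamhaus's own code). For a request whose method is in the MS_METHODS list above, the module looks the client address up in a Spamhaus DNS-based blocklist: the octets are reversed and prefixed to the zone name, and an answer inside 127.0.0.0/24 means the address is listed; addresses in the MS_WhiteList file are never blocked. The resolver is passed in as a callable so the logic runs offline against a constructed answer table; the zone name and the whitelist file format (one IP or CIDR per line) are assumptions to confirm against the installed module's documentation.

```python
"""The DNS-blocklist (DNSBL) decision mod_spamhaus makes per request.

Added example, not the module's code. Assumptions: the Spamhaus zone name
below and a whitelist file holding one IPv4 address or CIDR range per line.
"""
import ipaddress
import socket

ZONE = "sbl-xbl.spamhaus.org"                            # assumed default zone
CHECKED_METHODS = {"POST", "PUT", "OPTIONS", "CONNECT"}  # the article's MS_METHODS
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/24")      # genuine DNSBL hits live here


def dnsbl_query_name(ip, zone=ZONE):
    """203.0.113.7 -> 7.113.0.203.<zone>: the reversed-octet name DNSBLs expect."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def system_resolver(name):
    """Real DNS lookup; NXDOMAIN (address not listed) comes back as None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed(ip, resolver=system_resolver, zone=ZONE):
    """True only for answers in 127.0.0.0/24. Spamhaus reports errors (a typo,
    an open resolver, too many queries) as 127.255.255.x; those are not hits."""
    answer = resolver(dnsbl_query_name(ip, zone))
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in LISTED_RANGE


def load_whitelist(lines):
    """Parse whitelist lines like /etc/spamhaus.wl: one IP or CIDR per line,
    blank lines and '#' comments ignored (assumed format)."""
    nets = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def should_block(method, ip, whitelist=(), resolver=system_resolver):
    """Decision for one request: block only checked methods from listed,
    non-whitelisted clients."""
    if method.upper() not in CHECKED_METHODS:
        return False
    addr = ipaddress.IPv4Address(ip)
    if any(addr in net for net in whitelist):
        return False
    return is_listed(ip, resolver)


# Constructed answer table standing in for DNS: 203.0.113.7 is pretend-listed,
# 192.0.2.50 gets a Spamhaus error code, everything else is NXDOMAIN.
FAKE_ANSWERS = {
    dnsbl_query_name("203.0.113.7"): "127.0.0.4",
    dnsbl_query_name("192.0.2.50"): "127.255.255.254",
}


def fake_resolver(name):
    return FAKE_ANSWERS.get(name)


if __name__ == "__main__":
    wl = load_whitelist(["# trusted office range", "198.51.100.0/24"])
    for method, ip in [("POST", "203.0.113.7"), ("GET", "203.0.113.7"),
                       ("POST", "198.51.100.4"), ("POST", "192.0.2.50")]:
        verdict = "block" if should_block(method, ip, wl, fake_resolver) else "allow"
        print(f"{method} from {ip}: {verdict}")
```

Swap `fake_resolver` for `system_resolver` to query the live zone. Note the error-code handling: treating every 127.x answer as a listing would start blocking all form posts the moment the zone refuses your queries, which is exactly the failure mode to avoid on a production server.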

Summary

Your Apache web server is now better protected from three popular attacks, each of which could take down your server or network. But even with these modules working for you, it's always best to keep a close eye on your Apache log files (which you should find in /var/log/apache2/).

With a diligent eye to preventing attacks and a proactive stance on watching the logs, Apache should serve you well for a very long time.


About

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website getjackd.net.

4 comments
Lester Ingber

I had a problem with your procedure for mod-evasive.load on Ubuntu 12.04:

service apache2 restart

Syntax error on line 2 of /etc/apache2/mods-enabled/mod-evasive.conf:

DOSPageCount takes one argument, Set maximum page hit count per interval

Action 'configtest' failed.

The Apache error log may have more information.


I put the comments on separate lines. I also put the info you suggested to add to mod-evasive.load into a new file mod-evasive.conf:

DOSHashTableSize 2048
# maximum number of requests for the same page
DOSPageCount 20
# total number of requests for any object by the same client IP on the same listener
DOSSiteCount 300
# interval for the page count threshold
DOSPageInterval 1.0
# interval for the site count threshold
DOSSiteInterval 1.0
# time that a client IP will be blocked for
DOSBlockingPeriod 10.0
DOSLogDir /var/log/apache2/evasive
DOSEmailNotify admin...


Does this look OK to you?


Thanks.


Lester


joetron2030

The experienced readers will know what you meant but you have a minor typo:

/ete/apache2/mods-available/mod-evasive.load -> /etc/apache2/mods-available/mod-evasive.load?

jlwallen

@joetron2030 you got that right joetron2030. That slipped by my eyes. Thank you for pointing that out. I believe I need to get a bigger screen or better glasses. ;-)

DT2

@jlwallen @joetron2030 Go with the bigger monitor.  One can't have a monitor that's too big.  Well - I guess you can but I haven't found one yet.  ;-)
