Installation & configuration of mod_evasive in Ubuntu Server 9.04

From its README file:

“Mod_evasive is an evasive maneuvers module for Apache to provide evasive
action in the event of an HTTP DoS or DDoS attack or brute force attack. It
is also designed to be a detection tool, and can be easily configured to talk
to ipchains, firewalls, routers, and etcetera.

Detection is performed by creating an internal dynamic hash table of IP
Addresses and URIs, and denying any single IP address from any of the following:

• Requesting the same page more than a few times per second.
• Making more than 50 concurrent requests on the same child per second.
• Making any requests while temporarily blacklisted (on a blocking list).”

Its installation is quite easy:

apt-get install libapache2-mod-evasive

To configure it, create a directory to place its log files:

mkdir /var/log/apache2/mod_evasive
chown www-data:www-data /var/log/apache2/mod_evasive


Afterwards, create its configuration file with a default content (change “]” and “[" for ">" and "<" respectively):

[ifmodule mod_evasive20.c]
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
DOSLogDir /var/log/apache2/mod_evasive
DOSEmailNotify root@localhost
DOSWhitelist 127.0.0.1
[/ifmodule]

This values should be optimized depending on the use of your server. Here are the params' descriptions:

DOSHashTableSize: Size of the hash table used to store the IPs.

DOSPageCount: Number of pages allowed per DOSPageInterval.

DOSPageInterval: Time in seconds used by DOSPageCount.

DOSSiteCount: Number of objects allowed per DOSSiteInterval.

DOSSiteInterval: Time in seconds used by DOSSiteCount.

DOSBlockingPeriod: Time in seconds that IPs will be banned. If an IP tries to access the server within this period, the count will be restarted.

DOSLogDir: Optional. Directory to store the logs. If not specified, /tmp will be used.

DOSEmailNotify: Optional. Mail where notifications will be sent.

DOSSystemCommand: Optional. Command to execute if an IP is blocked. For example:

DOSSystemCommand "/sbin/iptables -I INPUT -p tcp --dport 80 -s %s -j DROP"

DOSWhitelist: Optional. List of IPs which won't be blocked.

To finish the configuration process, restart Apache:

/etc/init.d/apache2 restart

You can test whether it works using a script included in the deb package:

perl /usr/share/doc/libapache2-mod-evasive/examples/test.pl

How to install & use debtags

Debtags is a command line interface and maintenance tool for debtags’ information. It’s quite useful to search for deb packages with some specific tags.

To install it, run the following command:

apt-get install debtags

Here are some useful options offered by debtags:

• Update all packages’ tags:

  debtags update

• Check debtags’ database:

  debtags selfcheck

• Show tags’ vocabulary:

  debtags tagcat

• Show all tags:

  debtags tagcat | grep Tag: | awk {'print $2;'}

• Show info about a package:

  debtags show package

  Result for debtags show bash:

  Package: bash
Essential: yes
Priority: required
Section: shells
Installed-Size: 1344
Maintainer: Ubuntu Core developers
Original-Maintainer: Matthias Klose
Architecture: amd64
Version: 3.2-5ubuntu1
Replaces: bash-completion (<< 20060301-0), bash-doc (<= 2.05-1) Depends: base-files (>= 2.1.12), debianutils (>= 2.15)
Pre-Depends: libc6 (>= 2.8), libncurses5 (>= 5.6+20071006-3)
Recommends: bash-completion (>= 20060301-0)
Suggests: bash-doc
Conflicts: bash-completion (<< 20060301-0)
Filename: pool/main/b/bash/bash_3.2-5ubuntu1_amd64.deb
Size: 628764
MD5sum: f71c09143a675a8daede1a668ee98941
SHA1: 384ef13302e3f11d49399519fe7231c166d253fc
SHA256: fe15a51dc70b4b0d5ed0556c670ffdf5b0297bb509480f22336684ee156b1d30
Description: The GNU Bourne Again SHell
Bash is an sh-compatible command language interpreter that executes
commands read from the standard input or from a file. Bash also
incorporates useful features from the Korn and C shells (ksh and csh).
.
Bash is ultimately intended to be a conformant implementation of the
IEEE POSIX Shell and Tools specification (IEEE Working Group 1003.2).
.
The Programmable Completion Code, by Ian Macdonald, is now found in
the bash-completion package.
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Origin: Ubuntu
Task: minimal, mythbuntu-backend-master, mythbuntu-backend-slave, mythbuntu-desktop, mythbuntu-frontend

• Show a package’s tags:

  debtags tag ls package

  Result for debtags tag ls bash

  implemented-in::c
interface::shell
role::program
scope::utility
suite::gnu
uitoolkit::ncurses

• Show packets similar or related to a given package:

  debtags related package -d 1

  Result for debtags related bash -d 1

  bash-minimal - The GNU Bourne Again SHell (minimal version)
es - (short description not available)
fish - a friendly interactive shell
tcsh - TENEX C Shell, an enhanced version of Berkeley csh
zsh-beta - A shell with lots of features (dev tree)

More packages are listed if you increment the value of -d.

• Show packages with a given tag::

  debtags search tag

  For example, to obtain IPv6 enabled packages: debtags search tagprotocol::ipv6

• Show packages with no tags:

  debtags todo

• Show stats about packages’ tags:

  debtags stats

  Result for debtags stats in Ubuntu 9.04:

  Total count of packages: 34703
Total count of packages (according to APT): 34703
Total count of packages (according to Debtags): 32603
Number of facets: 30
Number of tags: 578
Number of packages with tags, but no special::not-yet-tagged tags: 24547 (75.3%)
Number of packages with special::not-yet-tagged tags: 8056 (24.7%)
Number of packages with only special::not-yet-tagged tags: 2932 (9.0%)
Number of packages with no tags: 0 (0.0%)

Installing ModSecurity for Apache in Ubuntu Server 9.04

From its web: “ModSecurity is a web application firewall that can work either embedded or as a reverse proxy. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.”

Its installation is simple:

apt-get install libapache-mod-security

To enable ModSecurity in Apache, create the file /etc/apache2/conf.d/mod_security.conf with this content:

(Sorry for the images of the code, but LiveJournal doesn’t allow XML code inside the posts)

Then, make a directory to store the logs generated by ModSecurity:

mkdir /var/log/apache2/mod_security

ln -s /var/log/apache2/mod_security /etc/apache2/logs

After that, download the latest set of rules (called modsecurity-code-rules*.tar.gz).

Afterwards, configure the set of rules:

mkdir /etc/apache2/conf.d/mod_security

cp modsecurity-core-rules* /etc/apache2/conf.d/mod_security/

cd /etc/apache2/conf.d/mod_security

tar xvfz modsecurity-core-rules*

rm CHANGELOG LICENSE README modsecurity-core-rules*.tar.gz


If you want to disable any rule, just create the file /etc/apache2/conf.d/mod_security/modsecurity_crs_99_disabled_rules.conf and tell ModSecurity which rules on which locations you want to disable (you can know rule numbers reading ModSecurity log files in /var/log/apache2/mod_security ). For example:

To let logrotate do its job, replace the first line of /etc/logrotate.d/apache2 with this one:

/var/log/apache2/*.log /var/log/apache2/mod_security/*.log {


Finally, restart your Apache server:

/etc/init.d/apache2 restart

Installing & using etckeeper in Ubuntu 9.04

Etckeeper is a collection of tools to store /etc in a version control system. It allows you to read the changes that have been made to the files in /etc, document these changes and recover a previous version of a modified file in case we made some changes that we don’t want to keep.

Its installation is trivial:

apt-get install etckeeper

By default, Bazaar Distributed Version Control System is used, but you can use Git, Mercurial or Darcs instead. You just have to edit its configuration file (/etc/etckeeper/etckeeper.conf) and uncomment the line with your favorite DVCS (and comment the line VCS=”bzr” if you don’t want to use Bazaar).

To initialize etckeeper use:

etckeeper init

To make your first commit to etckeeper use:

etckeeper commit "Initial commit"

Any time you make a change to any file in /etc and you want to document it, use the previous command with the corresponding explanation.

Changes to /etc before installing new software using dpkg or apt are kept automatically by default. You can change this by editing its configuration file and uncommenting “AVOID_COMMIT_BEFORE_INSTALL=1″. Besides, etckeeper commits changes automatically every day, so if you want to avoid it, uncomment “AVOID_DAILY_AUTOCOMMITS=1″ in its configuration file.

Here are some useful commands to take advantage of etckeeper if you use Bazaar DVCS:

• To show etckeeper’s history:

  bzr log --line /etc

• To show differences between the last version and the current state of /etc:

  bzr diff /etc

• To show changes in version X:

  bzr diff -cX /etc

• To recover version X of a FILE:

  bzr revert -rX /etc/FILE

Ubuntu man pages repository

Reading a lot of man pages and searching through them in a regular basis isn’t always easy. So, if you feel more comfortable using your web browser than using your console, you can use the Ubuntu man pages repository.

You can browse through all the man pages or just search for the command or config file you’re looking for, choosing the Ubuntu release you use. But the most useful option, IMHO, is the search plugin they provide so that you can search from your browser’s bar, without entering this web whenever you want to look for a man page.