Sunday, February 5, 2017

Linux - Hardening Apache2 against DDoS

1. Installation

$ su
$ yum install mod_security mod_evasive
$ ls -l /etc/httpd/conf.d

# Compile and install ModSecurity
$ cd /usr/local/src
$ wget https://www.modsecurity.org/tarball/2.9.1/modsecurity-2.9.1.tar.gz
$ tar zxvf modsecurity-2.9.1.tar.gz
$ cd modsecurity-2.9.1
$ ./autogen.sh
$ ./configure --enable-standalone-module --disable-mlogc
$ make

$ cd /usr/local/src/modsecurity-2.9.1
$ cp modsecurity.conf-recommended /etc/httpd/conf.d/modsecurity.conf
$ cp unicode.mapping /etc/httpd/conf.d/unicode.mapping

# Download the OWASP ModSecurity Core Rule Set (CRS)
$ cd /etc/httpd
$ git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
$ cd owasp-modsecurity-crs
$ cp crs-setup.conf.example crs-setup.conf

2. Configuration

2.1) Edit mod_evasive.conf

$ gedit /etc/httpd/conf.d/mod_evasive.conf

LoadModule evasive20_module modules/mod_evasive24.so

2.2) Edit mod_security.conf

$ gedit /etc/httpd/conf.d/mod_security.conf

LoadModule security2_module modules/mod_security2.so

2.3) Edit httpd.conf

$ gedit /etc/httpd/conf/httpd.conf

<IfModule security2_module>
    Include owasp-modsecurity-crs/crs-setup.conf
    Include owasp-modsecurity-crs/rules/*.conf
</IfModule>

2.4) Create tecmint.conf

$ gedit /etc/httpd/modsecurity.d/tecmint.conf

<IfModule mod_security2.c>
    SecRuleEngine On
    SecRequestBodyAccess On
    SecResponseBodyAccess On
    SecResponseBodyMimeType text/plain text/html text/xml application/octet-stream
    SecDataDir /tmp
</IfModule>

2.5) Edit mod_evasive.conf

$ gedit /etc/httpd/conf.d/mod_evasive.conf

<IfModule mod_evasive24.c>
    DOSHashTableSize    3097
    DOSPageCount        2
    DOSSiteCount        50
    DOSPageInterval     1
    DOSSiteInterval     1
    DOSBlockingPeriod   10
</IfModule>
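To see how these thresholds interact before applying them to a live server, here is an added example (not part of this post and not mod_evasive's own code): a simplified Python model of the documented threshold semantics, replaying constructed traffic against the values above. The counting and timer details of the real module differ, so treat it as a way to reason about the settings, not as an exact reimplementation; the client IPs and URIs are constructed sample data.

```python
# Thresholds copied from the mod_evasive.conf section above
CONF = {"DOSPageCount": 2, "DOSSiteCount": 50, "DOSPageInterval": 1,
        "DOSSiteInterval": 1, "DOSBlockingPeriod": 10}


class EvasiveModel:
    """Simplified model (assumption) of mod_evasive's per-client counters."""

    def __init__(self, conf):
        self.conf = conf
        self.page = {}     # (ip, uri) -> (window_start, hits)
        self.site = {}     # ip -> (window_start, hits)
        self.blocked = {}  # ip -> second at which the block expires

    def _hit(self, table, key, interval, t):
        start, hits = table.get(key, (t, 0))
        if t - start >= interval:   # window expired: start a fresh one
            start, hits = t, 0
        table[key] = (start, hits + 1)
        return hits + 1

    def request(self, ip, uri, t):
        """Return (status, reason) for one request at integer second t."""
        c = self.conf
        if ip in self.blocked and t < self.blocked[ip]:
            self.blocked[ip] = t + c["DOSBlockingPeriod"]  # hits while blocked extend the block
            return 403, "blocked"
        page_hits = self._hit(self.page, (ip, uri), c["DOSPageInterval"], t)
        site_hits = self._hit(self.site, ip, c["DOSSiteInterval"], t)
        if page_hits > c["DOSPageCount"] or site_hits > c["DOSSiteCount"]:
            self.blocked[ip] = t + c["DOSBlockingPeriod"]
            return 403, "page threshold" if page_hits > c["DOSPageCount"] else "site threshold"
        return 200, "ok"


def replay(conf, requests):
    """Replay (ip, uri, t) tuples in order and return the status code per request."""
    model = EvasiveModel(conf)
    return [model.request(ip, uri, t)[0] for ip, uri, t in requests]


# Constructed sample traffic: one client reloads /index.html three times within
# one second (a plain browser refresh is enough with DOSPageCount 2), then returns.
SAMPLE = [
    ("203.0.113.5", "/index.html", 100),
    ("203.0.113.5", "/index.html", 100),
    ("203.0.113.5", "/index.html", 100),   # third hit in 1 s exceeds DOSPageCount 2 -> 403
    ("203.0.113.5", "/style.css", 100),    # still inside DOSBlockingPeriod -> 403
    ("203.0.113.5", "/index.html", 111),   # block expired at 110 -> 200 again
    ("198.51.100.7", "/index.html", 100),  # other clients are unaffected
]

if __name__ == "__main__":
    for req, status in zip(SAMPLE, replay(CONF, SAMPLE)):
        print(status, *req)
```

The replay makes the cost of DOSPageCount 2 visible: a single fast double-refresh plus one more hit blocks a legitimate client for ten seconds, so tune the page and site counts against real access-log traffic before enabling them.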

3. Restart

$ systemctl restart httpd
$ httpd -M | grep -Ei '(evasive|security)'
