
.htaccess, Mod_Security & Mod_Evasive

Mar 1, 2022

Manual on using .htaccess as a security tool, configuring the Mod_Security WAF and the Mod_Evasive anti-DoS module.

1. .htaccess Security Rules

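# Enable mod_rewrite; the RewriteCond/RewriteRule lines below are ignored without it
RewriteEngine On

# Block SQL injections (coarse keyword match on the query string; it also
# rejects legitimate requests that contain these words, e.g. ?action=update)
RewriteCond %{QUERY_STRING} (union|select|insert|drop|update) [NC]
RewriteRule .* - [F]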

# Block malicious bots
RewriteCond %{HTTP_USER_AGENT} (HTTrack|nikto|sqlmap|nmap) [NC]
RewriteRule .* - [F]

# Disable directory listing
Options -Indexes

2. Mod_Security

sudo apt-get install libapache2-mod-security2
sudo a2enmod security2
sudo systemctl restart apache2

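Configure at /etc/modsecurity/modsecurity.conf. On Debian and Ubuntu the package ships this file as modsecurity.conf-recommended, so copy it to modsecurity.conf first; it sets SecRuleEngine DetectionOnly, which logs matches but does not block until changed to On. Key directives: SecRequestBodyAccess (whether request bodies are buffered and inspected), SecRequestBodyLimit (maximum request body size, in bytes, accepted for buffering), SecResponseBodyAccess (whether response bodies are buffered and inspected).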

3. Mod_Evasive

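sudo apt-get install libapache2-mod-evasive

<IfModule mod_evasive20.c>
    # Number of top-level nodes in each child process's hash table
    DOSHashTableSize    2048
    # Requests for the same URI allowed per DOSPageInterval (seconds)
    DOSPageCount        2
    # Requests for any URI from one client allowed per DOSSiteInterval (seconds)
    DOSSiteCount        50
    DOSPageInterval     1
    DOSSiteInterval     1
    # Seconds a blocked client receives 403; each request while blocked resets the timer
    DOSBlockingPeriod   10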
</IfModule>
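
To see what these thresholds mean for real traffic, the following added example (not from the original post and not mod_evasive's own code) runs them over constructed request samples. It assumes a simplified sliding-window model of the documented threshold semantics; the `simulate` function, the sample requests and the IP addresses are hypothetical.

```python
from collections import defaultdict, deque

# Thresholds copied from the <IfModule mod_evasive20.c> block on this page.
CONFIG = {"DOSPageCount": 2, "DOSPageInterval": 1,
          "DOSSiteCount": 50, "DOSSiteInterval": 1,
          "DOSBlockingPeriod": 10}

def simulate(requests, cfg=CONFIG):
    """Return one status (200 or 403) per (time_s, client_ip, uri) request.

    Simplified sliding-window model of the documented threshold semantics,
    not a port of mod_evasive's internal counters. Input must be time-ordered.
    """
    page_hits = defaultdict(deque)  # (ip, uri) -> timestamps inside the page interval
    site_hits = defaultdict(deque)  # ip -> timestamps inside the site interval
    blocked_at = {}                 # ip -> time of the most recent blocked request
    statuses = []
    for t, ip, uri in requests:
        # While blocked, every request gets 403 and restarts the blocking period.
        if ip in blocked_at and t - blocked_at[ip] < cfg["DOSBlockingPeriod"]:
            blocked_at[ip] = t
            statuses.append(403)
            continue
        over = False
        for hits, interval, limit in (
            (page_hits[(ip, uri)], cfg["DOSPageInterval"], cfg["DOSPageCount"]),
            (site_hits[ip], cfg["DOSSiteInterval"], cfg["DOSSiteCount"]),
        ):
            while hits and t - hits[0] >= interval:
                hits.popleft()  # drop hits that have left the window
            hits.append(t)
            over = over or len(hits) > limit
        if over:
            blocked_at[ip] = t
        statuses.append(403 if over else 200)
    return statuses

# Constructed sample traffic (documentation-range IPs, not real logs).
# A user reloads /login three times in half a second, then returns later.
RELOADS = [(0.0, "203.0.113.5", "/login"), (0.2, "203.0.113.5", "/login"),
           (0.4, "203.0.113.5", "/login"), (5.0, "203.0.113.5", "/"),
           (14.9, "203.0.113.5", "/"), (25.0, "203.0.113.5", "/")]
# One page view that pulls 60 distinct assets within 0.6 s.
ASSETS = [(i * 0.01, "198.51.100.7", f"/static/{i}.js") for i in range(60)]

if __name__ == "__main__":
    print("reloads:", simulate(RELOADS))
    print("asset requests refused:", simulate(ASSETS).count(403), "of", len(ASSETS))
```

In this model a third request for the same URI inside one second, or a page view that loads more than 50 objects, locks the client out, and every retry during the block extends it. Compare DOSPageCount and DOSSiteCount against the site's normal per-client request rates (including clients behind a shared NAT address) before relying on these values.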