Apache is the most widely used web server software, followed by NGINX and Microsoft IIS (we do not recommend Microsoft IIS: Microsoft takes part in global mass surveillance, and IIS is not Free/Libre and Open Source Software). Before you start, check your server's response headers with curl; in the output below the Server header leaks the exact Apache version, which is one of the things this guide hides.
$ curl -I http://myunsecureserver.com
HTTP/2 302
date: Thu, 26 Apr 2018 11:48:59 GMT
content-type: text/html; charset=utf-8
vary: Accept-Language, Cookie
location: http://myunsecureserver.com/
content-language: en
server: Apache/2.4.12
ETag: "1320-821a324"
Apache2 supports QoS and rate limiting through mod_qos and mod_ratelimit, and DoS protection through mod_evasive. Install these modules first. We will also set up ModSecurity for Apache2, a web application firewall that blocks SQL injection and other malicious requests by matching them against a rule set (the OWASP Core Rule Set).
$ sudo apt install libapache2-mod-evasive libapache2-mod-qos modsecurity-crs libapache2-mod-security2 lnav
(mod_ratelimit is bundled with the apache2 package itself on Debian/Ubuntu, so there is no separate libapache2-mod-ratelimit package to install; it only needs to be enabled below.)
Edit the /etc/apache2/apache2.conf file and include the lines:
# Include module configuration:
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
Enable the mods if not yet enabled:
$ sudo a2enmod qos
$ sudo a2enmod evasive
$ sudo a2enmod ratelimit
Edit the configuration:
$ sudo nano /etc/apache2/mods-available/qos.conf
<IfModule qos_module>
# number of client IP addresses tracked (must be > 640 and < 1000000):
QS_ClientEntries 650
# minimum request rate (bytes/sec while the request is being read):
QS_SrvRequestRate 120
# maximum concurrent connections for this virtual host:
QS_SrvMaxConn 95
# keep-alive is disabled once the server reaches 96 connections:
QS_SrvMaxConnClose 96
# at most 25 connections from a single IP address, enforced once the server has 30 connections in total:
QS_SrvMaxConnPerIP 25 30
</IfModule>
Modify mod_evasive for DoS protection. It is usually combined with an intrusion prevention system such as Fail2ban, whose configuration we will not cover here.
$ sudo nano /etc/apache2/mods-available/evasive.conf
# size of the hash table that tracks clients:
DOSHashTableSize 3097
# block a client that requests the same page more than 2 times per DOSPageInterval second(s):
DOSPageCount 2
# block a client that makes more than 50 requests to the whole site per DOSSiteInterval second(s):
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
# blocked clients get 403 for this many seconds:
DOSBlockingPeriod 60
# DOSEmailNotify needs an address as its argument; uncomment and set yours to get a mail per blocked IP:
#DOSEmailNotify admin@mysite.com
Tune these values to your own needs. For more information, see the references below.
Edit security.conf (the Header directives need mod_headers, enabled with sudo a2enmod headers):
$ sudo nano /etc/apache2/conf-enabled/security.conf
# ServerTokens Prod shortens the Server header to "Apache" (instead of e.g. Apache/2.4.12),
# ServerSignature Off removes it from error pages, and SecServerSignature (mod_security2)
# rewrites it to "nginx" so the server is misidentified
ServerTokens Prod
ServerSignature Off
SecServerSignature nginx
TraceEnable Off
# deny access to SVN and GIT folders
<DirectoryMatch "/\.svn">
Require all denied
</DirectoryMatch>
<DirectoryMatch "/\.git">
Require all denied
</DirectoryMatch>
# mark every cookie HttpOnly and Secure
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
# OWASP recommended secure headers (can also be applied per site in sites-enabled/*.conf)
Header set X-Content-Type-Options "nosniff"
Header set X-Frame-Options "DENY"
Header set X-XSS-Protection "1; mode=block"
Header set X-Permitted-Cross-Domain-Policies "none"
Header set Referrer-Policy "strict-origin"
# anti-DDoS: drop connections that stay idle for 60 seconds
Timeout 60
# cap request bodies at roughly 1 MB (core Apache; ModSecurity's own SecRequestBodyLimit is set separately)
LimitRequestBody 1024000
MODSECURITY CONFIGURATION
Edit the file and add the following (on Debian/Ubuntu the package ships /etc/modsecurity/modsecurity.conf-recommended; copy it to modsecurity.conf first if that file does not exist yet):
$ sudo nano /etc/modsecurity/modsecurity.conf
# switch from DetectionOnly to blocking
SecRuleEngine On
SecRequestBodyLimit 4194304
SecResponseBodyAccess Off
SecStatusEngine Off
Blocking Bad Bots and User Agents
The configuration depends on your Apache version; for 2.4, I just cloned the entire project directory so I have a backup. Also, be sure to back up your /etc/apache2 directory in case something goes wrong.
$ git clone --depth 1 https://github.com/mitchellkrogza/apache-ultimate-bad-bot-blocker
$ sudo cp -rfv apache-ultimate-bad-bot-blocker/Apache_2.4/custom.d /etc/apache2/
You need to modify the following files in /etc/apache2/custom.d:
whitelist-domains.conf – add your domain names (e.g. mysite.com)
blacklist-ips.conf – add your IP blacklist, taken from an IPS such as fail2ban or from your Apache logs
bad-referrer-words.conf – if you want to block some bad referrer words
blacklist-user-agents.conf – add the bot names you want to keep out of your server (e.g. Binbot, Googlebot)
Here is an example configuration for sites-enabled/default.conf:
<VirtualHost *:443>
ServerName mysite.com
ServerAlias www.mysite.com
DocumentRoot /var/www/html
RewriteEngine On
SSLEngine on
SSLCertificateFile /path/to/signed_certificate_followed_by_intermediate_certs
SSLCertificateKeyFile /path/to/private/key
# Uncomment the following directive when using client certificate authentication
#SSLCACertificateFile /path/to/ca_certs_for_client_authentication
# HSTS (mod_headers is required) (15768000 seconds = 6 months)
Header always set Strict-Transport-Security "max-age=15768000"
# CSP basic config (OWASP): 'self' allows only resources from this origin
# ('all' is not a valid CSP source expression and would leave the policy unusable)
Header set Content-Security-Policy "default-src 'self';"
<Directory "/var/www/html">
# BAD BOT BLOCKER CONFIG
Include /etc/apache2/custom.d/globalblacklist.conf
AllowOverride All
# -Indexes denies directory listing (Apache does not allow a trailing comment after a directive)
Options FollowSymLinks -Indexes
# RATE_LIMIT CONFIG (mod_ratelimit, not mod_qos): bandwidth in KiB/s plus an initial burst
<IfModule mod_ratelimit.c>
SetOutputFilter RATE_LIMIT
SetEnv rate-limit 968
SetEnv rate-initial-burst 1084
</IfModule>
</Directory>
# CUSTOMIZE THE ERROR PAGES: create error.html in the site root, readable by www-data (or apache).
# A full URL here makes Apache answer with a redirect instead of the error status;
# use the local path /error.html if the original status code must be preserved.
ErrorDocument 404 https://mysite.com/error.html
ErrorDocument 400 https://mysite.com/error.html
ErrorDocument 403 https://mysite.com/error.html
ErrorDocument 504 https://mysite.com/error.html
ErrorDocument 500 https://mysite.com/error.html
</VirtualHost>
The TLS settings below go outside the VirtualHost block (SSLStaplingCache in particular is only valid at server level):
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
# modern configuration, tweak to your needs
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
# OCSP Stapling, only in httpd 2.3.3 and later
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)
Finally, run sudo apachectl configtest to catch syntax errors in the files you edited, then restart apache2 using systemctl.
$ sudo systemctl restart apache2
Testing the Apache2 bad bot blocker:
$ curl -A "googlebot" -I http://yourdomain.com
HTTP/2 200
date: Sat, 28 Apr 2018 02:30:26 GMT
content-type: text/html; charset=UTF-8
server: nginx
x-xss-protection: 1; mode=block
content-security-policy: default-src 'all';
x-frame-options: sameorigin
referrer-policy: strict-origin
x-content-type-options: nosniff
$ curl -A "masscan" -I http://yourdomain.com
HTTP/1.1 403
...
Take a look at the Server header: we spoofed it to report nginx instead of Apache. The request with the masscan user agent is rejected with a 403 by the bad bot blocker.
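The manual curl -I checks above can be turned into a repeatable audit. The POSIX shell function below is an added example, not part of the original post: it reads a saved header dump on stdin, flags a Server or X-Powered-By header that still carries a version (what ServerTokens Prod, SecServerSignature and the expose_php=Off setting in the PHP section are meant to remove), and lists the OWASP headers from security.conf that are missing. The two header dumps embedded in it are constructed samples, not captures from a real host.

```shell
#!/bin/sh
# Added example, not from the original post: audit the response headers that
# this guide configures. Sample dumps are constructed, not captured from a server.

# Constructed dump of a hardened host (what `curl -sI https://mysite.com` would print).
SAMPLE_HARDENED="HTTP/2 200
date: Sat, 28 Apr 2018 02:30:26 GMT
server: nginx
x-content-type-options: nosniff
x-frame-options: DENY
x-xss-protection: 1; mode=block
referrer-policy: strict-origin
strict-transport-security: max-age=15768000
content-security-policy: default-src 'self';
"

# Constructed dump of an untouched default install.
SAMPLE_DEFAULT="HTTP/1.1 200 OK
date: Thu, 26 Apr 2018 11:48:59 GMT
server: Apache/2.4.12 (Debian)
x-powered-by: PHP/7.0.30
content-type: text/html; charset=utf-8
"

# Headers the security.conf and VirtualHost sections of this guide add.
REQUIRED_HEADERS="x-content-type-options x-frame-options x-xss-protection referrer-policy strict-transport-security content-security-policy"

# audit_headers: reads a header dump on stdin, prints one FINDING line per
# problem and returns the number of findings (0 means the dump is clean).
audit_headers() {
    # normalise: drop CRs, lower-case header names and values
    dump=$(tr -d '\r' | tr 'A-Z' 'a-z')
    findings=0

    # a "/<digit>" in Server means the product version is exposed
    if printf '%s\n' "$dump" | grep -Eq '^server:.*/[0-9]'; then
        echo "FINDING: Server header exposes a version (ServerTokens Prod / SecServerSignature not in effect)"
        findings=$((findings + 1))
    fi
    # X-Powered-By is only sent while expose_php=On
    if printf '%s\n' "$dump" | grep -q '^x-powered-by:'; then
        echo "FINDING: X-Powered-By leaks the PHP version (set expose_php=Off)"
        findings=$((findings + 1))
    fi
    for h in $REQUIRED_HEADERS; do
        if ! printf '%s\n' "$dump" | grep -q "^$h:"; then
            echo "FINDING: missing $h header"
            findings=$((findings + 1))
        fi
    done
    return $findings
}

# Usage against a live host (network required):
#   curl -sI https://mysite.com | audit_headers
# Offline demo on the constructed default-install sample:
printf '%s' "$SAMPLE_DEFAULT" | audit_headers; echo "findings: $?"
```

The function's return value is the number of findings, so it can gate a deployment script directly; the hardened sample returns 0 and the default-install sample returns 8 (version in Server, X-Powered-By present, six headers missing).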
SECURING PHP
nano: Ctrl+W to search, Ctrl+\ to replace, Ctrl+X to exit
Set the parameters according to your server configuration and your application's recommendations.
$ sudo locate php.ini
$ sudo nano /etc/php/7.0/apache2/php.ini
allow_url_fopen=Off
allow_url_include=Off
file_uploads=Off
session.cookie_httponly=1
session.referrer_check=mysite.com
; memory_limit takes the M suffix, not MB
memory_limit=40M
max_execution_time=30
max_input_time=30
; expose_php=Off stops the X-Powered-By header
expose_php=Off
display_errors=Off
log_errors=On
sql.safe_mode=On
; 1K rejects practically every form post; raise this to what your application needs
post_max_size=1K
; the directive is disable_functions (plural)
disable_functions=exec,shell_exec
cgi.force_redirect=On
open_basedir="/path1:/path2"
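Once php.ini has been edited it is worth checking that the values actually took, since a later duplicate or a commented-out line silently wins or loses. The POSIX shell functions below are an added example, not part of the original post: ini_get_value extracts the last active value of a key the way PHP resolves it, and audit_php_ini compares a file against the hardening values from this section. The php.ini excerpt embedded in it is constructed, and the baseline list covers only the settings that have a single correct value on every server.

```shell
#!/bin/sh
# Added example, not from the original post: compare a php.ini with the
# hardening values set in this section. The ini excerpt below is constructed.

SAMPLE_INI='; constructed php.ini excerpt
[PHP]
expose_php = On
display_errors = Off ; errors go to the log only
;allow_url_fopen = Off
allow_url_include = Off
log_errors = On
session.cookie_httponly = 1
disable_functions = exec,shell_exec
'

# Settings this guide turns off/on and the value each must have.
BASELINE="expose_php=Off display_errors=Off allow_url_fopen=Off allow_url_include=Off log_errors=On session.cookie_httponly=1"

# ini_get_value FILE KEY: prints the last active (uncommented) value of KEY,
# which is the one PHP uses, with trailing ";" comments, whitespace and
# surrounding double quotes stripped. Prints nothing if KEY is not set.
ini_get_value() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" \
        | tail -n 1 \
        | sed 's/;.*$//; s/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//; s/^"\(.*\)"$/\1/'
}

# audit_php_ini FILE: prints one DEVIATION line per baseline setting that is
# unset or has another value (compared case-insensitively) and returns their number.
audit_php_ini() {
    deviations=0
    for want in $BASELINE; do
        key=${want%%=*}
        expect=$(printf '%s' "${want#*=}" | tr 'A-Z' 'a-z')
        have=$(ini_get_value "$1" "$key" | tr 'A-Z' 'a-z')
        if [ "$have" != "$expect" ]; then
            echo "DEVIATION: $key is '${have:-unset}', expected '$expect'"
            deviations=$((deviations + 1))
        fi
    done
    return $deviations
}

# Offline demo; on a live system run: audit_php_ini /etc/php/7.0/apache2/php.ini
tmp=$(mktemp)
printf '%s' "$SAMPLE_INI" > "$tmp"
audit_php_ini "$tmp"; echo "deviations: $?"
rm -f "$tmp"
```

On the constructed excerpt the audit reports two deviations: expose_php is still On, and allow_url_fopen is only present as a comment, so PHP falls back to its default (On) rather than the Off the guide wants.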
VIEWING APACHE LOGS:
$ sudo lnav /var/log/apache2/access.log
$ sudo lnav /var/log/apache2/error.log
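lnav lets you browse the logs interactively; the POSIX shell/awk functions below are an added example, not part of the original post, that do two of the checks a defender wants from those files offline. page_bursts reproduces the mod_evasive DOSPageCount/DOSPageInterval test by hand (more than N requests for the same URI from one client within one second) over combined-format access log lines, and blocked_agents counts the 403 responses per User-Agent to show what the bad bot blocker and mod_evasive turned away. The log lines embedded in it are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post: offline checks over Apache access
# log lines in combined format. The lines below are constructed samples.
SAMPLE_LOG='10.0.0.5 - - [28/Apr/2018:02:30:26 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [28/Apr/2018:02:30:26 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [28/Apr/2018:02:30:26 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [28/Apr/2018:02:30:26 +0000] "POST /login HTTP/1.1" 403 199 "-" "Mozilla/5.0"
10.0.0.9 - - [28/Apr/2018:02:30:26 +0000] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
10.0.0.9 - - [28/Apr/2018:02:30:27 +0000] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Apr/2018:02:31:00 +0000] "GET / HTTP/1.1" 403 199 "-" "masscan/1.0"
203.0.113.7 - - [28/Apr/2018:02:31:05 +0000] "GET /admin HTTP/1.1" 403 199 "-" "masscan/1.0"'

# page_bursts LIMIT: the DOSPageCount check done by hand. Prints
# "<client ip> <uri> <second> <hits>" for every client that requested the
# same URI more than LIMIT times within one second (DOSPageInterval 1).
page_bursts() {
    awk -v limit="$1" '
        {
            sec = substr($4, 2)            # $4 is "[dd/Mon/yyyy:hh:mm:ss"; drop the "["
            hits[$1 " " $7 " " sec]++      # $1 = client ip, $7 = request URI
        }
        END { for (k in hits) if (hits[k] > limit) print k, hits[k] }
    ' | sort
}

# blocked_agents: counts 403 responses per User-Agent, i.e. the requests the
# bad bot blocker (or mod_evasive, which also answers 403) turned away.
blocked_agents() {
    # split on double quotes: $2 = request line, $3 = " <status> <bytes> ", $6 = user agent
    awk -F'"' '
        { split($3, s, " "); if (s[1] == "403") ua[$6]++ }
        END { for (u in ua) print ua[u], u }
    ' | sort -rn
}

# Offline demo; on a live system feed the real file instead, e.g.
#   sudo cat /var/log/apache2/access.log | page_bursts 2
printf '%s\n' "$SAMPLE_LOG" | page_bursts 2
printf '%s\n' "$SAMPLE_LOG" | blocked_agents
```

With the DOSPageCount value of 2 from the evasive.conf above, the sample shows 10.0.0.5 hitting /login four times in the same second (mod_evasive would have blocked it after the second request), while 10.0.0.9, one request per second, passes. The 403 tally puts the masscan user agent first, which is the bad bot blocker doing its job.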
I suggest you read the references for more information.
Except where otherwise noted, this work is licensed under Creative Commons Attribution-ShareAlike 4.0 International License (http://creativecommons.org/licenses/by-sa/4.0/).
I hope that this post is useful to you, if you liked this post you may support me via liberapay. Thank you for your support.
References:
https://httpd.apache.org/docs/trunk/mod/mod_ratelimit.html
https://www.linode.com/docs/web-servers/apache-tips-and-tricks/modevasive-on-apache/
https://github.com/mitchellkrogza/apache-ultimate-bad-bot-blocker/tree/master/Apache_2.4
https://www.modsecurity.org/CRS/Documentation/exceptions.html
https://www.the-art-of-web.com/system/logs/
https://www.owasp.org/index.php/OWASP_Secure_Headers_Project