Apache is the most widely used web server, followed by NGINX and Microsoft IIS (we do not recommend IIS: Microsoft is part of the global mass-surveillance apparatus and IIS is not Free/Libre and Open Source Software). Before starting, check what your server currently reveals in its response headers with curl; in the example below the Server header leaks the exact Apache version, which is the first thing the changes in this post remove.

$ curl -I http://myunsecureserver.com
HTTP/2 302 
date: Thu, 26 Apr 2018 11:48:59 GMT
content-type: text/html; charset=utf-8
vary: Accept-Language, Cookie
location: http://myunsecureserver.com/
content-language: en
server: Apache/2.4.12
ETag: "1320-821a324"

Apache2 gets QoS and rate limiting from mod_qos and mod_ratelimit, and DoS protection from mod_evasive; these modules need to be installed first. We are also going to set up ModSecurity for apache2 with the OWASP Core Rule Set (CRS): a web application firewall that blocks requests matching known attack patterns such as SQL injection. It is a second line of defence in front of the application, not a replacement for fixing the application itself.

$ sudo apt install libapache2-mod-evasive libapache2-mod-qos libapache2-mod-security2 modsecurity-crs lnav

mod_ratelimit is part of the apache2 package itself (mods-available/ratelimit.load), so there is no separate package for it; the same holds for mod_headers, which the Header directives further down need.

Make sure /etc/apache2/apache2.conf contains these lines (Debian's default configuration already has them); they load the per-module files that a2enmod links into mods-enabled:
# Include module configuration:
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf

Enable the modules if they are not enabled yet (headers is needed for the Header directives, rewrite for RewriteEngine and ssl for the TLS virtual host further down):

$ sudo a2enmod qos
$ sudo a2enmod evasive
$ sudo a2enmod ratelimit
$ sudo a2enmod security2
$ sudo a2enmod headers
$ sudo a2enmod rewrite
$ sudo a2enmod ssl

Edit the configuration:

$ sudo nano /etc/apache2/mods-available/qos.conf

<IfModule qos_module>
  # number of client IP addresses the module keeps state for (raise it on busy servers):
  QS_ClientEntries 650

  # minimum request rate (bytes/sec while the request is being read);
  # slower clients, slowloris style, are dropped:
  QS_SrvRequestRate  120

  # maximum concurrent connections for this virtual host
  # (keep it below MaxRequestWorkers in the MPM configuration):
  QS_SrvMaxConn      95

  # keep-alive is disabled once this many connections are open; it has to be
  # lower than QS_SrvMaxConn, otherwise it never takes effect:
  QS_SrvMaxConnClose  80

  # allows at most 25 connections from a single IP address:
  QS_SrvMaxConnPerIP  25
</IfModule>

 

Next configure mod_evasive for DoS protection. It is usually paired with an intrusion prevention tool such as Fail2ban, whose configuration we do not cover here.

$ sudo nano /etc/apache2/mods-available/evasive.conf

<IfModule mod_evasive20.c>
    # size of the per-child hash table that holds the client counters
    DOSHashTableSize    3097
    # block a client that requests the same page more than 2 times within a 1-second interval
    DOSPageCount        2
    DOSPageInterval     1
    # or that sends more than 50 requests to the whole site within a 1-second interval
    DOSSiteCount        50
    DOSSiteInterval     1
    # blocked clients get 403 for this many seconds; the period restarts on every further request
    DOSBlockingPeriod   60
    # DOSEmailNotify takes exactly one argument (a mailbox). Left empty, as in many
    # copied examples, it makes apachectl configtest fail and Apache refuse to start.
    #DOSEmailNotify     admin@mysite.com
</IfModule>

Tune these values to your own traffic. For more information see the references below.

Edit the security.conf

$ sudo nano /etc/apache2/conf-enabled/security.conf

# Server banner. ServerTokens Prod shrinks the header from "Apache/2.4.12" to
# "Apache" and ServerSignature Off drops the footer from Apache-generated error
# pages. SecServerSignature is a ModSecurity directive (mod_security2 must be
# loaded); it overwrites the banner string in place, which is why the
# ModSecurity manual asks for ServerTokens Full. "nginx" is shorter than
# "Apache", so it also fits under Prod. Verify with curl -I afterwards: the
# Server header should read "nginx".
ServerTokens Prod
ServerSignature Off
SecServerSignature nginx

# HTTP TRACE echoes the request, headers included, back to the client.
TraceEnable Off

# Deny access to version-control metadata inside the document root.
<DirectoryMatch "/\.svn">
   Require all denied
</DirectoryMatch>
<DirectoryMatch "/\.git">
   Require all denied
</DirectoryMatch>

# Add HttpOnly and Secure to cookies that do not already carry them. The
# simpler ^(.*)$ form appends the flags a second time when the application
# already sets them.
Header always edit Set-Cookie (?i)^((?:(?!;\s?HttpOnly).)+)$ "$1; HttpOnly"
Header always edit Set-Cookie (?i)^((?:(?!;\s?Secure).)+)$ "$1; Secure"

# OWASP recommended secure headers. "always" makes them apply to error
# responses (403, 404, ...) as well, which a plain "Header set" skips; the
# header name takes no trailing colon. These can also be applied in the
# individual sites-enabled/*.conf files.
Header always set X-Content-Type-Options "nosniff"
# use SAMEORIGIN instead of DENY if the site frames its own pages
Header always set X-Frame-Options "DENY"
# legacy browser XSS filter; current browsers ignore it and OWASP now recommends "0"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Permitted-Cross-Domain-Policies "none"
Header always set Referrer-Policy "strict-origin"

# Connection timeout in seconds (default 300). A lower value limits how long a
# slow client can occupy a worker; mod_reqtimeout is the finer tool against
# slow-header attacks.
Timeout 60

# Core Apache limit on request bodies (bytes). ModSecurity has its own
# SecRequestBodyLimit (set below); the lower of the two applies.
LimitRequestBody 1024000
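The following is an added example, not part of the original post, that automates the curl check from the start of the post against the header settings above: it reads a raw header dump (the output of curl -sI) and flags a Server banner that still names Apache or a version, any hardening header that is missing, a Content-Security-Policy that uses the invalid 'all' keyword, and Set-Cookie headers lacking HttpOnly or Secure. The function and sample names (audit_headers, sample_unhardened, sample_hardened) are my own, and the two samples are constructed header dumps, not captures from a real server.

```shell
#!/bin/sh
# Added example (not from the original post): audit a response-header dump for
# a leaking Server banner, missing hardening headers, an invalid CSP source and
# cookies without HttpOnly/Secure. Usage: curl -sI https://yourdomain.com | audit_headers

# Headers every response should carry; names are matched case-insensitively.
REQUIRED_HEADERS="strict-transport-security content-security-policy x-content-type-options x-frame-options referrer-policy"

# audit_headers: reads raw headers on stdin, prints one finding per line,
# returns 0 when nothing was flagged and 1 otherwise.
audit_headers() {
    tr -d '\r' | awk -v required="$REQUIRED_HEADERS" -v badcsp="'all'" '
    BEGIN { n = split(required, want, " "); bad = 0 }
    /^[A-Za-z0-9-]+:/ {
        name = tolower($1); sub(/:$/, "", name)
        value = $0; sub(/^[^:]*:[ \t]*/, "", value)
        hdr[name] = value
        # Every Set-Cookie line is checked on its own (there may be several).
        if (name == "set-cookie") {
            lv = tolower(value)
            if (lv !~ /httponly/ || lv !~ /secure/) {
                print "cookie without HttpOnly/Secure: " value; bad = 1
            }
        }
    }
    END {
        # "Apache/2.4.12", or any "/<digit>", is a product/version leak.
        if (("server" in hdr) && hdr["server"] ~ /[Aa]pache|\/[0-9]/) {
            print "server banner leaks product/version: " hdr["server"]; bad = 1
        }
        for (i = 1; i <= n; i++)
            if (!(want[i] in hdr)) { print "missing header: " want[i]; bad = 1 }
        # The quoted keyword all is not a CSP source expression; browsers discard it.
        if (("content-security-policy" in hdr) && index(hdr["content-security-policy"], badcsp) > 0) {
            print "invalid CSP source " badcsp ": " hdr["content-security-policy"]; bad = 1
        }
        exit bad
    }'
}

# Constructed sample: what an unhardened server answers (mirrors the first curl in the post).
sample_unhardened() {
    printf '%s\n' \
        'HTTP/1.1 200 OK' \
        'Date: Thu, 26 Apr 2018 11:48:59 GMT' \
        'Server: Apache/2.4.12' \
        'Content-Type: text/html; charset=utf-8' \
        'Set-Cookie: PHPSESSID=c0ffee; path=/' \
        "Content-Security-Policy: default-src 'all';"
}

# Constructed sample: the same server after the security.conf changes.
sample_hardened() {
    printf '%s\n' \
        'HTTP/2 200' \
        'server: nginx' \
        'strict-transport-security: max-age=15768000' \
        "content-security-policy: default-src 'self';" \
        'x-content-type-options: nosniff' \
        'x-frame-options: DENY' \
        'referrer-policy: strict-origin' \
        'set-cookie: PHPSESSID=c0ffee; path=/; HttpOnly; Secure'
}
```

Run it after every restart: sample_unhardened | audit_headers lists five problems and exits 1, sample_hardened | audit_headers prints nothing and exits 0, so the exit status alone is enough for a cron job or a deployment check.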


MODSECURITY CONFIGURATION

Debian ships ModSecurity's configuration as a template only, so copy it into place before editing:

$ sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
$ sudo nano /etc/modsecurity/modsecurity.conf

 # the template defaults to DetectionOnly, which logs matches but never blocks
 SecRuleEngine On
 # largest request body ModSecurity buffers for inspection (bytes); larger ones are rejected
 SecRequestBodyLimit 4194304
 # do not buffer and inspect response bodies (saves memory; no outbound data-leak rules)
 SecResponseBodyAccess Off
 # do not send usage statistics to the ModSecurity project
 SecStatusEngine Off

The OWASP Core Rule Set from the modsecurity-crs package is loaded by the security2.conf that comes with the module (it includes /usr/share/modsecurity-crs/*.load). Confirm the module is active:

$ apachectl -M | grep security2

Run with SecRuleEngine DetectionOnly first and review the audit log (SecAuditLog in the same file) for false positives on your own application before switching to On; the CRS exceptions documentation in the references explains how to exclude individual rules for a URL or parameter.

Blocking Bad Bots and User Agents

The blocker's files differ per Apache version; for 2.4 clone the repository (keeping the clone gives you a backup of the upstream files) and copy its custom.d directory into /etc/apache2. Back up /etc/apache2 first in case something goes wrong.

$ git clone --depth 1 https://github.com/mitchellkrogza/apache-ultimate-bad-bot-blocker

$ sudo cp -rfv apache-ultimate-bad-bot-blocker/Apache_2.4/custom.d /etc/apache2/

 

Then edit the following files in /etc/apache2/custom.d:
whitelist-domains.conf – your own domain names (e.g. mysite.com), so that referrals from them are never blocked
blacklist-ips.conf – IP addresses to block, for example those reported by fail2ban or found in your Apache logs
bad-referrer-words.conf – words that mark a referrer as spam, if you want to block on them
blacklist-user-agents.conf – additional user agents to keep out of your server (e.g. Bingbot or Googlebot, if you really want to exclude those crawlers)
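As an added example (not from the original post, nor from mod_evasive or the bad-bot blocker), the following script replays mod_evasive's two thresholds over an Apache combined-format access log, so you can see which addresses would have been blocked and paste them into blacklist-ips.conf or a fail2ban jail. abusive_ips and sample_log are names I chose; the sample log lines are constructed, using the documentation address ranges 203.0.113.0/24 and 198.51.100.0/24.

```shell
#!/bin/sh
# Added example (not from the original post): find the source IPs that would trip
# mod_evasive's DOSPageCount / DOSSiteCount thresholds in an access log.
# Usage: abusive_ips [PAGE_MAX] [SITE_MAX] < /var/log/apache2/access.log

# abusive_ips: reads combined-format log lines on stdin and prints one line per
# offender, "<ip> page <hits> <second> <path>" when the same path was requested
# more than PAGE_MAX times within one second (DOSPageCount with DOSPageInterval 1),
# or "<ip> site <hits> <second>" when more than SITE_MAX requests of any kind
# arrived within one second (DOSSiteCount with DOSSiteInterval 1).
# The defaults are the evasive.conf values from the post.
abusive_ips() {
    page_max="${1:-2}"
    site_max="${2:-50}"
    awk -v page_max="$page_max" -v site_max="$site_max" '
    {
        ip = $1
        ts = $4; sub(/^\[/, "", ts)   # "[28/Apr/2018:02:30:26" -> "28/Apr/2018:02:30:26"
        path = $7                     # request line is "GET /path HTTP/1.1"
        site[ip SUBSEP ts]++
        page[ip SUBSEP ts SUBSEP path]++
    }
    END {
        for (k in site) if (site[k] > site_max) {
            split(k, p, SUBSEP); print p[1], "site", site[k], p[2]
        }
        for (k in page) if (page[k] > page_max) {
            split(k, p, SUBSEP); print p[1], "page", page[k], p[2], p[3]
        }
    }' | sort
}

# Constructed sample: a login brute-force burst from one address (three hits on
# /wp-login.php in the same second) next to normal browsing from another.
sample_log() {
    printf '%s\n' \
        '203.0.113.7 - - [28/Apr/2018:02:30:26 +0000] "POST /wp-login.php HTTP/1.1" 200 2817 "-" "python-requests/2.18"' \
        '198.51.100.9 - - [28/Apr/2018:02:30:26 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"' \
        '203.0.113.7 - - [28/Apr/2018:02:30:26 +0000] "POST /wp-login.php HTTP/1.1" 200 2817 "-" "python-requests/2.18"' \
        '203.0.113.7 - - [28/Apr/2018:02:30:26 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "python-requests/2.18"' \
        '203.0.113.7 - - [28/Apr/2018:02:30:26 +0000] "POST /wp-login.php HTTP/1.1" 200 2817 "-" "python-requests/2.18"' \
        '198.51.100.9 - - [28/Apr/2018:02:30:27 +0000] "GET /about.html HTTP/1.1" 200 1200 "-" "Mozilla/5.0"'
}
```

With the defaults, sample_log | abusive_ips reports only 203.0.113.7 for /wp-login.php (three hits in one second, above DOSPageCount 2); its four requests in that second stay far below DOSSiteCount 50, which is why the site threshold is meant for floods rather than targeted brute force. Lower the second argument (abusive_ips 2 3) and the same address is also reported on the site counter.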

Here is an example configuration for sites-enabled/default.conf:

<VirtualHost *:443>
    ServerName mysite.com
    ServerAlias www.mysite.com
    DocumentRoot /var/www/html
    RewriteEngine On

    SSLEngine on
    SSLCertificateFile      /path/to/signed_certificate_followed_by_intermediate_certs
    SSLCertificateKeyFile   /path/to/private/key

    # Uncomment the following directive when using client certificate authentication
    #SSLCACertificateFile    /path/to/ca_certs_for_client_authentication

    # HSTS (mod_headers is required) (15768000 seconds = 6 months)
    Header always set Strict-Transport-Security "max-age=15768000"

    # CSP basic config (OWASP). 'all' is not a valid source expression and
    # browsers discard it; 'self' allows scripts, styles and images only from
    # this origin. Loosen individual directives (script-src, img-src, ...) as
    # the application needs.
    Header always set Content-Security-Policy "default-src 'self';"

    # Not wrapped in <IfModule mod_qos.c>: nothing in here depends on mod_qos,
    # and an IfModule around it would silently drop the bad-bot blacklist and
    # -Indexes if the module were missing.
    <Directory "/var/www/html">
        # BAD BOT BLOCKER CONFIG
        Include /etc/apache2/custom.d/globalblacklist.conf

        AllowOverride All
        # -Indexes denies directory listing
        Options FollowSymLinks -Indexes

        # RATE_LIMIT CONFIG (mod_ratelimit): rate-limit is the bandwidth per
        # connection in KiB/s, rate-initial-burst the KiB sent unthrottled
        # before the limit kicks in (httpd 2.4.24 and later)
        <IfModule mod_ratelimit.c>
            SetOutputFilter RATE_LIMIT
            SetEnv rate-limit 968
            SetEnv rate-initial-burst 1084
        </IfModule>
    </Directory>

    # CUSTOMIZE THE ERROR PAGES. Create error.html in the site root, readable
    # by www-data. Use a local path: given a full URL, Apache answers with a
    # 302 redirect to that page, so the client never sees the real 403/404/500.
    ErrorDocument 400 /error.html
    ErrorDocument 403 /error.html
    ErrorDocument 404 /error.html
    ErrorDocument 500 /error.html
    ErrorDocument 504 /error.html
</VirtualHost>

The TLS settings come from the Mozilla SSL configuration generator (https://mozilla.github.io/server-side-tls/ssl-config-generator/), "modern" profile; tweak them to your needs. SSLStaplingCache is only valid in the server (global) context, so put this block in mods-available/ssl.conf or the main configuration rather than inside the VirtualHost:

SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder     on
SSLCompression          off
SSLSessionTickets       off

# OCSP Stapling, only in httpd 2.3.3 and later
SSLUseStapling          on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache        shmcb:/var/run/ocsp(128000)

Finally, check the configuration for syntax errors (a bad directive would otherwise take the server down on restart) and restart apache2 using systemctl:

$ sudo apachectl configtest
$ sudo systemctl restart apache2

Testing Apache2 bad bot blocker:

$ curl -A "googlebot" -I http://yourdomain.com
HTTP/2 200
date: Sat, 28 Apr 2018 02:30:26 GMT
content-type: text/html; charset=UTF-8
server: nginx
x-xss-protection: 1; mode=block
content-security-policy: default-src 'all'; 
x-frame-options: sameorigin
referrer-policy: strict-origin
x-content-type-options: nosniff


$ curl -A "masscan" -I http://yourdomain.com
HTTP/1.1 403 ...

Look at the Server header: it reports nginx instead of Apache, the spoofed banner from SecServerSignature, and the masscan user agent is refused with a 403 by the blacklist.

SECURING PHP

nano: Ctrl+W to search, Ctrl + \ to replace, Ctrl + X to exit

Set the parameters based on your server configuration and the application's recommendations; a value that is too strict breaks the application rather than hardening it.

$ sudo locate php.ini
$ sudo nano /etc/php/7.0/apache2/php.ini

allow_url_fopen=Off
allow_url_include=Off
file_uploads=Off                ; only when the application never accepts uploads
session.cookie_httponly=1
session.cookie_secure=1         ; session cookie only over HTTPS, matching the Header edit above
session.referrer_check=mysite.com
memory_limit=40M                ; PHP understands only the K, M and G suffixes; "40MB" does not mean 40 megabytes
max_execution_time=30
max_input_time=30
expose_php=Off                  ; no X-Powered-By header
display_errors=Off              ; errors go to the log, never to the visitor
log_errors=On
sql.safe_mode=On                ; removed in PHP 7.2; ignored on newer versions
post_max_size=1K                ; 1 KB rejects nearly every form; set it to what your forms need (at least upload_max_filesize)
disable_functions=exec,shell_exec,system,passthru,popen,proc_open   ; plural; a misspelled "disable_function" is silently ignored
cgi.force_redirect=On
open_basedir="/path1:/path2"    ; restrict file access to the application's own directories
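Added example, not part of the original post: a check that reads a php.ini and reports directives still at their development values, plus the two mistakes that silently defeat the intent (a size suffix PHP does not understand, and the misspelled disable_function). check_php_ini and the two sample_ini_* fragments are my own names and constructed input, not real php.ini files.

```shell
#!/bin/sh
# Added example (not from the original post): verify the hardened php.ini
# values above. Usage: check_php_ini < /etc/php/7.0/apache2/php.ini

# check_php_ini: reads php.ini text on stdin, prints one finding per line,
# returns 0 when every checked directive has the hardened value and 1 otherwise.
check_php_ini() {
    awk '
    # PHP accepts On/Off, 1/0, true/false, yes/no; fold them to on/off.
    function norm(v) {
        v = tolower(v)
        if (v == "0" || v == "false" || v == "no" || v == "") return "off"
        if (v == "1" || v == "true" || v == "yes") return "on"
        return v
    }
    BEGIN {
        want["expose_php"] = "off";        want["display_errors"] = "off"
        want["log_errors"] = "on";         want["allow_url_fopen"] = "off"
        want["allow_url_include"] = "off"; want["session.cookie_httponly"] = "on"
        want["session.cookie_secure"] = "on"
        bad = 0
    }
    /^[ \t]*;/ || /^[ \t]*$/ { next }          # comments, blank lines
    /=/ {
        key = $0; sub(/[ \t]*=.*/, "", key); gsub(/^[ \t]+/, "", key)
        val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]*;.*/, "", val); gsub(/"/, "", val)
        seen[key] = norm(val)
        # Sizes take K, M or G (or -1 for unlimited); "40MB" is not 40 megabytes.
        if (key ~ /^(memory_limit|post_max_size|upload_max_filesize)$/ && val !~ /^(-1|[0-9]+[KkMmGg]?)$/) {
            print key " has invalid size \"" val "\" (use a K, M or G suffix)"; bad = 1
        }
        if (key == "disable_function") {
            print "disable_function is ignored by PHP; the directive is disable_functions"; bad = 1
        }
    }
    END {
        for (k in want) {
            if (!(k in seen)) { print k " not set (want " want[k] ")"; bad = 1 }
            else if (seen[k] != want[k]) { print k "=" seen[k] " (want " want[k] ")"; bad = 1 }
        }
        exit bad
    }'
}

# Constructed php.ini fragment with the usual leftovers from development.
sample_ini_weak() {
    printf '%s\n' \
        '[PHP]' \
        '; development settings left in place' \
        'expose_php = On' \
        'display_errors = On' \
        'log_errors = On' \
        'memory_limit = 40MB' \
        'disable_function = exec,shell_exec' \
        'allow_url_fopen = Off'
}

# Constructed php.ini fragment with the hardened values from the post.
sample_ini_hardened() {
    printf '%s\n' \
        'expose_php=Off' \
        'display_errors=Off' \
        'log_errors=On' \
        'allow_url_fopen=Off' \
        'allow_url_include=Off' \
        'session.cookie_httponly=1' \
        'session.cookie_secure=1' \
        'memory_limit=40M ; 40 megabytes' \
        'disable_functions=exec,shell_exec,system,passthru,popen,proc_open'
}
```

The check only reports; it does not rewrite php.ini. Run it against the file the web SAPI actually reads (php --ini lists them, and the apache2/php.ini and cli/php.ini copies differ), because a hardened CLI configuration does nothing for requests served through Apache.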

VIEWING APACHE LOGS:

$ sudo lnav /var/log/apache2/access.log
$ sudo lnav /var/log/apache2/error.log

I suggest you read the references for more information.

 

Except where otherwise noted, this work is licensed under Creative Commons Attribution-ShareAlike 4.0 International License (http://creativecommons.org/licenses/by-sa/4.0/).
I hope that this post is useful to you, if you liked this post you may support me via liberapay. Thank you for your support.


References:

https://httpd.apache.org/docs/trunk/mod/mod_ratelimit.html

https://www.linode.com/docs/web-servers/apache-tips-and-tricks/modevasive-on-apache/

https://github.com/mitchellkrogza/apache-ultimate-bad-bot-blocker/tree/master/Apache_2.4

https://www.modsecurity.org/CRS/Documentation/exceptions.html

https://www.the-art-of-web.com/system/logs/

https://www.owasp.org/index.php/OWASP_Secure_Headers_Project