This shows you the differences between two versions of the page.
linux:secure_apache [2017/03/29 15:04] admin |
linux:secure_apache [2017/03/29 15:10] (current) admin |
Line 171: | Line 171: | ||
mod_evasive works very efficiently, it takes one request to process and processes it very well. It prevents DDOS attacks from doing as much damage. This feature of mod_evasive enables it to handle the HTTP brute force and Dos or DDos attack. This module detects attacks with three methods. | mod_evasive works very efficiently, it takes one request to process and processes it very well. It prevents DDOS attacks from doing as much damage. This feature of mod_evasive enables it to handle the HTTP brute force and Dos or DDos attack. This module detects attacks with three methods. | ||
- | If so many requests come to a same page in a few times per second. | + | * If so many requests come to a same page in a few times per second. |
- | If any child process trying to make more than 50 concurrent requests. | + | * If any child process trying to make more than 50 concurrent requests. |
- | If any IP still trying to make new requests when its temporarily blacklisted. | + | * If any IP still trying to make new requests when its temporarily blacklisted. |
mod_evasive can be installed directly from the source. Here, we have an Installation and setup guide of these modules which will help you to set up these Apache modules in your Linux box. | mod_evasive can be installed directly from the source. Here, we have an Installation and setup guide of these modules which will help you to set up these Apache modules in your Linux box. | ||
- | Protect Apache using Mod_Security and Mod_evasive | + | |
- | 8. Disable Apache’s following of Symbolic Links | + | ===== 8. Disable Apache’s following of Symbolic Links ===== |
By default Apache follows symlinks, we can turn off this feature with FollowSymLinks with Options directive. And to do so we need to make the following entry in main configuration file. | By default Apache follows symlinks, we can turn off this feature with FollowSymLinks with Options directive. And to do so we need to make the following entry in main configuration file. | ||
+ | <code bash> | ||
Options -FollowSymLinks | Options -FollowSymLinks | ||
+ | </code> | ||
And, if any particular user or website need FollowSymLinks enable, we can simply write a rule in “.htaccess” file from that website. | And, if any particular user or website need FollowSymLinks enable, we can simply write a rule in “.htaccess” file from that website. | ||
+ | <code bash> | ||
# Enable symbolic links | # Enable symbolic links | ||
Options +FollowSymLinks | Options +FollowSymLinks | ||
+ | </code> | ||
Note: To enable rewrite rules inside “.htaccess” file “AllowOverride All” should be present in the main configuration globally. | Note: To enable rewrite rules inside “.htaccess” file “AllowOverride All” should be present in the main configuration globally. | ||
- | 9. Turn off Server Side Includes and CGI Execution | + | ===== 9. Turn off Server Side Includes and CGI Execution ===== |
We can turn off server side includes (mod_include) and CGI execution if not needed and to do so we need to modify main configuration file. | We can turn off server side includes (mod_include) and CGI execution if not needed and to do so we need to modify main configuration file. | ||
+ | <code bash> | ||
Options -Includes | Options -Includes | ||
Options -ExecCGI | Options -ExecCGI | ||
- | We can do this for a particular directory too with Directory tag. Here In this example, we are turning off Includes and Cgi file executions for “/var/www/html/web1” directory. | + | </code> |
+ | We can do this for a particular directory too with Directory tag. Here In this example, we are turning off Includes and Cgi file executions for “**/var/www/html/web1**” directory. | ||
+ | <code bash> | ||
<Directory "/var/www/html/web1"> | <Directory "/var/www/html/web1"> | ||
Options -Includes -ExecCGI | Options -Includes -ExecCGI | ||
- | </Directory> | + | </Directory |
+ | </code>> | ||
Here are some other values with can be turned On or off with Options directive. | Here are some other values with can be turned On or off with Options directive. | ||
- | Options All – To enable All options at once. This is the default value, If you don’t want specify any values explicitly in Apache conf file or .htaccess. | + | * Options All – To enable All options at once. This is the default value, If you don’t want specify any values explicitly in Apache conf file or .htaccess. |
- | Options IncludesNOEXEC – This option allows server side includes without the execute permission to a command or cgi files. | + | * Options IncludesNOEXEC – This option allows server side includes without the execute permission to a command or cgi files. |
- | Options MultiViews – Allows content negotiated multiviews with mod_negotiation module. | + | * Options MultiViews – Allows content negotiated multiviews with mod_negotiation module. |
- | Options SymLinksIfOwnerMatch – It’s similar to FollowSymLinks. But, this will follow only when the owner is the same between the link and the original directory to which it is linked. | + | * Options SymLinksIfOwnerMatch – It’s similar to FollowSymLinks. But, this will follow only when the owner is the same between the link and the original directory to which it is linked. |
- | 10. Limit Request Size | + | |
+ | ===== 10. Limit Request Size ===== | ||
By default Apache has no limit on the total size of the HTTP request i.e. unlimited and when you allow large requests on a web server its possible that you could be a victim of Denial of service attacks. We can Limit the requests size of an Apache directive “LimitRequestBody” with the directory tag. | By default Apache has no limit on the total size of the HTTP request i.e. unlimited and when you allow large requests on a web server its possible that you could be a victim of Denial of service attacks. We can Limit the requests size of an Apache directive “LimitRequestBody” with the directory tag. | ||
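Review bot: the closing bracket of `</Directory>` has migrated past the code fence in the right-hand revision: the block now ends with `</Directory` followed by `</code>>`, so the rendered snippet loses its `>` and a stray `>` shows up after the block. Swap them so the three lines read `    Options -Includes -ExecCGI`, `</Directory>`, `</code>`. Minor style point for the same hunk: the snippets are httpd.conf directives, not shell, so `<code bash>` gives misleading highlighting; `<code apache>` (if the wiki's highlighter supports it) or a plain `<code>` describes the content better.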
Line 210: | Line 223: | ||
Here in this example, user_uploads is a directory which contains files uploaded by users. We are putting a limit of 500K for this. | Here in this example, user_uploads is a directory which contains files uploaded by users. We are putting a limit of 500K for this. | ||
+ | <code bash> | ||
<Directory "/var/www/myweb1/user_uploads"> | <Directory "/var/www/myweb1/user_uploads"> | ||
LimitRequestBody 512000 | LimitRequestBody 512000 | ||
</Directory> | </Directory> | ||
- | 11. Protect DDOS attacks and Hardening | + | </code> |
+ | ===== 11. Protect DDOS attacks and Hardening ===== | ||
Well, it’s true that you cannot completely protect your web site from DDos attacks. Here are some directives which can help you to have a control on it. | Well, it’s true that you cannot completely protect your web site from DDos attacks. Here are some directives which can help you to have a control on it. | ||
- | TimeOut : This directive allows you to set the amount of time the server will wait for certain events to complete before it fails. Its default value is 300 secs. It’s good to keep this value low on those sites which are subject to DDOS attacks. This value totally depends on kind of request you are getting on your website. Note: It could pose problems with come CGI scripts. | + | * TimeOut : This directive allows you to set the amount of time the server will wait for certain events to complete before it fails. Its default value is 300 secs. It’s good to keep this value low on those sites which are subject to DDOS attacks. This value totally depends on kind of request you are getting on your website. Note: It could pose problems with come CGI scripts. |
- | MaxClients : This directive allows you to set the limit on connections that will be served simultaneously. Every new connection will be queued up after this limit. It is available with Prefork and Worker both MPM. The default value of it is 256. | + | * MaxClients : This directive allows you to set the limit on connections that will be served simultaneously. Every new connection will be queued up after this limit. It is available with Prefork and Worker both MPM. The default value of it is 256. |
- | KeepAliveTimeout : Its the amount of time the server will wait for a subsequent request before closing the connection. Default value is 5 secs. | + | * KeepAliveTimeout : Its the amount of time the server will wait for a subsequent request before closing the connection. Default value is 5 secs. |
- | LimitRequestFields : It helps us to set a limit on the number of HTTP request’s header fields that will be accepted from the clients. Its default value is 100. It is recommended to lower this value if DDos attacks are occurring as a result of so many http request headers. | + | * LimitRequestFields : It helps us to set a limit on the number of HTTP request’s header fields that will be accepted from the clients. Its default value is 100. It is recommended to lower this value if DDos attacks are occurring as a result of so many http request headers. |
- | LimitRequestFieldSize : It helps us to set a size limit on the HTTP Request header. | + | * LimitRequestFieldSize : It helps us to set a size limit on the HTTP Request header. |
- | 12. Enable Apache Logging | + | ===== 12. Enable Apache Logging ===== |
Apache allows you to logging independently of your OS logging. It is wise to enable Apache logging, because it provides more information, such as the commands entered by users that have interacted with your Web server. | Apache allows you to logging independently of your OS logging. It is wise to enable Apache logging, because it provides more information, such as the commands entered by users that have interacted with your Web server. | ||
- | To do so you need to include the mod_log_config module. There are three main logging-related directives available with Apache. | + | To do so you need to include the **mod_log_config** module. There are three main logging-related directives available with Apache. |
- | TransferLog: Creating a log file. | + | * TransferLog: Creating a log file. |
- | LogFormat : Specifying a custom format. | + | * LogFormat : Specifying a custom format. |
- | CustomLog : Creating and formatting a log file. | + | * CustomLog : Creating and formatting a log file. |
You can also use them for a particular website it you are doing Virtual hosting and for that you need to specify it in the virtual host section. For example, here is the my website virtual host configuration with logging enabled. | You can also use them for a particular website it you are doing Virtual hosting and for that you need to specify it in the virtual host section. For example, here is the my website virtual host configuration with logging enabled. | ||
+ | <code bash> | ||
<VirtualHost *:80> | <VirtualHost *:80> | ||
DocumentRoot /var/www/html/example.com/ | DocumentRoot /var/www/html/example.com/ | ||
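Review bot: the new list markup is fine; while these items are being re-marked anyway, the carried-over typos could be fixed in the same pass: the TimeOut item says "come CGI scripts" for "some CGI scripts", the KeepAliveTimeout item "Its the amount of time" for "It's the amount of time", and the logging paragraph "Apache allows you to logging" for "Apache allows you to log". Nothing in the added markup itself is wrong.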
Line 240: | Line 258: | ||
CustomLog /var/log/httpd/example.com_access_log combined | CustomLog /var/log/httpd/example.com_access_log combined | ||
</VirtualHost> | </VirtualHost> | ||
- | 13. Securing Apache with SSL Certificates | + | </code> |
+ | |||
+ | ===== 13. Securing Apache with SSL Certificates ===== | ||
Last, but not the least SSL certificates, you can secure your all the communication in an encrypted manner over the Internet with SSL certificate. Suppose you have a website in which people login by proving their Login credentials or you have an E- Commerce website where people provides their bank details or Debit/Credit card details to purchase products, by default your web server send these details in plain – text format but when you use SSL certificates to your websites, Apache sends all this information in encrypted text. | Last, but not the least SSL certificates, you can secure your all the communication in an encrypted manner over the Internet with SSL certificate. Suppose you have a website in which people login by proving their Login credentials or you have an E- Commerce website where people provides their bank details or Debit/Credit card details to purchase products, by default your web server send these details in plain – text format but when you use SSL certificates to your websites, Apache sends all this information in encrypted text. | ||
You can purchase SSl certificates from So many different SSL providers like namecheap.com. If you are running a very small web business and do not willing to purchase an SSL certificate you can still assign a Self signed certificate to your website. Apache uses the mod_ssl module to support SSL certificate. | You can purchase SSl certificates from So many different SSL providers like namecheap.com. If you are running a very small web business and do not willing to purchase an SSL certificate you can still assign a Self signed certificate to your website. Apache uses the mod_ssl module to support SSL certificate. | ||
+ | <code bash> | ||
# openssl genrsa -des3 -out example.com.key 1024 | # openssl genrsa -des3 -out example.com.key 1024 | ||
# openssl req -new -key example.com.key -out exmaple.csr | # openssl req -new -key example.com.key -out exmaple.csr | ||
# openssl x509 -req -days 365 -in example.com.com.csr -signkey example.com.com.key -out example.com.com.crt | # openssl x509 -req -days 365 -in example.com.com.csr -signkey example.com.com.key -out example.com.com.crt | ||
+ | </code> | ||
+ | |||
Once your certificate has been created and signed. Now you need to add this in Apache configuration. Open main configuration file with vim editor and add the following lines and restart the service. | Once your certificate has been created and signed. Now you need to add this in Apache configuration. Open main configuration file with vim editor and add the following lines and restart the service. | ||
+ | <code bash> | ||
<VirtualHost 172.16.25.125:443> | <VirtualHost 172.16.25.125:443> | ||
SSLEngine on | SSLEngine on | ||
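Review bot: the three openssl commands in the new `<code bash>` block do not chain: step 1 writes `example.com.key`, step 2 writes `exmaple.csr` (typo), but step 3 reads `example.com.com.csr` and `example.com.com.key`, so it fails with a missing-file error when run as written. Use one base name throughout, e.g. `example.com.key`, `example.com.csr`, `example.com.crt`. Two further points a reader copying this block will hit: `genrsa ... 1024` produces a 1024-bit RSA key, which current browsers and CAs reject, so 2048 is the practical minimum; and `-des3` passphrase-protects the key, so httpd will prompt for the passphrase at every start, which should either be stated in the text or avoided by dropping `-des3` for an unattended server.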
Line 261: | Line 286: | ||
CustomLog /var/log/httpd/example.com-access_log common | CustomLog /var/log/httpd/example.com-access_log common | ||
</VirtualHost> | </VirtualHost> | ||
+ | </code> | ||
Open up your browser, type https://example.com, and you will be able to see the new self-signed certificate. | Open up your browser, type https://example.com, and you will be able to see the new self-signed certificate. | ||
These are few security tips that you can use to secure your Apache web server installation. For more useful security tips and ideas, see the official online documentation of Apache HTTP Server. | These are few security tips that you can use to secure your Apache web server installation. For more useful security tips and ideas, see the official online documentation of Apache HTTP Server. |