
Straightforward security enhancements for your apache2 webserver

If, like me, you've got a scrappy Linux host lying around to run a few websites, you're probably interested in taking its security up a notch from the standard install. Assuming you're running the very common combination of apache2 and iptables, the sections below point to some surprisingly straightforward configuration tweaks that improve the security of your webserver.


Add HTTPS with Let's Encrypt

If it's been a while since you've looked into certificates, you may be surprised to learn you can get them for free from Let's Encrypt. There are many guides around, but it is well and truly time to join the HTTPS-only movement. Once the certificate is installed, redirect all plain HTTP traffic to HTTPS and check that renewal is automated: Let's Encrypt certificates are only valid for 90 days, so certbot's renewal timer needs to be running.
https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-18-04

SSH Cipher gardening

You're probably already using SSH keys, have disabled password login and are running denyhosts or fail2ban. However, have you ever considered reducing the ciphers, MACs and key-exchange algorithms your server accepts to just the strongest ones? Even a current OpenSSH still offers some SHA-1 based MACs and Diffie-Hellman groups by default, and an older one may offer CBC ciphers too. Test your server at https://sshcheck.com/ and then update your sshd config (see also https://infosec.mozilla.org/guidelines/openssh). Keep an existing session open while you restart sshd, in case a typo locks you out.
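Here is an added example (not from the original post) of the check I run before and after editing the config. It compares the algorithms sshd actually negotiates, as reported by `sshd -T`, against the Mozilla "modern" server allow-lists, which I have reproduced from memory here and which you should verify against the Mozilla page, then prints the three config lines that pin the server to those lists. The `sshd -T` output embedded below is constructed for the example; on a real host feed it `$(sudo sshd -T)` instead.

```shell
#!/bin/sh
# Added example (not from the original post): audit the algorithms sshd
# negotiates against the Mozilla "modern" OpenSSH server list (reproduced from
# memory - verify against infosec.mozilla.org/guidelines/openssh) and emit the
# sshd_config lines that restrict the server to that list.

# Allow-lists, space-separated so the shell can loop over them.
ALLOWED_CIPHERS="chacha20-poly1305@openssh.com aes256-gcm@openssh.com aes128-gcm@openssh.com aes256-ctr aes192-ctr aes128-ctr"
ALLOWED_MACS="hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com umac-128-etm@openssh.com hmac-sha2-512 hmac-sha2-256 umac-128@openssh.com"
ALLOWED_KEX="curve25519-sha256@libssh.org ecdh-sha2-nistp521 ecdh-sha2-nistp384 ecdh-sha2-nistp256 diffie-hellman-group-exchange-sha256"

# weak_algos KEYWORD ALLOWLIST DUMP
#   KEYWORD is a lowercase `sshd -T` keyword (ciphers, macs, kexalgorithms).
#   DUMP is the text of `sshd -T`, which prints the effective value of every
#   option after defaults are applied, so it is more reliable than reading
#   sshd_config by hand. Prints one line per enabled algorithm that is not
#   on the allow-list.
weak_algos() {
    keyword=$1; allowed=$2; dump=$3
    enabled=$(printf '%s\n' "$dump" | awk -v k="$keyword" '$1 == k { print $2 }')
    old_ifs=$IFS; IFS=,
    for algo in $enabled; do
        case " $allowed " in
            *" $algo "*) ;;                 # on the allow-list: fine
            *) printf '%s\n' "$algo" ;;     # anything else gets reported
        esac
    done
    IFS=$old_ifs
}

# The sshd_config lines that pin the server to the allow-lists above.
# Ubuntu 18.04's OpenSSH 7.6 has no Include directive, so append these to
# /etc/ssh/sshd_config itself, then run `sshd -t` before restarting.
hardened_sshd_config() {
    printf 'Ciphers %s\n'       "$(printf '%s' "$ALLOWED_CIPHERS" | tr ' ' ',')"
    printf 'MACs %s\n'          "$(printf '%s' "$ALLOWED_MACS"    | tr ' ' ',')"
    printf 'KexAlgorithms %s\n' "$(printf '%s' "$ALLOWED_KEX"     | tr ' ' ',')"
}

# Constructed sample of `sshd -T` output from a server still offering legacy
# algorithms. On a real host: weak_algos ciphers "$ALLOWED_CIPHERS" "$(sudo sshd -T)"
SAMPLE_SSHD_T='port 22
ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,chacha20-poly1305@openssh.com
macs hmac-sha1,hmac-sha2-256-etm@openssh.com,hmac-md5
kexalgorithms curve25519-sha256@libssh.org,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1'

audit_sample() {
    for kw in ciphers macs kexalgorithms; do
        case $kw in
            ciphers) allow=$ALLOWED_CIPHERS ;;
            macs)    allow=$ALLOWED_MACS ;;
            *)       allow=$ALLOWED_KEX ;;
        esac
        weak_algos "$kw" "$allow" "$SAMPLE_SSHD_T" | sed "s/^/weak $kw: /"
    done
}

audit_sample
echo '--- lines to append to /etc/ssh/sshd_config ---'
hardened_sshd_config
```

Run it once before the change to see what the server is currently willing to negotiate, apply the three lines, `sshd -t`, restart, and run it again against the fresh `sshd -T` output: the weak list should be empty. Remember that clients on very old OpenSSH or embedded devices may no longer be able to connect once the CBC ciphers and SHA-1 groups are gone.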



HTTPS Header additions

There are a couple of decent free online test sites for webservers, such as those at SSLLabs, Pentest Tools or Immuniweb. Part of the score comes from security response headers (Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Content-Security-Policy and the like), so one way to improve it is to configure those extra headers in Apache, using this guide.
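As an added example (my own, not the guide's code), here is the header set those scanners look for as an Apache conf snippet, plus a small checker that takes the header block of a response (what `curl -sI https://your.host/` prints) and lists which of the expected headers are missing. The response embedded below is constructed; the file path and `a2enconf` name are my choices.

```shell
#!/bin/sh
# Added example (not from the original post or the linked guide): the security
# response headers scanners check for, as an Apache snippet, plus a checker
# that reports which ones a captured response lacks.

# Prints a conf snippet for /etc/apache2/conf-available/security-headers.conf.
# Tighten Content-Security-Policy to your actual site before deploying: the
# 'self'-only policy below breaks any page that loads scripts or CSS from a CDN.
security_headers_conf() {
    cat <<'EOF'
# /etc/apache2/conf-available/security-headers.conf
# Enable with: sudo a2enmod headers && sudo a2enconf security-headers
#              && sudo apachectl configtest && sudo systemctl reload apache2
# Hide the Apache version in the Server header and error pages.
ServerTokens Prod
ServerSignature Off
<IfModule mod_headers.c>
    # "always" also sets the header on 4xx/5xx responses, which plain "set" does not.
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Content-Security-Policy "default-src 'self'; frame-ancestors 'self'"
    # HSTS is only sent over TLS. Browsers that see it refuse plain HTTP for
    # max-age (two years here), so be sure HTTPS works for every hostname first.
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains" "expr=%{HTTPS} == 'on'"
</IfModule>
EOF
}

# Header names are case-insensitive (RFC 7230), so everything is compared lower-case.
REQUIRED_HEADERS="strict-transport-security x-content-type-options x-frame-options referrer-policy content-security-policy"

# missing_headers RESPONSE
#   RESPONSE is the header block of an HTTPS response. Prints one line per
#   required header that is absent; prints nothing when all are present.
missing_headers() {
    # Strip CRs, drop the status line (no colon), keep the lower-cased field name.
    present=$(printf '%s\n' "$1" | tr -d '\r' | awk -F: 'NF > 1 { print tolower($1) }')
    for h in $REQUIRED_HEADERS; do
        printf '%s\n' "$present" | grep -qxF "$h" || printf '%s\n' "$h"
    done
}

# Constructed response from a host that has HSTS and nosniff but nothing else.
# On a real host: missing_headers "$(curl -sI https://your.host/)"
SAMPLE_RESPONSE='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2018 00:00:00 GMT
Server: Apache
Strict-Transport-Security: max-age=63072000; includeSubDomains
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=UTF-8'

security_headers_conf
echo '--- headers missing from the sample response ---'
missing_headers "$SAMPLE_RESPONSE"
```

Deploy the snippet, reload Apache, and run the checker against a real response; an empty list means the online scanners will stop complaining about headers, and you can then start tightening the CSP for your actual pages.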


DDoS Protection with IPTables

Have you already got your iptables config to the point where you have a -j DROP catch-all at the end? If not, this guide is a true education in iptables, TCP and DDoS - follow its recommendations. Bear in mind that rules on the host itself can only shed the cheap part of a flood (malformed packets, SYN floods, one misbehaving source); an attack that saturates your uplink has to be absorbed upstream.
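To make the shape of such a rule set concrete, here is an added example of my own baseline for a small web host (it is not the rule set from the guide, whose specifics I have not reproduced). It ends in the -j DROP catch-all the post mentions, with conntrack, scan-flag and per-source rate-limit rules in front of it. It is a dry run by default and only prints the commands; `IPT=iptables` (as root) applies them. The rate and connection limits are my choices for a low-traffic host, not tuned values.

```shell
#!/bin/sh
# Added example (my own baseline, not the rules from the guide the post links):
# an INPUT chain for a web host that ends in the "-j DROP catch-all" the post
# mentions, with conntrack and rate-limit rules in front of it that shed the
# cheap parts of a flood. Dry run by default; IPT=iptables ./rules.sh applies it.
IPT=${IPT:-"echo iptables"}

# Port sshd listens on; override if you moved it.
SSH_PORT=${SSH_PORT:-22}

apply_rules() {
    # Keep the policy ACCEPT while rebuilding so a failure half-way through
    # cannot lock out the ssh session we are typing in; the last rule does the dropping.
    $IPT -P INPUT ACCEPT
    $IPT -F INPUT

    $IPT -A INPUT -i lo -j ACCEPT
    # Packets conntrack cannot tie to any connection: bogus flag combinations,
    # out-of-window segments, debris from SYN floods. Drop before anything else.
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    # Traffic belonging to connections already tracked is the bulk of legitimate
    # load, so accept it early and cheaply.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # A new TCP connection must begin with a SYN; anything else claiming to be
    # new is a scan or spoofed.
    $IPT -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
    # NULL and XMAS scans.
    $IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    $IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    # Per-source SYN rate limit: a browser opens a handful of connections per
    # page load; one address sustaining more than 30 SYN/s is not a browser.
    $IPT -A INPUT -p tcp --syn -m hashlimit --hashlimit-name syn_flood \
        --hashlimit-mode srcip --hashlimit-above 30/sec --hashlimit-burst 60 -j DROP
    # Cap the connections a single address may hold open to the web ports
    # (slowloris-style attacks hold many idle connections from one source).
    $IPT -A INPUT -p tcp -m multiport --dports 80,443 -m connlimit --connlimit-above 100 \
        -j REJECT --reject-with tcp-reset
    # Ping is handy for diagnostics but need not be unlimited.
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/sec --limit-burst 10 -j ACCEPT

    # The services this host actually offers.
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT

    # Everything not matched above.
    $IPT -A INPUT -j DROP
}

apply_rules
```

Review the printed commands, apply them from a session you can afford to lose while a second session stays open, then check that new ssh and HTTPS connections still work before saving with `iptables-save` (the iptables-persistent package reloads the saved set at boot). The hashlimit and connlimit numbers should be raised for a busy site behind a NAT, where many users share one source address.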

Application-Level firewall with Modsecurity

Your apache logs are likely full of obvious scans from botnets looking for an easy way in. Public webservers have to have the port open, but you can still block these requests at a higher level than your firewall, inside the web server itself. On Ubuntu 18.04:
sudo apt-get install libapache2-mod-security2 modsecurity-crs
sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
sudo apachectl configtest
sudo systemctl restart apache2


and you'll have installed a powerful Apache module (ModSecurity) together with the OWASP Core Rule Set, a regularly updated collection of patterns that match common exploit requests (the Ubuntu package is a point-in-time snapshot of those rules; newer releases come from the project itself). The recommended config starts in detection-only mode (SecRuleEngine DetectionOnly), so nothing is blocked yet: matches are written to /var/log/apache2/modsec_audit.log. Read all the options thoroughly, watch that log for a while for false positives against your own sites, and when ready change SecRuleEngine to On to block those requests.
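The one edit that turns logging into blocking is the SecRuleEngine line, and it is worth doing carefully. The following is an added example (not from the original post): it reads the current mode from a config file and flips DetectionOnly to On by writing a temporary file and renaming it, so a half-written config never gets loaded. It runs against a constructed stand-in for /etc/modsecurity/modsecurity.conf so it can be tried without root; the real commands are in the comments.

```shell
#!/bin/sh
# Added example (not from the original post): switch ModSecurity from the
# logging-only mode the recommended config ships with to blocking, operating
# on whatever file is passed in so it can be rehearsed on a copy first.

# modsec_mode CONF: print the effective SecRuleEngine value (DetectionOnly|On|Off).
# The last occurrence wins, as it does for Apache.
modsec_mode() {
    awk '$1 == "SecRuleEngine" { mode = $2 } END { print mode }' "$1"
}

# enable_blocking CONF: rewrite "SecRuleEngine DetectionOnly" to "SecRuleEngine On".
# Writes a temp file and renames it so a partial write never replaces the config.
# Returns non-zero (and changes nothing) if the file has no such line.
enable_blocking() {
    conf=$1
    grep -q '^SecRuleEngine DetectionOnly$' "$conf" || return 1
    sed 's/^SecRuleEngine DetectionOnly$/SecRuleEngine On/' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Constructed stand-in for /etc/modsecurity/modsecurity.conf, shaped like the
# lines of modsecurity.conf-recommended that matter here.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
SecRuleEngine DetectionOnly
SecRequestBodyAccess On
SecAuditEngine RelevantOnly
SecAuditLog /var/log/apache2/modsec_audit.log
EOF

BEFORE_MODE=$(modsec_mode "$demo_conf")
enable_blocking "$demo_conf"
AFTER_MODE=$(modsec_mode "$demo_conf")
echo "before: $BEFORE_MODE"
echo "after:  $AFTER_MODE"
rm -f "$demo_conf"

# On the real host, once the audit log has been clean of false positives for a while:
#   sudo sed -i 's/^SecRuleEngine DetectionOnly$/SecRuleEngine On/' /etc/modsecurity/modsecurity.conf
#   sudo apachectl configtest && sudo systemctl reload apache2
#   grep '^SecRuleEngine' /etc/modsecurity/modsecurity.conf
```

After reloading, send yourself an obviously hostile request, for example a query string containing a script tag, and confirm it now gets a 403 rather than a 200 with an entry in modsec_audit.log. If a legitimate page of yours is blocked, the audit log entry names the rule id, which you can disable for that path with a SecRuleRemoveById in your own config rather than by turning the engine off again.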
