
Straightforward security enhancements for your apache2 webserver

If, like me, you've got a scrappy Linux host lying around to run a few websites, you're probably interested in taking its security up a notch from the standard install. Assuming you're running the highly common apache2 and iptables, the sections below link to some surprisingly straightforward configuration tweaks that improve the security of your webserver.


Add HTTPS with Let's Encrypt

If it's been a while since you've looked into certificates, you may be surprised to learn you can get them for free from Let's Encrypt. There are many guides around, but it is well and truly time to join the HTTPS-only movement:
https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-18-04

SSH Cipher gardening

You're probably already using SSH keys, have disabled password login and are using denyhosts or fail2ban. However, have you ever considered reducing the set of ciphers your server accepts to just the most secure ones? Test your server at https://sshcheck.com/ and then update your sshd config (see also: https://infosec.mozilla.org/guidelines/openssh).
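Before cutting the list down, it helps to know exactly which legacy algorithms your current sshd_config still allows. The script below is an added example (not part of the original post): it audits the Ciphers, MACs and KexAlgorithms directives of a config file against a "legacy" list that is an assumption loosely following the Mozilla OpenSSH guidelines linked above, and runs against two constructed sample configs.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for legacy
# algorithms before restricting it, so you know what the change removes.
# The "legacy" lists below are an assumption loosely following the Mozilla
# OpenSSH guidelines; adjust them to your own policy.

LEGACY_CIPHERS='3des-cbc arcfour arcfour128 arcfour256 blowfish-cbc cast128-cbc aes128-cbc aes192-cbc aes256-cbc'
LEGACY_MACS='hmac-md5 hmac-md5-96 hmac-sha1 hmac-sha1-96 umac-64@openssh.com hmac-md5-etm@openssh.com hmac-sha1-etm@openssh.com'
LEGACY_KEX='diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1'

# Print the value of the first uncommented occurrence of a directive
# (sshd keywords are case-insensitive).  Usage: directive_value FILE KEYWORD
directive_value() {
  awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Report every legacy algorithm enabled by one directive.  An absent directive
# is reported too, because sshd then falls back to its compiled-in default
# list, which on older releases still includes legacy entries.
# Returns 0 when clean, 1 when something needs attention.
check_directive() {
  cd_file=$1; cd_key=$2; cd_legacy=$3; cd_status=0
  cd_value=$(directive_value "$cd_file" "$cd_key")
  if [ -z "$cd_value" ]; then
    echo "$cd_key: not set, compiled-in defaults apply"
    return 1
  fi
  for cd_alg in $cd_legacy; do
    case ",$cd_value," in
      *",$cd_alg,"*) echo "$cd_key: legacy algorithm enabled: $cd_alg"; cd_status=1 ;;
    esac
  done
  return $cd_status
}

# Audit Ciphers, MACs and KexAlgorithms in one config file.
audit_sshd_config() {
  a_status=0
  check_directive "$1" Ciphers "$LEGACY_CIPHERS" || a_status=1
  check_directive "$1" MACs "$LEGACY_MACS" || a_status=1
  check_directive "$1" KexAlgorithms "$LEGACY_KEX" || a_status=1
  return $a_status
}

# Constructed sample configs: a permissive one and a restricted one.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
Port 22
Ciphers aes256-ctr,aes128-cbc,3des-cbc
MACs hmac-sha2-256,hmac-sha1
# KexAlgorithms left unset on purpose
EOF

HARDENED_CFG=$(mktemp)
cat > "$HARDENED_CFG" <<'EOF'
Port 22
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
EOF

echo "== weak config =="
audit_sshd_config "$WEAK_CFG" || echo "(needs attention)"
echo "== hardened config =="
audit_sshd_config "$HARDENED_CFG" && echo "(clean)"
# On a real host: audit_sshd_config /etc/ssh/sshd_config, edit the file, then
# run `sudo sshd -t` to validate the syntax, and keep your current session
# open while you restart sshd and confirm a fresh login still works.
```

The `sshd -t` step and the open session are the important part: a typo in an algorithm list can stop sshd from starting, and a list that is too strict can lock out an older client before you notice.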



HTTPS Header additions

There are a couple of decent free online test sites for webservers, such as those at SSLLabs, Pentest Tools or Immuniweb. One way to improve your score is to configure some extra HTTPS response headers, using this guide.
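As an added example (not from the original post or the guide it refers to), here is a baseline set of response headers for apache2 together with a small checker that reports which of them a captured response is missing. The header values and the conf-available path are assumptions for a simple static site on Debian/Ubuntu; the Content-Security-Policy in particular has to be tuned per site, since a value this strict will break pages that load scripts or fonts from elsewhere.

```shell
#!/bin/sh
# Added example (not from the original post): a baseline set of security
# response headers for apache2 plus a checker for which ones a response lacks.
# Header values are an assumption for a simple static site; tune the CSP.

# Apache configuration fragment (needs mod_headers: `sudo a2enmod headers`).
# Writing it to conf-available lets you enable it with a2enconf and remove it
# again without touching the vhost files.  Usage: write_security_headers_conf FILE
write_security_headers_conf() {
  cat > "$1" <<'EOF'
# Added security headers; "always" also covers error responses.
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Content-Security-Policy "default-src 'self'; frame-ancestors 'self'"
EOF
}

# Headers a hardened response should carry (comparison is case-insensitive).
EXPECTED_HEADERS='strict-transport-security x-content-type-options x-frame-options referrer-policy content-security-policy'

# Print each expected header absent from a file of raw response headers
# (for a live site: curl -sI https://example.com > headers.txt).
# Returns 0 when nothing is missing, 1 otherwise.
missing_security_headers() {
  msh_present=$(awk -F: 'NF > 1 { gsub(/^[ \t]+/, "", $1); print tolower($1) }' "$1")
  msh_status=0
  for msh_name in $EXPECTED_HEADERS; do
    echo "$msh_present" | grep -qx "$msh_name" || { echo "missing: $msh_name"; msh_status=1; }
  done
  return $msh_status
}

# Constructed sample responses: a default apache2 reply and a hardened one.
BEFORE=$(mktemp); AFTER=$(mktemp)
cat > "$BEFORE" <<'EOF'
HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
EOF
cat > "$AFTER" <<'EOF'
HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache
Strict-Transport-Security: max-age=63072000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
Content-Security-Policy: default-src 'self'; frame-ancestors 'self'
Content-Type: text/html; charset=UTF-8
EOF

echo "== before =="; missing_security_headers "$BEFORE" || true
echo "== after ==";  missing_security_headers "$AFTER" && echo "all present"
# Deploy on the host (assumed Debian/Ubuntu layout), then re-run the checker
# against `curl -sI` output before going back to the online test sites:
#   write_security_headers_conf /etc/apache2/conf-available/security-headers.conf
#   sudo a2enmod headers && sudo a2enconf security-headers
#   sudo apachectl configtest && sudo systemctl reload apache2
```

Start with Strict-Transport-Security only after HTTPS is working everywhere on the domain: once browsers have seen it, they will refuse plain HTTP for the whole max-age.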


DDoS Protection with IPTables

Have you already got your IPTables config to the point where you have a -j DROP catch-all at the end? This guide is a true education in iptables, TCP and DDoS - follow its recommendations.
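To make the "catch-all DROP" point concrete, the script below is an added example (not from the original post or the guide it refers to): it emits a minimal ruleset for a web host in iptables-restore format, ending in an unconditional DROP, and includes a check that tells you whether a given ruleset actually has such a catch-all. The open ports, connection limit and ICMP rate are assumptions for a small site; review them before applying.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal iptables-restore
# ruleset for a web host that ends in a catch-all DROP, plus a check that a
# ruleset really has one.  Ports and limits are assumptions for a small site.

# Emit the ruleset in iptables-restore format.
generate_ruleset() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and already-established flows first, so the cheap checks win.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# New TCP connections must start with SYN; drop nonsense flag combinations.
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# Cap simultaneous connections per source address to the web ports.
-A INPUT -p tcp -m multiport --dports 80,443 -m connlimit --connlimit-above 100 --connlimit-mask 32 -j DROP
# Services we actually offer.
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
# Explicit catch-all, so a later policy change cannot silently open the host.
-A INPUT -j DROP
COMMIT
EOF
}

# Exit 0 if the INPUT chain of a ruleset (iptables-restore format on stdin)
# either has policy DROP or ends in an unconditional "-j DROP" rule.
ruleset_has_catchall() {
  awk '
    /^:INPUT/   { policy = $2 }
    /^-A INPUT/ { last = $0 }
    END {
      if (policy == "DROP" || last == "-A INPUT -j DROP") exit 0
      exit 1
    }'
}

# Constructed contrast: a ruleset with policy ACCEPT and no catch-all.
OPEN_RULES=$(mktemp)
cat > "$OPEN_RULES" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
EOF

generate_ruleset | ruleset_has_catchall && echo "generated ruleset: catch-all present"
ruleset_has_catchall < "$OPEN_RULES" || echo "open ruleset: no catch-all"
# Apply on the host only after a syntax check, from a session you can keep
# open if something goes wrong:
#   generate_ruleset > /tmp/rules.v4 && sudo iptables-restore --test /tmp/rules.v4
#   sudo iptables-restore /tmp/rules.v4
#   (persist with the iptables-persistent package or your distro's equivalent)
```

Rule order matters: the ESTABLISHED,RELATED accept sits near the top so that the bulk of legitimate traffic is matched by one cheap rule, and the flag-sanity and connlimit rules only ever see new connections. Keeping both a DROP policy and an explicit final DROP is deliberate redundancy.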

Application-Level firewall with Modsecurity

Your apache logs are likely full of obvious scans from botnets looking for an easy way in. Public webservers have to have the port open, but you can still block these requests at a higher level than your firewall. On Ubuntu 18.04:
sudo apt-get install libapache2-mod-security2 modsecurity-crs
sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
sudo systemctl restart apache2


and you'll have installed a powerful apache module (modsecurity) with frequently updated patterns that match common exploit requests (the OWASP Core Rule Set). Read all the options thoroughly, and when you're ready, set it to block those requests rather than just log them.
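The step from "detecting" to "blocking" is a one-line change, but before making it you want to know which rules have been firing on your real traffic, so you are not about to block something legitimate. The script below is an added example (not from the original post): it flips SecRuleEngine in a copy of modsecurity.conf and summarises ModSecurity events per rule id from an apache error log. The log lines are constructed samples in the ModSecurity 2.x error-log format, and the rule ids and messages in them are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post): switch ModSecurity from
# DetectionOnly to blocking, and summarise which rules have been firing in the
# apache error log so you know what the switch will start blocking.
# Log lines below are constructed samples; rule ids/messages are illustrative.

# Flip SecRuleEngine in a modsecurity.conf, keeping a .bak copy.
# Returns 0 only if the file now reads "SecRuleEngine On".
# Usage: enable_blocking_mode FILE
enable_blocking_mode() {
  sed -i.bak 's/^SecRuleEngine[[:space:]][[:space:]]*DetectionOnly/SecRuleEngine On/' "$1"
  grep -q '^SecRuleEngine On' "$1"
}

# Count ModSecurity events per rule id in an apache error log and print
# "id count message", most frequent first.  Usage: summarize_modsec_events LOG
summarize_modsec_events() {
  awk '
    /ModSecurity:/ && match($0, /\[id "[0-9]+"\]/) {
      id = substr($0, RSTART + 5, RLENGTH - 7)
      msg = ""
      if (match($0, /\[msg "[^"]*"\]/)) msg = substr($0, RSTART + 6, RLENGTH - 8)
      count[id]++; text[id] = msg
    }
    END { for (id in count) printf "%s %d %s\n", id, count[id], text[id] }
  ' "$1" | sort -k2,2nr -k1,1
}

# Constructed sample error log (addresses are from the documentation range).
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
[Mon Jan 01 10:00:01.000000 2024] [:error] [pid 1001] [client 203.0.113.5:51234] [client 203.0.113.5] ModSecurity: Warning. detected SQLi using libinjection. [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "46"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "example.com"] [uri "/index.php"]
[Mon Jan 01 10:00:02.000000 2024] [:error] [pid 1002] [client 203.0.113.5:51235] File does not exist: /var/www/html/favicon.ico
[Mon Jan 01 10:00:03.000000 2024] [:error] [pid 1003] [client 198.51.100.7:40001] [client 198.51.100.7] ModSecurity: Warning. Matched phrase "nikto" at REQUEST_HEADERS:User-Agent. [file "/usr/share/modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf"] [line "33"] [id "913100"] [msg "Found User-Agent associated with security scanner"] [severity "CRITICAL"] [hostname "example.com"] [uri "/"]
[Mon Jan 01 10:00:04.000000 2024] [:error] [pid 1004] [client 198.51.100.7:40002] [client 198.51.100.7] ModSecurity: Warning. Matched phrase "../" at REQUEST_URI_RAW. [file "/usr/share/modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "30"] [id "930100"] [msg "Path Traversal Attack (/../)"] [severity "CRITICAL"] [hostname "example.com"] [uri "/cgi-bin/"]
[Mon Jan 01 10:00:05.000000 2024] [:error] [pid 1005] [client 203.0.113.9:51300] [client 203.0.113.9] ModSecurity: Warning. detected SQLi using libinjection. [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "46"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "example.com"] [uri "/search"]
EOF

echo "== events per rule =="
summarize_modsec_events "$LOG"

# Demonstrate the switch on a constructed copy rather than the live file.
SAMPLE_CONF=$(mktemp)
printf 'SecRuleEngine DetectionOnly\nSecRequestBodyAccess On\n' > "$SAMPLE_CONF"
enable_blocking_mode "$SAMPLE_CONF" && echo "blocking enabled in $SAMPLE_CONF"
# On the host (as root): summarize_modsec_events /var/log/apache2/error.log,
# review the list, then enable_blocking_mode /etc/modsecurity/modsecurity.conf
# followed by `apachectl configtest && systemctl restart apache2`.
```

If a rule id shows up against your own application's normal requests, look at the matching uri and add an exclusion for that rule before switching to blocking; the summary is cheap to re-run after each change.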
