Skip to main content

Straightforward security enhancements for your apache2 webserver

If, like me, you've got a scrappy Linux host lying around to run a few websites you're probably interested in taking its security up a notch from the standard install. Assuming you're running the highly common apache2 and iptables, see the links below for some surprisingly straightforward configuration tweaks to improve the security of your webserver.


Add HTTPS with Let's Encrypt

If it's been a while since you've looked into certificates, you may be surprised to learn you can get them for free from Let's Encrypt. There are many guides around, but it is well and truly time to join the HTTPS-only movement:
https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-18-04

SSH Cipher gardening

You're probably already using SSH keys, have disabled password login and are using denyhosts or failtoban. However, have you ever considered reducing the number of ciphers your server accepts to just the most secure? Test your server at: https://sshcheck.com/ and then update your SSHD config (see also: https://infosec.mozilla.org/guidelines/openssh)



HTTPS Header additions

There are a couple of decent free online test sites for webservers, such as those at SSLLabs, Pentest Tools or Immuniweb . One way to improve your score is to configure some extra HTTPS headers, using this guide.


DDoS Protection with IPTables

Have you already got your IPTables config to the point where you have a -j DROP catch all at the end? This guide is a true education in iptables, TCP and DDoS - follow its recommendations.

Application-Level firewall with Modsecurity

Your apache logs are likely full of obvious scans from botnets looking for an easy way in. Public webservers have to have the port open, but you can still block these requests at a higher level than your firewall. On Ubuntu 18.04:
sudo apt-get install libapache2-mod-security2 modsecurity-crs
sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
sudo sytstemctl restart apache2


and you'll install a powerful apache module (modsecurity) that has frequently updated patterns that match common exploit requests (OWASP Core Rule Set). Read all the options thoroughly, and when ready set it to block those requests.
Labels:

Comments

Post a Comment

Popular posts from this blog

How to transfer money from Taiwan without going to the bank

We live in a digital age. The Taiwanese banking system ... a little less so. Transferring money overseas typically involves a visit to the bank between 9am and 3pm. You'll queue, fill out an outbound remittance form in duplicate, stamp and sign some things and just generally wait while staff do their best with the unfamiliar procedure. There is another way.* * for transfers < 500,000 TWD, to accounts you've previously set up in a special way :(  Background: Remittance Classifications One of the reasons for the myriad of complicated forms when dealing with foreign exchange in Taiwan is the precise codification of transfer types required by the Central Bank. Your knowledge of the existence of these two documents will boost your standing above that of the average banker: 匯出匯款之分類及說明  Code and Description of Outward Remittance Classification 匯入匯款之分類及說明 Code and Description of Inward Remittance Classification These are updated every few years, with new versions fou
Post a Comment
Read more

How to apply for Taiwan's Employment Gold Card

In February 2018, Taiwan launched an "Employment Gold Card",a combination of residence visa and work permit. Aimed to attract more high level professionals, the card has strict application requirements. Here's some information on those and a step-by-step guide on how to apply (see also: official guide ). Do I qualify? You must have worked in one of the below eight fields, and met requirements within the field. This is a very brief unofficial summary not to be relied on - please refer to the supporting document for your field for the official information. Other than law and architecture you only need to meet one of the criteria, and most have a catch-all entry for "other" qualifications as approved by the relevant ministry. Salary references are monthly. This post was updated in October 2019 with to reflect relaxed qualifications in Sport and Culture.   Field Requirements Supporting Documents Science and Technolog
Post a Comment
Read more

How to work with Packages at Taiwan's convenience stores

A service provided by the major convenience store chains in Taiwan is to use their network to send a package from one store to another.  This post is an aggregation of information about working with packages across the various chains.  Family Mart To know when to receive your package, visit the Famiport tracking site , enter the 11-digit tracking number and pay attention to the status, which is listed with the most recent status at the top of the page. You will see the following in order:   訂單成立未寄件  - paperwork completed 已完成寄件 - sent from the origin 貨件前往物流中心 - on the way to the distribution center 貨件抵達物流中心 - at the distribution center    7-Eleven To know when to receive your package, visit the tracking site , enter the tracking number and pay attention to the status .   OK-Mart To know when to receive your package, visit the tracking site and pay attention to the status .   Hi-Life     To know when to receive your package, visit the tracking site and pay attention to the status .
Post a Comment
Read more