
Straightforward security enhancements for your apache2 webserver

If, like me, you've got a scrappy Linux host lying around to run a few websites, you're probably interested in taking its security up a notch from the standard install. Assuming you're running the highly common apache2 and iptables, see the links below for some surprisingly straightforward configuration tweaks to improve the security of your webserver.


Add HTTPS with Let's Encrypt

If it's been a while since you've looked into certificates, you may be surprised to learn you can get them for free from Let's Encrypt. There are many guides around, but it is well and truly time to join the HTTPS-only movement:
https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-18-04

SSH Cipher gardening

You're probably already using SSH keys, have disabled password login and are using denyhosts or fail2ban. However, have you ever considered reducing the number of ciphers your server accepts to just the most secure? Test your server at https://sshcheck.com/ and then update your SSHD config (see also: https://infosec.mozilla.org/guidelines/openssh).
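
To see what your config actually offers before and after the edit, here is an added example (not from the original post) that filters `sshd -T` output against an allowlist. The allowlists are an assumption modelled on the Mozilla guideline linked above, and the sample output is constructed.

```sh
#!/bin/sh
# Added example: list SSH algorithms that fall outside an allowlist.
# Allowlists are assumptions modelled on the Mozilla OpenSSH guideline; edit to taste.
ALLOWED_CIPHERS="chacha20-poly1305@openssh.com aes256-gcm@openssh.com aes128-gcm@openssh.com aes256-ctr aes192-ctr aes128-ctr"
ALLOWED_MACS="hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com umac-128-etm@openssh.com hmac-sha2-512 hmac-sha2-256 umac-128@openssh.com"

# Constructed sample of `sshd -T` output (sshd -T prints keywords in lower case).
SAMPLE_SSHD_T='port 22
ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes128-cbc,3des-cbc
macs hmac-sha2-512-etm@openssh.com,hmac-sha1,hmac-md5
passwordauthentication no'

# weak_algos KEYWORD "ALLOWLIST"
# Reads sshd -T output on stdin and prints, one per line, every algorithm
# configured for KEYWORD that is not in the space-separated allowlist.
weak_algos() {
    keyword=$1
    allowed=" $2 "
    awk -v k="$keyword" '$1 == k { print $2 }' | tr ',' '\n' |
    while IFS= read -r algo; do
        [ -n "$algo" ] || continue
        case "$allowed" in
            *" $algo "*) ;;                    # on the allowlist, stay quiet
            *) printf '%s\n' "$algo" ;;        # everything else gets reported
        esac
    done
}

# Demo on the constructed sample.
# On a real host: sudo sshd -T | weak_algos ciphers "$ALLOWED_CIPHERS"
printf '%s\n' "$SAMPLE_SSHD_T" | weak_algos ciphers "$ALLOWED_CIPHERS"
printf '%s\n' "$SAMPLE_SSHD_T" | weak_algos macs "$ALLOWED_MACS"
```

Anything it prints is a candidate for removal from the `Ciphers` or `MACs` line in your SSHD config; an empty result means the server only offers allowlisted algorithms.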



HTTPS Header additions

There are a couple of decent free online test sites for webservers, such as those at SSL Labs, Pentest Tools or ImmuniWeb. One way to improve your score is to configure some extra HTTPS headers, using this guide.
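
For a quick local check between runs of the online scanners, here is an added example (not from the original post or the linked guide) that reads a `curl -sI` response and reports which security headers are absent. The header list in `WANTED` is an assumption about what such guides typically cover, and the sample response is constructed.

```sh
#!/bin/sh
# Added example: report security headers missing from an HTTP response.
# WANTED is an assumed checklist, lower-cased because header names are case-insensitive.
WANTED="strict-transport-security x-content-type-options x-frame-options content-security-policy referrer-policy"

# Constructed sample response with CRLF line endings, as curl -sI would return it.
SAMPLE_RESPONSE=$(printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\nStrict-Transport-Security: max-age=300\r\nX-Content-Type-Options: nosniff\r\n\r\n')

# missing_headers: reads response headers on stdin, prints each WANTED header
# that does not appear, one per line, in WANTED order.
missing_headers() {
    present=$(tr -d '\r' | awk -F: 'NR > 1 && NF > 1 { print tolower($1) }')
    for h in $WANTED; do
        printf '%s\n' "$present" | grep -qxF "$h" || printf '%s\n' "$h"
    done
}

# hsts_max_age: prints the max-age (seconds) of the HSTS header, or nothing
# if the header is absent. A small value means browsers forget the policy quickly.
hsts_max_age() {
    tr -d '\r' |
        awk -F: 'tolower($1) == "strict-transport-security" { print tolower($2) }' |
        sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p'
}

# Demo on the constructed sample.
# On a real host: curl -sI https://your.site.example/ | missing_headers
printf '%s\n' "$SAMPLE_RESPONSE" | missing_headers
printf '%s\n' "$SAMPLE_RESPONSE" | hsts_max_age
```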


DDoS Protection with IPTables

Have you already got your IPTables config to the point where you have a -j DROP catch all at the end? This guide is a true education in iptables, TCP and DDoS - follow its recommendations.

Application-Level firewall with Modsecurity

Your apache logs are likely full of obvious scans from botnets looking for an easy way in. Public webservers have to have the port open, but you can still block these requests at a higher level than your firewall. On Ubuntu 18.04:
sudo apt-get install libapache2-mod-security2 modsecurity-crs
sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
sudo systemctl restart apache2


and you'll install a powerful apache module (modsecurity) that has frequently updated patterns that match common exploit requests (OWASP Core Rule Set). Read all the options thoroughly, and when ready set it to block those requests.
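
The "when ready" step can be checked rather than guessed. The added example below (not from the original post) reports the current engine mode, tallies which rule IDs have been firing so you can look for false positives, and shows the one-line change to blocking mode. The recommended config copied above starts in `DetectionOnly`; the config excerpt and log lines here are constructed samples.

```sh
#!/bin/sh
# Added example: check ModSecurity's mode and review rule hits before blocking.

# Constructed excerpt in the style of /etc/modsecurity/modsecurity.conf.
# The recommended file ships with the engine in DetectionOnly (log, don't block).
SAMPLE_CONF='# SecRuleEngine On
SecRuleEngine DetectionOnly
SecRequestBodyAccess On'

# Constructed Apache error-log lines in the shape ModSecurity writes them.
SAMPLE_LOG='[client 203.0.113.7] ModSecurity: Warning. Matched phrase "nikto" at REQUEST_HEADERS:User-Agent. [id "913100"] [msg "Found User-Agent associated with security scanner"] [uri "/"]
[client 203.0.113.7] ModSecurity: Warning. Matched phrase "nikto" at REQUEST_HEADERS:User-Agent. [id "913100"] [msg "Found User-Agent associated with security scanner"] [uri "/admin"]
[client 198.51.100.4] ModSecurity: Warning. detected SQLi using libinjection. [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [uri "/search"]
[client 198.51.100.9] AH00128: File does not exist: /var/www/html/favicon.ico'

# Effective engine mode: a later uncommented SecRuleEngine overrides an earlier one.
modsec_mode() {
    awk 'tolower($1) == "secruleengine" { m = $2 } END { print (m == "" ? "unset" : m) }'
}

# Rules that fired, as "count id", busiest first. Review these before blocking.
rule_hits() {
    sed -n '/ModSecurity:/s/.*\[id "\([0-9][0-9]*\)"].*/\1/p' |
        sort | uniq -c | awk '{ print $1, $2 }' | sort -k1,1nr -k2,2n
}

# Filter that flips DetectionOnly to On and leaves commented lines alone.
enable_blocking() {
    sed 's/^\([[:space:]]*SecRuleEngine[[:space:]][[:space:]]*\)DetectionOnly/\1On/'
}

# Demo on the constructed samples.
# On the host: modsec_mode < /etc/modsecurity/modsecurity.conf
#              rule_hits < /var/log/apache2/error.log
printf '%s\n' "$SAMPLE_CONF" | modsec_mode
printf '%s\n' "$SAMPLE_LOG" | rule_hits
printf '%s\n' "$SAMPLE_CONF" | enable_blocking | modsec_mode
```

If a rule ID near the top of the tally turns out to be matching your own legitimate traffic, deal with that rule first; once the list is only scanner noise, apply the change to the real file and restart apache2.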
