This is my take on quickly and briefly securing Apache on your server.
Securing Apache:
Apache's default configuration reveals a little too much about the server. Let's start by hiding some of that information. Install the mod_security package and then edit a new configuration file:
sudo apt-get install libapache2-modsecurity
sudo vi /etc/apache2/conf-available/custom_security.conf
Paste the following:
ServerSignature Off
ServerTokens Prod
TraceEnable Off
# "Options All -Indexes" mixes an absolute and a relative option, which Apache rejects at startup; just turn off directory listings.
Options -Indexes
Header unset ETag
Header always unset X-Powered-By
FileETag None
Run:
sudo a2enmod headers
sudo a2enconf custom_security.conf
sudo /etc/init.d/apache2 restart
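To verify the header hardening from the outside, here is an added example (not from the original post) that audits a captured HTTP response header block for the three things the directives above remove: a verbose Server banner, X-Powered-By and ETag. The sample captures, function name and the "Apache/2.4.7 (Ubuntu)" and PHP version strings are constructed for the example.

```shell
#!/bin/sh
# Audit a captured HTTP response header block against the hardening above:
# Server banner trimmed to "Apache" (ServerTokens Prod), no X-Powered-By
# (Header always unset X-Powered-By) and no ETag (FileETag None).
# Usage against a live server:  curl -sI http://localhost/ | audit_headers
audit_headers() {
    # Strip CR so raw CRLF captures work, then match header names case-insensitively.
    tr -d '\r' | awk '
        {
            split($0, kv, ":")                 # header name is everything before the first colon
            name = tolower(kv[1])
            value = $0
            sub(/^[^:]*:[ \t]*/, "", value)    # header value is the rest, leading whitespace dropped
            sub(/[ \t]+$/, "", value)
        }
        name == "server" && value != "Apache" { bad++; print "FAIL: verbose Server banner: " value }
        name == "x-powered-by" { bad++; print "FAIL: X-Powered-By leaks the backend: " value }
        name == "etag" { bad++; print "FAIL: ETag still sent (FileETag None not applied)" }
        END {
            if (bad) { print bad " issue(s) found"; exit 1 }
            print "OK: no information-leaking headers found"
        }
    '
}

# Constructed sample captures: a stock Apache/PHP response, and one after the
# directives from this post are in place.
SAMPLE_BEFORE='HTTP/1.1 200 OK
Date: Thu, 01 Jan 2015 00:00:00 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4
ETag: "2d-5196c4d4a7a80"
Content-Type: text/html'

SAMPLE_AFTER='HTTP/1.1 200 OK
Date: Thu, 01 Jan 2015 00:00:00 GMT
Server: Apache
Content-Type: text/html'

# Demo on the samples; "|| true" keeps a sourcing shell alive on a failing audit.
printf '%s\n' "$SAMPLE_BEFORE" | audit_headers || true
printf '%s\n' "$SAMPLE_AFTER" | audit_headers || true
```

The function exits non-zero when anything leaks, so it drops straight into a cron job or deployment check.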
Configuring mod_security:
sudo a2enmod security2
Configure the module and enable the OWASP ModSecurity Core Rule Set (CRS):
sudo mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
sudo vi /etc/modsecurity/modsecurity.conf
Paste:
SecRuleEngine On
SecResponseBodyAccess Off
SecRequestBodyLimit 8388608
SecRequestBodyNoFilesLimit 131072
SecRequestBodyInMemoryLimit 262144
sudo rm -rf /usr/share/modsecurity-crs
sudo git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /usr/share/modsecurity-crs
sudo mv /usr/share/modsecurity-crs/crs-setup.conf.example /usr/share/modsecurity-crs/crs-setup.conf
sudo vi /etc/apache2/mods-enabled/security2.conf
<IfModule security2_module>
    SecDataDir /var/cache/modsecurity
    IncludeOptional /etc/modsecurity/*.conf
    IncludeOptional "/usr/share/modsecurity-crs/*.conf"
    IncludeOptional "/usr/share/modsecurity-crs/rules/*.conf"
</IfModule>
sudo /etc/init.d/apache2 restart
Be sure to keep an eye on the Apache and mod_security logs by running:
sudo tail -f /var/log/apache2/*.log /var/log/mod_evasive/*
Automatic updates:
Last but not least, automatic updates. I know I said this blog post is about securing Apache, but one thing I am an advocate of is securing your server as a whole. If you are a one-man show, use unattended-upgrades.
The purpose of unattended-upgrades is to keep the server current with the latest security (and other) updates automatically. This alone will allow you to sleep safe and tight at night. :)
sudo apt-get install unattended-upgrades
For extra security look at mod_evasive, and don't forget fail2ban.