Protection for APACHE using mod_dosevasive

The mod_evasive Apache module, formerly known as mod_dosevasive, helps protect against DoS, DDoS (Distributed Denial of Service), and brute force attacks on the Apache web server. It can provide evasive action during attacks and report abuses via email and syslog facilities. The module works by creating an internal dynamic table of IP addresses and URIs as well as denying any single IP address from any of the following:

  • Requesting the same page more than a few times per second
  • Making more than 50 concurrent requests on the same child per second
  • Making any requests while temporarily blacklisted

If any of the above conditions are met, a 403 response is sent and the IP address is logged. Optionally, an email notification can be sent to the server owner or a system command can be run to block the IP address.

Step 1 — Installing mod_evasive

In this section, we will be installing the packages required for mod_evasive to function and finally install mod_evasive.

First, we need to install the EPEL (Extra Packages for Enterprise Linux) yum repository on the server. EPEL is a Fedora Special Interest Group that creates, maintains, and manages a high quality set of open source add-on software packages for Enterprise Linux. Run the following command to install and enable the EPEL repository on your server:

On CentOS 7:

sudo rpm -ivh http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm

Let us verify that the EPEL repo is enabled using:

sudo yum repolist

If enabled, you will see the following repo listed in the output:

epel/x86_64                                                            Extra Packages for Enterprise Linux 7 - x86_64

Now, let us protect the base packages from EPEL using the yum plugin protectbase.

sudo yum install yum-plugin-protectbase.noarch -y

The purpose of the protectbase plugin is to protect certain yum repositories from updates from other repositories. Packages in the protected repositories will not be updated or overridden by packages in non-protected repositories even if the non-protected repo has a later version.

Now we are ready to install mod_evasive module. Run the following command to install it:

sudo yum install mod_evasive -y

Step 2 — Verifying the Installation

Now that mod_evasive is installed, let’s verify that configuration file has been installed and that the module is being loaded.

During installation, the mod_evasive configuration file /etc/httpd/conf.d/mod_evasive.conf was added. To verify this run:

sudo ls -al /etc/httpd/conf.d/mod_evasive.conf

Output should look similar to:

-rw-r--r-- 1 root root 3473 Jul 21 01:41 /etc/httpd/conf.d/mod_evasive.conf

By default, the following LoadModule line will be added to the top of configuration file mod_evasive.conf. Open the file and add the line if it is not already present. This line tells the Apache web server to load and use the mod_evasive module.

On CentOS 7, the line should read as follows:

/etc/httpd/conf.d/mod_evasive.conf
LoadModule evasive20_module modules/mod_evasive24.so

Let us list the modules loaded for the Apache web server and look for mod_evasive:

sudo  httpd -M | grep evasive

The output should show:

evasive20_module (shared)

Step 3 — Configuring mod_evasive

Now that the installation is complete and verified, let us look into the configuration of the module. mod_evasive can be easily customized through the mod_evasive.conf configuration file. We will discuss some of the configuration parameters in this tutorial. Please refer to the configuration file for information on all the parameters — it contains a description of each parameter.

One of the configuration options you need to change is DOSEmailNotify. This is a very useful directive. If this value is set, an email will be sent to the email address specified whenever an IP address is blacklisted. The email body will show mod_evasive HTTP Blacklisted 222.222.222.251

For example, if you want to send mod_evasive alerts to say, johndoh@example.com, edit the file:

sudo nano /etc/httpd/conf.d/mod_evasive.conf

Uncomment the DOSEmailNotify line by removing the # in front of the line, and change the email address to yours:

/etc/httpd/conf.d/mod_evasive.conf
DOSEmailNotify   youremail@yourdomain.com

Note: mod_evasive uses /bin/mail for sending email alerts. You need to have a mail server installed and working.

Another parameter you might want to set is DOSWhitelist. Using this option, IP addresses of trusted clients can be added to the whitelist to ensure they are never denied. The purpose of whitelisting is to protect software, scripts, local search bots, or other automated tools from being denied for requesting large amounts of data from the server.

To whitelist an IP address, for example 222.222.222.252, add an entry to the configuration file like this:

/etc/httpd/conf.d/mod_evasive.conf
DOSWhitelist    222.222.222.252

Wildcards can be used on up to the last 3 octets of the IP address if necessary.

To whitelist multiple IP addresses from different IP ranges, you can add separate DOSWhitelist lines in the configuration file like this:

/etc/httpd/conf.d/mod_evasive.conf
DOSWhitelist    222.222.222.251
DOSWhitelist    222.222.222.222

DOSPageCount and DOSSiteCount are two other parameters recommended to be changed to less aggressive values to avoid clients getting blocked unnecessarily.

DOSPageCount is the limit for the number of requests for the same page per page interval (usually set to one second) by an IP address. Once the threshold for that interval has been exceeded, the IP address of the client will be added to the blocked list. The default value is set quite low at 2. You can change it to a higher value, say 20, by editing the following in /etc/httpd/conf.d/mod_evasive.conf:

/etc/httpd/conf.d/mod_evasive.conf
DOSPageCount 20

DOSSiteCount is the limit for the total number of requests for the same website by an IP address per site interval (defaults to 1 second). To change it to a larger value such as 100 seconds:

/etc/httpd/conf.d/mod_evasive.conf
DOSSiteCount 100

There are a few other parameters you can change to achieve better performance.

One is DOSBlockingPeriod, which is the amount of time (in seconds) that a client (IP address) will be blocked for if they are added to the blocked list. During this time, all subsequent requests from the client will result in a 403 (Forbidden) error and the timer being reset (defaults to 10 seconds).

For example, if you want to increase the blocking period to 300 seconds:

/etc/httpd/conf.d/mod_evasive.conf
DOSBlockingPeriod    300

Another is DOSLogDir which refers to the temporary directory used by mod_evasive. By default /tmp will be used for a locking mechanism, which opens some security issues if your system is open to shell users. In the event you have non-privileged shell users, you will want to create a directory writeable only to the user Apache is running as (usually apache) then set this parameter in your mod_evasive.conf file.

For example, to set the directory used by mod_evasive to /var/log/mod_evasive, create the directory using:

sudo mkdir /var/log/mod_evasive

Then set the ownership to apache user:

sudo chown -R apache:apache /var/log/mod_evasive

Now edit the mod_evasive configuration and change the directory as follows:

/etc/httpd/conf.d/mod_evasive.conf
DOSLogDir           "/var/log/mod_evasive"

Another parameter is DOSSystemCommand. If a value is set, the command specified will be executed whenever an IP address is blacklisted. Using this parameter, you can integrate mod_evasive with the firewall installed on your server or a shell script and block the IP addresses blacklisted by mod_evasive in the firewall.

Step 4 — Loading the mod_evasive Module

Once we have made the changes in the configuration file, we need to restart the Apache web server for them to take effect. Run the following command to restart Apache.

On CentOS 7:

sudo systemctl restart httpd.service

Note: Please note that mod_evasive appears to conflict with the FrontPage Server Extensions. You might also want to check your Apache web server settings to make sure mod_evasive is able to function well. Suggested Apache tweaks are to have a very high value for MaxRequestsPerChild but not unlimited (A value of zero implies unlimited) and to have KeepAlive enabled with KeepAliveTimeout set reasonably long.

Step 5 — Testing mod_evasive

Let us do a short test to see if the module is working correctly. We will be using a perl script test.pl written by mod_evasive developers. To execute the script, we need to first install perl package on the server using:

sudo yum install -y perl

The test script is installed with mod_evasive at the following location:

/usr/share/doc/mod_evasive-1.10.1/test.pl

By default, the test script requests the same page from your Apache web server 100 times in a row to trigger mod_evasive. In the last section, we modified mod_evasive to be more tolerant of requests per second to the same page. We need to change the script to 200 requests in a row instead of 100 to make sure we trigger all of mod_evasive’s notification methods.

Edit /usr/share/doc/mod_evasive-1.10.1/test.pl:

sudo nano /usr/share/doc/mod_evasive-1.10.1/test.pl

Find the following line:

/usr/share/doc/mod_evasive-1.10.1/test.pl
for(0..100) {

Replace 100 with 200:

/usr/share/doc/mod_evasive-1.10.1/test.pl
for(0..200) {

Save and exit.

To execute the script, run:

sudo perl /usr/share/doc/mod_evasive-1.10.1/test.pl

You should see output similar to:

HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
...

The script makes 100 requests to your web server. the 403 response code indicates access is denied by the web server. mod_evasive also logs to syslog when the IP address is blocked. Check the log file using:

sudo tailf /var/log/messages

It should show a line similar to:

May 21 00:11:18 servername mod_evasive[18290]: Blacklisting address 127.0.0.1: possible DoS attack.

indicating the IP address is blocked by mod_evasive.

If you have configured mod_evasive to send email alerts when an IP is blocked, you will have an email in your inbox with the following content:

mod_evasive HTTP Blacklisted 127.0.0.1

Conclusion

mod_evasive is great at fending off single server, scripted attacks as well as distributed attacks. However, it is only useful to the point of your server’s total bandwidth and processor capacity for processing and responding to invalid requests. For this reason, it is a good idea to integrate this module with your server firewall for maximum protection. Without a really good infrastructure and a firewall in place, a heavy DDoS might still take you offline. If an attack is very heavy and persistent, you might need to move to a hardware-based DDoS mitigation solution.

Source : www.digitalocean.com

mod_parmguard for Apache Webserver

The Apache module that will protect your scripts against hacker’s input !

There is an Apache module, mod_parmguard (http://www.trickytools.com/php/mod_parmguard.php), which is close to providing a complete solution to positive security model requirements. When I checked Version 1.3, the module was not stable for production use, but you should check on it from time to time to see if it improves.

Download version 1.4

Documentation

Its configuration is XML-based and, for this purpose, easier to use than Apache-style configuration typical for other modules. Here’s a short excerpt from its documentation for a page with a single parameter:

<url>
    <match>validate.php</match>
    <parm name="name">
      <type name="string"/>
      <attr name="maxlen" value="10"/>
      <attr name="charclass" value="^[a-zA-Z]+$"/>
    </parm>
</url>

Other interesting features of this module include a spider that analyzes the application and produces configuration data automatically and the ability to generate custom data types and save time writing the configuration.

Note: https://books.google.ca/books?id=zJUuToRbZ7oC&pg=PA149&lpg=PA149&dq=mod_parmguard&source=bl&ots=RI2WYAgchh&sig=KvdOU6_UALjcF3ZADX5RSi1R0LI&hl=en&sa=X&ved=0ahUKEwjVyeq72PzTAhVBpCwKHcEaDLwQ6AEIWDAO#v=onepage&q=mod_parmguard&f=false

How to Harden the Apache Web Server on CentOS 7

NOTE: https://www.feistyduck.com/library/apache%2dsecurity/online/

Introduction

Apache is one of the most widely-used and popular web servers. It is also one of the most secure web servers available. In this article, I will explain some tips and tricks that will secure your Apache server.

Requirements

  • A server running CentOS v. 7 with Apache installed
  • A static IP address for your server
  • Firefox browser with the Firebug add-on installed (for testing)

Hide the Apache version

Visit your web server in Firefox. Activate Firebug by clicking the Firebug icon on the top right side.

If you check the HTTP response headers in Firebug, it will show the Apache version along with your operating system name and version, as shown in this screenshot:

To hide this information from browsers, you will need to make some changes in Apache’s main configuration file.

You can do this by editing the httpd.conf file:

sudo nano /etc/httpd/conf/httpd.conf

Add the following line at the end of file:

ServerSignature Off
ServerTokens Prod

Save the file and restart the Apache service to reflect these changes:

sudo apachectl restart

Now, open Firefox and access your web server. Check the HTTP response headers in Firebug, You can see that setting ServerSignature to Off has removed the version information from Server.

Turn off directory listing

Directory listing in the absence of an index file is enabled by default in Apache. Directory listing displays all the files from the Apache web root directory. If this is enabled, then a hacker can easily view any file, analyze it, and obtain sensitive information about an application of your Apache server.

You can turn off this setting by using the Options directive in the Apache configuration file for a specific web directory.

sudo nano /etc/httpd/conf/httpd.conf

Find the section that begins with Directory /var/www/html and add -Indexes in the Options directive:

<Directory /var/www/html/>
    Options -Indexes
    AllowOverride None
    Require all granted
</Directory>

Save the file and restart Apache service to reflect these changes.

sudo apachectl restart

Next, try to visit your website in a browser. You will get a “Forbidden” error.

Disable unnecessary modules

By default Apache comes with lots of unnecessary installed modules. It is a good policy to disable any unnecessary modules that are not in use.

You can list all enabled modules on your server using the following command:

sudo grep LoadModule /etc/httpd/conf.modules.d/00-base.conf

From the enabled modules in 00-base.conf file, some modules like mod_info, mod_userdir, mod_autoindex are enabled but not needed.

You can disable this modules by editing the 00-base.conf file:

sudo nano /etc/httpd/conf.modules.d/00-base.conf

Insert a # at the beginning of the following lines to disable the modules:

#LoadModule info_module modules/mod_info.so
#LoadModule userdir_module modules/mod_userdir.so</code></pre>

Save the file and restart Apache service to reflect these changes.

sudo apachectl restart

By default Apache follows symbolic links (symlinks). Turning this off is recommended for security.

To do this, you need to edit httpd.conf file:

sudo nano /etc/httpd/conf/httpd.conf

Find the section that begins with Directory /var/www/html. Add -FollowSymLinks in option directive:

<Directory /var/www/html/>
    Options -Indexes -FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

Now restart Apache to reflect changes.

sudo apachectl restart

Turn off server-side includes (SSI) and CGI execution

Server-side includes (SSI) are directives present on Web applications that are placed in HTML pages. An SSI attack allows a web application to be exploited by remotely executing arbitrary codes. The attacker can access sensitive information like password files, and execute shell commands. It is recommended that you disable server side includes and CGI execution if they are not needed.

To do this, edit the main Apache config file:

 sudo nano /etc/httpd/conf/httpd.conf</code></pre>

Find the section that begins with Directory /var/www/html, Add -ExecCGI and -Includes in option directive:

<Directory /var/www/html/>
    Options -Indexes -FollowSymLinks -ExecCGI -Includes
    AllowOverride None
    Require all granted
</Directory>

Now restart Apache to reflect the changes.

sudo apachectl restart

You can also do this for specific web directories. For example, to turn off Includes and CGI file executions for /var/www/html/www.vhost1.com directory:

sudo nano /etc/httpd/conf/httpd.conf

Add the following line:

<Directory /var/www/html/www.vhost1.com/>
    Options -Includes -ExecCGI
</Directory>

Save the file and restart Apache.

sudo apachectl restart

Limit request size

By default Apache has no limit on the size of the HTTP request. This can allow hackers to send large number of data.

You can limit the requests size by using the Apache directive LimitRequestBody in combination with the Directory tag. This can help protect your web server from a denial of service (DOS) attack.

Suppose you have a site (www.example.com), where you allow uploads, and you want to limit the upload size on this site.

You can set value from 0 (unlimited) to 2147483647 (2GB) in the main Apache config file.

For example, to limit the request size for the /var/www/html/www.example.com directory to 200K:

sudo nano /etc/httpd/conf/httpd.conf

Add the following line:

<Directory /var/www/html/www.example.com>
    LimitRequestBody 204800
</Directory>

Save the file and restart Apache.

sudo apachectl restart

Disallow browsing outside the document root

Unless you have a specific need, it is recommended to restrict Apache to being only able to access the document root.

You can secure the root directory / with Allow and Deny options in the httpd.conf file.

sudo nano /etc/httpd/conf/httpd.conf

Add/edit the following line:

<Directory />
    Options None
    Order deny,allow
    Deny from all
</Directory>

Save the file and restart Apache:

sudo apachectl restart
  • Options None : This will turn off all options
  • Order deny,allow : The order in which the allow and deny commands are applied
  • Deny from all : This will deny request from all to the root directory

Keep Apache up to date

The Apache Server has a good record for security. New Apache updates will contain patches that will reduce vulnerability of your Apache server. You should always be using the most recent version of Apache server.

You can update your Apache to the most recent version by running the following command:

sudo yum update httpd

Secure Apache from clickjacking attacks

Clickjacking, also known as “User Interface redress attack,” is a malicious technique to collect an infected user’s clicks. Clickjacking tricks the victim (visitor) into clicking on an infected site.

To avoid this, you need to use X-FRAME-OPTIONS to prevent your website from being used by clickjackers.

You can do this by editing the httpd.conf file:

sudo nano /etc/httpd/conf/httpd.conf

Add the following line:

Header append X-FRAME-OPTIONS "SAMEORIGIN"

Save the file and restart Apache:

sudo apachectl restart

Now, open Firefox and visit your website. When you check the HTTP response headers in Firebug, you should see X-Frame-Options

Disable ETag

ETags (entity tags) are a well-known point of vulnerability in Apache web server. ETag is an HTTP response header that allows remote users to obtain sensitive information like inode number, child process ids, and multipart MIME boundary. ETag is enabled in Apache by default.

To prevent this vulnerability, disabling ETag is recommended.

You can do this by editing httpd.conf file:

sudo nano /etc/httpd/conf/httpd.conf

Add the following line:

FileETag None

Save the file and restart Apache:

sudo apachectl restart

Now, open Firefox and visit your website. When you check the HTTP response headers in Firebug, you should not see Etag listed.

HTTP request methods

Apache support the OPTIONS, GET, HEAD, POST, CONNECT, PUT, DELETE, and TRACE method in HTTP 1.1 protocol. Some of these may not be required, and may pose a potential security risk. It is a good idea to only enable HEAD, POST, and GET for web applications.

You can do this by editing the httpd.conf file:

sudo nano /etc/httpd/conf/httpd.conf

Find the section that begins with Directory /var/www/html. Add the following lines under this section:

<LimitExcept GET POST HEAD>
    deny from all
</LimitExcept>

Save the file and restart Apache:

sudo apachectl restart

Secure Apache from XSS attacks

Cross-site scripting (XSS) is one of the most common application-layer vulnerabilities in Apache server. XSS enables attackers to inject client-side script into web pages viewed by other users. Enabling XSS protection is recommended.

You can do this by editing the httpd.conf file:

sudo nano /etc/httpd/conf/httpd.conf

Add the following line:

<IfModule mod_headers.c>
    Header set X-XSS-Protection "1; mode=block"
</IfModule>

Save the file and restart Apache to reflect changes.

sudo apachectl restart

Now, open Firefox and visit your website. When you check HTTP response headers in Firebug, you should see that XSS Protection is enabled and mode is blocked.

Protect cookies with HTTPOnly flag

You can protect your Apache server from most of the common Cross Site Scripting attacks using the HttpOnly and Secure flags for cookies.

You can do this by editing the httpd.conf file:

sudo nano /etc/httpd/conf/httpd.conf

Add the following line:

<IfModule mod_headers.c>
    Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
</IfModule>

Save the file and restart Apache to reflect changes.

sudo apachectl restart

Let’s Encrypt automatic renewal problem!

I ran into a problem with one of my domain name about a week ago! The problem was related to the automatic renewal of Let’s Encrypt SSL Key. There is a easy fix out there, on this server I am using .htaccess to forward all traffic to https:// the fix is to remove or rename the .htaccess until the SSL key is renewed.

As per today 5-19-2017 Let’s Encrypt gateway make a time-out!


Source : https://statusgator.com/services/lets-encrypt

Cheers

Update :

A new certificate was successfully requested from Let’s Encrypt, and installed for easy-admin.ca, www.easy-admin.ca.

🙂