Apache 2 is a robust server with many features. This guide tightens the security of an Apache 2 server by applying basic settings.
This howto is tested on:
- Debian 10.0 Buster
Requirements
This howto requires:
- the Apache 2 HTTP server, as described by Install Apache 2 on Debian.
This howto recommends:
Setup
Detect whether sudo is available (fall back to “command” if it is not):
cmdProxy='command'
command type -f 'sudo' &>'/dev/null' && cmdProxy='sudo'
Tightening default configuration
Download the security tightening configuration file:
# Note: --no-check-certificate disables TLS certificate verification for this
# download; drop it if the ca-certificates package is installed on the host.
${cmdProxy} wget --quiet --no-check-certificate \
--output-document='/etc/apache2/conf-available/security-hardened.conf' \
'https://raw.github.com/biapy/howto.biapy.com/master/apache2/security-hardened.conf'
Enable the downloaded configuration:
${cmdProxy} a2enconf 'security-hardened'
Make sure the cgi-bin functionality is disabled if it is not needed:
${cmdProxy} a2disconf 'serve-cgi-bin'
Reload the server configuration:
${cmdProxy} systemctl reload 'apache2'
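The howto does not list what the downloaded file changes. The script below is an added example, not the howto's own code and not the contents of security-hardened.conf: it audits an Apache configuration file for three well-known hardening directives (ServerTokens, ServerSignature, TraceEnable) and reports which are missing or set to a weaker value. The expected values are the usual recommendations and the sample configuration is constructed here; on a real host you would point it at /etc/apache2/conf-enabled/*.conf after reloading.

```shell
# Added example (not from the howto): audit an Apache configuration file for
# common hardening directives. Expected values are assumptions, i.e. the usual
# recommendations rather than anything read from security-hardened.conf.

audit_apache_conf() {
  confFile="$1"
  failures=0
  for entry in 'ServerTokens=Prod' 'ServerSignature=Off' 'TraceEnable=Off'; do
    directive="${entry%%=*}"
    expected="${entry#*=}"
    # Apache keeps the last occurrence of a directive; commented lines are
    # skipped because the pattern anchors the directive name at line start.
    actual="$(grep -i "^[[:space:]]*${directive}[[:space:]]" "${confFile}" \
      | tail -n 1 | awk '{print $2}')"
    if [ -z "${actual}" ]; then
      echo "MISSING ${directive} (expected ${expected})"
      failures=$((failures + 1))
    elif [ "$(printf '%s' "${actual}" | tr '[:upper:]' '[:lower:]')" \
         != "$(printf '%s' "${expected}" | tr '[:upper:]' '[:lower:]')" ]; then
      echo "WEAK ${directive} ${actual} (expected ${expected})"
      failures=$((failures + 1))
    else
      echo "OK ${directive} ${actual}"
    fi
  done
  # Last line is machine-readable so the result can be checked by scripts.
  echo "FAILURES ${failures}"
}

# Constructed sample standing in for a not-yet-hardened configuration.
sampleConf="$(mktemp)"
cat > "${sampleConf}" <<'EOF'
# ServerTokens Prod   <- commented out, must be ignored by the audit
ServerTokens OS
ServerSignature On
EOF

audit_apache_conf "${sampleConf}"
rm -f "${sampleConf}"
```

Directive values are compared case-insensitively because Apache accepts them that way; a setting that only appears inside a comment counts as missing.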
Blocking attackers with fail2ban
Install fail2ban:
${cmdProxy} apt-get install fail2ban
Enable fail2ban rules for Apache:
confFile='/etc/fail2ban/jail.d/apache-rules.conf'
[[ ! -e "${confFile}" ]] && ${cmdProxy} touch "${confFile}"
while read jailRule; do
# Enable fail2ban configuration rule if it exists and
# is not already present in the configuration file.
if [[ -n "${jailRule}" \
&& -z "$(command grep "\[${jailRule}\]" "${confFile}")" \
&& -n "$(command grep "\[${jailRule}\]" '/etc/fail2ban/jail.conf')" ]]; then
${cmdProxy} tee -a "${confFile}" <<< "
[${jailRule}]
enabled = true"
fi
done <<< "apache-auth
apache-badbots
apache-noscript
apache-overflows
apache-nohome
apache-botsearch
apache-fakegooglebot
apache-shellshock
php-url-fopen"
Reload fail2ban configuration:
${cmdProxy} systemctl restart 'fail2ban'
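A jail that is enabled but has no matching filter stops fail2ban from starting, so it is worth checking the drop-in file before the restart. The script below is an added example, not part of the howto: it lists the jails enabled in a jail.d file and verifies that each one has a filter definition named after it in the filter directory (fail2ban's default filter for a jail is the file with the jail's name). The directory layout used in the demo is constructed with mktemp; the real paths are /etc/fail2ban/jail.d and /etc/fail2ban/filter.d.

```shell
# Added example (not from the howto): check that every jail enabled in a
# jail.d file has a filter file, before restarting fail2ban.

# Print the names of jails that have "enabled = true" in the given file.
enabled_jails() {
  awk '
    /^\[.*\]$/ { jail = substr($0, 2, length($0) - 2) }
    /^[[:space:]]*enabled[[:space:]]*=[[:space:]]*true/ && jail != "" { print jail }
  ' "$1"
}

# Return 0 if every enabled jail has <filterDir>/<jail>.conf, 1 otherwise.
check_jail_filters() {
  jailFile="$1"
  filterDir="$2"
  missing=0
  for jail in $(enabled_jails "${jailFile}"); do
    if [ -f "${filterDir}/${jail}.conf" ]; then
      echo "OK ${jail}"
    else
      echo "MISSING filter ${filterDir}/${jail}.conf"
      missing=$((missing + 1))
    fi
  done
  [ "${missing}" -eq 0 ]
}

# Constructed demo tree: two jails enabled, only one filter present.
demoDir="$(mktemp -d)"
mkdir "${demoDir}/filter.d"
printf '[apache-auth]\nenabled = true\n\n[apache-badbots]\nenabled = true\n' \
  > "${demoDir}/apache-rules.conf"
: > "${demoDir}/filter.d/apache-auth.conf"

check_jail_filters "${demoDir}/apache-rules.conf" "${demoDir}/filter.d" \
  || echo "fix the missing filters before restarting fail2ban"
rm -rf "${demoDir}"
```

On a live system, `fail2ban-client -t` performs fail2ban's own configuration test, and `fail2ban-client status apache-auth` confirms a jail is running after the restart.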
Thanks
- Thanks to Alsacréations (fr) for Installation d’Apache et PHP (fr).
- Thanks to la Ferme du Web (fr).
- Thanks to Be-Root.com (fr) for Protéger Apache de slowloris (fr).
- Thanks to System-Linux.eu (fr) for Attaque Slowloris (DoS) l’essayer et l’empécher (fr) and Compilation, Installation et Configuration de ModSecurity (fr).