Apache 2 is a robust server with many features. This guide tightens the security of an Apache 2 server by applying basic settings.

This howto is tested on:

  • Debian 10.0 Buster

Requirements

This howto requires:

This howto recommends:

Setup

Detect if sudo is available (“command” is used if not):

cmdProxy='command'
command type -f 'sudo' &>'/dev/null' && cmdProxy='sudo'

Tightening default configuration

Download the security tightening configuration file:

${cmdProxy} wget --quient --no-check-certificate \
    --output-document='/etc/apache2/conf-available/security-hardened.conf' \
    'https://raw.github.com/biapy/howto.biapy.com/master/apache2/security-hardened.conf'

Enable the downloaded configuration:

${cmdProxy} a2enconf 'security-hardened'

Make sure the cgi-bin functionality is disabled if it is not needed:

${cmdProxy} a2disconf 'serve-cgi-bin'

Reload the server configuration:

${cmdProxy} systemctl reload 'apache2'

Blocking attackers with fail2ban

Install fail2ban :

${cmdProxy} apt-get install fail2ban

Enable fail2ban rules for Apache:

confFile='/etc/fail2ban/jail.d/apache-rules.conf'
[[ ! -e "${confFile}" ]] && ${cmdProxy} touch "${confFile}"
while read jailRule; do
  # Enable fail2ban configuration rule if it exists and
  # is not already present in the configuration file.
  if [[ -n "${jailRule}" \
    && -z "$(command grep "\[${jailRule}\]" "${confFile}")" \
    && -n "$(command grep "\[${jailRule}\]" '/etc/fail2ban/jail.conf')" ]]; then
    ${cmdProxy} tee -a "${confFile}" <<< "
[${jailRule}]
enabled = true"
  fi
done <<< "apache-auth
apache-badbots
apache-noscript
apache-overflows
apache-nohome
apache-botsearch
apache-fakegooglebot
apache-shellshock
php-url-fopen"

Reload fail2ban configuration :

${cmdProxy} systemctl restart 'fail2ban'

Thanks

Categories: Apache 2

0 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.