May 7
Apache, being the most popular Web server on the Internet, is a big target for DoS and hacking attacks. Because it is highly customizable through the many hundreds of available modules, we can optimize it and lock it down to withstand high traffic loads.
In our tutorial, we will be using the following two modules
- mod_dosevasive 1.10 from http://www.nuclearelephant.com
- mod_security 1.8.7 from http://www.modsecurity.org
1) Purpose of mod_dosevasive
This is the official description from mod_dosevasive’s homepage: mod_dosevasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and etcetera. mod_dosevasive presently reports abuses via email and syslog facilities. Simply put, mod_dosevasive allows us to detect web attacks and take necessary steps to ensure that the attacks do not bring the server down. When an attack takes place (let’s say a hacker decides to initiate a DoS attack against your webserver by requesting thousands of pages at the same time), this module blocks the hacker’s IP address for 10 seconds (default) and issues a 403 error. If within 10 seconds another request comes in from the same user, the counter will be reset to 0 and the attacker will have to wait another 10 seconds before being able to request a page.
1.1) Installing mod_dosevasive
I will assume that your Apache is installed at /etc/httpd. If it is located somewhere else, please change the paths below as needed.
# cd /usr/local/src
# tar zxf mod_evasive.1.10.tar.gz
# cd mod_dosevasive
# /etc/httpd/bin/apxs -iac mod_dosevasive.c
1.2) Configuring mod_dosevasive
APXS will automatically install the module and change your httpd.conf as needed. We still have to insert the specific module configuration into the Apache configuration file though. Open up httpd.conf with your favorite editor and copy and paste the following at the end of the file:
<IfModule mod_dosevasive.c>
DOSHashTableSize 16384
DOSPageCount 10
DOSSiteCount 100
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 60
</IfModule>
Don’t forget to change the email address in the last line (the DOSEmailNotify directive) to your real address. If your mail program is in a location other than /bin/mail, edit the file mod_dosevasive.c, change the mail path, and reinstall the module with APXS; you should then be ready to go. If you are curious about what every line in the above configuration means, read the README file in the mod_dosevasive folder: it explains every directive and its purpose. It is recommended to increase DOSHashTableSize to a higher value on busy servers.
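To make the directives above concrete, here is an added emulation of the per-client counting that mod_dosevasive performs (my approximation of the module's logic, not its source), run over constructed request timestamps with the values from the httpd.conf block: a client that requests the same page more than DOSPageCount times within DOSPageInterval seconds of its previous hit gets a 403, and any further request during the DOSBlockingPeriod restarts the block.

```python
"""Emulation of mod_dosevasive's per-client counters (added example, an
approximation of the module's behaviour; not the module's own code)."""

# Values taken from the httpd.conf block above.
DOSPageCount, DOSPageInterval = 10, 1      # hits on one URI per interval (s)
DOSSiteCount, DOSSiteInterval = 100, 1     # hits on the whole site per interval (s)
DOSBlockingPeriod = 60                     # seconds a client stays blocked


class Evasive:
    def __init__(self):
        self.hits = {}       # "ip_uri" / "ip_site" -> (count, time of last hit)
        self.blocked = {}    # ip -> time of the last request seen while blocked

    def _over_limit(self, key, now, interval, limit):
        """Count a hit; the counter restarts when the previous hit is older than interval."""
        count, last = self.hits.get(key, (0, None))
        count = count + 1 if last is not None and now - last < interval else 1
        self.hits[key] = (count, now)
        return count > limit

    def check(self, ip, uri, now):
        """Return 200 if the request is served, 403 if the module would deny it."""
        if ip in self.blocked:
            if now - self.blocked[ip] < DOSBlockingPeriod:
                self.blocked[ip] = now       # a request during the block restarts it
                return 403
            del self.blocked[ip]             # block expired
        if (self._over_limit(f"{ip}_{uri}", now, DOSPageInterval, DOSPageCount)
                or self._over_limit(f"{ip}_site", now, DOSSiteInterval, DOSSiteCount)):
            self.blocked[ip] = now
            return 403
        return 200


def simulate(requests):
    """requests: list of (time, ip, uri) tuples; returns the status code per request."""
    ev = Evasive()
    return [ev.check(ip, uri, t) for t, ip, uri in sorted(requests)]


# Constructed traffic: one client hammers /index.php, another browses normally.
ATTACK = [(0.05 * i, "10.0.0.1", "/index.php") for i in range(12)]
NORMAL = [(0.3 * i, "10.0.0.2", f"/page{i}.html") for i in range(5)]

if __name__ == "__main__":
    print("attacker:", simulate(ATTACK))
    print("normal:  ", simulate(NORMAL))
```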
2) Purpose of mod_security
mod_security adds intrusion detection and prevention features to the Apache Web Server. It has built-in functions to prevent various types of attacks such as command execution, directory traversal, SQL injection, and so on. Overall, mod_security is a very good way to monitor your web services, especially in shared hosting environments.
2.1) Installing mod_security
Again, change your Apache path if it’s not /etc/httpd.
# cd /usr/local/src
# tar zxf mod_security-1.8.7.tar.gz
# cd mod_security-1.8.7/apache1
# /etc/httpd/bin/apxs -iac mod_security.c
2.2) Configuring mod_security
The following configuration is what I would use for a webserver. However, you can read the documentation and tweak mod_security to your needs. There are many things you can do with this module. One of the biggest advantages of mod_security is its ability to be configured differently per virtual host. In this case, you can have one general configuration that applies to all hosts and you could also add more directives on an insecure virtualhost, if necessary. Again, copy-paste the following into the end of httpd.conf:
<IfModule mod_security.c>
SecFilterEngine On
SecFilterDefaultAction "deny,log,status:403"
SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckCookieFormat On
SecFilterCheckUnicodeEncoding Off
SecFilterForceByteRange 1 255
SecAuditEngine RelevantOnly
SecAuditLog logs/modsec_audit_log
SecFilterDebugLevel 0
SecFilterDebugLog logs/modsec_debug_log
SecFilter "viewtopic\.php\?" chain
SecFilter "chr\(([0-9]{1,3})\)" "deny,log"
SecFilterSelective REQUEST_METHOD "!^GET$" chain
SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)"
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
SecFilterSelective HTTP_Transfer-Encoding "!^$"
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective THE_REQUEST "wget "
SecFilterSelective THE_REQUEST "lynx "
SecFilterSelective THE_REQUEST "scp "
SecFilterSelective THE_REQUEST "ftp "
SecFilterSelective THE_REQUEST "cvs "
SecFilterSelective THE_REQUEST "rcp "
SecFilterSelective THE_REQUEST "curl "
SecFilterSelective THE_REQUEST "telnet "
SecFilterSelective THE_REQUEST "ssh "
SecFilterSelective THE_REQUEST "echo "
SecFilterSelective THE_REQUEST "links -dump "
SecFilterSelective THE_REQUEST "links -dump-charset "
SecFilterSelective THE_REQUEST "links -dump-width "
SecFilterSelective THE_REQUEST "links http:// "
SecFilterSelective THE_REQUEST "links ftp:// "
SecFilterSelective THE_REQUEST "links -source "
SecFilterSelective THE_REQUEST "mkdir "
SecFilterSelective THE_REQUEST "cd /tmp "
SecFilterSelective THE_REQUEST "cd /var/tmp "
SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy "
SecFilterSelective THE_REQUEST "/config.php?v=1&DIR "
SecFilterSelective THE_REQUEST "/../../ "
SecFilterSelective THE_REQUEST "&highlight=%2527%252E "
SecFilterSelective THE_REQUEST "changedir=%2Ftmp%2F.php "
SecUploadDir /tmp
SecUploadKeepFiles Off
</IfModule>
If you want to find out what each line does, read the mod_security documentation. The above configuration was tested on a production server.
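To show how the SecFilterSelective rules above fire, here is an added evaluator for a subset of them, run over constructed requests. It imitates mod_security 1.x semantics as I understand them (a `!` prefix negates the pattern, a `chain` rule only fires when every rule in the chain matches, an absent variable is treated as empty, and matching is case-insensitive); it is my own code, not the module's.

```python
"""Evaluate a subset of the SecFilterSelective rules above against constructed
requests (added example; imitates mod_security 1.x chain semantics, not the
module's own code)."""
import re

# (variable, pattern, chained) copied from the httpd.conf block above.
RULES = [
    ("REQUEST_METHOD", "!^GET$", True),
    ("HTTP_Content-Type", "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)", False),
    ("REQUEST_METHOD", "^POST$", True),
    ("HTTP_Content-Length", "^$", False),
    ("HTTP_Transfer-Encoding", "!^$", False),
    ("ARG_PHPSESSID", "!^[0-9a-z]*$", False),
    ("COOKIE_PHPSESSID", "!^[0-9a-z]*$", False),
    ("THE_REQUEST", "wget ", False),
    ("THE_REQUEST", "/../../ ", False),
]


def _chains(rules):
    """Group consecutive 'chain' rules with the rule that terminates the chain."""
    chain = []
    for var, pattern, chained in rules:
        chain.append((var, pattern))
        if not chained:
            yield chain
            chain = []


def _matches(var, pattern, req):
    value = req.get(var, "")                 # assumption: missing variable == empty
    negate = pattern.startswith("!")
    hit = re.search(pattern.lstrip("!"), value, re.IGNORECASE) is not None
    return hit != negate


def evaluate(req):
    """Return (status, index of the chain that fired); 200 means no rule matched."""
    for idx, chain in enumerate(_chains(RULES)):
        if all(_matches(var, pattern, req) for var, pattern in chain):
            return 403, idx                  # SecFilterDefaultAction: deny,status:403
    return 200, None


# Constructed requests, keyed the way mod_security names its variables.
GOOD_POST = {"REQUEST_METHOD": "POST", "HTTP_Content-Type": "application/x-www-form-urlencoded",
             "HTTP_Content-Length": "27", "ARG_PHPSESSID": "3f9a0b", "THE_REQUEST": "POST /login.php HTTP/1.1"}
BAD_CT = dict(GOOD_POST, **{"HTTP_Content-Type": "text/xml"})          # chain 0: non-GET with odd type
NO_LEN = {k: v for k, v in GOOD_POST.items() if k != "HTTP_Content-Length"}  # chain 1: POST, no length
BAD_SESSION = {"REQUEST_METHOD": "GET", "ARG_PHPSESSID": "abc%27", "THE_REQUEST": "GET /index.php?PHPSESSID=abc%27 HTTP/1.0"}
TRAVERSAL = {"REQUEST_METHOD": "GET", "THE_REQUEST": "GET /../../ HTTP/1.0"}
```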
3) Apache config (httpd.conf) considerations
a) Never turn “HostnameLookups” to “On” in httpd.conf. You do not want to look up every single IP that accesses your web server in your DNS.
b) Do not play with the “MinSpareServers”, “MaxSpareServers” and “StartServers” configuration options unless you know what you are doing. Leaving the defaults works well for most servers.
c) Those who have busy servers should decrease the value of “KeepAliveTimeout” to 5 (the default is 15). You do not want Apache processes to wait for 15 seconds after a request before they die if the number of server requests is considerably high.
d) Set “AllowOverride” to “None” everywhere possible. ISPs might not like this idea because of their users though. If your client does not modify the .htaccess file often, set the parameters explicitly in the Apache configuration file instead.
e) Decrease the number of “DirectoryIndex” parameters. I usually set it to “index.html index.php” on my apache configuration. Letting Apache look for all DirectoryIndex files in your web folder is a waste of resources.
f) If you do not need to log each request on your webserver, disable logging. This will save some hard disk space and decrease the number of concurrent write processes on your system. You can either comment out all mod_log* modules or send the logs to /dev/null, for example with “CustomLog /dev/null” and “ErrorLog /dev/null”. For virtual server setups, log only the hosts that need the logs of all requests.
g) Set “ServerTokens” to “Prod” in your httpd.conf. This will hide all of the modules you have compiled into Apache together with Apache’s version. If you check your server in Netcraft’s “What’s That Site Running” it will only show “Apache” instead of the detailed report. For security reasons, you do not want hackers to know what version of Apache and what kind of modules you are running on the server.
h) Put the following lines into your httpd.conf:
<FilesMatch "\.(inc|tpl|h|ihtml|sql|ini|conf|bin|spd|theme|module)$">
Deny from all
</FilesMatch>
# "config\.php$" matches any file ending in config.php; a leading "\c" would be read as a control-character escape
<Files ~ "config\.php$">
Deny from all
</Files>
This will prevent people from downloading configuration files from your server.
5) Other performance considerations
a) Increase the amount of RAM. The more RAM, the better. You should have enough memory for Apache to put requests into RAM instead of your swap on the hard drive. Letting Apache swap and queue requests is not a good idea. If you have a busy site with less than 512 Mb of RAM there is a possibility that Apache will kill your server (your machine will no longer be accessible from outside). So always make sure that you have enough RAM in your web server.
b) If you have large files in your web server (such as large images, mp3 files, movies, etc) do not let Apache serve the files. Install thttpd server and let it handle all your download requests. You should only use Apache to process dynamic content.
6) Other security considerations
By default Apache is a secure server. However, many administrators decrease its security by installing too many modules that they do not need. Some administrators think “the more modules, the better, because the server will be full of features and compatible with everything”. But they do not understand that most Apache modules are written by third-party organizations or individuals that have nothing to do with Apache development. Thus, some modules might be the cause of your segmentation faults and security concerns. Rule of thumb while compiling Apache: the lower the number of modules, the tighter the security. Decreasing the number of modules also means a smaller Apache binary (only if you are compiling modules into Apache instead of running them as DSOs), which in turn results in lower memory consumption per Apache child, so your server will be capable of handling more simultaneous requests.
I recommend reading the security issues for every module installed into Apache. One of the modules you should always be watching is mod_php. PHP is notorious for security issues that come out every once in a while. Thanks to the ongoing development and a large PHP community, these issues are addressed almost immediately and a new fixed version gets released to the public. Make sure that you are running the latest version of PHP. Carefully review the php.ini file in your PHP configuration and set everything to maximum security. You should also consider running Apache in an unprivileged, non-root chroot environment. Even if your Apache gets compromised, the attacker will not be able to damage the rest of your system. This is especially vital if you are running a dedicated server that you do not have physical access to.
7) Apache security/performance related links
- Apache: The Definitive Guide, 2nd Edition chapter 13 (O’Reilly)
Comments
Apache - Performance and security
Apache is the most popular web server and is at the same time a target for DoS and hacking attacks. Being highly customizable through the use of the hundreds of available modules, it can be optimized and secured to handle without problems quantit…