Tuesday, July 14, 2020

Installing, hardening, mod-security and fail2ban for Apache server

The following post is about computer security, which has been a hobby of mine for many years and, for the last few, my profession and livelihood as well. The aim of the article is simply to install and secure a web server; I have chosen Apache.

  1. Installing

If you need help compiling and installing your Apache web server, you will find everything you need in the official documentation.

    2. Hardening


Relatively recently I came across a public project called "Apache Hardening" and was completely delighted with it. It is not worth transcribing here; the best thing you can do is go to the original link and follow its instructions step by step.

    3. Mod-Security

Another important topic for your Apache web server is ModSecurity. ModSecurity is one of the most popular security modules for Apache: a web application firewall that inspects requests (and responses) before they reach your application, and with it in place more than 85% of automated vulnerability scans and exploit attempts are stopped. Keep in mind that ModSecurity itself is only the engine; what actually gets blocked depends on the rule set you load, normally the OWASP ModSecurity Core Rule Set (CRS), and on running the engine in blocking mode (SecRuleEngine On) rather than leaving it in DetectionOnly, which logs but never rejects a request.


On the Internet you can find plenty of good guides explaining how to install the module, but in my opinion one of the best is this one.

    4. Fail2ban

OK, we are now very close to concluding this mini tutorial. Imagine that everything above fails: what do we have left? Well, many things. We should make sure the operating system itself is hardened, that we are not exposing unnecessary services to the Internet, and so on. But what if we could also apply firewall rules dynamically, in response to events recorded in the logs? Welcome to Fail2ban.

Let's assume that you have already installed fail2ban; if not, you can see how to do that here: https://www.ionos.com/community/server-cloud-infrastructure/linux-server/use-fail2ban-on-a-cloud-server-with-linux/

Fail2ban reads jail.conf first and then jail.local, so anything set in jail.local overrides the stock configuration and survives package upgrades. Copy the stock file to jail.local and make your changes there (strictly speaking jail.local only needs to contain the settings you change, but starting from the full copy keeps the comments at hand):

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Configure defaults in jail.local

Open the new file in your editor and look at the [DEFAULT] section. Every jail inherits these values unless it sets its own:
[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1

# On CentOS/RHEL the fail2ban-firewalld package ships jail.d/00-firewalld.conf,
# which switches the ban action to firewalld. If you manage the firewall with
# iptables directly, override it here:
banaction = iptables-multiport

# "bantime" is the number of seconds that a host is banned.
bantime  = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 5

Configure Fail2ban For ssh

Although you can add these parameters to the global jail.local, it is good practice to create a separate file under jail.d for each service you want to protect with Fail2Ban.
So let's create a new jail for SSH with the vi editor:
vi /etc/fail2ban/jail.d/sshd.local
Add the following lines to that file:
[sshd]
enabled = true
port = ssh
action = iptables-multiport
# RHEL/CentOS log sshd failures to /var/log/secure; on Debian/Ubuntu the
# equivalent file is /var/log/auth.log. With a wrong logpath the jail starts
# but never bans anyone.
logpath = /var/log/secure
maxretry = 5
bantime = 600
Restart Fail2Ban
After making any changes to the Fail2Ban config, always be sure to restart Fail2Ban.
systemctl restart fail2ban
You can see the chains and rules fail2ban has inserted into iptables (look for chains named f2b-<jail>):
iptables -L -n
Check Fail2Ban Status
Use fail2ban-client command to query the overall status of the Fail2Ban jails.
fail2ban-client status
You can also query a specific jail status using the following command:
fail2ban-client status sshd

Configure Fail2ban For Apache

Edit jail.local (or, following the practice above, put these jails in their own file under /etc/fail2ban/jail.d/):
sudo nano /etc/fail2ban/jail.local
Add the following content. Two notes before you do. First, add your own static management address to ignoreip alongside the sample 127.0.0.1 so that a typo in your own password cannot lock you out. Second, check the logpath: apache-auth, apache-noscript and apache-overflows match lines from Apache's error log (on CentOS normally /var/log/httpd/error_log), while apache-badbots matches access-log lines (/var/log/httpd/access_log). The single custom file /var/log/httpd/fail2ban_log used below only works if you have configured Apache to write both kinds of lines there; otherwise point each jail at the log it actually reads.
# detect password authentication failures
[apache]
enabled  = true
filter   = apache-auth
action   = iptables-multiport[name=auth, port="http,https"]
logpath  = /var/log/httpd/fail2ban_log
bantime  = 3600
maxretry = 3
ignoreip = 127.0.0.1

# ban known bad bots (e-mail harvesters and similar) by their User-Agent; this filter reads access-log lines
[apache-badbots]
enabled  = true
filter   = apache-badbots
action   = iptables-multiport[name=badbots, port="http,https"]
logpath  = /var/log/httpd/fail2ban_log
bantime  = 3600
maxretry = 1
ignoreip = 127.0.0.1

# ban clients requesting scripts (.php, .asp, .cgi ...) that do not exist on this server, a typical sign of exploit scanning
[apache-noscript]
enabled  = true
filter   = apache-noscript
action   = iptables-multiport[name=noscript, port="http,https"]
logpath  = /var/log/httpd/fail2ban_log
bantime  = 3600
maxretry = 6
ignoreip = 127.0.0.1

# ban clients sending overlong or malformed requests that Apache logs as overflow attempts
[apache-overflows]
enabled  = true
filter   = apache-overflows
action   = iptables-multiport[name=overflows, port="http,https"]
logpath  = /var/log/httpd/fail2ban_log
bantime  = 3600
maxretry = 2
ignoreip = 127.0.0.1
Save and close the file, then restart Fail2ban for the changes to take effect:
sudo systemctl restart fail2ban
Now, configure the Fail2ban service to start on boot with the command:
sudo systemctl enable fail2ban
To verify the rules that were added to iptables by Fail2ban, use the following command:
sudo iptables -L
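The jail options used throughout this section (findtime, maxretry, bantime, ignoreip) and the [sshd] and [apache] jails are easiest to understand by watching the counting happen. The Python script below is an added example written for this post, not fail2ban's own code; its two regexes are cut-down versions of the sshd and apache-auth filters that only need to match the constructed sample log lines embedded in it, and the year 2020 for the syslog lines is an assumption (syslog timestamps omit the year). It runs the [sshd] jail with this post's defaults (maxretry 5 within 600 s) and the [apache] jail with maxretry 3 and bantime 3600 over the sample logs, and shows three things the config alone does not: failures older than findtime age out before they are counted, a host that is already banned is not counted again, and 127.0.0.1 is exempt.

```python
# Toy model of a fail2ban jail (added example, not fail2ban's own code): a filter
# regex extracts (timestamp, host) from each log line, failures are counted per
# host inside a sliding "findtime" window, the "maxretry"-th one bans the host for
# "bantime" seconds, and hosts covered by "ignoreip" are never counted.
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified failregexes modelled on fail2ban's filter.d/sshd.conf and
# filter.d/apache-auth.conf. Assumption: the real filters cover many more
# message variants; these only need to match the constructed sample lines below.
FILTERS = {
    "sshd": re.compile(
        r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
        r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+"),
    "apache-auth": re.compile(
        r"^\[(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d\.\d+ \d{4})\] "
        r"\[auth_basic:error\] \[pid \d+\] \[client (?P<host>[^:\]]+)(?::\d+)?\] "
        r"(?:AH\d+: )?user \S+ authentication failure for \S+: Password Mismatch"),
}


def parse_ts(jail, raw):
    # syslog lines (sshd) carry no year; 2020 is assumed to match the sample log
    if jail == "sshd":
        return datetime.strptime("2020 " + raw, "%Y %b %d %H:%M:%S")
    return datetime.strptime(raw, "%a %b %d %H:%M:%S.%f %Y")


class Jail:
    def __init__(self, name, findtime=600, maxretry=5, bantime=600,
                 ignoreip=("127.0.0.1",)):
        self.name, self.regex, self.maxretry = name, FILTERS[name], maxretry
        self.findtime, self.bantime = timedelta(seconds=findtime), timedelta(seconds=bantime)
        self.ignore = [ipaddress.ip_network(n) for n in ignoreip]  # ignoreip entries
        self.failures = defaultdict(deque)  # host -> failure timestamps in window
        self.bans = {}                       # host -> ban expiry

    def ignored(self, host):
        addr = ipaddress.ip_address(host)
        return any(addr in net for net in self.ignore)

    def is_banned(self, host, now):
        expiry = self.bans.get(host)
        if expiry is not None and now >= expiry:
            del self.bans[host]              # bantime elapsed: the unban action fires
            return False
        return expiry is not None

    def feed(self, line):
        """Process one log line; return (ban time, host) if it triggered a ban."""
        m = self.regex.match(line)
        if not m:
            return None                      # not a failure line: nothing to count
        host, now = m.group("host"), parse_ts(self.name, m.group("ts"))
        if self.ignored(host) or self.is_banned(host, now):
            return None
        window = self.failures[host]
        window.append(now)
        while now - window[0] > self.findtime:   # age out failures older than findtime
            window.popleft()
        if len(window) < self.maxretry:
            return None
        self.bans[host] = now + self.bantime
        window.clear()                       # counter resets once the host is banned
        return now, host


def run_jail(name, log_text, **options):
    """Feed a whole log through one jail; return [(ban time, host), ...]."""
    jail = Jail(name, **options)
    bans = filter(None, (jail.feed(line) for line in log_text.splitlines()))
    return [(ts.strftime("%Y-%m-%d %H:%M:%S"), host) for ts, host in bans]


# Constructed sample logs, not captured from a real host.
SSHD_LOG = """\
Jul 14 10:00:01 web1 sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jul 14 10:00:03 web1 sshd[2002]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Jul 14 10:00:05 web1 sshd[2003]: Failed password for root from 203.0.113.5 port 51236 ssh2
Jul 14 10:00:07 web1 sshd[2004]: Failed password for root from 203.0.113.5 port 51237 ssh2
Jul 14 10:00:11 web1 sshd[2006]: Failed password for root from 203.0.113.5 port 51238 ssh2
Jul 14 10:00:13 web1 sshd[2007]: Failed password for root from 203.0.113.5 port 51239 ssh2
Jul 14 10:00:15 web1 sshd[2008]: Failed password for root from 127.0.0.1 port 51240 ssh2
"""

APACHE_ERROR_LOG = """\
[Tue Jul 14 10:00:01.100000 2020] [auth_basic:error] [pid 3001] [client 203.0.113.9:51234] AH01617: user bob: authentication failure for "/admin": Password Mismatch
[Tue Jul 14 10:00:02.100000 2020] [auth_basic:error] [pid 3001] [client 203.0.113.9:51235] AH01617: user bob: authentication failure for "/admin": Password Mismatch
[Tue Jul 14 10:20:03.100000 2020] [auth_basic:error] [pid 3001] [client 203.0.113.9:51236] AH01617: user bob: authentication failure for "/admin": Password Mismatch
[Tue Jul 14 10:20:04.100000 2020] [auth_basic:error] [pid 3001] [client 203.0.113.9:51237] AH01617: user bob: authentication failure for "/admin": Password Mismatch
[Tue Jul 14 10:20:05.100000 2020] [auth_basic:error] [pid 3001] [client 203.0.113.9:51238] AH01617: user bob: authentication failure for "/admin": Password Mismatch
"""

if __name__ == "__main__":
    print(run_jail("sshd", SSHD_LOG))                                    # [sshd] defaults
    print(run_jail("apache-auth", APACHE_ERROR_LOG, maxretry=3, bantime=3600))
```

In the sshd run the fifth failure at 10:00:11 bans 203.0.113.5 for 600 s; the failure at 10:00:13 arrives while the ban is active and is not counted, and the loopback failure is ignored. In the Apache run the two failures at 10:00 are more than findtime old by the time the 10:20 burst arrives, so they are aged out and the ban only fires on the third failure of that burst, at 10:20:05. On a real host the equivalent check is fail2ban-regex, which runs a filter against a log file and reports which lines matched, for example fail2ban-regex /var/log/httpd/error_log /etc/fail2ban/filter.d/apache-auth.conf; run it before enabling a jail, because a jail whose filter never matches (wrong logpath, or an error-log filter pointed at the access log) starts cleanly and silently protects nothing.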