The Linux Page

A firewall inside Apache

If you are running a webserver, you should use a webserver firewall. It stops many attacks from being carried out against your servers without forcing you to make your own applications more complex than necessary.

The idea is very simple: if only a few people edit your data over the Internet and they have static IP addresses, you can check that the editor pages are only accessible from those IP addresses. Any other access can simply be blocked.

Whenever an access is blocked, an action is executed. That action can be to block the IP address of the user in your main firewall and thus avoid additional illegal accesses (that way you also save a lot of data transfer, since the front firewall prevents everything from coming in).

For Apache, there are several solutions; the best I have found so far is modsecurity by Breach.

Unfortunately, when they created modsecurity2, which is the one you want, they changed their license in such a way that it is not included in the Debian and Ubuntu distributions. So you have to compile the whole thing yourself.

To do so, download the modsecurity-apache_<version>.tar.gz file, extract it, and run the usual configure, make and make install commands. There should be no need to change anything with the configure script; the defaults should work just fine. The make install step automatically installs the dynamic library (.so file) in the right place using the Apache tools.

WARNING:

If you have mod_security installed, you will have to remove it before running mod_security2. This is important since the two modules are not compatible with each other.

   apt-get remove libapache2-mod-security mod-security-common

The command will generate a warning message if the module is not installed. It is safe to ignore that message.

You may have a hard time because your server does not include the right development files. Installing the following should do it for you:

   sudo apt-get install apache2-prefork-dev libxml++2.6-dev g++ make

It is safe to run this command even if one or more of those libraries are already installed.

The g++ and make tools may or may not already be installed. I had to install them on my bare server.

Once installed, you want to configure your module; Breach offers a lot of documentation on how to tweak your install. Make sure to get the core rules, put them somewhere under /etc/apache2, and load that configuration with an Include directive such as:

   Include modsecurity/*.conf
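As an added example (not part of the original post), here is how the idea described at the top of the page looks as a ModSecurity 2 rule: the editor pages are only reachable from a short list of static IP addresses, and every other request is denied and logged. The /editor/ path, the rule id and the addresses (203.0.113.10 and 198.51.100.0/24 are documentation ranges) are placeholders you would replace with your own.

```apache
# Added example: restrict the editor pages to known IP addresses with
# ModSecurity 2. Path, rule id and addresses are placeholders.
<IfModule security2_module>
    SecRuleEngine On

    # Record the full transaction only for requests that triggered a rule,
    # so the audit log stays small and readable.
    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/apache2/modsec_audit.log

    # Anything under /editor/ is only allowed from the listed addresses.
    # Phase 1 runs on the request headers, before the body is read, so a
    # blocked client never gets to upload anything.
    <Location /editor/>
        SecRule REMOTE_ADDR "!@ipMatch 203.0.113.10,198.51.100.0/24" \
            "id:100001,phase:1,deny,status:403,log,msg:'editor page requested from an address not on the allow list'"
    </Location>
</IfModule>
```

Each denied request is written to the Apache error log as a "ModSecurity: Access denied" entry carrying the client address; that entry is what a script feeding your main firewall would watch for.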

Is Slackware affected?!

I thought that Slackware was a go get that tarball somewhere distro... and not really a distro per se. So I'm thinking that having to recompile is certainly a daily chore with that system.

Now, I'm not too sure what you mean about vim?! I had it in all the Debian & Ubuntu distros I have had... And it is definitely tons of times more powerful than pico. I don't ever use nano so I don't know about that one.

Thanks for the comment.
Alexis

It's a shame we run across this, but

The reasons for various distros doing this have helped to ensure even more GPL'd software.

Yes, it's annoying that say, your fav distro doesn't include something by default because of a licensing issue.

In my case, being a Slackware diehard, I constantly find myself entering 'pico' on the CLI when I want to open a file. Sometimes it upsets me enough that I just type 'vim' instead of 'nano'.

Not that I've got anything against nano, I don't. But I just like typing 'pico' instead.

No, I was taught not to use aliasing on a regular basis, because it can get you into trouble.