
A firewall inside Apache

If you are running a webserver, you should use a webserver firewall. It stops many attacks before they reach your applications, without forcing you to make those applications more complex than necessary.

The idea is simple: if only a few people edit your data from the Internet and they all have static IP addresses, you can restrict the editor pages to those addresses. Any other access to those pages can simply be blocked.

Whenever an access is blocked, an action is executed. That action can be to block the client's IP address in your main firewall, which avoids further illegitimate accesses from it (and saves a lot of data transfer, since the front firewall then drops everything coming from that address before it reaches Apache).

For Apache, you have several options; the best I have found so far is ModSecurity by Breach.

Unfortunately, when they created ModSecurity 2, which is the version you want, they changed the license in such a way that it is not included in the Debian and Ubuntu distributions. So you have to compile the whole thing yourself.

To do so, download the modsecurity-apache_<version>.tar.gz file, extract it, and run the configure + make + make install commands. There should be no need to pass any options to the configure script; the defaults work fine. The make install step uses the Apache tools (apxs) to put the dynamic library (.so file) in the right place.

WARNING:

If you have mod_security (version 1) installed, you have to remove it before loading mod_security2. This is important because the two modules are not compatible with each other.

   apt-get remove libapache2-mod-security mod-security-common

The command prints a warning if the module is not installed. It is safe to ignore that warning.

You may have a hard time because your server does not include the right development files. Installing the following should do it for you:

   sudo apt-get install apache2-prefork-dev libxml++2.6-dev g++ make

It is safe to run this command even if one or more of those packages are already installed.

The g++ and make tools may or may not already be installed. I had to install them on my bare server.

Once installed, you want to configure the module. Breach offers a lot of documentation on how to tune your install. Make sure to get the Core Rules, put them somewhere under /etc/apache2 (the ServerRoot on Debian, which is what a relative Include path is resolved against), and load that configuration with an Include directive such as:

   Include modsecurity/*.conf
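The script below is an added example, not code from the original post nor from Breach's ModSecurity distribution. It automates the procedure above on a Debian/Ubuntu box (remove mod_security 1, install the build dependencies, build and install the module, wire it into Apache) and writes the editor-page restriction described at the top of the post as a ModSecurity rule chain: requests for the editor pages from any address other than the editors' static addresses get a 403 and an audit-log entry carrying a fixed rule id, which is the hook a log watcher feeding the main firewall would key on. Everything not stated in the post is an assumption: the editor URL prefix /admin, the two editor addresses (taken from documentation ranges), the 2.5.x tarball layout with the Apache build tree in an apache2/ subdirectory, the mods-available file name, and libxml2-dev as the development package the module actually links against (the post's libxml++2.6-dev pulls it in as a dependency).

```shell
#!/bin/sh
# Added example (not from the original post or from Breach):
#   sudo sh install-modsecurity.sh install modsecurity-apache_2.5.9.tar.gz
#   sh install-modsecurity.sh rules      # dry run: print the editor rule file
set -eu

EDITOR_PREFIX="/admin"                  # assumed URL prefix of the editor pages
EDITOR_IPS="192.0.2.10 198.51.100.7"    # assumed static addresses of the editors
RULES_DIR="/etc/apache2/modsecurity"    # what "Include modsecurity/*.conf" reads

# Emit a rule file that lets only the addresses in $2 reach URIs under $1.
# The disruptive action lives on the first rule of the chain; the second
# rule only adds the address test (a negated regex on REMOTE_ADDR).
render_editor_rules() {
    prefix="$1"
    allowed="$2"                        # space-separated IPv4 addresses
    # "192.0.2.10 198.51.100.7" -> "192\.0\.2\.10|198\.51\.100\.7"
    ip_regex=$(printf '%s' "$allowed" | sed 's/\./\\./g; s/ /|/g')
    cat <<EOF
# Editor pages are reachable only from the editors' static addresses.
# SecRuleEngine On repeats what the Core Rules config sets; it is here so
# this file still works on its own.
SecRuleEngine On
SecRule REQUEST_URI "^$prefix" "phase:1,chain,deny,status:403,log,id:900100,msg:'editor page requested from an unauthorized address'"
    SecRule REMOTE_ADDR "!^($ip_regex)\$"
EOF
}

# mods-available entry: per the ModSecurity documentation libxml2 is loaded
# before the module itself. /usr/lib/libxml2.so is the dev-package symlink
# (assumed path; check with "ls /usr/lib/libxml2*").
render_load_conf() {
    cat <<'EOF'
LoadFile /usr/lib/libxml2.so
LoadModule security2_module /usr/lib/apache2/modules/mod_security2.so
EOF
}

install_modsecurity() {
    tarball="$1"                        # modsecurity-apache_<version>.tar.gz
    # mod_security 1 and 2 cannot be loaded together; removal only warns if absent.
    apt-get remove -y libapache2-mod-security mod-security-common || true
    apt-get install -y apache2-prefork-dev libxml2-dev g++ make
    src=$(basename "$tarball" .tar.gz)
    tar xzf "$tarball"
    # 2.5.x keeps the Apache module build tree in apache2/ (assumption for
    # other versions; see the README of your tarball). make install calls
    # apxs, which copies mod_security2.so into the Apache module directory.
    (cd "$src/apache2" && ./configure && make && make install)
    render_load_conf > /etc/apache2/mods-available/mod-security2.load
    mkdir -p "$RULES_DIR"
    # The Core Rules from Breach go into $RULES_DIR too. Apache processes a
    # wildcard Include alphabetically, so the zz_ prefix sorts this file last.
    render_editor_rules "$EDITOR_PREFIX" "$EDITOR_IPS" > "$RULES_DIR/zz_editor_access.conf"
    grep -q '^Include modsecurity/\*\.conf' /etc/apache2/apache2.conf \
        || echo 'Include modsecurity/*.conf' >> /etc/apache2/apache2.conf
    a2enmod unique_id                   # ModSecurity's audit log needs mod_unique_id
    a2enmod mod-security2
    apache2ctl configtest && /etc/init.d/apache2 restart
}

case "${1:-}" in
    install) install_modsecurity "$2" ;;
    rules)   render_editor_rules "$EDITOR_PREFIX" "$EDITOR_IPS" ;;
esac
```

Two caveats a practitioner will want. First, REMOTE_ADDR is the address of the TCP peer: behind a reverse proxy or load balancer it is the proxy's address and the chain above would lock every editor out (or let everyone in if the proxy is whitelisted), so the rule must then test the forwarded-for header the proxy is trusted to set. Second, the post says the blocking action can push the address into the main firewall but does not say how; ModSecurity's exec action can run a script on a match, and watching the audit log for id 900100 from a separate daemon is the other common choice. Which one fits depends on your front firewall and is outside what the post covers.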

Is Slackware affected?!

I thought that Slackware was a "go get that tarball somewhere" distro... and not really a distro per se. So I'm thinking that having to recompile is certainly a daily chore with that system.

Now, I'm not too sure what you mean about vim?! I had it in all the Debian & Ubuntu distros I have had... And it is definitely tons of times more powerful than pico. I don't ever use nano so I don't know about that one.

Thanks for the comment.
Alexis

It's a shame we run across this, but

The reasons for various distros doing this have helped to ensure even more GPL'd software.

Yes, it's annoying that say, your fav distro doesn't include something by default because of a licensing issue.

In my case, being a Slackware diehard, I constantly find myself entering 'pico' on the CLI when I want to open a file. Sometimes it upsets me enough that I just type 'vim' instead of 'nano'.

Not that I've got anything against nano, I don't. But I just like typing 'pico' instead.

No, I was taught not to use aliasing on a regular basis, because it can get you into trouble.
