This section covers Apache settings that can be changed to harden the server.
ServerSignature
Turn off ServerSignature so Apache does not append its name and version number to server-generated pages such as error pages.
/etc/apache2/conf-available/security.conf
Code:
ServerSignature Off
ServerTokens
Set ServerTokens to the value that gives away the least information.
This directive controls what Apache returns in the Server HTTP response header, such as the OS type and compiled-in modules.
/etc/apache2/conf-available/security.conf
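To make the difference between the ServerTokens values concrete, here is an added example (not part of the original post and not Apache's own code) that renders the Server header each value produces, following the formats given in the Apache documentation, and audits a security.conf-style text for the hardened settings. The version, OS and module strings are constructed placeholders, and the two config snippets are constructed too: a weak one that still leaks version and OS, and a hardened one with ServerTokens Prod and ServerSignature Off.

```python
# Added example: what each ServerTokens value discloses, plus a small audit
# of a security.conf-style config. Not Apache's code; build details below
# are constructed placeholders standing in for a real httpd.
BUILD = {'version': '2.4.99', 'os': 'Ubuntu', 'modules': 'PHP/8.2.0 mod_perl/2.0.12'}

# Server header produced by each ServerTokens value (per the Apache docs).
SERVER_HEADER = {
    'prod':        lambda b: 'Apache',
    'productonly': lambda b: 'Apache',
    'major':       lambda b: 'Apache/' + b['version'].split('.')[0],
    'minor':       lambda b: 'Apache/' + '.'.join(b['version'].split('.')[:2]),
    'min':         lambda b: 'Apache/' + b['version'],
    'minimal':     lambda b: 'Apache/' + b['version'],
    'os':          lambda b: 'Apache/%s (%s)' % (b['version'], b['os']),
    'full':        lambda b: 'Apache/%s (%s) %s' % (b['version'], b['os'], b['modules']),
}

# Constructed config snippets: a weak one and the hardened one.
WEAK_CONF = """\
# still tells every client the exact version and the OS
ServerTokens OS
ServerSignature On
"""
HARDENED_CONF = """\
ServerTokens Prod
ServerSignature Off
"""


def parse_directives(config_text):
    """Return the last-wins value of each directive; comments are dropped and
    directive names are case-insensitive, as in Apache itself."""
    values = {}
    for raw in config_text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            values[parts[0].lower()] = parts[1].strip()
    return values


def effective_server_header(config_text, build=BUILD):
    """Server header the config would produce; Apache defaults to Full when unset."""
    tokens = parse_directives(config_text).get('servertokens', 'Full').lower()
    return SERVER_HEADER[tokens](build)


def audit(config_text):
    """Report what the config leaks and whether both directives are hardened."""
    directives = parse_directives(config_text)
    header = effective_server_header(config_text)
    discloses_version = any(ch.isdigit() for ch in header)
    # ServerSignature defaults to Off; On and EMail both add the footer.
    signature_shown = directives.get('serversignature', 'Off').lower() != 'off'
    return {
        'server_header': header,
        'discloses_version': discloses_version,
        'signature_shown': signature_shown,
        'hardened': not discloses_version and not signature_shown,
    }


if __name__ == '__main__':
    for name, conf in (('weak', WEAK_CONF), ('hardened', HARDENED_CONF)):
        print(name, audit(conf))
```

Running the script prints the Server header and audit result for both snippets; the weak one yields "Apache/2.4.99 (Ubuntu)" and is flagged, the hardened one yields a bare "Apache". Note that Prod only trims the header and signature; it does not change any behaviour that fingerprinting tools use, so it is a reduction of casual disclosure rather than a substitute for patching.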
Fail2Ban - Standard Filters
If you followed my instructions for setting up the Ubuntu Server, you should already have sshd being protected by Fail2Ban. Now we are going to add some pre-defined Apache filters.
Edit the jail configuration file:
Code:
sudo vi /etc/fail2ban/jail.local
Add the following sections to the bottom:
Code:
[apache-auth]
# detect password authentication failures
enabled = true
port = http,https
filter = apache-auth
action = iptables-multiport[name=auth, port="http,https"]
logpath = %(apache_error_log)s
bantime = 3600
maxretry = 3
[apache-noscript]
# detect potential search for exploits
enabled = true
port = http,https
filter = apache-noscript
action = iptables-multiport[name=noscript, port="http,https"]
logpath = %(apache_error_log)s
bantime = 3600
maxretry = 6
[apache-overflows]
# detect Apache overflow attempts
enabled = true
port = http,https
filter = apache-overflows
action = iptables-multiport[name=overflows, port="http,https"]
logpath = %(apache_error_log)s
bantime = 3600
maxretry = 2
[apache-badbots]
# detect spammer robots crawling email addresses
enabled = true
port = http,https
filter = apache-badbots
action = iptables-multiport[name=badbots, port="http,https"]
logpath = %(apache_access_log)s
bantime = 48h
maxretry = 1
[php-url-fopen]
# detect PHP remote injection attacks
enabled = true
port = http,https
filter = php-url-fopen
action = iptables-multiport[name=phpfopen, port="http,https"]
logpath = %(apache_access_log)s
maxretry = 1
Restart the Fail2Ban service:
Code:
sudo systemctl restart fail2ban
Check the status:
Code:
sudo fail2ban-client status
Fail2Ban - WordPress Login
WordPress does not write login results to the web logs. However, we can make an assumption that anyone trying to access the login page multiple times in a short period of time does not know their credentials or is trying to brute-force accounts. So let's create a filter that looks for anyone accessing the login page multiple times in a short timeframe.
Create a new filter:
Code:
sudo touch /etc/fail2ban/filter.d/wordpress-login.conf
sudo chown root:root /etc/fail2ban/filter.d/wordpress-login.conf
sudo chmod 644 /etc/fail2ban/filter.d/wordpress-login.conf
Edit the filter file:
Code:
sudo vi /etc/fail2ban/filter.d/wordpress-login.conf
Add this to the file:
Code:
[Definition]
failregex = <HOST> - - .*(POST|GET) .*/wp-login.php HTTP.*
Edit the jail configuration file:
Code:
sudo vi /etc/fail2ban/jail.local
Add the following sections to the bottom:
Code:
[wordpress-login]
# detect multiple attempts to login
enabled = true
port = http,https
action = iptables-multiport[name=wordpress, port="http,https"]
filter = wordpress-login
logpath = %(apache_access_log)s
bantime = 3600
findtime = 60
maxretry = 6
Restart the Fail2Ban service:
Code:
sudo systemctl restart fail2ban
Check the status:
Code:
sudo fail2ban-client status
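To see how the wordpress-login filter and jail above behave before putting them in production, here is an added example (not part of the original post and not Fail2Ban's own code) that applies the same failregex to a few constructed access-log lines and replays the findtime/maxretry window. The log lines are made up, and the IPv4-only expansion of the <HOST> placeholder is a simplification of what Fail2Ban actually substitutes (its real pattern also matches IPv6 addresses and hostnames).

```python
# Added example: replay the wordpress-login failregex and the jail's
# findtime/maxretry window over constructed log lines. Not Fail2Ban code.
import re
from datetime import datetime, timedelta

# Constructed Apache "combined" format lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:55:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2043 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:55:09 +0000] "POST /wp-login.php HTTP/1.1" 200 2043 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:55:13 +0000] "POST /wp-login.php HTTP/1.1" 200 2043 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:55:17 +0000] "POST /wp-login.php HTTP/1.1" 200 2043 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:55:21 +0000] "POST /wp-login.php HTTP/1.1" 200 2043 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:55:25 +0000] "POST /wp-login.php HTTP/1.1" 200 2043 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:56:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2043 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:58:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:14:01:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# The failregex from the filter file, with <HOST> expanded. Fail2Ban's real
# substitution is broader; this IPv4-only group is a simplification.
FAILREGEX = r'<HOST> - - .*(POST|GET) .*/wp-login.php HTTP.*'
HOST_RE = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'
PATTERN = re.compile(FAILREGEX.replace('<HOST>', HOST_RE))

TIMESTAMP = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]')


def parse_time(line):
    """Extract the request timestamp from a combined-format line."""
    m = TIMESTAMP.search(line)
    return datetime.strptime(m.group(1), '%d/%b/%Y:%H:%M:%S %z') if m else None


def find_matches(log_text):
    """Yield (timestamp, host) for every line the failregex matches."""
    for line in log_text.splitlines():
        m = PATTERN.search(line)
        ts = parse_time(line)
        if m and ts:
            yield ts, m.group('host')


def simulate_jail(log_text, findtime=60, maxretry=6):
    """Return {host: time_of_ban} for hosts that reach maxretry matches
    within any findtime-second window, mirroring the jail settings above."""
    window = timedelta(seconds=findtime)
    recent = {}
    banned = {}
    for ts, host in find_matches(log_text):
        if host in banned:
            continue
        # keep only hits still inside the window, then add this one
        hits = [t for t in recent.get(host, []) if ts - t <= window]
        hits.append(ts)
        recent[host] = hits
        if len(hits) >= maxretry:
            banned[host] = ts
    return banned


if __name__ == '__main__':
    for host, when in simulate_jail(SAMPLE_LOG).items():
        print('would ban', host, 'at', when.isoformat())
```

With the jail's findtime = 60 and maxretry = 6, only 198.51.100.23 is banned (its sixth hit on the login page arrives 20 seconds after the first), while 203.0.113.7 touches the login page twice, minutes apart, and is left alone. Because the regex matches every GET of wp-login.php, including a real user simply loading the form, findtime and maxretry are what keep legitimate users from being banned; lowering them is where false positives come from.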