
Apache

Apache Modules

Apache is the de facto web server on the internet today, and with the addition of modules it becomes a very versatile server. Modules are usually built to solve a certain problem or to provide missing functionality. This open source application comes with prebuilt modules, which can be reviewed on the Apache website. If you wish to search for all modules, whether from the 1.x branch or the 2.x branch, this site offers a search facility which displays all registered modules.

Security

Servers and web applications give internet users the flexibility and ease of use they have come to depend on for internet banking and online shopping. They need to be secured against spammers and hackers, who are always looking for ways to exploit these interfaces for their own benefit, whether to steal your money or, worse, your identity. Apache modules that can address these security issues are:

Mod Security

Mod Security can monitor HTTP traffic in real time in order to detect attacks, thus acting as an application-level firewall and intrusion prevention system for web applications.

Mod Security has three different models for preventing attacks:

Deploying Mod Security

Mod Security can be deployed either embedded within Apache, or on the network within an Apache instance placed in front of all web-based applications, acting as a web filtering proxy. The network deployment has the added benefit of protecting non-Apache web servers as well.

Mod Security works on a wide range of operating systems.

Mod Security Configuration

Mod Security, whether embedded or deployed on the network, relies on a configuration file. This configuration file can be lengthy and needs to be reviewed before deploying. The Mod Security configuration manual can be reviewed from this link.

The following configuration file can be used as a starting point for deploying this open source tool:


#Enable Mod_security
SecFilterEngine On

#Logging
SecAuditEngine RelevantOnly
SecAuditLog /var/log/audit_log
#Default action for matching requests: deny, log, answer with status 404
SecFilterDefaultAction "deny,log,status:404"

#Disable executing Unix commands
SecFilterSelective ARGS "bin/"

#Guard against Cross site scripting attacks
#SecFilter  (the pattern for this rule is missing from this page)
SecFilter "<.+>"

#Guard against directory traversal
SecFilter "\.\./"

#Unicode encoding validation
SecFilterCheckUnicodeEncoding On
#Chunked encoding: reject requests that carry a Transfer-Encoding header
SecFilterSelective HTTP_Transfer-Encoding "!^$"

#URL validation
SecFilterCheckURLEncoding On
SecFilterSelective THE_REQUEST "!^[\x0a\x0d\x20-\x7f]+$"

#Post Scanning (Off: POST bodies are not inspected by the filters)
SecFilterScanPOST Off
#Only accept the standard form content types
SecFilterSelective HTTP_Content-Type \
"!(^$|^application/x-www-form-urlencoded$|^multipart/form-data;)"

# Default action: log and deny suspicious requests.
# SecFilterDefaultAction is set three times in this file (404 above, then
# 403 and 500 here); keep only the line with the status you want.
SecFilterDefaultAction "deny,log,status:403"
SecFilterDefaultAction "deny,log,status:500"

#Deny wget worm scripts
SecFilter cd\x20/tmp
SecFilter wget\x20

#Block Santy Worm
SecFilterSelective ARG_highlight %27
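
Because the default action above is deny, every pattern also has to be checked against legitimate traffic before it goes live. The Python sketch below is an added example (not part of the original page and not ModSecurity code): it replays constructed, benign request lines against the patterns from the configuration above and reports which ones would be rejected. It assumes a simplified model in which SecFilter patterns run against the once-URL-decoded request line and the ARGS pattern against the decoded query string; the function and label names are hypothetical.

```python
import re
from urllib.parse import unquote, unquote_plus, urlsplit

# Patterns copied from the SecFilter / SecFilterSelective lines above.
# "REQUEST" = whole request line, "ARGS" = query string (simplified model).
RULES = [
    ("unix-commands", "ARGS", r"bin/"),
    ("xss", "REQUEST", r"<.+>"),
    ("traversal", "REQUEST", r"\.\./"),
    ("worm-cd-tmp", "REQUEST", r"cd\x20/tmp"),
    ("worm-wget", "REQUEST", r"wget\x20"),
]

# Constructed request lines of the kind a normal site could receive.
SAMPLES = [
    "GET /index.html HTTP/1.1",
    "GET /shop?item=cabin/loft HTTP/1.1",
    "GET /search?q=wget%20manual HTTP/1.1",
    "GET /forum?msg=a%3Cb%20and%20c%3Ed HTTP/1.1",
    "GET /view?file=../notes.txt HTTP/1.1",
]


def matched_rules(request_line):
    """Return the labels of the rules that fire on one request line."""
    _method, target, _proto = request_line.split(" ", 2)
    haystack = {
        "REQUEST": unquote(request_line),
        "ARGS": unquote_plus(urlsplit(target).query),
    }
    return [label for label, where, pattern in RULES
            if re.search(pattern, haystack[where])]


def false_positives(samples=SAMPLES):
    """Map each benign sample that would be denied to the rules it hit."""
    report = {line: matched_rules(line) for line in samples}
    return {line: hits for line, hits in report.items() if hits}


if __name__ == "__main__":
    for line, hits in false_positives().items():
        print(f"DENIED {line!r} by {', '.join(hits)}")
```

Running a harness like this against a sample of real access-log lines before switching from log-only to deny shows which patterns need tightening.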



Mod Evasive

Webmasters have not had the opportunity to stop denial of service attacks on their web server, blindly believing that the network firewall is offering this protection. Most perimeter firewalls don't protect against attacks that request one or more pages in rapid succession, eventually overloading the server and bringing it to its knees (DoS). Mod Evasive, and its older version mod_dosevasive, offers real-time denial of service protection.

Once the module is loaded into Apache, Mod Evasive is configured from its configuration file.

The following configuration file can be used as a starting point.

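<IfModule mod_dosevasive20.c>
# Size of the hash table used to track clients
DOSHashTableSize 3097
# Requests for the same page allowed per DOSPageInterval (seconds)
DOSPageCount 2
# Requests for the whole site allowed per DOSSiteInterval (seconds)
DOSSiteCount 10
DOSPageInterval 1
DOSSiteInterval 1
# Seconds a client stays blocked
DOSBlockingPeriod 60
# Directory where the dos-<ip> files are written
DOSLogDir "/var/lock/mod_dosevasive"
</IfModule>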

If you are running Apache 2.x, the code above can be placed in a file within the "Includes" directory of your Apache config.

As attacks are blocked, you can observe which IPs tried to attack your server. Here's an example of the log directory:

ls -la /var/lock/mod_dosevasive/
total 54
drwxrwxrwx 2 root wheel 1024 Feb 7 10:20 .
drwxr-xr-x 3 root wheel 512 Jan 24 17:40 ..
-rw-r--r-- 1 www wheel 6 Jan 24 17:42 dos-127.0.0.1
-rw-r--r-- 1 www wheel 6 Jan 30 15:43 dos-150.135.118.217
-rw-r--r-- 1 www wheel 6 Feb 7 10:20 dos-192.109.190.88
-rw-r--r-- 1 www wheel 6 Jan 31 15:24 dos-192.160.124.68
-rw-r--r-- 1 www wheel 6 Jan 31 16:10 dos-204.146.182.254
-rw-r--r-- 1 www wheel 6 Jan 31 13:57 dos-206.47.99.133
-rw-r--r-- 1 www wheel 6 Jan 29 11:40 dos-208.76.74.85
-rw-r--r-- 1 www wheel 6 Feb 7 05:46 dos-212.244.47.130
-rw-r--r-- 1 www wheel 6 Jan 30 02:43 dos-213.178.125.41
-rw-r--r-- 1 www wheel 6 Feb 3 00:51 dos-220.225.82.98
-rw-r--r-- 1 www wheel 6 Feb 4 04:47 dos-34.253.3.200
-rw-r--r-- 1 www wheel 6 Jan 25 13:39 dos-63.83.48.10
-rw-r--r-- 1 www wheel 6 Jan 27 01:19 dos-65.248.100.253
-rw-r--r-- 1 www wheel 6 Feb 3 14:19 dos-66.30.220.78
-rw-r--r-- 1 www wheel 6 Jan 29 00:47 dos-66.74.238.233
-rw-r--r-- 1 www wheel 6 Feb 3 00:28 dos-67.86.26.192
-rw-r--r-- 1 www wheel 6 Feb 2 16:30 dos-68.105.138.243
-rw-r--r-- 1 www wheel 6 Feb 3 14:23 dos-69.248.124.178
-rw-r--r-- 1 www wheel 6 Feb 3 01:38 dos-72.66.25.137
-rw-r--r-- 1 www wheel 6 Jan 25 18:11 dos-76.160.35.118
-rw-r--r-- 1 www wheel 6 Jan 24 19:18 dos-81.157.178.67
-rw-r--r-- 1 www wheel 6 Feb 3 10:43 dos-82.170.63.11
-rw-r--r-- 1 www wheel 6 Jan 28 12:59 dos-83.40.97.96
-rw-r--r-- 1 www wheel 6 Feb 4 22:57 dos-99.243.238.139

IP addresses are blocked for an initial 10 minutes, and the block is increased exponentially if the attack continues.
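
The listing above shows the log directory with mode drwxrwxrwx, which lets any local user create or remove dos-* files. The following Python script is an added example (not part of the original page or of mod_evasive): it audits a DOSLogDir for that condition and returns the blocked addresses ordered by file modification time. It assumes the dos-<ip> file naming seen in the listing; the function names and the sample files built in `demo()` are constructed for illustration.

```python
import ipaddress
import os
import stat
import tempfile


def audit_dos_log_dir(path):
    """Return (warnings, [(mtime, ip), ...]) for a mod_evasive DOSLogDir."""
    warnings, blocked = [], []
    if os.stat(path).st_mode & stat.S_IWOTH:
        # Same condition as drwxrwxrwx in the listing above.
        warnings.append(f"{path} is world-writable")
    for entry in os.scandir(path):
        if not entry.name.startswith("dos-"):
            continue
        if entry.is_symlink() or not entry.is_file(follow_symlinks=False):
            warnings.append(f"{entry.name} is not a regular file")
            continue
        try:
            ip = ipaddress.ip_address(entry.name[len("dos-"):])
        except ValueError:
            warnings.append(f"{entry.name} does not name an IP address")
            continue
        blocked.append((entry.stat(follow_symlinks=False).st_mtime, str(ip)))
    return warnings, sorted(blocked)


def demo():
    """Build a constructed log directory and audit it."""
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o777)  # reproduce the permissions from the listing
        for name, mtime in [("dos-192.0.2.10", 2000),
                            ("dos-127.0.0.1", 1000),
                            ("dos-not-an-ip", 3000)]:
            p = os.path.join(d, name)
            with open(p, "w") as fh:
                fh.write("12345\n")  # constructed file content
            os.utime(p, (mtime, mtime))
        warnings, blocked = audit_dos_log_dir(d)
        return [w.replace(d, "DIR") for w in warnings], blocked


if __name__ == "__main__":
    for line in demo()[0]:
        print("WARNING:", line)
```

On a live server, call `audit_dos_log_dir("/var/lock/mod_dosevasive")` with the DOSLogDir value from the configuration above.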

Mod_limitipconn

coming soon

Open Source software

Open source is not freeware or shareware. Open Source software is built from a community of developers committed to a common goal who then make the source code and program available to download allowing modifications and contributions back into the source code.