Apache is the de-facto web server on the internet today and with the addition of modules becomes a very versatile server. Modules are usually built to solve a certain problem or to provide a missing functionality. This open source application comes with prebuilt modules which can be reviewed from the apache website. If you wish to search for all modules whether from the 1.x branch or 2.x branch this site offers a search facility which displays all registered modules.
Providing security for the servers and web applications that provide internet users with the flexibility and ease of use that they have come to depend on when doing internet banking or online shopping from spammers and hackers who are always looking to find ways to exploit these interfaces for there own benefit and creating ways for them to either steal your money or worse your identity. Apache modules that can address these security issues are.
Mod Securiy can monitor HTTP traffic in real time in order to detect attacks, thus acting as an application level firewall and intrusion prevention for web applications.
Mod Security has three different models for preventing attacks:
Mod Security can be deployed either embedded within apache or deployed on the network within apache in front of all web based applications acting as a web filtering proxy, this has the added benefit of protecting non apache based web servers as well.
Mod Security works on a wide range of operating systems.
Mod Security whether embedded or deployed on the network relies on a configuration file. This configuration file can de lengthy and needs to be reviewed before deploying. Mod Security configuration manual can be reviewed from this link.
The following configuration file can be used as a starting point for deploying this open source tool
#Disable executing Unix commands
SecFilterSelective ARGS "bin/"
#Guard against Cross site scripting attacks
#Guard against directory traversal
SecFilterSelective HTTP_Transfer-Encoding "!^$"
SecFilterSelective THE_REQUEST "!^[\x0a\x0d\x20-\x7f]+$"
SecFilterSelective HTTP_Content-Type \
# Reject requests with status 403
# By default log and deny suspicious requests
# with HTTP status 500
#Deny wget worm scripts
#Block Sanity Worm
SecFilterSelective ARG_highlight %27
Webmasters have not had the opportunity to stop denial of service attacks on their webserver, blindly beleiving that the network firewall is offering this protection. Most perimeter firewalls don't protect against attacks of requesting one or more pages in rapid succession eventually overloading and bringing the server to it knees (DOS). Mod Evasive and it's old version mod_dosevasive offers real time denial of service protection.
Mod Evasive is configured from a config file once the module is loaded into apache and it's configuration file.
The following configuration file can be used as a starting point.
If you are running apache 2.x the code above can be placed within a file located within your apache config located within the "Includes" directory
As attacks are blocked you can observe what IP'tried to attack your server, heres an example of the log directory
ls -la /var/lock/mod_dosevasive/
drwxrwxrwx 2 root wheel 1024 Feb 7 10:20 .
drwxr-xr-x 3 root wheel 512 Jan 24 17:40 ..
-rw-r--r-- 1 www wheel 6 Jan 24 17:42 dos-127.0.0.1
-rw-r--r-- 1 www wheel 6 Jan 30 15:43 dos-220.127.116.11
-rw-r--r-- 1 www wheel 6 Feb 7 10:20 dos-18.104.22.168
-rw-r--r-- 1 www wheel 6 Jan 31 15:24 dos-22.214.171.124
-rw-r--r-- 1 www wheel 6 Jan 31 16:10 dos-126.96.36.199
-rw-r--r-- 1 www wheel 6 Jan 31 13:57 dos-188.8.131.52
-rw-r--r-- 1 www wheel 6 Jan 29 11:40 dos-184.108.40.206
-rw-r--r-- 1 www wheel 6 Feb 7 05:46 dos-220.127.116.11
-rw-r--r-- 1 www wheel 6 Jan 30 02:43 dos-18.104.22.168
-rw-r--r-- 1 www wheel 6 Feb 3 00:51 dos-22.214.171.124
-rw-r--r-- 1 www wheel 6 Feb 4 04:47 dos-126.96.36.199
-rw-r--r-- 1 www wheel 6 Jan 25 13:39 dos-188.8.131.52
-rw-r--r-- 1 www wheel 6 Jan 27 01:19 dos-184.108.40.206
-rw-r--r-- 1 www wheel 6 Feb 3 14:19 dos-220.127.116.11
-rw-r--r-- 1 www wheel 6 Jan 29 00:47 dos-18.104.22.168
-rw-r--r-- 1 www wheel 6 Feb 3 00:28 dos-22.214.171.124
-rw-r--r-- 1 www wheel 6 Feb 2 16:30 dos-126.96.36.199
-rw-r--r-- 1 www wheel 6 Feb 3 14:23 dos-188.8.131.52
-rw-r--r-- 1 www wheel 6 Feb 3 01:38 dos-184.108.40.206
-rw-r--r-- 1 www wheel 6 Jan 25 18:11 dos-220.127.116.11
-rw-r--r-- 1 www wheel 6 Jan 24 19:18 dos-18.104.22.168
-rw-r--r-- 1 www wheel 6 Feb 3 10:43 dos-22.214.171.124
-rw-r--r-- 1 www wheel 6 Jan 28 12:59 dos-126.96.36.199
-rw-r--r-- 1 www wheel 6 Feb 4 22:57 dos-188.8.131.52
IP addresses are blocked for a beginning of 10 minutes and increased expontially if the attack continues.
Informing about integrators, hardware and Open Source applications that can be used as alternatives to commercial properiertary software. Open source solutions are comprised of different software applications bundled together to create a unique and most times better solution than commercial software.