This article is about securing apache2.
There are some excellent resources and articles about the things you can do to secure apache2. One is by Peter Freitag and is called "20 ways to Secure your Apache Configuration". Although it is quite an old post, much of it is still relevant.
Hiding the Apache version information is a worthwhile change and can be done by adding

# Turn off apache version info displaying
ServerSignature Off
ServerTokens Prod

to /etc/apache2/apache2.conf.
Version information can be useful in attack planning, as there are often bugs and exploits that are particular to a version (later versions having been patched, for example).
I would recommend the approach described in "Implementing fail2ban with custom apache filter, ipset, and a sample based verification approach" instead of (or in conjunction with) the approach below. Fail2ban automates the blocking of IPs based on regular expressions matched against the requests received. Also, our fail2ban implementation uses ipset, so the IPs are blocked at the firewall level rather than being processed and blocked by Apache.
Apache allows several approaches to blocking IP addresses. You might have several IP addresses you would like to block, or several hundred. The approach outlined here is focused more on the latter.
This assumes you're using Apache 2.4. We'll be using the <RequireAll> directive inside a <Location /> directive, so I'm assuming you're also using Apache as a reverse proxy (as outlined here). Alternatively, you can place it inside a <Proxy *> directive.
Let's start by creating a file with the blocked IP addresses in it. This file can be placed anywhere, but for simplicity we'll keep it in /etc/apache2. Create a file like this:

sudo nano /etc/apache2/ipblacklist.conf

This will open our text editor, nano. You want every line to start with

Require not ip

followed by a space and then either a single IP address or multiple IP addresses (or CIDR ranges) separated by spaces. Lines starting with # are comments.
My own file is based on the blocklists from the excellent wizcrafts.net/htaccess-blocklists. Note that I used the .htaccess files provided there, but since I'm not using .htaccess in this approach I modified (simplified) the file so that it contains only the lines starting with "Require not ip".
Now that we've created our file, we need to modify our Apache config to use it.

In Ubuntu you would add the following to /etc/apache2/apache2.conf:
# Default to allow through all reverse proxies.
ProxyRequests Off
ProxyVia Off
<Proxy *>
    Require all granted
</Proxy>

# Block ip addresses in our ipblacklist.conf file
<Location />
    <RequireAll>
        Require all granted
        Include /etc/apache2/ipblacklist.conf
    </RequireAll>
</Location>

# Add a 403 forbidden message for blacklisted ips
ErrorDocument 403 "<h3>Unusual activity has been detected from this IP address.</h3><p>As a consequence, access has been denied.</p><p>If you believe this is a mistake please contact me directly.</p>"
Finally, reload the apache2 configuration:

sudo service apache2 reload
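As an added check before the reload (example code written for this article, not from the original page or from wizcrafts), the following Python script parses a blocklist file in the "Require not ip" format described above, reports any line Apache would not accept, and tests whether a given address, for instance the server's own, would be denied by the RequireAll block. The sample file contents are constructed from documentation ranges.

```python
import ipaddress
import re

# Constructed sample of an /etc/apache2/ipblacklist.conf in the format used
# above (documentation ranges, not a real blocklist). The last two lines are
# deliberately wrong: a malformed Include file makes the apache2 reload fail.
SAMPLE_BLOCKLIST = """\
# Constructed example: comment spam hosts
Require not ip 192.0.2.0/24 198.51.100.17
# Constructed example: a single host and an IPv6 range
Require not ip 203.0.113.5
Require not ip 2001:db8::/32
# Mistakes that would break the reload:
Require not ip 192.0.2.300
Deny from 10.0.0.0/8
"""

LINE_RE = re.compile(r"^Require\s+not\s+ip\s+(.+)$")


def parse_blocklist(text):
    """Return (networks, errors): accepts only blank lines, '#' comments and
    'Require not ip' lines. Hosts without a prefix become /32 or /128.
    Apache's partial form (e.g. '10.1') is not handled (example assumption)."""
    networks, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            errors.append((lineno, f"not a 'Require not ip' line: {line!r}"))
            continue
        for token in m.group(1).split():
            try:
                # strict=False tolerates host bits set in a CIDR, as Apache does
                networks.append(ipaddress.ip_network(token, strict=False))
            except ValueError:
                errors.append((lineno, f"invalid address or CIDR: {token!r}"))
    return networks, errors


def is_blocked(networks, addr):
    """True if addr matches any entry, i.e. the RequireAll block denies it."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)
```

Run parse_blocklist over the real /etc/apache2/ipblacklist.conf and fix every reported line first, then sudo apache2ctl configtest gives Apache's own verdict before you reload.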