Apache2

Fail2ban jail to mitigate DoS attacks against Apache

Excerpt: Using a Fail2ban jail to mitigate simple DoS attacks against Apache.

    # Block a single IP
    $ iptables -A INPUT -s <IP> -j DROP
    # Unblock it
    $ iptables -D INPUT -s <IP> -j DROP

Recently, one of our shared hosting webservers got hit by a DoS attack. The attacker started a larger vulnerability scan against common WordPress security issues. We already had common brute-force attack patterns on WordPress covered by a custom Fail2ban jail, which mainly trapped POST requests to xmlrpc.php or wp-login.php (the usual dumb WP brute-force attacks…). But this DoS attack targeted hundreds of customer sites and did not get trapped by our existing rules.

After having blocked the attacker’s IP (glad this was no large-scale DDoS!), I wrote an extra Fail2ban jail which traps such simple DoS attacks. It’s a very basic Fail2ban jail that should cover common attacks and should not cause any false positives, as it is only triggered by a large number of failed GET requests.

There are other good articles about setting up such Fail2ban jails to block simple DoS, but they didn’t quite fit our needs:

- Using fail2ban to mitigate simple DOS attacks against apache (or why I am a terrible sysop)
- Install fail2ban to protect your site from DOS attacks

Requirements

What we would like to accomplish:


Fail2ban persistent banning

Excerpt: Persistent IP banning using Fail2ban’s recidive jail.

If you are using Fail2ban, there is no standard recommended way to persistently ban IPs. Some people recommend doing this outside of Fail2ban, using e.g. iptables-persistent, which is actually super easy to install and configure. But let’s say we don’t want to install any extras and want to accomplish the same with Fail2ban, as we already have Fail2ban on every single host (which is a must!).

But this did not work out for me. The thing is, if we extend actionstart in action.d/iptables-multiport.conf (or the iptables-multiport.local override) as recommended in above tutorials, that is not going to add any IPs on a Fail2ban restart, but only once the first IP gets added to any jail.

So these are my two proposed solutions:

Using recidive jail (ban for 1 week)

The provided recidive jail/filter monitors the Fail2ban log file and enables you to add long-term bans for IP addresses that get banned by Fail2ban multiple times. The default configuration looks like this:

jail.conf

    [recidive]
    logpath = /var/log/fail2ban.log
    banaction = %(banaction_allports)s
    bantime = 1w
    findtime = 1d

Simply enable this jail, e.g. in jail.d/custom.conf:

jail.d/custom.conf

    [recidive]
    enabled = true

We could then ban an IP manually for a whole week by adding it to that jail:


How to secure Apache2 with Let's Encrypt on Debian 12

Excerpt: Let’s Encrypt is a Certificate Authority (CA) that provides an easy way to obtain and install free TLS/SSL certificates, enabling encrypted HTTPS on web servers. In this tutorial, you will use Certbot to get a free SSL certificate for Apache on Debian 12 and configure your certificate for auto-renewal.

Introduction

Let’s Encrypt is a Certificate Authority (CA) that provides a way to obtain and install free TLS/SSL certificates, thereby enabling encrypted HTTPS on web servers. It helps the process by providing a software client, Certbot, that attempts to automate most (if not all) of the required steps. Currently, the entire process of obtaining and installing a certificate is fully automated on both Apache and Nginx.

In this tutorial, you will use Certbot to get a free SSL certificate for Apache on Debian 12 and configure your certificate for auto-renewal.

This tutorial will use the native Apache virtual host file instead of the default configuration file. We recommend that you create new Apache virtual host files for each domain, as this helps avoid common errors and keeps the default files as a fallback configuration.

Prerequisites

To follow this tutorial, you will need:
