LAMP : Apache Web Server Security Hardening

Firewall - UFW

A good place to start is to install a Firewall.
UFW - Uncomplicated Firewall is a basic firewall that works very well and easy to configure with its Firewall configuration tool - gufw, or use  Shorewall, fwbuilder, or Firestarter.
Use Firestarter GUI to configure your firewall or refer to the Ubuntu Server Guide,  UFW manual pages or the Ubuntu UFW community documentation.

Install UFW and enable, open a terminal window and enter :

:~$ sudo apt-get install ufw

Allow SSH and Http services.
:~$ sudo ufw allow ssh
:~$ sudo ufw allow http
:~$ sudo ufw allow https/tcp

Enable the firewall.
:~$ sudo ufw enable

Check the status of the firewall.
:~$ sudo ufw status verbose

SSH Hardening - key based login, disable root login and change port.

The best way to secure SSH is to use public/private key based login. See SSH/OpenSSH/Keys
If you have to use password authentication, the easiest way to secure SSH is to disable root login and change the SSH port to something different than the standard port 22.

After you install fail2ban (tutorial below), keeping track logs and you will noticed that a ton of  IP addresses are being sshd: banned (Moslty Chinese and Russian IP addresses). Most of these brute force attacks are automated and usually target the default port 22 this would further reduce the number of attacks on your ssh service.

Before disabling the root login create a new SSH user and make sure the user belongs to the admin group (see step 4. below regarding the admin group).
if you change the SSH port keep the port number below 1024 as these are priviledged ports that can only be opened by root or processes running as root.
If you change the SSH port also open the new port you have chosen on the firewall and close port 22.

Open a Terminal Window and enter :
:~$ sudo nano /etc/ssh/sshd_config

Change or add the following and save.
Protocol 2
PermitRootLogin no
DebianBanner no

Update firewall :

:~$ sudo ufw allow <ENTER YOUR PORT>/tcp

Delete Rules
Knowing how to delete firewall rules is just as important as knowing how to create them. There are two different ways specify which rules to delete: by rule number or by the actual rule (similar to how the rules were specified when they were created). We'll start with the delete by rule number method because it is easier, compared to writing the actual rules to delete, if you're new to UFW.

By Rule Number

If you're using the rule number to delete firewall rules, the first thing you'll want to do is get a list of your firewall rules. The UFW status command has an option to display numbers next to each rule, as demonstrated here:

:~$ sudo ufw status numbered

Numbered Output:
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN
[ 2] 80                         ALLOW IN    Anywhere
If we decide that we want to delete rule 1, the one that allows port 22 (SSH) connections, we can specify it in a UFW delete command like this:

:~$ sudo ufw delete 1

:~$ sudo service ufw restart
:~$ sudo service ssh restart

Protect su by limiting access only to admin group

To limit the use of su by admin users only we need to create an admin group, then add users and limit the use of su to the admin group.
Add a admin group to the system and add your own admin username to the group by replacing <YOUR ADMIN USERNAME> below with your admin username.

Open a terminal window and enter:
:~$ sudo groupadd admin
:~$ sudo usermod -a -G admin <YOUR ADMIN USERNAME>
:~$ sudo dpkg-statoverride --update --add root admin 4750 /bin/su


:~$ sudo apt-get install libapache2-modsecurity
:~$ sudo a2enmod headers
:~$ sudo a2enmod security2

apache2ctl -M | grep -i security

security2_module (shared)


:~$ sudo apt-get install libapache2-mod-evasive

:~$ sudo apachectl -M | grep evasive

Configure Mod_evasive
The mod_evasive module reads its configuration from “/etc/apache2/mods-enabled/evasive.conf.” You can easily customize the mod_evasive module through the “evasive.conf” configuration file. By default, mod_evasive configuration options are disabled, so you will need to enable them first. To do this, edit the “evasive.conf” file:

:~$ sudo mkdir /var/log/mod_evasive
:~$ sudo chown www-data:www-data /var/log/mod_evasive/

:~$ sudo nano /etc/apache2/mods-enabled/evasive.conf

<IfModule mod_evasive20.c>
    DOSHashTableSize    3097
    DOSPageCount        2
    DOSSiteCount        50
    DOSPageInterval     1
    DOSSiteInterval     1
    DOSBlockingPeriod   10

    #DOSSystemCommand    "su - someuser -c '/sbin/... %s ...'"
    DOSLogDir           "/var/log/mod_evasive"

:~$ sudo a2enmod evasive


:~$ sudo apt-get install fail2ban

Since this file can be modified by package upgrades, we should not edit this file in-place, but rather copy it so that we can make our changes safely.

:~$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

:~$ sudo nano /etc/fail2ban/jail.local

Read some instruction included in the file, find and update these:

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.

ignoreip = your_home_IP another_ip

destemail =
sendername = Fail2BanAlerts

# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section

action = %(action_mwl)s

enabled = true

enabled = true

enabled = true

enabled = true



:~$ sudo apt install unzip



As root user execute the following commands:

:~$ wget
:~$ unzip

:~$ cd ddos-deflate-master
:~$ sudo ./

As root user execute the following commands:

:~$ cd ddos-deflate-master
:~$ ./

Once you hava (D)Dos deflate installed proceed to modify the config files to fit your needs.

:~$ sudo nano /etc/ddos/

On this file you can add a list of host names to be whitelisted, for example:

:~$ sudo nano /etc/ddos/ignore.ip.list

On this file you can add a list of ip addresses to be whitelisted, for example:

:~$ sudo nano /etc/ddos/ddos.conf

The behaviour of the ddos script is modified by this configuration file. For more details see man ddos which has documentation of the different configuration options.

After you modify the config files you will need to restart the daemon. If running on systemd:

:~$ sudo systemctl restart ddos

If running as classical init.d script:

:~$ /etc/init.d/ddos restart
:~$ sudo service ddos restart

if you encounter this error

Job for ddos.service failed because the control process exited with error code. See "systemctl status ddos.service" and "journalctl -xe" for details.

or this

/usr/local/ddos/ 25: [: /etc/ddos/ddos.conf: unexpected operator
DDoS-Deflate version 0.9
Copyright (C) 2005, Zaf <>

$CONF not found.

To fix this open

:~$ sudo nano /usr/local/ddos/

change the first line from #!/bin/sh to #!/bin/bash


:~$ sudo nano /etc/apache2/apache2.conf


<Directory /var/www/>
        Options -Indexes
        AllowOverride All
        Require all granted
        BrowserMatchNoCase WordPress wordpress_ping
        BrowserMatchNoCase Wordpress wordpress_ping
        Order Deny,Allow
        Deny from env=wordpress_ping

:~$ sudo service apache2 restart


:~$ sudo a2enmod ssl

Protect Your Server Against the Dirty COW Linux Vulnerability

:~$ sudo apt-get update && sudo apt-get dist-upgrade

:~$ sudo reboot

Learn more about dirty cow :

Post a Comment

Popular posts from this blog

CakeAdminLTE is based on AdminLTE Theme for CakePHP 2.4+

CakePHP: COUNT data and GROUP BY date

CakePHP: Calling function from other controller