Archive

Articles taggués ‘HTTP’

How to Restrict IP Addresses from Accessing your Web Server using .htaccess

17/04/2019 Aucun commentaire

If you are running the Apache Web Server or your web hosting provider running Apache based web server, you can use .htaccess configuration file to restrict access to your website. This could be a very important issue from security stand point of view especially if your server is being attacked or hacked from any specific or range of IP addresses.

Now, restricting access method works in two ways. First, you can restrict access to certain IP addresses and allow others. Second, you can restrict access to everyone but few IP addresses only. On this post, I will focus on both method and will try to explain as much as I can.

Restrict Certain IP Addresses

If you want to restrict specific IP addresses from accessing your site, you can use the following lines on your .htaccess file.

order deny,allow
deny from 123.4.5.6
deny from 654.3.2.1
allow from all

These lines above will block “123.4.5.6” and “654.3.2.1” IP addresses from accessing your site. You can add as many IP addresses as you want on this “deny from” list. One interesting fact is, Apache web server gives you lot more flexibility in terms of blocking IP addresses. Take a look at the following lines.

order deny,allow
deny from 123.4.5.
allow from all

If you observe it carefully, you will see that the fourth set of digit is missing on this IP address. It means, if any IP address that matches the first three set of digits will be blocked. So basically anyone with IP address like “123.4.5.1” or “123.4.5.244” won’t be able to access your site as in both IP address matches with the first three (123.4.5.) sets of digits blocked by the Apache web server.

Allow Specific IP Addresses

Think of about a site that you built for a very specific purpose and for very few people, where you do not want everyone to show up. Apache allows you to do that as well.

For an example, lets assume that you built a site that you want one of your friend to be able to access and his IP address is “123.4.5.12”. Simply write the following line on your .htaccess file and you are good to go.

order allow,deny
allow from 123.4.5.12
deny from all

In this case Apache will block all IP addresses except your friends IP address. This is as simple as it can get and I hope you got the basic idea.

Note: On all of my example I used either “allow from all” or “deny from all” at the bottom, this is very important. You must declare either one of these line based on your requirement or things might get little more complicated.

Also remember that all blocked IP addresses would be forwarded or shown an “403 Forbidden” error message. You can definitely customize this message as well but that’s something I will talk about in another post.

Source: iftekhar.net

Categories: Logiciel Tags: , , ,

How to configure virtual hosts in Apache HTTP server

12/04/2019 Aucun commentaire

Source: Xmodulo

Virtual hosting refers to the technique that allows a physical server to host more than one website domain (e.g., site1.com, site2.com). Virtual hosting is prevalent in shared web hosting environments, where typically hundreds or more of websites or blogs are packed on a single dedicated server to amortize server maintenance cost.

You are not a web hosting company? Sure, virtual hosting can still be useful to you. For example, you can place multiple websites of yours on one VPS that you rent out, saving on your VPS cost. To serve multiple domains on a VPS, you just need to configure as many virtual hosts on its web server, and point the domains to the static IP address of your VPS.

Due to its usefulness, virtual hosting is supported by all modern web server software such as Apache, Nginx, Lighttpd, IIS. In this tutorial, I will demonstrate how to create and enable virtual hosts in Apache HTTP server under Linux environment. There is slight difference in the configuration between Debian-based and Red Hat-based systems. I will highlight the difference along the way.

Before I start, I assume that Apache HTTP server is already installed on your Linux server. If you haven’t, refer to our tutorials for Debian or Red Hat based systems, and install Apache server before proceeding.

As an exercise, let’s create a virtual host for domain abc.com on Apache web server.

Step One: Create Document Root Directory for Abc.com Domain

Start by creating a directory which will hold the web pages for abc.com. This directory is known as « document root » for the domain. Following the common practice, let’s organize all document root directories under /var/www, and name them after the corresponding domains. Also, create a dedicated log directory for abc.com under /var/log.

$ sudo mkdir /var/www/abc.com
$ sudo mkdir /var/log/apache2/abc.com (Debian, Ubuntu, Mint)
$ sudo mkdir /var/log/httpd/abc.com (Fedora, CentOS, RHEL)

Create a test webpage for the domain:

$ sudo vi /var/www/abc.com/index.html
<html>
  <head>
    <title>Welcome to Abc.com</title>
  </head>
  <body>
    <h1>Sample page</h1>
    This page is powered by Apache Virtual Host!
  </body>
</html>

Change the ownership of the document root directory to the user that Apache web server runs as.

On Debian, Ubuntu or Linux:

$ sudo chown -R www-data:www-data /var/www/abc.com

On Fedora, CentOS or RHEL:

$ sudo chown -R apache:apache /var/www/abc.com

Lire la suite…

Categories: Logiciel Tags: ,

How to analyze and view Apache web server logs interactively on Linux

10/04/2019 Aucun commentaire

analyze apache logsWhether you are in the web hosting business, or run a few web sites on a VPS yourself, chances are you want to display visitor statistics such as top visitors, requested files (dynamic or static), used bandwidth, client browsers, and referring sites, and so forth.

GoAccess is a command-line log analyzer and interactive viewer for Apache or Nginx web server. With this tool, you will not only be able to browse the data mentioned earlier, but also parse the web server logs to dig for further data as well – and all of this within a terminal window in real time. Since as of today most web servers use either a Debian derivative or a Red Hat based distribution as the underlying operating system, I will show you how to install and use GoAccess in Debian and CentOS.

Installing GoAccess on Linux

In Debian, Ubuntu and derivatives, run the following command to install GoAccess:

# aptitude install goaccess

In CentOS, you’ll need to enable the EPEL repository and then:

# yum install goaccess

In Fedora, simply use yum command:

# yum install goaccess

If you want to install GoAccess from the source to enable further options (such as GeoIP location), install required dependencies for your operating system, and then follow these steps:

# wget http://tar.goaccess.io/goaccess-0.8.5.tar.gz
# tar -xzvf goaccess-0.8.5.tar.gz
# cd goaccess-0.8.5/
# ./configure --enable-geoip
# make
# make install

That will install version 0.8.5, but you can always verify what is the latest version in the Downloads page of the project’s web site.

Since GoAccess does not require any further configurations, once it’s installed you are ready to go.

Running GoAccess

To start using GoAccess, just run it against your Apache access log.

For Debian and derivatives:

# goaccess -f /var/log/apache2/access.log

For Red Hat based distros:

# goaccess -f /var/log/httpd/access_log

When you first launch GoAccess, you will be presented with the following screen to choose the date and log format. As explained, you can toggle between options using the spacebar and proceed with F10. As for the date and log formats, you may want to refer to the Apache documentation if you need to refresh your memory.

In this case, Choose Common Log Format (CLF):

15868350373_30c16d7c30

and then press F10. You will be presented with the statistics screen. For the sake of brevity, only the header, which shows the summary of the log file, is shown in the next image:

16486742901_7a35b5df69_b

Lire la suite…

Prevent DDoS with iptables

09/04/2019 Aucun commentaire

Iptables against DDoS

Using iptables to fight DDoS attacks.

After a recent conversation on the Ubuntu Forums I wanted to post an example of using iptables.

Of course there are several types of DOS attacks , in this post I will demonstrating the use if iptables to limit the traffic on port 80.

The goal is to keep your web server “responsive” to legitimate traffic, but to throttle back on excessive (potential DOS) traffic.

In this demonstration iptables is configured :

  1. The default policy is ACCEPT (to prevent lockout in the event of flushing the rules with iptables -F).
  2. “Legitimate” traffic is then allowed. In this example I am allowing traffic only on port 80.
  3. All other traffic is then blocked at the end of the INPUT chain (the final rule in the INPUT chain is to DROP all traffic).

The rules I will demonstrate are as follows:

First rule : Limit NEW traffic on port 80

sudo iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT

Lets break that rule down into intelligible chunks.

-p tcp --dport 80 => Specifies traffic on port 80 (Normally Apache, but as you can see here I am using nginx).

-m state NEW => This rule applies to NEW connections.

-m limit --limit 50/minute --limit-burst 200 -j ACCEPT =>This is the essence of preventing DOS.

  • --limit-burst” is a bit confusing, but in a nutshell 200 new connections (packets really) are allowed before the limit of 50 NEW connections (packets) per minute is applied.

For a more technical review of this rule, see this netfilet page. Scroll down to a bit to the “limit” section.

Second rule – Limit established traffic

This rule applies to RELATED and ESTABLISHED all traffic on all ports, but is very liberal (and thus should not affect traffic on port 22 or DNS).

If you understood the above rule, you should understand this one as well.

sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -m limit --limit 50/second --limit-burst 50 -j ACCEPT

In summary, 50 ESTABLISHED (and/or RELATED) connections (packets really) are allowed before the limit of 50 ESTABLISHED (and/or RELATED) connections (packets) per second is applied.

Do not let that rule fool you, although it seems very open, it does put some limits on your connections.

Test it for yourself, try using the first rule with and without the second rule.

Lire la suite…

How to configure fail2ban to protect Apache HTTP server

06/04/2019 Aucun commentaire

Protecting Apache HTTP server with fail2ban

fail2ban apacheFail2ban: An Apache HTTP server in production environments can be under attack in various different ways. Attackers may attempt to gain access to unauthorized or forbidden directories by using brute-force attacks or executing evil scripts. Some malicious bots may scan your websites for any security vulnerability, or collect email addresses or web forms to send spams to.

Apache HTTP server comes with comprehensive logging capabilities capturing various abnormal events indicative of such attacks. However, it is still non-trivial to systematically parse detailed Apache logs and react to potential attacks quickly (e.g., ban/unban offending IP addresses) as they are perpetrated in the wild. That is when fail2ban comes to the rescue, making a sysadmin‘s life easier.

fail2ban is an open-source intrusion prevention tool which detects various attacks based on system logs and automatically initiates prevention actions e.g., banning IP addresses with iptables, blocking connections via /etc/hosts.deny, or notifying the events via emails. fail2ban comes with a set of predefined « jails » which use application-specific log filters to detect common attacks. You can also write custom jails to deter any specific attack on an arbitrary application.

In this tutorial, I am going to demonstrate how you can configure fail2ban to protect your Apache HTTP server. I assume that you have Apache HTTP server and fail2ban already installed. Refer to another tutorial for fail2ban installation.

What is a Fail2ban Jail

Let me go over more detail on fail2ban jails. A jail defines an application-specific policy under which fail2ban triggers an action to protect a given application. fail2ban comes with several jails pre-defined in /etc/fail2ban/jail.conf, for popular applications such as Apache, Dovecot, Lighttpd, MySQL, Postfix, SSH, etc. Each jail relies on application-specific log filters (found in /etc/fail2ban/fileter.d) to detect common attacks. Let’s check out one example jail: SSH jail.

[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
banaction = iptables-multiport

This SSH jail configuration is defined with several parameters:

  • [ssh]: the name of a jail with square brackets.
  • enabled: whether the jail is activated or not.
  • port: a port number to protect (either numeric number of well-known name).
  • filter: a log parsing rule to detect attacks with.
  • logpath: a log file to examine.
  • maxretry: maximum number of failures before banning.
  • banaction: a banning action.

Any parameter defined in a jail configuration will override a corresponding fail2ban-wide default parameter. Conversely, any parameter missing will be assgined a default value defined in [DEFAULT] section.

Predefined log filters are found in /etc/fail2ban/filter.d, and available actions are in /etc/fail2ban/action.d.

16076581722_4d51bf2ce8_o

If you want to overwrite fail2ban defaults or define any custom jail, you can do so by creating /etc/fail2ban/jail.local file. In this tutorial, I am going to use /etc/fail2ban/jail.local.

Lire la suite…