Earlier in this series we talked about Apache server installation for best performance and about securing the server with TCP wrappers and an iptables firewall. Let's take the discussion one step further and talk about the security of the applications hosted on your web server.
As more and more attacks are carried out at the HTTP layer, there is a growing need to push the envelope and bring web security to a new level. Most existing tools work at the TCP/IP level and fail to use the specifics of the HTTP protocol in their operation. The need for increased security has led to the creation of application gateways: tools that are essentially reverse proxies with the added capability of protocol analysis. The Apache web server itself solves a large part of the problem, provided it is loaded with some specific modules. Those Apache modules are:
Mod_Proxy: So what are we going to do with mod_proxy, and why do we need it? The answer is simple and widely accepted, and you will see it in the discussion that follows. I assume you have at least two web servers, a database server and possibly other internal servers. The more servers there are, the more useful the reverse proxy concept becomes. A proxy, by definition, is a layer between a client and a server that takes part in their communication; a reverse proxy is the same idea with one difference: it is installed on the server side, in front of one or more web servers, rather than near the clients.
So let's talk about the advantages of having a reverse proxy installed in front of your web server cluster.
- Single point of access. With a single point of access you can enforce access control for all Web servers with little effort.
- HTTP level firewalling. Even without further effort a proxy helps, because it usually does not pass the original request through to the Web server; it parses the request and issues a new one of its own based on it, so requests that break the protocol are rejected at the proxy before a backend ever sees them.
- Increased performance. Because the reverse proxy is installed on a separate machine this means you have additional CPU resources to use. Caching can be implemented for both static and dynamic content. SSL traffic can be terminated at the proxy, freeing the actual Web server to focus on responding to incoming requests. Finally, the outgoing traffic can be transparently compressed, lowering total bandwidth requirements.
- Network isolation. In this case the reverse proxy introduces another firewall layer. Instead of having multiple Web servers and operating systems exposed directly, you hide them all behind a single proxy.
- Network topology hidden from the outside world. This is good for at least two reasons. First, it gives less information to the attackers. Second, it decouples the implementation of the network from its interface. Changes can be made to the network as required without the public being aware of them.
- Web server load balancing and failover.
So what are the disadvantages?
- Increased complexity. This is how you pay for the increased security, by increasing the complexity of the network.
- Single point of failure. For mission-critical operations a single point of failure is unacceptable. This can be solved by running two reverse proxies in a cluster, at the price of still more complexity in the network. I think that is a fair trade: the complexity goes up, but once the setup is done it buys you time to relax instead of worrying about your servers 24x7, and I bet you won't disagree.
Mod_Security: an Apache module (for Apache 1 and 2) that provides intrusion detection and prevention for web applications. It aims to shield web applications from known and unknown attacks such as SQL injection, cross-site scripting and path traversal.
Mod_Evasive: another Apache module that takes evasive action in the event of an HTTP DoS or DDoS (denial of service) attack or a brute-force attack against the web server. When a possible attack is detected, mod_evasive blocks traffic from the source for a configurable period of time and reports the abuse via email and syslog. Administrators can also configure mod_evasive to talk to iptables, ipchains, firewalls, routers and so on, to build a more comprehensive DDoS prevention system for a busy, high-traffic web server.
Although mod_evasive is not a foolproof or complete DDoS prevention system, installing it will likely reduce or stop certain DoS attacks and lower the risk of a web host or web site being brought down by denial-of-service attempts. Keep in mind that it only sees traffic that actually reaches Apache: a volumetric flood that saturates the link has to be dealt with upstream, at the firewall or the provider.
No more talking, let's get down to real work. Let's see how to configure mod_proxy with Apache 2 to get a reverse proxy with load balancing and failover.
Configure Apache with mod_proxy, mod_security, mod_evasive: I have already discussed the Apache configuration options for best performance; if you are not familiar with them, I recommend going through that post before coming to this section. The idea here is a dedicated reverse proxy server. Any web server can easily be turned into a reverse proxy just by adding the mod_proxy modules, but asking a server that also serves your content to act as the reverse proxy is not recommended at all: the whole point is to keep the exposed box separate from the content servers. I assume you are going to use a completely separate server for this setup.
Compile Apache with the following options only. Since Apache acting as a reverse proxy is not going to serve web pages itself, there is no need to compile in any module that is not required; every module you leave out is code an attacker cannot reach.
- Compile Apache: First configure Apache with mod_proxy, mod_proxy_connect, mod_proxy_ftp, mod_proxy_http, mod_proxy_ajp and mod_proxy_balancer (the corresponding configure options are --enable-proxy, --enable-proxy-connect, --enable-proxy-ftp, --enable-proxy-http, --enable-proxy-ajp and --enable-proxy-balancer), then compile it. If your backends only speak HTTP, mod_proxy, mod_proxy_http and mod_proxy_balancer are the ones this setup actually uses; mod_proxy_connect and mod_proxy_ftp provide forward-proxy functionality you will not need here and can be left out. Mod_Security and mod_evasive will be added afterwards as modules with apxs, once Apache is built with the mod_proxy modules.
Download mod_security from http://www.modsecurity.org/download/
- cd /usr/local/src
- wget http://www.modsecurity.org/download/modsecurity-apache_1.9.5.tar.gz
- tar -zxvf modsecurity-apache_1.9.5.tar.gz
- cd modsecurity-apache_1.9.5/apache2/
- /usr/local/apache2/bin/apxs -cia mod_security.c
- /usr/local/apache2/bin/apachectl restart
apxs -cia compiles the module, installs it under modules/ and adds the LoadModule line to httpd.conf; check that the line is there before restarting. Note that 1.9.5 is the legacy 1.x branch of mod_security, and the SecFilter directives used later in this post are its syntax; mod_security 2.x uses a different rule language.
Now download mod_evasive from http://www.zdziarski.com/projects/mod_evasive/
- cd /usr/local/src
- wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
- tar -zxvf mod_evasive_1.10.1.tar.gz
- cd mod_evasive
- /usr/local/apache2/bin/apxs -cia mod_evasive20.c
- /usr/local/apache2/bin/apachectl restart
Configuring a reverse proxy with load balancing and failover for an Apache web server cluster: it's rather straightforward, you need to configure a virtual host for your domain, let's say www.sachin.com.
<VirtualHost *:80>
# Just the bare minimum of directives
ServerName www.sachin.com
DocumentRoot /var/www/rproxy/nowhere/
#################################
# Never turn ProxyRequests On on a reverse proxy: that enables forward
# proxying and makes the box an open proxy for the whole internet.
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
# The management UI is served by the proxy itself, everything else goes to the cluster
ProxyPass /balancer-manager !
# stickysession=BALANCEID only works if the backends set a BALANCEID cookie
# (or URL parameter) whose value ends in .http1 or .http2, matching the
# route= names below. nofailover=On would refuse to move a sticky session
# to the other member when its backend dies, which defeats the failover we
# want here, so leave it Off.
ProxyPass / balancer://mycluster/ stickysession=BALANCEID nofailover=Off
ProxyPassReverse / http://http1.sachin.com/
ProxyPassReverse / http://http2.sachin.com/
<Proxy balancer://mycluster>
# http2 gets twice as many requests as http1
BalancerMember http://http1.sachin.com route=http1 loadfactor=1
BalancerMember http://http2.sachin.com route=http2 loadfactor=2
ProxySet lbmethod=byrequests
</Proxy>
# Anyone who can reach balancer-manager can take members out of the cluster,
# so it must never be open to the world
<Location /balancer-manager>
SetHandler balancer-manager
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Location>
##################################
:
:
</VirtualHost>
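To see how the two members above will share traffic with loadfactor=1 and loadfactor=2, and what happens when one of them fails, here is a small simulation of the byrequests scheduler. This is an added example written for this post, not code from Apache or from the original post; it implements the algorithm as described in the mod_proxy_balancer documentation (every usable member's lbstatus grows by its lbfactor, the member with the highest lbstatus wins, and the sum of the usable factors is subtracted from the winner). The member names and factors are the ones from the config; the "down" arguments stand in for members the proxy has put into error state, and the hypothetical "503" marker stands for the case where no member is usable.

```shell
#!/bin/sh
# Added example: simulate mod_proxy_balancer's byrequests scheduler for the
# BalancerMembers in the config above, including failover past dead members.

# balance_byrequests "name=factor name=factor ..." REQUESTS [DOWN_MEMBER ...]
# Prints the member chosen for each of REQUESTS consecutive requests.
balance_byrequests() {
    members=$1; requests=$2; shift 2
    down="$*"
    awk -v members="$members" -v requests="$requests" -v down="$down" '
    BEGIN {
        n = split(members, spec, " ")
        for (i = 1; i <= n; i++) {
            split(spec[i], kv, "=")
            name[i] = kv[1]; factor[i] = kv[2] + 0; status[i] = 0
        }
        nd = split(down, d, " ")
        for (j = 1; j <= nd; j++) inerror[d[j]] = 1
        for (r = 1; r <= requests; r++) {
            total = 0; best = 0
            for (i = 1; i <= n; i++) {
                if (name[i] in inerror) continue   # failover: skip members in error state
                status[i] += factor[i]             # each usable member accrues its lbfactor
                total += factor[i]
                if (best == 0 || status[i] > status[best]) best = i
            }
            if (best == 0) {                       # nothing usable: Apache would answer 503
                printf "%s503", (r > 1 ? " " : "")
                continue
            }
            status[best] -= total                  # winner pays the sum of usable factors
            printf "%s%s", (r > 1 ? " " : ""), name[best]
        }
        printf "\n"
    }'
}

balance_byrequests "http1=1 http2=2" 6          # http2 http1 http2 http2 http1 http2
balance_byrequests "http1=1 http2=2" 3 http2    # http1 http1 http1 (http2 is down)
```

Over every three requests http2 is chosen twice and http1 once, which is the 1:2 split the loadfactors ask for; with http2 marked down, every request goes to http1, which is the failover behaviour the config is meant to provide. For a sticky session that failover only happens when nofailover is Off.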
Now securing the balancer-manager. The balancer-manager lets anyone who can reach it take members in and out of the cluster, so it must not be left open with Allow from all. Note that an .htaccess file under /var/www/balancer-manager would never be consulted: /balancer-manager is a handler, not a directory below the DocumentRoot, so the authentication directives have to go directly into the <Location /balancer-manager> block in the virtual host.
First create the password file, once (-c creates the file, -m stores the password as an MD5 hash); keep it outside the DocumentRoot, as /var/.htpasswd is, and readable only by the user Apache runs as:
/usr/local/apache2/bin/htpasswd -mc /var/.htpasswd admin
Then add the following inside <Location /balancer-manager>:
AuthType Basic
AuthName "Members Only"
AuthUserFile /var/.htpasswd
Require valid-user
Do not wrap the Require in a <Limit GET PUT POST> block: <Limit> only protects the methods it lists, so a HEAD or OPTIONS request would bypass the check entirely. Basic authentication sends the password in the clear, so reach the manager only over SSL or from the proxy host itself. Set the password and you are done.
Configuring mod_security: again you have to edit httpd.conf for this to work. The directives below are the mod_security 1.x (SecFilter) syntax that goes with the 1.9.5 build above.
<IfModule mod_security.c>
# Yes, we want to use mod_security
SecFilterEngine On
# Scan request body
SecFilterScanPOST On
# Scan response body
SecFilterScanOutput On
# Check URL encoding
SecFilterCheckURLEncoding On
# This setting should be set to On only if the Web site is
# using the Unicode encoding. Otherwise it may interfere with
# the normal Web site operation.
SecFilterCheckUnicodeEncoding Off
# Only allow certain byte values to be a part of the request.
# This is pretty relaxed, most applications where only English
# is used will happily work with a range 32 - 126.
SecFilterForceByteRange 1 255
# Audit log logs complete requests. Configured as below it
# will only log invalid requests for further analysis.
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log
# You may need this later but we don't log anything
# here for now. Excessive debug logging may slow down
# the server.
SecFilterDebugLevel 0
SecFilterDebugLog logs/modsec_debug_log
# By default, deny requests with status 500
SecFilterDefaultAction "deny,log,status:500"
# Masking Server Signature (only takes effect with ServerTokens Full,
# since mod_security overwrites the full signature string)
SecServerSignature "Microsoft-IIS/5.0"
# Put your mod_security rules here. Filters are regular expressions
# matched case-insensitively against the normalized (URL-decoded)
# request, so %2e%2e%2f and ../ are caught alike. Test every rule
# against real traffic before enforcing it: the broad ones below
# will also block some legitimate requests.
# ...
# Command execution attacks
SecFilter /etc/passwd
SecFilter /bin/ls
# Directory traversal attacks
SecFilter "\.\./"
# XSS attacks
# The first rule rejects any request containing an HTML tag at all, which
# breaks applications (forums, CMS editors) whose users legitimately post markup.
SecFilter "<(.|\n)+>"
SecFilter "<[[:space:]]*script"
# SQL injection attacks
# "select.+from" also matches harmless text such as "select a topic from
# the list", so expect false positives on free-text fields.
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"
# MS SQL specific SQL injection attacks
SecFilter xp_enumdsn
SecFilter xp_filelist
SecFilter xp_availablemedia
SecFilter xp_cmdshell
SecFilter xp_regread
SecFilter xp_regwrite
SecFilter xp_regdeletekey
# Stop PHP fatal error messages (which leak paths and queries) from reaching the client
SecFilterSelective OUTPUT "Fatal error:"
</IfModule>
For more rules to secure your Apache, visit http://www.modsecurity.org/
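To see what the SecFilter rules above actually catch, and what they catch by mistake, here is an added example that runs the same patterns over a few constructed requests. It is written for this post and is not code from mod_security or from the original post: grep -Ei stands in for mod_security's case-insensitive regex matching and the urldecode function stands in for its request normalization, so the behaviour is an approximation. The catch-all "<(.|\n)+>" rule is left out because it rejects any request containing a tag; the sample request lines are constructed, not real traffic.

```shell
#!/bin/sh
# Added example: replay the httpd.conf SecFilter patterns over sample requests.

# urldecode STRING: decode "+" and %XX the way the server does before matching
urldecode() {
    printf '%s\n' "$1" | awk '
    BEGIN { hex = "0123456789abcdef" }
    {
        s = $0; out = ""
        gsub(/\+/, " ", s)                       # form encoding: + is a space
        while (match(s, /%[0-9A-Fa-f][0-9A-Fa-f]/)) {
            h = tolower(substr(s, RSTART + 1, 2))
            code = (index(hex, substr(h, 1, 1)) - 1) * 16 + index(hex, substr(h, 2, 1)) - 1
            out = out substr(s, 1, RSTART - 1) sprintf("%c", code)
            s = substr(s, RSTART + 3)
        }
        print out s
    }'
}

# secfilter_check REQUEST_LINE: prints "deny:<rule>" for the first SecFilter
# from the config above that matches the decoded request, or "allow"
secfilter_check() {
    decoded=$(urldecode "$1")
    for rule in '/etc/passwd' '/bin/ls' '\.\./' '<[[:space:]]*script' \
                'delete[[:space:]]+from' 'insert[[:space:]]+into' 'select.+from' \
                'xp_cmdshell' 'xp_regread' 'xp_regwrite' 'xp_regdeletekey'; do
        if printf '%s\n' "$decoded" | grep -Eiq -- "$rule"; then
            printf 'deny:%s\n' "$rule"
            return 0
        fi
    done
    printf 'allow\n'
}

# Constructed sample requests
secfilter_check 'GET /index.php?id=1%20UNION%20SELECT%20pass%20FROM%20users'   # deny:select.+from
secfilter_check 'GET /download?file=..%2F..%2Fetc%2Fpasswd'                    # deny:/etc/passwd (encoding does not evade it)
secfilter_check 'GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E'           # deny:<[[:space:]]*script
secfilter_check 'POST /forum body=Please+select+a+topic+from+the+list'         # deny:select.+from (false positive)
secfilter_check 'GET /about.html'                                               # allow
```

The second request shows why normalization matters: the traversal and the file name are URL-encoded, and the rule still fires because matching happens after decoding. The fourth request shows the cost of the broad "select.+from" rule: an ordinary forum post is denied with the same status 500 as an injection attempt, which is why the rules need testing against real traffic before SecFilterEngine goes On in production.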
Mod_evasive: again you have to configure the httpd.conf file.
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 5
DOSSiteCount 25
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 300
</IfModule>
- DOSHashTableSize is the number of top-level nodes in the hash table each Apache child uses to track clients; a larger table is faster on a busy server at the cost of memory.
- DOSPageCount is the maximum number of requests for the same page that a single IP may make within DOSPageInterval seconds. An IP that exceeds it is blacklisted for DOSBlockingPeriod seconds (300 here) and gets a 403 for every request during that period.
- DOSSiteCount is the maximum number of requests to the site as a whole (any object) that a single IP may make within DOSSiteInterval seconds; exceeding it has the same consequence.
- The counters live in each child process's own table, so with a prefork MPM the thresholds apply per child rather than globally, and clients sharing a NAT address or an upstream proxy are counted together. Whitelist sources that legitimately hammer the site (monitoring, your own load tests) with DOSWhitelist, which takes an address or a wildcard such as 192.168.1.*.
- Other than the common parameters above, mod_evasive also supports the following three advanced directives:
DOSEmailNotify users@example.com
DOSSystemCommand "su - someuser -c '/sbin/... %s ...'"
DOSLogDir "/var/lock/mod_evasive"
DOSEmailNotify mails the given address each time an IP is blacklisted; DOSSystemCommand runs the command with %s replaced by the offending IP, which is the hook for adding the address to iptables; DOSLogDir is where mod_evasive keeps the lock files it uses to avoid notifying about the same IP repeatedly.
So this is it: your Apache front end is hardened and ready for the public. Enjoy safe hosting.