Tony
Some thoughts.
My current choice of setup for Apache is to use nginx in front for HTTPS
termination and use letsencrypt for certificates. One thing I like about
nginx is that you can use a special error response of 444, which does not
send an HTTP response; it just drops the connection, which slows down
attackers.
I am using the Apache/nginx pair for a number of uses, some API servers
and a user web interface server (named virtual hosts).
On the API servers I explicitly list the calls that can be made and just
drop any others (444).
If you can use nginx, this is a useful snippet to drop in; it matches any
URL that starts with a full stop, e.g. .git, .env, and just drops the
connection. I am also seeing attempts to access AWS credentials.
    # any path component beginning with a dot is dropped without a response
    location ~ /\..* {
        return 444;
    }
Also, API servers do not necessarily get accessed at / (root), so that URL
can also be dropped.
There are rules for fail2ban that can monitor nginx/apache logs as well.
Depending on what you use Apache for, these ideas may or may not be useful.
Script kiddies will also try accessing admin pages for WordPress and
similar.
Lawrence
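The setup Lawrence describes above (nginx terminating HTTPS in front of Apache, an explicit list of API calls, 444 for dotfile paths, the root and anything else), as an added example that is not Lawrence's own configuration. The hostname api.example.org, the backend 127.0.0.1:8080 and the /api/v1/... paths are assumptions; the certificate paths follow the letsencrypt layout.

```nginx
# Added example, not the configuration from the thread. Hostname, backend
# address and API paths are assumptions.

# Plain HTTP only serves the letsencrypt http-01 challenge (its path starts
# with a dot, so it has to be allowed explicitly) and redirects the rest.
server {
    listen 80;
    server_name api.example.org;
    location ^~ /.well-known/acme-challenge/ { root /var/www/letsencrypt; }
    location / { return 301 https://$host$request_uri; }
}

server {
    listen 443 ssl;
    server_name api.example.org;
    ssl_certificate     /etc/letsencrypt/live/api.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/api.example.org/privkey.pem;

    # Apache behind us uses named virtual hosts, so pass the original Host.
    proxy_set_header Host            $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;

    # Regex locations are tried before a plain prefix match is used, so any
    # path component beginning with a dot (.git, .env, .aws/...) is dropped
    # wherever it appears, even under an allowed API prefix.
    location ~ /\. { return 444; }

    # The API is never served at the root, so / is dropped as well.
    location = / { return 444; }

    # Explicitly listed API calls are the only requests forwarded to Apache.
    location = /api/v1/status { proxy_pass http://127.0.0.1:8080; }
    location /api/v1/items/   { proxy_pass http://127.0.0.1:8080; }

    # Everything else: close the connection without sending a response.
    location / { return 444; }
}

# Scans that hit the IP address or send an unknown SNI name never match a
# virtual host; reject the TLS handshake outright (nginx 1.19.4 or newer).
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;
}
```

Check the result with `nginx -t` before reloading; a request such as `curl -sv https://api.example.org/.env` should end with an empty reply rather than an HTTP status line.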
On 11/02/2022 19:12, Tony Travis wrote:
Hi,
I'm 'hardening' up a server, and Tom has done some Pen-Testing for me.
If you have time, please attack:
informatics.plus.com
This is a server I've configured for "noVNC" and "SSH" on obfuscated
ports to keep script-kiddies at bay, but easily discoverable by port
scan. I'm running "fail2ban" on "sshd" and "apache2" services.
I know a bit about defending "SSH", but SFA about defending "Apache".
I'd appreciate any help/advice and will buy beer and/or Club Mate for
anyone who gets in and leaves me a note how to block the attack in:
/root/you_left_the_back_door_open
Thanks,
Tony.