Hi Tony,
Our standard toolkit for server hardening at work is:
https://dev-sec.io/
You can find the Apache hardening spec at:
https://dev-sec.io/baselines/apache/
They also have Linux and SSH hardening specs there that you can check your setup against.
In practice we are using Ansible to provide compliance assurance, but going through it
manually can help to understand which things the Ansible role is locking down. (The
Ansible role for Apache is broken right now though so you could only do that manually, we
primarily use nginx, and even then it's usually behind either AWS CloudFront or
CloudFlare Access.)
These are guidelines more than rules, and don't work in all cases. For example the
Linux baseline disables some sysctls that we require for Docker. The Ansible roles give a
way to override that though, and we've documented the decision to deviate from the
baseline.
If you try these out I'd be interested to hear how you get on.
Thanks,
Iain.
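As an added illustration of the kind of override Iain describes (this is example code, not Iain's playbook or anything from the dev-sec project): a minimal playbook that applies the dev-sec Linux and SSH roles and records the Docker-related deviation next to the setting it changes. The collection and role names (devsec.hardening.os_hardening, devsec.hardening.ssh_hardening) and the sysctl_overwrite variable are taken from the dev-sec collection's documentation; the host group name is assumed.

```yaml
# Added example, not part of the thread or of dev-sec itself.
# Assumes the collection is installed:
#   ansible-galaxy collection install devsec.hardening
- name: Harden web servers against the dev-sec Linux and SSH baselines
  hosts: webservers          # assumed inventory group
  become: true
  vars:
    # Deliberate deviation from the Linux baseline: os_hardening sets
    # net.ipv4.ip_forward to 0, but Docker needs IP forwarding for
    # container networking. Keeping the exception beside its reason is
    # the "documented decision to deviate" mentioned above.
    sysctl_overwrite:
      net.ipv4.ip_forward: 1
  roles:
    - devsec.hardening.os_hardening
    - devsec.hardening.ssh_hardening
```

Anything placed in sysctl_overwrite is applied after the role's own defaults, so the exception survives re-runs of the playbook rather than being silently reverted. The baseline pages linked above also publish InSpec profiles, so the same host can afterwards be checked independently of the Ansible run to confirm that only the intended controls are failing.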
On Fri, Feb 11, 2022, at 10:48 PM, Lawrence wrote:
Tony
Some thoughts.
My current choice of setup for Apache is to use nginx in front for HTTPS
termination and use letsencrypt for certificates. One thing I like about
nginx is that you can use a special error response of 444, which does not
send an HTTP response; it just drops the connection, which slows down
attackers.
I am using the Apache/nginx pair for a number of uses, some API servers
and a user web interface server. (Named virtual hosts)
On the API servers I explicitly list the calls that can be made and just
drop any others (444).
If you can use nginx this is a useful snippet to drop in; it matches any
URL that starts with a full stop, e.g. .git, .env, and just drops the
connection. I am also seeing attempts to access AWS credentials.

# Regex location: any path segment beginning with a dot (.git, .env,
# .aws/credentials, ...). 444 closes the connection without sending a
# response; the request is still written to the access log.
location ~ /\..* {
    return 444;
}
Also, API servers do not necessarily get accessed at / (root), so that URL
can also be dropped.
There are rules for fail2ban that can monitor nginx/apache logs as well.
Depending what you use Apache for these ideas may or may not be useful.
Script kiddies will also try accessing admin pages for WordPress and
similar.
Lawrence
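The setup Lawrence describes, written out as one added example (this is not Lawrence's configuration): nginx terminates HTTPS with a Let's Encrypt certificate, serves only the ACME challenge over plain HTTP, proxies an explicit allowlist of API calls to Apache on the loopback interface, and answers everything else with 444. The hostname api.example.org, the backend port 8080, the webroot path and the API paths are assumed for illustration.

```nginx
# Added example, not taken from the thread. Hostname, paths and backend
# port are assumed.

# Plain HTTP: only the Let's Encrypt HTTP-01 challenge is served here.
# The dot-file drop is deliberately NOT in this block, because it would
# also swallow /.well-known/acme-challenge/ and break renewals.
server {
    listen 80;
    server_name api.example.org;

    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;        # certbot --webroot directory
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name api.example.org;

    ssl_certificate     /etc/letsencrypt/live/api.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/api.example.org/privkey.pem;

    # 1. Any path segment beginning with a dot (.git, .env, .aws/credentials):
    #    close the connection with no response. Regex locations are tried in
    #    order, so this sits before the allowlisted regexes and also catches
    #    things like /v1/items/.env.
    location ~ /\. {
        return 444;
    }

    # 2. Explicit allowlist of API calls. Exact and anchored-regex matches
    #    only, so nothing else reaches Apache.
    location = /v1/status {
        proxy_pass http://127.0.0.1:8080;     # Apache on loopback only
    }
    location ~ ^/v1/items/[A-Za-z0-9_-]+$ {
        proxy_pass http://127.0.0.1:8080;
    }

    # 3. Everything else, including / itself, is dropped.
    location / {
        return 444;
    }
}
```

Two things worth checking after dropping this in: `nginx -t` to confirm the syntax, and a few requests with curl (`curl -i https://api.example.org/.git/config` should report an empty reply, `curl -i https://api.example.org/v1/status` should reach Apache). Dropped requests still appear in the nginx access log with status 444, which is what a fail2ban filter for nginx can key on.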
On 11/02/2022 19:12, Tony Travis wrote:
Hi,
I'm 'hardening' up a server, and Tom has done some Pen-Testing for me.
If you have time, please attack:
informatics.plus.com
This is a server I've configured for "noVNC" and "SSH" on obfuscated
ports to keep script-kiddies at bay, but easily discoverable by port
scan. I'm running "fail2ban" on "sshd" and "apache2" services.
I know a bit about defending "SSH", but SFA about defending "Apache".
I'd appreciate any help/advice and will buy beer and/or Club Mate for
anyone who gets in and leaves me a note how to block the attack in:
/root/you_left_the_back_door_open
Thanks,
Tony.
_______________________________________________
57north-discuss mailing list -- 57north-discuss(a)lists.57north.org.uk
To unsubscribe send an email to 57north-discuss-leave(a)lists.57north.org.uk