Securing simple Apache site?
swsnyder Member
edited January 2013 in Help

I am using my VPS to mirror another website. To do so I simply added an entry to the out-of-the-box httpd.conf found on this fully-updated CentOS 6 system.

Since I'm just acting as a mirror for static content, my intent is for this to be a fairly passive operation; I get the content via rsync periodically (cron job) and dispense it via Apache. Easy-peasy.

What can this Apache newbie do to harden my service so that I can just let it run without frequently monitoring it for hacking and/or DDOS attempts? I would really like this to be a hands-off operation and still feel confident that my site will stay accessible.

Thanks.

Comments

  • Ishaq Member
    edited January 2013

    Well, for hacking or DDoS attempts I would suggest making sure you have good software firewalls configured and have the latest Apache. However, if you want security, I don't find Apache to be the best option, as it's sometimes prone to exploits.

    For DDoS you can't really do anything, as the IP belongs to the data center your VPS is located in, and it will nullroute or stop responding after a certain amount of power. If you want real DDoS protection, I suggest you look into a DDoS-protected VPS or a DDoS proxy for your server.

    Good luck.

  • RobertClarke Member, Host Rep

    Get a good firewall, cut out modules you don't need, and you should be ok for the most part. WordPress is the easiest to exploit, so make sure all your plugins are up to date.

  • Ishaq Member
    edited January 2013

    @RobertJFClarke said: so make sure all your plugins are up to date.

    That's incorrect. Sometimes new plugins are the cause of the exploits; make sure there are no known exploits before upgrading your plugins.

  • lzp Member
    edited January 2013

    As Robert said, disable all of the modules you don't need (you should be doing this anyway).

    Install some sort of failed login blocker like denyhosts or fail2ban.

    Since you're using rsync with a cron job, I imagine you're using key authentication; if somehow you are not, you should be.

    Disable root login because you don't need it anyway (this means using sudo, or whatever CentOS uses).

    Make sure you have no FTP daemon installed.

    Log in every so often to update CentOS.

  • RobertClarke Member, Host Rep

    @lzp You could cron yum update -y

    @ishaq That too.

  • Thanks to all that responded.

    I looked at my httpd.conf and the list of modules included by default is huge:

    LoadModule auth_basic_module modules/mod_auth_basic.so
    LoadModule auth_digest_module modules/mod_auth_digest.so
    LoadModule authn_file_module modules/mod_authn_file.so
    LoadModule authn_alias_module modules/mod_authn_alias.so
    LoadModule authn_anon_module modules/mod_authn_anon.so
    LoadModule authn_dbm_module modules/mod_authn_dbm.so
    LoadModule authn_default_module modules/mod_authn_default.so
    LoadModule authz_host_module modules/mod_authz_host.so
    LoadModule authz_user_module modules/mod_authz_user.so
    LoadModule authz_owner_module modules/mod_authz_owner.so
    LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
    LoadModule authz_dbm_module modules/mod_authz_dbm.so
    LoadModule authz_default_module modules/mod_authz_default.so
    LoadModule ldap_module modules/mod_ldap.so
    LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
    LoadModule include_module modules/mod_include.so
    LoadModule log_config_module modules/mod_log_config.so
    LoadModule logio_module modules/mod_logio.so
    LoadModule env_module modules/mod_env.so
    LoadModule ext_filter_module modules/mod_ext_filter.so
    LoadModule mime_magic_module modules/mod_mime_magic.so
    LoadModule expires_module modules/mod_expires.so
    LoadModule deflate_module modules/mod_deflate.so
    LoadModule headers_module modules/mod_headers.so
    LoadModule usertrack_module modules/mod_usertrack.so
    LoadModule setenvif_module modules/mod_setenvif.so
    LoadModule mime_module modules/mod_mime.so
    LoadModule dav_module modules/mod_dav.so
    LoadModule status_module modules/mod_status.so
    LoadModule autoindex_module modules/mod_autoindex.so
    LoadModule info_module modules/mod_info.so
    LoadModule dav_fs_module modules/mod_dav_fs.so
    LoadModule vhost_alias_module modules/mod_vhost_alias.so
    LoadModule negotiation_module modules/mod_negotiation.so
    LoadModule dir_module modules/mod_dir.so
    LoadModule actions_module modules/mod_actions.so
    LoadModule speling_module modules/mod_speling.so
    LoadModule userdir_module modules/mod_userdir.so
    LoadModule alias_module modules/mod_alias.so
    LoadModule substitute_module modules/mod_substitute.so
    LoadModule rewrite_module modules/mod_rewrite.so
    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
    LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
    LoadModule proxy_http_module modules/mod_proxy_http.so
    LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
    LoadModule proxy_connect_module modules/mod_proxy_connect.so
    LoadModule cache_module modules/mod_cache.so
    LoadModule suexec_module modules/mod_suexec.so
    LoadModule disk_cache_module modules/mod_disk_cache.so
    LoadModule cgi_module modules/mod_cgi.so
    LoadModule version_module modules/mod_version.so

    Given that I'm just serving static content from a VirtualHost, which of these do I actually need to support non-SSL IPv4 and IPv6 connections?

    Thanks again.

  • @swsnyder said: Given that I'm just serving static content from a VirtualHost, which of these do I actually need to support non-SSL IPv4 and IPv6 connections?

    Well, they all do different things. I suggest researching each one if you have time and disabling what you think won't be necessary.
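A way to do that research systematically, as an added example that is not part of the original thread and not code from the Apache project: the script below reads the LoadModule lines of an httpd.conf, compares them against a short allowlist of what a plain-HTTP static-content vhost on CentOS 6 / Apache 2.2 typically needs, lists the remaining modules as candidates for disabling, and can emit a copy of the config with those lines commented out. The allowlist itself is an assumption I am making for the stock CentOS 6 config, not something the thread states; the sample config fragment in the demo is constructed. Every module you disable removes code that answers requests (proxy, DAV, CGI, status/info pages, user directories, directory listings), which is the attack-surface reduction Robert and lzp are recommending, but a module referenced by a directive still in the config will stop httpd from starting, so always run the trimmed copy through `apachectl configtest` before swapping it in.

```shell
#!/bin/sh
# Added example for this thread (not from the original post or from Apache):
# audit the LoadModule lines of an Apache 2.2 httpd.conf against an allowlist
# for a static-content vhost over plain HTTP on IPv4/IPv6.
# The allowlist is an assumption for the CentOS 6 default config; verify any
# trimmed config with `apachectl configtest` before restarting httpd.

# Modules a static site on CentOS 6 / Apache 2.2 typically needs (assumption):
#   authz_host_module   Order/Allow/Deny in the stock <Directory> blocks
#   dir_module          DirectoryIndex, so "/" serves index.html
#   mime_module         Content-Type from the file extension
#   log_config_module   LogFormat/CustomLog (keep logs for incident review)
#   logio_module        %I/%O byte counts used by the stock "combinedio" format
#   alias_module        Alias lines in the stock config
#   setenvif_module     BrowserMatch lines in the stock config
#   deflate/expires/headers_module  optional: compression and caching headers
KEEP_MODULES="authz_host_module dir_module mime_module log_config_module \
logio_module alias_module setenvif_module deflate_module expires_module headers_module"

# Print the module name from a (possibly indented) LoadModule line.
# Prints nothing for comments, blank lines and other directives.
module_name() {
    rest=${1#"${1%%[![:space:]]*}"}        # strip leading whitespace
    case "$rest" in
        LoadModule[[:space:]]*) ;;
        *) return 0 ;;
    esac
    rest=${rest#LoadModule}
    rest=${rest#"${rest%%[![:space:]]*}"}  # strip whitespace after the directive
    printf '%s\n' "${rest%%[[:space:]]*}"  # first word is the module name
}

# Print one line per active module that is not in KEEP_MODULES.
# Usage: audit_modules /etc/httpd/conf/httpd.conf
audit_modules() {
    while IFS= read -r line; do
        name=$(module_name "$line")
        [ -n "$name" ] || continue
        case " $KEEP_MODULES " in
            *" $name "*) ;;                  # needed, keep it
            *) printf '%s\n' "$name" ;;      # candidate for commenting out
        esac
    done < "$1"
}

# Print the number of active (uncommented) LoadModule lines in a config.
count_modules() {
    n=0
    while IFS= read -r line; do
        [ -n "$(module_name "$line")" ] && n=$((n + 1))
    done < "$1"
    echo "$n"
}

# Write a copy of the config to stdout with non-allowlisted modules commented
# out. The original file is never modified: redirect to a new file, diff it,
# run `apachectl configtest` against it, then swap it in.
trim_modules() {
    while IFS= read -r line; do
        name=$(module_name "$line")
        if [ -n "$name" ]; then
            case " $KEEP_MODULES " in
                *" $name "*) printf '%s\n' "$line" ;;
                *) printf '#%s\n' "$line" ;;
            esac
        else
            printf '%s\n' "$line"
        fi
    done < "$1"
}

# Demo on a constructed config fragment (not the poster's real httpd.conf).
demo() {
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule dir_module modules/mod_dir.so
LoadModule mime_module modules/mod_mime.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule dav_module modules/mod_dav.so
LoadModule status_module modules/mod_status.so
#LoadModule cgi_module modules/mod_cgi.so
EOF
    echo "Active modules: $(count_modules "$sample")"
    echo "Candidates to disable:"
    audit_modules "$sample"
    rm -f "$sample"
}

# Run with:  sh audit_modules.sh demo
if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run `audit_modules /etc/httpd/conf/httpd.conf` to see the list of candidates, then `trim_modules /etc/httpd/conf/httpd.conf > httpd.conf.trimmed` and `apachectl -f "$PWD/httpd.conf.trimmed" -t` to confirm the trimmed copy still parses before replacing the live file. If configtest complains about an unknown directive, the stock config still references a module you commented out; either put that module back in KEEP_MODULES or remove the directive that needs it. Treat the allowlist as a starting point to verify against your own vhost, not as a fixed answer.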
