Apache 2.2.x security tricks (CentOS)

Status
Not open for further replies.

NewEraCracker

  1. Install httpd-devel and gcc:
    Code:
    yum install httpd-devel gcc
  2. Download these modules (you'll need the .c files)
    mod_allowmethods: http://www.apachelounge.com/viewtopic.php?t=4238
    mod_antiloris: http://www.apachelounge.com/viewtopic.php?t=4222
    mod_reqtimeout: https://github.com/apache/httpd/blob/2.2.x/modules/filters/mod_reqtimeout.c
  3. Upload those files to your server (secure ftp via ssh port should be a good way to do so).
  4. Build and install the modules
    Code:
    apxs -cia mod_allowmethods.c
    apxs -cia mod_antiloris.c
    apxs -cia mod_reqtimeout.c
  5. Configure it
    Go to /etc/httpd/conf.d and add a file named 3rdparty.conf with:
    Code:
    TraceEnable Off
    
    <Directory />
        LimitRequestBody 8388608
        <IfModule allowmethods_module>
            AllowMethods GET HEAD OPTIONS POST
        </IfModule>
    </Directory>
    
    <IfModule antiloris_module>
        IPReadLimit 20
    </IfModule>
    
    <IfModule reqtimeout_module>
        RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
    </IfModule>

    Please note that LimitRequestBody will disallow uploading/posting more than 8MB (8388608 bytes) but for most websites it should be ok.

Enjoy :)

If running cPanel, you have to run this after installing the module:
Code:
/usr/local/cpanel/bin/apache_conf_distiller --update
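
Every module directive in the configuration above is wrapped in `<IfModule>`, so a module that failed to build or load leaves its directives ignored without any error. The shell sketch below is an added example, not part of the original post: it lists the guarded directives that are inert for a given `httpd -M` listing. The function names and the sample `httpd -M` output are constructed for illustration.

```shell
# loaded_modules: read `httpd -M` output on stdin, print names space separated.
loaded_modules() {
    awk '$2 ~ /^\((static|shared)\)$/ { printf "%s ", $1 } END { print "" }'
}

# inert_directives LOADED: read a config on stdin and print "module: directive"
# for each directive inside an <IfModule name> whose module is missing from the
# space-separated LOADED list. Negated (!) guards are not handled.
inert_directives() {
    awk -v loaded="$1" '
        BEGIN { n = split(loaded, a, " "); for (i = 1; i <= n; i++) have[a[i]] = 1 }
        /^[ \t]*<IfModule[ \t]/ { m = $2; sub(/>$/, "", m); stack[++d] = m; next }
        /^[ \t]*<\/IfModule>/   { if (d > 0) d--; next }
        /^[ \t]*[<#]/ || /^[ \t]*$/ { next }  # other containers, comments, blanks
        { for (i = 1; i <= d; i++) if (!(stack[i] in have)) { print stack[i] ": " $1; break } }
    '
}

# Constructed sample: `httpd -M` output where mod_antiloris did not load.
sample_modules() {
    cat <<'EOF'
Loaded Modules:
 core_module (static)
 allowmethods_module (shared)
 reqtimeout_module (shared)
Syntax OK
EOF
}

# The configuration from the post, blank lines removed.
sample_conf() {
    cat <<'EOF'
TraceEnable Off
<Directory />
    LimitRequestBody 8388608
    <IfModule allowmethods_module>
        AllowMethods GET HEAD OPTIONS POST
    </IfModule>
</Directory>
<IfModule antiloris_module>
    IPReadLimit 20
</IfModule>
<IfModule reqtimeout_module>
    RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>
EOF
}

# Live: inert_directives "$(httpd -M 2>&1 | loaded_modules)" < /etc/httpd/conf.d/3rdparty.conf
sample_conf | inert_directives "$(sample_modules | loaded_modules)"
```

On the constructed sample this prints `antiloris_module: IPReadLimit`; an empty result means every guarded directive is in effect.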
 
16 comments
OK, but what is the overall conclusion for installing this? Which area does it cover? What are the benefits? We can even install mod_evasive to do all of this in just one module!

Thanks
 
mod_antiloris is causing an error in my Apache:


Apache restart failed. Unable to load pid from pid file and no httpd process found in process list.
If apache restart reported success but it failed soon after, it may be caused by oddities with mod_ssl.
You should run /usr/local/cpanel/scripts/ssl_crt_status as part of your troubleshooting process.
Pass it --help for more details.
Also be sure to examine apache's various log files.
Apache Restart Output:

[Mon Dec 19 12:10:47 2011] [notice] caught SIGTERM, shutting down
 
maxtor, it seems you are running cPanel on your server; you should contact cPanel support for help getting your issues fixed. I only work with servers via SSH and Webmin (I don't use cPanel).
 
It would also be a good idea to learn how to set up good mod_security rules and install that; it'll help a lot against certain attacks.
 
As I've said a few posts ago.
You should contact cPanel support for help getting your issues fixed. I only work with servers via SSH and Webmin (I don't use cPanel).
 
@ onel0ve

Anyone using Apache 2.x.x is way out of date, FYI.

I would recommend everyone upgrade to 3.x.x.

Using 2.x.x is a security risk, just saying.
 
Apache 2.0.x is out of date
Apache 2.2.x is the current series
Apache 2.4.x is the next series.

On my Linux box I use 2.2.x, as that's the latest I can find. On Windows, the 2.4.x version.
 