サーバセキュリティ

https://www.supinfo.com/articles/single/4342-how-to-secure-your-linux-server-from-ddos-attack

DDoS Deflate

Fail2Ban

Apache mod_evasive module


インストール

$ sudo apt-get install apache2 apache2-utils -y
$ sudo apt-get install libapache2-mod-evasive -y

Apacheモジュールとして有効になっているかどうか確認

$ sudo apachectl -M | grep evasive
evasive20_module (shared)

mod_evasiveの設定

$ sudo nano /etc/apache2/mods-enabled/evasive.conf

<IfModule mod_evasive20.c>
    DOSHashTableSize    3097
    DOSPageCount        2
    DOSSiteCount        50
    DOSPageInterval     1
    DOSSiteInterval     1
    DOSBlockingPeriod   100
    #DOSEmailNotify      root@ubuntu1804  
    DOSSystemCommand    "su - someuser -c '/usr/local/bin/a2_evasive_ban_ip.sh %s'"
    DOSLogDir           "/var/log/mod_evasive"
</IfModule>

DOSSystemCommand:ブラックリストIPを検知した際のシェルスクリプトを指定します。

$ sudo nano a2_evasive_ban_ip.sh

#!/bin/sh
# Offending IP as detected by mod_evasive
IP=$1
# Path to iptables binary executed by user www-data through sudo
IPTABLES="/sbin/iptables"
# mod_evasive lock directory
MOD_EVASIVE_LOGDIR=/var/log/mod_evasive
# Add the following firewall rule (block IP)
$IPTABLES -I INPUT -s $IP -j DROP
# Unblock offending IP after 2 hours through the 'at' command; see 'man at' for further details
echo "$IPTABLES -D INPUT -s $IP -j DROP" | at now + 1 minute
# Remove lock file for future checks
rm -f "$MOD_EVASIVE_LOGDIR"/dos-"$IP"

DOSLogDirの作成

$ sudo mkdir /var/log/mod_evasive
$ sudo chown -R www-data:www-data /var/log/mod_evasive

Apacheの再起動

$sudo service apache2 restart

動作テスト

$ sudo perl /usr/share/doc/libapache2-mod-evasive/examples/test.pl

HTTP/1.1 400 Bad Request
HTTP/1.1 400 Bad Request
HTTP/1.1 400 Bad Request
HTTP/1.1 400 Bad Request
HTTP/1.1 400 Bad Request
HTTP/1.1 400 Bad Request
HTTP/1.1 400 Bad Request
HTTP/1.1 400 Bad Request
....

FastNetMon

HAPROXY

https://www.haproxy.org/

NGINX

apacheユーザの変更

apache2デフォルトユーザwww-dataの変更

$ sudo pico /etc/apache2/envvars
.....
# Since there is no sane way to get the parsed apache2 config in scripts, some
# settings are defined via environment variables and then used in apache2ctl,
# /etc/init.d/apache2, /etc/logrotate.d/apache2, etc.
export APACHE_RUN_USER=apache_user
export APACHE_RUN_GROUP=apache_user
....
$ sudo chown -R apache_user:apache_user /var/www/html
$ sudo chmod -R 7XX /var/www/html

www-dataによるawstats等関連サービスのアクセス権も変更すること。

mod_evasive whitelist

5 Tools to Scan a Linux Server for Malware and Rootkits

https://www.tecmint.com/scan-linux-for-malware-and-rootkits/

clamav freshclam エラー

Redis

$ sudo nano /etc/redis/redis.conf

ファイル最後尾に以下追加:

maxmemory 64mb 
maxmemory-policy allkeys-lru

ModSecurity

ドキュメント

インストール
https://hostadvice.com/how-to/how-to-setup-modsecurity-for-apache-on-ubuntu-18-04/

$ sudo apt-get install libapache2-mod-security2

設定ファイルの作成

$ sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

設定ファイルの編集

$ sudo nano /etc/modsecurity/modsecurity.conf

SecRuleEngine = on

既存ルールのバックアップ作成

$ sudo mv /usr/share/modsecurity-crs /usr/share/modsecurity-crs.bk

Githubから最新ルールのダウンロード

$ sudo git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /usr/share/modsecurity-crs

ルールファイルのコピー

$ sudo cp /usr/share/modsecurity-crs/crs-setup.conf.example /usr/share/modsecurity-crs/crs-setup.conf

ルールファイルの指定

$ sudo nano /etc/apache2/mods-enabled/security2.conf

IncludeOptional /usr/share/modsecurity-crs/*.conf
IncludeOptional /usr/share/modsecurity-crs/rules/*.conf

Apache再起動

$ sudo service apache2 restart

ホワイトリスト

$ sudo nano /etc/modsecurity/whitelist.conf

SecRule REMOTE_ADDR "^XX\.XX\.XX\.XX" "phase:1,nolog,allow,ctl:ruleEngine=off,id:20000221"

XXに任意のIPアドレスを適用します。idには以下のリザーブ以外の値を指定すること。

Rule ID
https://www.modsecurity.org/CRS/Documentation/ruleid.html

ID Reservations
1-99,999; reserved for local (internal) use. Use as you see fit but do not use this range for rules that are distributed to others.
100,000-199,999; reserved for rules published by Oracle.
200,000-299,999; reserved for rules published Comodo.
300,000-399,999; reserved for rules published at gotroot.com.
400,000-419,999; unused (available for reservation).
420,000-429,999; reserved for ScallyWhack .
430,000-439,999: reserved for rules published by Flameeyes
440,000-599,999; unused (available for reservation).
600,000-699,999; reserved for use by Akamai http://www.akamai.com/html/solutions/waf.html
700,000-799,999; reserved for Ivan Ristic.
900,000-999,999; reserved for the OWASP ModSecurity Core Rule Set project.
1,000,000-1,009,999; reserved for rules published by Redhat Security Team
1,010,000-1,999,999; unused (available for reservation)
2,000,000-2,999,999; reserved for rules from Trustwave’s SpiderLabs Research team
3,000,000-3,999,999; reserved for use by Akamai
4,000,000-4,099,999; reserved in use by AviNetworks
4,100,000-4,199,999; reserved in use by Fastly
4,200,000 and above; unused (available for reservation)

適用ルール除外

バーチャルホスト全体の適用ルール除外
<VirtualHost> セクション

<IfModule security2_module>
    SecRuleEngine Off
</IfModule>

特定ディレクトリの適用ルール除外

<Directory "/var/www/wp-admin">
    <IfModule security2_module>
        SecRuleEngine Off
    </IfModule>
</Directory>

または

<LocationMatch "/wp-admin/">
    <IfModule security2_module>
        SecRuleEngine Off
    </IfModule>
</LocationMatch>

特定ルールのみ適用除外

<LocationMatch "/wp-admin/">
    <IfModule security2_module>
        SecRuleRemoveById 981173
    </IfModule>
</LocationMatch>