Must-Have Cybersecurity Software for your Apache Web Server

In an age where online security is paramount, safeguarding your Apache web server is non-negotiable. This article explores three essential cybersecurity tools that every Apache server administrator should have in their arsenal. From fortifying defenses with intrusion prevention systems like fail2ban to virus scanning with clamav and enhancing network security through UFW firewall, we’ll uncover the must-have software to protect your server and data from threats in the digital landscape.

Bogdan Tudorache
9 min read, Jan 9, 2023

A. Web-server best practices

In the previous chapter we discussed the perils of the world wide web as discovered on my very own web server; now we will extend that chapter with the best practices to stay safe and how to enforce them.

In the midst of this pandemic and its ever-present lockdowns, cybersecurity risk discoveries and attacks have risen. People are staying indoors more, and so are the hackers, who are definitely thriving and getting ever more creative in terms of automation, attack methods and code complexity. Nobody is safe, and at the current rate of technological development I do not foresee a slowdown in these malicious intentions.

Just to get an idea of how bad things are, and why cybersecurity is a mission-critical business, I recommend that you read this report on 2020 statistics.

The most shocking one I found was this comment from the FBI: “Since the pandemic began, the FBI reported a 300% increase in reported cybercrimes.” With the war in Ukraine the numbers have probably grown even more.

But enough with the chit chat, let’s get down to business!

After my extensive research I’ve reached the conclusion that the bare minimum necessities with the least resource consumption are:

  • a firewall
  • an antivirus
  • intrusion prevention software (IPS)
  • all of this on top of strong passwords and user accounts with restricted access (which I had implemented from the beginning).

B. Antivirus ClamAV

What is an antivirus?

Antivirus is software that helps protect your computer against malware and cybercriminals. It looks at data (web pages, files, software, applications) on your device, searches for known threats, monitors the behaviour of programs and flags suspicious activity, and seeks to block or remove malware as quickly as possible.

What does antivirus software help protect us from?

The beauty of malware for hackers is its ability to gain access to or damage a computer without our knowledge. It is important to be aware of the many different types of malicious software, or “malware”, against which antivirus software is designed to protect:

  • Spyware: stealing sensitive information
  • Ransomware: extorting money
  • Viruses
  • Worms: spreading copies between computers
  • Trojans: promising one thing but delivering another
  • Adware: advertising
  • Spam: spreading unwanted emails

a. Update system

$ sudo apt-get update

b. Install ClamAV

$ sudo apt-get install clamav clamav-daemon

The clamav package provides the clamscan command used below and the freshclam updater; clamav-daemon adds clamd, which keeps the whole signature database resident in memory (several hundred megabytes) so that clamdscan and on-access scanning can work without reloading it. If you only intend to run scheduled clamscan jobs, you can leave clamav-daemon out and save that memory.

c. Check status

$ sudo systemctl status clamav-freshclam
● clamav-freshclam.service - ClamAV virus database updater
Loaded: loaded (/lib/systemd/system/clamav-freshclam.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2021-03-14 12:32:47 CET; 20min ago
Docs: man:freshclam(1)
man:freshclam.conf(5)
https://www.clamav.net/documents
Main PID: 90349 (freshclam)
Tasks: 1 (limit: 9022)
CGroup: /system.slice/clamav-freshclam.service
└─90349 /usr/bin/freshclam -d --foreground=true
Mar 14 12:32:47 ubuntu systemd[1]: Started ClamAV virus database updater.
Mar 14 12:32:47 ubuntu freshclam[90349]: Sun Mar 14 12:32:47 2021 -> ClamAV update process started at Sun Mar 14 12:32:47 2021
Mar 14 12:32:47 ubuntu freshclam[90349]: Sun Mar 14 12:32:47 2021 -> daily.cld database is up to date (version: 26107, sigs: 3959602, f-level: 63, builder: raynman)
Mar 14 12:32:47 ubuntu freshclam[90349]: Sun Mar 14 12:32:47 2021 -> main.cvd database is up to date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
Mar 14 12:32:47 ubuntu freshclam[90349]: Sun Mar 14 12:32:47 2021 -> bytecode.cld database is up to date (version: 333, sigs: 92, f-level: 63, builder: awillia2)

d. Update virus definition database

The clamav-freshclam service already refreshes the signatures periodically; the manual run below is only needed to force an update right now, and it fails while the daemon is running because the daemon holds a lock on the freshclam log.

Stop the freshclam updater

sudo systemctl stop clamav-freshclam

Start update

sudo freshclam
Sun Mar 14 12:56:43 2021 -> ClamAV update process started at Sun Mar 14 12:56:43 2021
Sun Mar 14 12:56:43 2021 -> daily.cld database is up to date (version: 26107, sigs: 3959602, f-level: 63, builder: raynman)
Sun Mar 14 12:56:43 2021 -> main.cvd database is up to date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
Sun Mar 14 12:56:43 2021 -> bytecode.cld database is up to date (version: 333, sigs: 92, f-level: 63, builder: awillia2)

Start the freshclam updater again

sudo systemctl start clamav-freshclam

e. Start scanning

clamscan is an on-demand, signature-based scanner: it only inspects what you point it at, when you run it, so on a server you will want to schedule it (cron or a systemd timer) rather than run it once. Scan a specific directory, recursively:

sudo clamscan --infected --remove --recursive /home/ubuntu/Desktop/

Note that --remove deletes every file that matches a signature, with no way back; on a server where a false positive could take out a legitimate file, --move=DIR into a root-only quarantine directory is the safer choice.
----------- SCAN SUMMARY -----------
Known viruses: 8509251
Engine version: 0.102.4
Scanned directories: 269
Scanned files: 1471
Infected files: 0
Data scanned: 55.71 MB
Data read: 33.38 MB (ratio 1.67:1)
Time: 91.890 sec (1 m 31 s)

Full computer scan (as root, skipping the virtual filesystems under /proc, /sys and /dev, which hold no real files and only produce errors or very long reads)

sudo clamscan -r --infected --exclude-dir="^/sys" --exclude-dir="^/proc" --exclude-dir="^/dev" /
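To turn the one-off scans above into something a server can run every night, here is a scan wrapper written for this article as an added example (it is not the author's code). It assumes a web root of /var/www, a quarantine directory /var/quarantine and a log under /var/log/clamav (all my choices), uses --move instead of --remove so a false positive can be recovered, and reads clamscan's exit status (0 clean, 1 match, 2 error) so cron or a monitoring job can act on it.

```shell
#!/bin/sh
# Added example (not from the original article): a cron-friendly ClamAV scan of
# the web root that quarantines matches instead of deleting them.
# Assumptions (mine, not the article's): web root /var/www, quarantine directory
# /var/quarantine, log file /var/log/clamav/webroot-scan.log. Run as root.
WEBROOT="${WEBROOT:-/var/www}"
QUARANTINE="${QUARANTINE:-/var/quarantine}"
LOGFILE="${LOGFILE:-/var/log/clamav/webroot-scan.log}"

# Extract the "Infected files:" count from a clamscan SCAN SUMMARY read on stdin.
# Prints 0 if the summary has no such line (e.g. the scan aborted early).
infected_count() {
    awk -F': ' '/^Infected files:/ { n = $2 } END { print n + 0 }'
}

# Translate clamscan's exit status into a short verdict.
# clamscan exits 0 when nothing matched, 1 when a signature matched, 2 on error.
scan_verdict() {
    case "$1" in
        0) echo "clean" ;;
        1) echo "infected" ;;
        2) echo "error" ;;
        *) echo "unknown" ;;
    esac
}

# Run the scan. Root is needed to read every file under the web root and to
# move matches into a directory no other user can reach.
scan_webroot() {
    # Quarantine must exist before clamscan can move files into it; 0700 keeps
    # quarantined (possibly malicious) files away from the web server user.
    install -d -m 0700 "$QUARANTINE"
    # --infected: report only matches; --move: quarantine instead of --remove;
    # --log: keep clamscan's own report next to our one-line verdict.
    clamscan --recursive --infected \
        --move="$QUARANTINE" \
        --log="$LOGFILE" \
        "$WEBROOT"
    status=$?
    echo "$(date -u +%FT%TZ) webroot scan: $(scan_verdict "$status") (exit $status)" >>"$LOGFILE"
    return "$status"
}

# Only scan when invoked with --run, so the file can also be sourced for its
# functions. Example cron entry:  0 3 * * * /usr/local/sbin/scan-webroot.sh --run
if [ "${1:-}" = "--run" ]; then
    scan_webroot
fi
```

Run it as root with --run, or put it in a cron entry; without --run it only defines the functions, so you can source it and reuse infected_count on any saved clamscan summary, such as the one printed above.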

Additional Resources:

ClamAv home page

More commands for clamav

C. Firewall — UFW

What is a firewall?

Cisco: A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules. Firewalls have been a first line of defense in network security for over 25 years.

They establish a barrier between secured and controlled internal networks that can be trusted and untrusted outside networks, such as the Internet.

A firewall can be hardware, software, or both.

I’m not going to go into details, as there are tons of articles online about what firewalls are and how they can help you; what I will mention is that you can also use a firewall to restrict access to certain IPs, routes or people only, and that is exactly what I did.


Uncomplicated firewall UFW

UFW is a front-end to iptables. Its main goal is to make managing your firewall drop-dead simple and to provide an easy-to-use interface. It is well-supported and popular in the Linux community, and even installed by default in a lot of distros. As such, it is a great way to get started securing your server.

a. Installing UFW

sudo apt-get install ufw

b. Enable UFW

If you are working over SSH, add the SSH rule from step d before this step: UFW's default policy denies all incoming traffic, and enabling it without an SSH allow rule leaves you unable to open a new session (ufw itself warns that the command may disrupt existing ssh connections).

sudo ufw enable

c. Check status

$ sudo ufw status

d. Adding rules

I only want rules that allow web traffic to Apache and SSH from my internal IP address.

sudo ufw allow 'Apache'
sudo ufw allow from 192.168.1.21 to any port 22 proto tcp

The 'Apache' application profile (see sudo ufw app list) opens port 80/tcp only; if the site also serves HTTPS, use 'Apache Full' (80 and 443) instead. The second rule is what restricts SSH to one address: nothing else gets in, because the default incoming policy is deny.

e. Verifying your configuration

sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
Apache                     ALLOW       Anywhere
Anywhere                   ALLOW       192.168.1.21
22/tcp                     ALLOW       192.168.1.21
Apache (v6)                ALLOW       Anywhere (v6)
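Putting steps a to e together, the following script (an added example, not from the article) applies the same policy in a safer order and refuses to enable the firewall when the SSH session running it does not come from the admin address. The admin address 192.168.1.21 is the one from the article; the 'Apache Full' profile and the SSH_CONNECTION check are my additions. Run it over SSH as root with sudo -E sh harden-ufw.sh --apply so that SSH_CONNECTION survives sudo's environment reset; without --apply it only prints the rules it would issue.

```shell
#!/bin/sh
# Added example (not from the original article): UFW baseline for an Apache host
# that admits SSH only from one admin address, with a lockout guard.
# Assumptions (mine): the admin host is 192.168.1.21 as in the article, the site
# serves HTTP and HTTPS, and the script runs over SSH as root with SSH_CONNECTION
# preserved (sudo -E sh harden-ufw.sh --apply).
ADMIN_IP="${ADMIN_IP:-192.168.1.21}"

# SSH_CONNECTION is "client_ip client_port server_ip server_port"; its first
# field is the address we are connecting from. Empty when not an SSH session.
ssh_client_ip() {
    # shellcheck disable=SC2086  (word splitting is the point here)
    set -- ${SSH_CONNECTION:-}
    printf '%s\n' "${1:-}"
}

# Refuse to continue if the rules about to be applied would cut off the very
# session applying them. Returns 0 when safe, 1 otherwise.
lockout_guard() {
    client="$(ssh_client_ip)"
    if [ -z "$client" ]; then
        echo "not an SSH session (or SSH_CONNECTION not preserved); assuming console access" >&2
        return 0
    fi
    if [ "$client" != "$ADMIN_IP" ]; then
        echo "refusing: connected from $client but only $ADMIN_IP would be allowed on 22/tcp" >&2
        return 1
    fi
    return 0
}

# The rule set, one command per line so it can be reviewed before it is applied.
# Order matters: the SSH allow rule is in place before 'ufw enable' starts
# enforcing the default-deny policy.
ufw_plan() {
    cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw allow from $ADMIN_IP to any port 22 proto tcp
ufw allow 'Apache Full'
ufw --force enable
EOF
}

# Apply the plan, stopping at the first failing command.
apply_plan() {
    lockout_guard || return 1
    ufw_plan | while IFS= read -r cmd; do
        echo "+ $cmd"
        eval "$cmd" || exit 1
    done || return 1
    ufw status verbose
}

case "${1:-}" in
    --apply) apply_plan ;;
    *) echo "dry run; rules that --apply would issue:"; ufw_plan ;;
esac
```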

Additional resources:

Quick and dirty from Digital Ocean

More commands

D. Intrusion prevention software — Fail2Ban

What is an intrusion prevention system?

An intrusion prevention system (IPS) is a form of network security that works to detect and prevent identified threats. Intrusion prevention systems continuously monitor your network, looking for possible malicious incidents and capturing information about them. The IPS reports these events to system administrators and takes preventative action, such as closing access points and configuring firewalls to prevent future attacks. IPS solutions can also be used to identify issues with corporate security policies, deterring employees and network guests from violating the rules these policies contain.

Wait, that sounds familiar, hmm, what about Intrusion Detection Systems?

IPS and IDS — What is the Difference?

  • When looking into IPS solutions, you may also come across intrusion detection systems (IDS). Before we look into how intrusion prevention systems work, let’s take a look at the difference between IPS and IDS.
  • The main difference between IPS and IDS is the action they take when a potential incident has been detected.
  • Intrusion prevention systems control the access to an IT network and protect it from abuse and attack. IPS are designed to monitor intrusion data and take the necessary action to prevent an attack from developing.
  • Intrusion detection systems — IDS are not designed to block attacks and will simply monitor the network and send alerts to systems administrators if a potential threat is detected.

I will not spend more time explaining the technicalities and theory of how IPSs and IDSs work; you can find more information in the full article from Forcepoint.

Fail2Ban

As per their homepage: Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs — too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc).

To put it in simple terms: based on the rules we configure and the jails we enable, fail2ban monitors both the access.log and error.log files from Apache2 and bans IP addresses for a certain amount of time.

But wait, you might ask yourself, why don’t we ban that malicious IP for life?

  • Well, the answer is pretty simple: the ISP (internet service provider) rarely allocates a static IP to your home router, so one day you might be 123.123.123.123 and the next day 173.21.14.4, which also means that 173.21.14.4 can be a hacker today and a normal user tomorrow. I know it’s not a totally accurate explanation, but the idea is to block the attack and not the person.
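To make the counting concrete before we configure anything, the script below (an added example, not from the article) reproduces in awk what a jail such as apache-auth does over five constructed Apache error.log lines: it pulls the client address out of each auth_basic failure, counts failures per address and reports the addresses that reach maxretry. It simplifies the real filter (whose regexes live in /etc/fail2ban/filter.d/apache-auth.conf) and ignores findtime; the log lines and addresses are made up.

```shell
#!/bin/sh
# Added example (not from the original article): what a Fail2ban jail does,
# reproduced in awk over a few constructed Apache error.log lines, so the effect
# of maxretry is visible before you pick a value. It mimics the idea of the
# apache-auth filter (auth_basic failures keyed by client IP); the real filter
# lives in /etc/fail2ban/filter.d/apache-auth.conf and the real jail also
# honours findtime, which this sketch ignores.

# Constructed sample log (not a real capture): 203.0.113.5 fails three times,
# 198.51.100.9 once, plus one unrelated error line that must not count.
SAMPLE_LOG='[Sun Mar 14 12:00:01.000001 2021] [auth_basic:error] [pid 1234:tid 140] [client 203.0.113.5:51234] AH01617: user admin: authentication failure for "/admin": Password Mismatch
[Sun Mar 14 12:00:02.000001 2021] [auth_basic:error] [pid 1234:tid 140] [client 203.0.113.5:51235] AH01618: user root not found: /admin
[Sun Mar 14 12:00:03.000001 2021] [auth_basic:error] [pid 1234:tid 140] [client 198.51.100.9:40001] AH01617: user bob: authentication failure for "/admin": Password Mismatch
[Sun Mar 14 12:00:04.000001 2021] [core:error] [pid 1234:tid 140] [client 192.0.2.77:50000] AH00135: Invalid method in request FOO
[Sun Mar 14 12:00:05.000001 2021] [auth_basic:error] [pid 1234:tid 140] [client 203.0.113.5:51236] AH01617: user admin: authentication failure for "/admin": Password Mismatch'

# Print the IPs that reach maxretry failures, one per line, sorted.
# Usage: printf '%s\n' "$SAMPLE_LOG" | ban_candidates 3
ban_candidates() {
    maxretry="$1"
    awk -v maxretry="$maxretry" '
        # failregex equivalent: auth_basic errors for a wrong password or unknown user
        /\[auth_basic:error\].*(authentication failure|user .* not found)/ {
            # <HOST> equivalent: the address inside "[client IP:port]"
            if (match($0, /\[client [^]:]+/)) {
                ip = substr($0, RSTART + 8, RLENGTH - 8)
                fails[ip]++
            }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= maxretry) print ip
        }' | sort
}

# How many distinct IPs a given maxretry would ban on the sample.
banned_count() {
    printf '%s\n' "$SAMPLE_LOG" | ban_candidates "$1" | wc -l | tr -d ' '
}

# Stand-alone demo: compare a one-strike policy with a more forgiving one.
if [ "${1:-}" = "--demo" ]; then
    for n in 1 3; do
        echo "maxretry = $n would ban:"
        printf '%s\n' "$SAMPLE_LOG" | ban_candidates "$n"
    done
fi
```

With maxretry = 1 both addresses are banned, including bob, who mistyped his password once; with maxretry = 3 only 203.0.113.5, which kept trying, is banned. That is the trade-off every jail setting below makes.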

a. Update system

$ sudo apt-get update

b. Install Fail2Ban

sudo apt install fail2ban

c. Check status

sudo systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2021-03-08 16:40:48 CET; 5 days ago
Docs: man:fail2ban(1)
Main PID: 2049 (f2b/server)
Tasks: 31 (limit: 9022)
CGroup: /system.slice/fail2ban.service
└─2049 /usr/bin/python3 /usr/bin/fail2ban-server -xf start
Mar 08 16:40:48 ubuntu systemd[1]: Starting Fail2Ban Service...
Mar 08 16:40:48 ubuntu systemd[1]: Started Fail2Ban Service.
Mar 08 16:40:51 ubuntu fail2ban-server[2049]: Server ready

d. Configuration

Fail2ban ships its configuration in .conf files, and it is wise not to modify them: package upgrades overwrite jail.conf, whereas a matching .local file is read afterwards, overrides it and survives upgrades, so you always have the packaged defaults to fall back on if something goes wrong. I must add that configuring fail2ban took me 2 days, which is why I will be sharing my config file.

Do not touch /etc/fail2ban/jail.conf or /etc/fail2ban/jail.d/defaults-debian.conf.

Create a copy of jail.conf that we will update/customize to our needs (copying the whole file works; a jail.local that contains only the settings you change is easier to maintain, since everything you leave out keeps its jail.conf value):

$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Open the .local file. I will break down one jail as an example and share my full jail.local settings below; they enable the Apache-related filters that ship with Fail2ban.

$ sudo vi /etc/fail2ban/jail.local

jail.local breakdown

#
# HTTP servers
#
[apache-auth]                           <-- jail name
enabled = true                          <-- false leaves the jail inactive
filter = apache-auth                    <-- filter name; all filters live under /etc/fail2ban/filter.d
port = http,https                       <-- ports the ban action blocks (service names resolved via /etc/services)
logpath = /var/log/apache2/error.log    <-- which log the jail watches
maxretry = 1                            <-- number of matches (within findtime) that triggers the ban action for an IP
bantime = -1                            <-- how long (in seconds) the IP stays banned; a negative value means a permanent ban

Keep in mind what this combination does: with maxretry = 1 a single mistyped password bans the client, and with bantime = -1 it stays banned until you unban it by hand with fail2ban-client, which runs against the argument above about dynamic addresses. For the reasons given there, a finite bantime (fail2ban also supports bantime.increment, which lengthens the ban for repeat offenders) with a small maxretry is the more common choice.

The Apache filters that ship with the package:

$ ls -l /etc/fail2ban/filter.d | grep apache
-rw-r--r-- 1 root root 3228 Jan 11 2020 apache-auth.conf
-rw-r--r-- 1 root root 2831 Jan 11 2020 apache-badbots.conf
-rw-r--r-- 1 root root 1265 Jan 11 2020 apache-botsearch.conf
-rw-r--r-- 1 root root 1619 Jan 11 2020 apache-common.conf
-rw-r--r-- 1 root root 324 Jan 11 2020 apache-fakegooglebot.conf
-rw-r--r-- 1 root root 511 Jan 11 2020 apache-modsecurity.conf
-rw-r--r-- 1 root root 596 Jan 11 2020 apache-nohome.conf
-rw-r--r-- 1 root root 1230 Jan 11 2020 apache-noscript.conf
-rw-r--r-- 1 root root 2184 Jan 11 2020 apache-overflows.conf
-rw-r--r-- 1 root root 362 Jan 11 2020 apache-pass.conf
-rw-r--r-- 1 root root 1020 Jan 11 2020 apache-shellshock.conf

As promised, the jail.local file.

e. Restart

After configuring you must restart the service and check its status again as in step c; a syntax error in jail.local shows up there as a failed start.

sudo systemctl restart fail2ban

I consider this sufficient; for more details please check the Fail2ban manual.

Congrats, you're done!

Conclusion

We have learned about the bare-minimum security reinforcements you can put on your web server: antivirus software, a firewall and intrusion prevention software. For each of them we went over the installation and configuration steps.

Bogdan Tudorache | Founder @ berrynews.org
