Install and configure a secure Apache Web server in Ubuntu


In this tutorial, we assume that you already have an Ubuntu server running and the network has been set up and can be accessed through SSH.

Apache2 is the default Web server on many Linux distributions. It is not the only Web server available, nor the best one for every environment, but it is suitable for many use cases. During installation, the system may ask which Web server you want to reconfigure automatically. Select "apache2".

Install Apache2

Run the following command to install Apache2 and other libraries.

$ sudo apt-get -y install apache2 apache2.2-common apache2-doc apache2-mpm-prefork apache2-utils libapache2-mod-php5 libexpat1 ssl-cert php5-common php5 php5-gd php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt libapache2-mod-suphp libopenssl-ruby libapache2-mod-ruby

Update the time zone and check the correct time

To reduce confusion with shared or mirrored data, all servers should keep their clocks as closely synchronized as possible. Some cryptographic key management systems require accurate time. Finally, for enterprise servers, Sarbanes-Oxley and HIPAA require a correct timestamp mechanism.

$ sudo apt-get -y install openntpd tzdata

$ sudo dpkg-reconfigure tzdata

$ sudo service openntpd restart

Disable AppArmor conflicts

Although the AppArmor suite does provide additional security, in my opinion you need to create custom profiles for each system, which is beyond the scope of this tutorial. So for now, we will disable AppArmor to prevent conflicts with any default configuration.

$ sudo /etc/init.d/apparmor stop

$ sudo update-rc.d -f apparmor remove

$ sudo apt-get remove apparmor apparmor-utils

NOTE: Disabling AppArmor is not recommended on a production Web server. To create a custom AppArmor profile, see the official instructions (http://wiki.apparmor.net/index.php/Documentation).

Block distributed denial of service (DDoS) attacks

A DDoS attack is a distributed denial of service attack. The Apache module mod_evasive can block such attacks.

$ sudo apt-get -y install libapache2-mod-evasive

$ sudo mkdir -p /var/log/apache2/evasive

$ sudo chown -R www-data:root /var/log/apache2/evasive

Add the following directives to the end of mod-evasive.load. Apache does not allow a comment on the same line as a directive, so each comment goes on its own line.

$ sudo nano /etc/apache2/mods-available/mod-evasive.load

DOSHashTableSize 2048

# Maximum number of requests to the same page

DOSPageCount 20

# Total number of requests from the same client IP address on the same listener

DOSSiteCount 300

# Interval for the page count threshold (seconds)

DOSPageInterval 1.0

# Interval for the site count threshold (seconds)

DOSSiteInterval 1.0

# Time in seconds that a client stays blocked

DOSBlockingPeriod 10.0

DOSLogDir "/var/log/apache2/evasive"

DOSEmailNotify admin@domain.com
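Before enabling the thresholds above (DOSPageCount 20, DOSSiteCount 300, both over 1.0 second), it helps to replay an existing access log through them and see which client addresses would have been blocked. The following is an added example, not part of the original tutorial: it is a simplified model that groups requests by the log's one-second timestamps, and the function names, addresses and log lines are constructed.

```shell
#!/bin/sh
# Added example: dry-run of the mod_evasive page/site thresholds against an
# access log in combined format. Simplified model: requests are grouped by
# the one-second timestamps in the log, matching the 1.0 s intervals.

# Usage: evasive_dryrun PAGE_COUNT SITE_COUNT < access.log
# Prints "<ip> page" if an address requests one path more than PAGE_COUNT
# times within a second, and "<ip> site" if its total requests within a
# second exceed SITE_COUNT.
evasive_dryrun() {
    awk -v page="$1" -v site="$2" '
    {
        ip = $1; ts = substr($4, 2); uri = $7   # combined log format fields
        sub(/\?.*/, "", uri)                    # count by path, ignore query
        if (++p[ip, ts, uri] == page + 1) print ip, "page"
        if (++s[ip, ts] == site + 1)      print ip, "site"
    }' | sort -u
}

# Constructed sample log: 25 hits on one path in one second from 203.0.113.7,
# and 5 hits spread over 5 seconds from 198.51.100.2.
sample_log() {
    i=0
    while [ "$i" -lt 25 ]; do
        echo '203.0.113.7 - - [10/Oct/2013:13:55:36 +0000] "GET /login.php?try=1 HTTP/1.1" 200 512'
        i=$((i + 1))
    done
    i=0
    while [ "$i" -lt 5 ]; do
        echo "198.51.100.2 - - [10/Oct/2013:13:55:3$i +0000] \"GET /index.html HTTP/1.1\" 200 1024"
        i=$((i + 1))
    done
}

# With the tutorial's values only the first address crosses a threshold.
sample_log | evasive_dryrun 20 300
```

On a real server, feed the function your own log, for example `evasive_dryrun 20 300 < /var/log/apache2/access.log`, and raise the thresholds if legitimate clients appear in the output.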

Block Slowloris attacks

Another Apache module can prevent Slowloris attacks, but the module name depends on the specific version of Ubuntu. For Ubuntu 12.10 or later versions:

$ sudo apt-get -y install libapache2-mod-qos

Then, check the configuration in qos.conf:

$ sudo nano /etc/apache2/mods-available/qos.conf

# Service quality settings

# Process connections from up to 100000 different IP addresses

QS_ClientEntries 100000

# Only 50 connections per IP address are allowed

QS_SrvMaxConnPerIP 50

# The maximum number of active TCP connections is 256

MaxClients 256

# Disable keep-alive when 70% of TCP connections are occupied

QS_SrvMaxConnClose 180

# Minimum request/response speed (deny slow clients that block the server, that is, Slowloris keeping connections open without requesting anything):

QS_SrvMinDataRate 150 1200

# And limit the request header and body (note that this also limits uploads and POST requests):

# LimitRequestFields 30

# QS_LimitRequestBody 102400
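The values in qos.conf depend on each other: QS_SrvMaxConnClose 180 is about 70% of MaxClients 256, and the relationship breaks silently if only one of them is changed later. The following is an added example, not part of the original tutorial, that checks a config fragment for this; the function names and messages are constructed for illustration.

```shell
#!/bin/sh
# Added example: sanity-check the mod_qos connection limits against
# MaxClients. Reads an Apache config fragment on stdin, one finding per line.
qos_lint() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }            # skip comment and blank lines
    {
        # Apache does not allow a comment on the same line as a directive
        for (i = 2; i <= NF; i++)
            if ($i ~ /^#/) { print "line " NR ": comment after " $1; break }
        val[$1] = $2 + 0
    }
    END {
        max = val["MaxClients"]
        if (!max) { print "MaxClients not set"; exit }
        if ("QS_SrvMaxConnClose" in val) {
            c = val["QS_SrvMaxConnClose"]
            if (c >= max) print "QS_SrvMaxConnClose " c " is not below MaxClients " max
            else printf "keep-alive is disabled at %d%% of MaxClients\n", c * 100 / max
        }
        if ("QS_SrvMaxConnPerIP" in val) {
            p = val["QS_SrvMaxConnPerIP"]
            if (p >= max) print "QS_SrvMaxConnPerIP " p " is not below MaxClients " max
            else printf "one address can hold %d%% of MaxClients\n", p * 100 / max
        }
    }'
}

# The values from this tutorial's qos.conf
page_conf() {
    cat <<'EOF'
# Service quality settings
QS_ClientEntries 100000
QS_SrvMaxConnPerIP 50
MaxClients 256
QS_SrvMaxConnClose 180
QS_SrvMinDataRate 150 1200
EOF
}

page_conf | qos_lint
```

To check the installed file, run `qos_lint < /etc/apache2/mods-available/qos.conf`.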

 

Note: If you run an Ubuntu version earlier than 12.04, use the following command instead:

$ sudo apt-get -y install libapache2-mod-antiloris

Check the configuration in antiloris.conf.

$ sudo nano /etc/apache2/mods-available/antiloris.conf

# Maximum number of parallel connections for each IP address in the READ status

IPReadLimit 5

 

Prevent DNS injection attacks

The Spamhaus module uses the Domain Name System blacklist (DNSBL) to prevent spam forwarding through Web forms, prevent URL injection attacks, and block HTTP DDoS attacks from bots. In general, it protects the server from known malicious IP addresses.

$ sudo apt-get -y install libapache2-mod-spamhaus

$ sudo touch /etc/spamhaus.wl

Append the config to apache2.conf:

$ sudo nano /etc/apache2/apache2.conf

MS_METHODS POST,PUT,OPTIONS,CONNECT

MS_WhiteList /etc/spamhaus.wl

MS_CacheSize 256

Restart Apache to load new modules

$ sudo service apache2 restart

The Web server is now installed and running. Point your Web browser at your domain; the default page confirms that everything is working. As a final check, run the following command to see whether the server has logged any errors. If there is an error message, search for it on Google to resolve it right away.

$ sudo tail -200 /var/log/syslog
