Security – ajni.IT

Linux Apache2 Virtual Hosts with different users

September 15, 2020 by AJNI No Comments

Apache Virtual Hosts are great because they let you host multiple websites on the same server. The public IP address can also be re-used - Apache knows, based on the HTTP host header, which website to show.

But have you considered this scenario? website1.com gets compromised and some malicious person has access to the server. What can they do? Most certainly they have access to every other website on the server because, by default, every Virtual Host runs under the same user www-data. Fortunately, there is a module that allows us to use different users for every Apache2 Virtual Host called apache2-mpm-itk.

It is very easy to install:

apt-get install libapache2-mpm-itk

a2enmod mpm_itk

If you face any issues, disable mpm-prefork and try enabling mpm_itk again.

a2dismod mpm_prefork

Now, in the Virtual Host config file, insert these lines (user www-site1 and group www-site1):

<IfModule mpm_itk_module>
AssignUserId www-site1 www-site1
</IfModule>

The user could be added with useradd:

useradd www-site1

Lastly, give owner rights to the new user and no one else.

chown www-site1:www-site1 -R /var/www/site1

Or even better, give the www-site user write rights on the upload folder. Everything else is readable only.

find /var/www/site1/ -type d -exec chmod 0755 {} \; #Change directory permissions rwxr-xr-x

find /var/www/site1/ -type f -exec chmod 0644 {} \; #Change file permissions rwxr-xr-x

chown ajni:ajni -R /var/www/site1/ # Let your useraccount be owner

chown www-site1:www-site1 -R /var/www/site1/uploads/ #Let apache be owner of upload folder

Oh yeah. Don't forget to restart apache:

service apache2 restart

References:

https://cloudkul.com/blog/apache-virtual-hosting-with-different-users/

Reading time: 1 min

Set up Fail2Ban for SSH on Linux (Debian/Ubuntu)

June 16, 2020 by AJNI No Comments

The first step to securing your SSH configuration is to configure key-based authentication and not allow password authentication at all. That topic has already been discussed. Check out my post about that: https://www.ajni.it/2020/03/configure-ssh-key-based-authentication-on-a-linux-system/

The second step is to introduce an Intrusion Detection System (IDS or IPS). Fail2ban can achieve that specific goal. It analyses SSH authentication logs (it can be also set for other services) and blacklists IP addresses after n failed attempts with the help of iptables (firewall rules). Let's check it out.

First of all make sure to update your system:

apt update

apt upgrade

Now install fail2ban:

apt install fail2ban

Start and enable the fail2ban service:

systemctl start fail2ban

systemctl enable fail2ban

Now a "jail" can be configured for failed ssh login attempts. There is a default /etc/fail2ban/jail.conf file, but we are going to create a new config jail.local.

nano /etc/fail2ban/jail.local

Paste following parameters in the file:

[sshd]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
mode = aggressive
bantime = -1
findtime = 3600

Mode=aggressive includes failed attempts with public key authentication. Bantime = -1 is for persistent bans. Findtime indicates how far back logs are checked (now - 3600 minutes or 1 hour).

After saving the file, restart fail2ban:

service fail2ban restart

Blacklisted IPs can be viewed with

fail2ban-client status sshd

After some minutes one IP already showed up: