Hello Bitnami Community & Bitnami Staff,
Apache Security Modules
Recently, I enabled many security features on my Bitnami Apache WordPress Server. These features include: password protection, ModEvasive, and ModSecurity. The reason I had gone all out is because on a past server I had been using the vanilla Bitnami WordPress Stack, and after reading the access log I had found out that my site was being inundated with bot traffic and being scraped successfully, receiving html code 200 every time a GET or POST request had been made by any outside actor.
Before implementing any of these new (to me) security features on the server, I had been blocking IPs manually via the httpd-app.conf file as follows:
deny from 220.127.116.11. That was taking too long so I then tried implementing ModEvasive which automated the process based on predefined rules from the modevasion.conf file.
This is where the docs start to differ...
The Bitnami Docs write the code inside of the modevasion.conf file as follows:
#increases size of hash table. Good, but uses more RAM."
#Interval, in seconds, of the page interval."
#Interval, in seconds, of the site interval."
#period, in seconds, a client is blocked. The counter is reset to 0 with every access within this interval."
#threshold of requests per page, per page interval. If hit == block."
#threshold of requests for any object by the same ip, on the same listener, per site interval."
#locking mechanism prevents repeated calls. email can be sent when host is blocked (leverages the following by default "/bin/mail -t %s")"
#locking mechanism prevents repeated calls. A command can be executed when a host is blocked. %s is the host IP."
#DOSSystemCommand \"su - someuser -c \'/sbin/... %s ...\'\""
#whitelist an IP., leverage wildcards, not CIDR, like 127.0.0.*"
The syntax in the Mod Evasive Doc is as follows:
Optionally you can also add the following directives:
DOSSystemCommand "su - someuser -c '/sbin/... %s ...'"
I have some questions relating to this:
1) Is the reason that in the Bitnami code there is a " at the end of every rule because the file is linked to the httpd.conf?
2) Why is the include in the httpd.conf file written as follows:
Include conf/modevasion.conf and not this way
3) Why is the DOSLogDir rule written like this
DOSLogDir \"/var/lock/mod_evasive\"" for the modevasion.conf in the Bitnami docs and not like this DOSLogDir "/var/lock/mod_evasive"? I have created the directory, and there is nothing in there as of yet.
After enabling mod_evasive, I enabled ModSecurity. Then I added the OWASP CRS following the directions in a reply made by @marcos.
I had to make a few changes to the code as the repository for the current OWASP CRS had been moved. This is the code that I used to install the OWASP CRS.
sudo wget https://github.com/coreruleset/coreruleset/archive/v3.3.0.tar.gz
sudo tar xzf v3.3.0.tar.gz
sudo mv coreruleset-3.3.0 crs
sudo mv crs/crs-setup.conf.example crs/crs-setup.conf
I followed everything else verbatim from @marcos's post and the link he provided.
1) I was wondering if there was anything else left to do?
2) Should I enable the ModSecurity log file or not, as it could potentially slow down processes according to the netnea link?
3) How do I know I have implemented the CRS correctly?
4) Currently, I have set WordPress to be password protected. So, all bot traffic is receiving http 401 error messages rather than successfully scraping or performing remote code injection. Should I remove password protection to see whether or not these Mods are working properly?
Password Protection phpMyAdmin
On the topic of password protecting Apache. I successfully applied password protection to WordPress after following this doc. Then I tried to do the same for phpMyAdmin following this doc to no avail.
1) I was wondering if there was some sort of mistake I made, as I followed the docs and created an htpasswd file for administrator and I am not prompted for a double login when accessing phpMyAdmin.
My last question is about databases and MySQL.
1) Is there a way that I can password protect the MySQL database or any other DBs included in the Bitnami WordPress Stack? Are they already password protected with defaults? I haven't accessed any MySQL or MariaDB resources yet; that is why I am asking.
Thank you for any help you may provide!
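An added example that bears on the quoting questions above (not code from the post, the Bitnami docs or mod_evasive itself): a small Python checker that reads a modevasion.conf fragment and reports stray or backslash-escaped quotes, unknown directive names, non-numeric counts and CIDR masks in DOSWhitelist. The directive names and default values are taken from the mod_evasive README; the two sample fragments are constructed, PASTED mirroring the docs fragment quoted earlier and CLEAN showing the README's plain syntax.

```python
import re

# Directive -> value kind, as listed in the mod_evasive README (added example).
DIRECTIVES = {
    "DOSHashTableSize": "int", "DOSPageCount": "int", "DOSSiteCount": "int",
    "DOSPageInterval": "int", "DOSSiteInterval": "int",
    "DOSBlockingPeriod": "int", "DOSEmailNotify": "str",
    "DOSSystemCommand": "str", "DOSLogDir": "path", "DOSWhitelist": "ip",
}
WILDCARD_IP = re.compile(r"(\d{1,3}|\*)(\.(\d{1,3}|\*)){3}")  # 127.0.0.*, not CIDR

def check_config(text):
    """Return [(line_no, message)] for a modevasion.conf fragment; [] means clean."""
    problems = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # Apache ignores blank lines and comments
        if '\\"' in line:
            problems.append((n, 'backslash-escaped quote; the README writes plain "..."'))
        if line.count('"') % 2:
            problems.append((n, "unbalanced double quote (stray trailing quote?)"))
            continue
        name, value = (line.split(None, 1) + [""])[:2]
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # Apache strips one pair of surrounding quotes
        # Apache directive names are case-insensitive, so match them that way.
        known = next((d for d in DIRECTIVES if d.lower() == name.lower()), None)
        if known is None:
            problems.append((n, f"unknown directive {name!r}"))
        elif not value:
            problems.append((n, f"{known} has no value"))
        elif DIRECTIVES[known] == "int" and not value.isdigit():
            problems.append((n, f"{known} needs an integer, got {value!r}"))
        elif DIRECTIVES[known] == "path" and not value.startswith("/"):
            problems.append((n, f"{known} needs an absolute path, got {value!r}"))
        elif DIRECTIVES[known] == "ip" and not WILDCARD_IP.fullmatch(value):
            problems.append((n, f"{known} takes a wildcard IP, not CIDR: {value!r}"))
    return problems

# Constructed sample mirroring the docs fragment quoted in the post, trailing quotes included.
PASTED = r'''#period, in seconds, a client is blocked."
DOSBlockingPeriod 10"
DOSLogDir \"/var/lock/mod_evasive\""
DOSWhitelist 127.0.0.*"
'''
# Constructed corrected fragment, written the way the mod_evasive README shows it.
CLEAN = ('DOSHashTableSize 3097\nDOSPageCount 2\nDOSBlockingPeriod 10\n'
         'DOSLogDir "/var/lock/mod_evasive"\nDOSWhitelist 127.0.0.*\n')
```

Run check_config on the contents of your own conf/modevasion.conf before reloading Apache; an empty list means every line has balanced quotes, a known directive and a value of the right shape.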