fail2ban + remoteip mod

systemctl status fail2ban
fail2ban-client status
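fail2ban-client status apache-get-dos - parodo Banned IP list (jail pavadinimas turi sutapti su jail.local sekcijos pavadinimu; žemiau aprašytas jail vadinasi nginx-http-get-dos)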
fail2ban-client banned - parodo Banned IP list
tail -f /var/log/fail2ban.log - live stebejimas requestu
--------------- sukuriam filtra -------------------------
sudo nano /etc/fail2ban/filter.d/nginx-http-get-dos.conf

[Definition]
# Matches every access-log line that starts with the client address and
# contains a quoted GET or POST request, so each such request counts as one
# "failure". The jail's maxretry/findtime turn this into a request-rate limit.
# NOTE(review): a page that loads many assets can push an ordinary visitor
# over the limit; tune the thresholds or narrow the pattern before relying
# on it.
failregex = ^<HOST> -.*"(GET|POST).*
# Empty: no matching line is excluded.
ignoreregex =

--------------- idedam filtra i jail.local --------------
nano /etc/fail2ban/jail.local

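[nginx-http-get-dos]
# Rate-limit jail: bans an address once the nginx-http-get-dos filter has
# matched maxretry log lines from it within findtime seconds.
enabled = true
port = http,https
filter = nginx-http-get-dos
# The log must record the real client address, not a proxy's, or the proxy
# itself gets banned.
# NOTE(review): the rest of these notes configure Apache; confirm this is the
# access log of the server actually in use.
logpath = /var/log/nginx/access.log
# 30 matching requests within 60 s lead to a 3600 s (1 h) ban.
maxretry = 30
findtime = 60
bantime = 3600
# Block both ports named in "port" above. The single-port iptables action with
# port=http would leave HTTPS reachable for a banned address.
action = iptables-multiport[name=HTTP, port="http,https", protocol=tcp]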
----------------------------------------------

systemctl restart fail2ban
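Reikalingas, jei naudojamas Cloudflare A Proxied. Pastaba: iptables ban'as pagal lankytojo IP srauto per Cloudflare nesustabdo, nes paketai į serverį ateina iš Cloudflare adresų.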

a2enmod remoteip
nano remoteip.conf
# File: /etc/apache2/conf-available/remoteip.conf
# Enables mod_remoteip so that Apache sees the real visitor IP behind Cloudflare

# Header from which the client address is taken. Because trusted proxies are
# listed below, the header is honoured only on connections from those ranges.
RemoteIPHeader X-Forwarded-For

# Cloudflare trusted proxy IPs
# NOTE(review): the list should hold every current Cloudflare range and
# nothing else, since any address listed here may assert the client IP.
RemoteIPTrustedProxy 103.21.244.0/22
....
# add all IP ranges from here: https://www.cloudflare.com/ips/
# NOTE(review): the access-log LogFormat probably needs %a instead of %h for
# the restored address to reach the log that fail2ban reads. Confirm.


a2enconf remoteip
systemctl restart apache2
Blokuoti IP
fail2ban-client set apache-get-dos banip 11.22.33.44

Atblokuoti IP
fail2ban-client set apache-get-dos unbanip 11.22.33.44

Atblokuoti visus IPs
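# Unban every address in every fail2ban jail.
# The unquoted $(...) expansions are deliberate: the jail list and the banned
# list are whitespace-separated words that must be split into loop items.
# Newer fail2ban releases also provide `fail2ban-client unban --all`.
for jail in $(sudo fail2ban-client status | grep "Jail list:" | cut -d: -f2 | tr ',' ' '); do
  # -f2- keeps everything after the first colon, so IPv6 addresses (which
  # contain colons themselves) are not cut off after their first group.
  for ip in $(sudo fail2ban-client status "$jail" | grep "Banned IP list:" | cut -d: -f2-); do
    # Quoted so each token reaches fail2ban-client as exactly one argument.
    if [ -n "$ip" ]; then
      sudo fail2ban-client set "$jail" unbanip "$ip"
    fi
  done
done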

apache reverse proxy(loadbalancer)

LOAD BALANCER (vidinis: 10.10.10.1)

apache2.conf

<VirtualHost *:80>
# Reverse proxy: requests to this vhost are distributed over the balancer
# members below.
<Proxy balancer://mycluster>
# Placeholders: replace with each backend's internal (or external) address.
# The members are addressed over plain HTTP, so this hop is unencrypted.
BalancerMember http://vidinis.ip (arba isorinis)
BalancerMember http://vidinis.ip (arba isorinis)
</Proxy>

# Pass the client's original Host header on to the backend.
ProxyPreserveHost On

# Forward every path to the cluster and rewrite backend redirects back.
ProxyPass / balancer://mycluster/
ProxyPassReverse / balancer://mycluster/

</VirtualHost>

domain-le-ssl.conf

# HTTPS vhost for example.com; only active when mod_ssl is loaded.
# NOTE(review): no ProxyPass/ProxyPassReverse appears in this vhost as shown,
# so HTTPS requests are not forwarded to the balancer unless that is added.
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin mail@mail.com
ServerName example.com
ServerAlias www.example.com

# Certificate chain and private key from the Let's Encrypt live directory.
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
# Shared TLS settings file kept alongside the certificates.
Include /etc/letsencrypt/options-ssl-apache.conf

</VirtualHost>
</IfModule>

 

WEB SERVER

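<Directory /home/test/www/balancer2/>
# Serve this tree to the load balancer only; every other client is refused.
Options FollowSymLinks
# .htaccess files in this tree may override directives, access rules included.
AllowOverride All

# Use the Apache 2.4 Require form on its own. Combining "Require all granted"
# with the 2.2 Order/Deny/Allow directives makes the effective policy depend
# on mod_access_compat and is easy to get wrong.
# from balancer (internal address)
Require ip 10.10.10.1
</Directory>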

 

https://www.digitalocean.com/community/tutorials/how-to-use-apache-as-a-reverse-proxy-with-mod_proxy-on-ubuntu-16-04

Error page template

<VirtualHost *:80>
		
		# Map error statuses to site-specific pages; all 50x codes share one page.
		# The paths are URL paths, so the files must be served by this vhost.
		ErrorDocument 404 /custom_404.html
		ErrorDocument 403 /custom_403.html
		ErrorDocument 500 /custom_50x.html
		ErrorDocument 502 /custom_50x.html
		ErrorDocument 503 /custom_50x.html
		ErrorDocument 504 /custom_50x.html

</VirtualHost>

https://www.digitalocean.com/community/tutorials/how-to-configure-apache-to-use-custom-error-pages-on-ubuntu-14-04

Disable Directory Browsing

1. Apache solution 
  a) /etc/apache2/apache2.conf
  b) /etc/apache2/sites-available/site.conf

<Directory /var/www/>
        # Indexes is absent from Options, so no automatic listing is generated
        # for a directory that lacks an index file.
        Options FollowSymLinks
	# .htaccess files under this tree are ignored with None, so the .htaccess
	# approaches in these notes only work where AllowOverride permits them.
	AllowOverride None
	Require all granted
</Directory>

#<Directory /var/www/>
#	Options Indexes FollowSymLinks
#	AllowOverride None
#	Require all granted
#</Directory>

2. htaccess solution 
  In directory add file: .htaccess
    Options -Indexes
3. Add index.html (simple solution)
  Sorry, the page you are looking for could not be found.

4. htaccess ignore solution (hides entries from the listing only; the files stay reachable by direct URL)
  IndexIgnore *
  IndexIgnore *.jpg