Ban all the attackers. Easier said than done. A website is constantly under attack as the whole server. One day I decided it was too difficult to maintain every single server and ban those attackers. Blocking IPs on the website level is too late. Also, it consumes a lot of resources. So I went for iptables. You can find it on github/JBlond/ban_em_all
DROP vs REJECT. Well, DROP is a bad option for debugging. Also, it is not the default behavior of the OS itself. Nothing is listing on a port? The OS sends a reject. Sadly I haven’t found a way to use REJECT when it comes to IPs. Using DROP on the other hand the automatic server/website scanners assume a firewall and it is more likely to continue the scan.
On Windows Server is can be a hassle to find the start-up folder/autostart folder. Quick shortcut: Win Key + R -> shell:startup
Choosing the right cipher for your server.
The wanted options:
- Only 256 bit
- Only Mac AEAD since in TLS 1.3 that is only allowed.
- Kx (Key exchange) and Au (Authentication) PSK (pre-shared key) is not an option for a webserver
- DSS cipher is for key auth
- Kx=DH without an EC ( Elliptic curves) is not secure enough
- Kx=RSA is weak
- AESCCM is also a Cipher Block Chaining (CBC)
- Aria is for Secure Real-Time Transport Protocol (SRTP)
- DHE-RSA-AES256-GCM-SHA384 and DHE-RSA-CHACHA20-POLY1305 have no EC (elliptic curves)
/opt/openssl/bin/openssl ciphers -v ALL:COMPLEMENTOFALL | grep -v "(128)" | grep "Mac=AEAD" | grep -v "Kx=PSK" | \
grep -v "Au=PSK" | grep -v "Kx=RSAPSK" | grep -v "Au=DSS" | grep -v "Kx=RSA" | grep -v "Enc=AESCCM" | \
grep -v "Enc=ARIAGCM" | grep -v "Au=None" | grep -v "Kx=DH"
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
At last POLY over AES for speed, and ECDSA over RSA also for speed.
SSLCipherSuite SSL ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384
SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384
This was done with the current latest OpenSSL version 1.1.1l
Only for the completeness, GCM is Galois/Counter Mode
I had issues with the zend framework and its implementation of lucene. It saved the values from my UTF-8 database in the lucene files with characters like UTF-8 in ISO 8859-1 like on the search result page. And I wasn’t able to search case insensitive.
I noticed that the apache header (zend server CE) wasn’t sending UTF-8. So I added AddDefaultCharset utf-8 to my httpd.conf. Didn’t help.
What helped: In the Bootstrap.php adding to the init of the search
In the model it is needed to decode it to ISO 8859-1 and than save it as UTF-8. Sounds insane, but it was the only thing that works for me.
WTF Zend Lucene!
I made some testing on my dev machine and liked event mpm. So I installed it here. I noticed that the event mpm closes the connections faster than worker mpm. Some download tests sadisfied me. Less memory usage and faster serving :-) For now I keeped the settings from worker mpm. I’ll look for tweaking in the next days.
Different to the docs event mpm works fine with SSL.
sudo apt-get install apache2-mpm-event libapache2-mod-fcgid
Also the serving PHP over fcgid is nice. The implementation of PHP over fcgid in the older post.
Today I changed my server to from prefork mpm to worker mpm.
There are only some issues: in my phpmyadmin I had to set auth from http to cookie. And PHP_ADMIN_VALUE don’t work in the vhosts.
How to install it:
sudo apt-get install apache2-mpm-worker libapache2-mod-fcgid
In the single vhosts
Options Indexes ExecCGI
AddHandler fcgid-script .php
FCGIWrapper /usr/lib/cgi-bin/php5 .php
So that isn’t hard to do.
Well I would like to have a windows server with apache which is also threaded like worker mpm, but there is no cheap hoster for that yet. At home have that server is not an option cause of the small upload I have with my DSL, the coast of energie and where the hell should I put that server in my small apartment to that I still can sleep?