RASelkirk
Posts: 66
Joined: Mon Jan 07, 2019 2:48 pm

Installed Apache, how to secure?

Sat Feb 09, 2019 6:44 pm

Hi All,

I was finally able to connect to my Pi from the internet after installing Apache. I have a NOIP address, opened port 80 on my router (temp!), and it all works. Now I need to figure out the least complicated yet still strong security setup for full-time access from outside. I found a bunch of incomprehensible stuff out there, and am hoping someone here can provide a simple method...

TIA!

Russ

DougieLawson
Posts: 36135
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK

Re: Installed Apache, how to secure?

Sat Feb 09, 2019 6:52 pm

https://www.raspberrypi.org/documentati ... ecurity.md

DO NOT give www-data access to sudo.
DO NOT allow www-data to write /var/www/html unless you have a specific folder that needs to have write.
DO NOT install phpmyadmin without understanding how many folks will be trying to hack at it every minute of the day.

Look at installing an IDS like fail2ban.
Note: Having anything humorous in your signature is completely banned on this forum. Wear a tin-foil hat and you'll get a ban.

Any DMs sent on Twitter will be answered next month.

This is a doctor free zone.
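The first two "DO NOT" rules above can be checked rather than just remembered. The script below is an added example, not from this thread or from the linked Raspberry Pi documentation; it assumes a Debian-style Apache install where the service account is www-data and the web root is /var/www/html (both named in the post), and the sudoers lines in the comments are constructed samples. Both checks are read-only.

```shell
#!/bin/sh
# Added example, not from the thread: two read-only checks for the first two
# "DO NOT" rules. Assumes a Debian-style Apache install, where the service
# account is www-data and the web root is /var/www/html. Nothing is modified.

# sudoers_grants_user USER
# Reads sudoers text on stdin and exits 0 if any non-comment rule names USER
# (or the group %USER) as its subject, 1 otherwise. Intended use, as root:
#   sudo cat /etc/sudoers /etc/sudoers.d/* 2>/dev/null | sudoers_grants_user www-data
# Exit status 1 is the healthy answer for www-data.
sudoers_grants_user() {
    user=$1
    # Strip comments, then look for a rule whose first field is USER or %USER.
    sed 's/#.*//' | grep -Eq "^[[:space:]]*%?${user}[[:space:]]"
}

# writable_entries DIR USER
# Prints every path under DIR that USER could write to: world-writable
# entries, entries USER owns, and group-writable entries in USER's primary
# group. Symlinks are skipped because their own mode is always 777. Exits 0
# if anything was printed, 1 if the tree is clean. Intended use:
#   writable_entries /var/www/html www-data
writable_entries() {
    dir=$1; user=$2
    if id "$user" >/dev/null 2>&1; then
        grp=$(id -gn "$user")
        found=$(find "$dir" ! -type l \( -perm -o+w -o -user "$user" \
                -o \( -group "$grp" -perm -g+w \) \) -print)
    else
        # USER is not an account on this host (e.g. a test box), so only the
        # world-writable check can be made.
        found=$(find "$dir" ! -type l -perm -o+w -print)
    fi
    [ -n "$found" ] && printf '%s\n' "$found"
}
```

A healthy web root prints nothing: files should be owned by root or your own login and merely readable by www-data, with write access granted only to the one specific folder the post mentions, if you need one at all.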

Andyroo
Posts: 4479
Joined: Sat Jun 16, 2018 12:49 am
Location: Lincs U.K.

Re: Installed Apache, how to secure?

Sat Feb 09, 2019 7:19 pm

Have a look at https://geekflare.com/10-best-practices ... eb-server/

Also consider putting the server into the router's DMZ if you do not need it to access anything else on the network.

If you are using MySQL make sure accounts have complex passwords.

Disable SSH / VNC etc. from this machine to others by firewall rules on the other machines.

If you are using WordPress, make sure it can auto update and the default admin user is not ‘admin’. Check folder security and look to move the default wp-admin folder.

Assuming you are on version 2.4 look at https://httpd.apache.org/docs/2.4/misc/ ... _tips.html
Need Pi spray - these things are breeding in my house...

tpyo kingg
Posts: 620
Joined: Mon Apr 09, 2018 5:26 pm
Location: N. Finland

Re: Installed Apache, how to secure?

Sat Feb 09, 2019 7:28 pm

I'd add to those to stick with stock Apache2 and stay with static pages as much as possible. You can get standardized headers and footers and menus using Server-side Includes (NoExec). The next step up would be a static site generator, like Jekyll, Hugo, or Pelican. Those would allow the public-facing components to remain static.

As for SSH, it is necessary for managing the machine but do make a point of using keys and turning off password authentication.
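A way to confirm that sshd_config really says what the post above asks for, added here as an example rather than taken from the thread or from OpenSSH's own tooling. It only reads text, so it can be run against a copy of /etc/ssh/sshd_config; the sample configs in the comments are constructed. Two details it gets right that a quick grep does not: sshd takes the first value it sees for a keyword, not the last, and directives after the first Match line do not apply globally.

```shell
#!/bin/sh
# Added example, not from the thread: report whether an sshd_config follows
# the "keys only, no passwords" advice. Pure text processing; nothing changes.
# Typical run:  sshd_hardening_report < /etc/ssh/sshd_config

# sshd_effective KEYWORD
# Reads sshd_config text on stdin and prints the effective value of KEYWORD.
# sshd uses the FIRST occurrence of a keyword, and only directives before the
# first Match block are global, so both rules are honoured. Matching is
# case-insensitive like sshd's. Prints nothing when the keyword is unset.
sshd_effective() {
    awk -v key="$1" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
        tolower($1) == "match"   { exit }          # global section ends at first Match
        {
            kw = $1; val = $0
            sub(/^[ \t]*[^ \t]+[ \t]*/, "", val)   # drop the keyword from the line
            if (index(kw, "=") > 0) {              # "Key=value" form
                val = substr(kw, index(kw, "=") + 1) " " val
                kw  = substr(kw, 1, index(kw, "=") - 1)
            } else {
                sub(/^=[ \t]*/, "", val)           # "Key = value" form
            }
            if (tolower(kw) == key) {
                sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
                print val
                exit                               # first occurrence wins
            }
        }'
}

# effective_in CONFIG_TEXT KEYWORD: wrapper so a config held in a variable
# can be queried several times.
effective_in() { printf '%s\n' "$1" | sshd_effective "$2"; }

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# sshd_hardening_report
# Reads sshd_config text on stdin, prints one FAIL line per weak setting and
# returns the number of failures (0 means the config matches the advice).
# Unset keywords are judged by sshd's built-in defaults.
sshd_hardening_report() {
    conf=$(cat); fails=0

    v=$(lower "$(effective_in "$conf" passwordauthentication)"); v=${v:-yes}
    [ "$v" = no ] || { echo "FAIL PasswordAuthentication=$v (want no)"; fails=$((fails + 1)); }

    # Keyboard-interactive auth can still hand a password prompt to PAM, so it
    # must be off too. Newer releases call it KbdInteractiveAuthentication,
    # older ones ChallengeResponseAuthentication; both default to yes.
    v=$(effective_in "$conf" kbdinteractiveauthentication)
    [ -n "$v" ] || v=$(effective_in "$conf" challengeresponseauthentication)
    v=$(lower "$v"); v=${v:-yes}
    [ "$v" = no ] || { echo "FAIL KbdInteractiveAuthentication=$v (want no)"; fails=$((fails + 1)); }

    v=$(lower "$(effective_in "$conf" pubkeyauthentication)"); v=${v:-yes}
    [ "$v" = yes ] || { echo "FAIL PubkeyAuthentication=$v (want yes)"; fails=$((fails + 1)); }

    v=$(lower "$(effective_in "$conf" permitrootlogin)"); v=${v:-prohibit-password}
    [ "$v" != yes ] || { echo "FAIL PermitRootLogin=yes (want no or prohibit-password)"; fails=$((fails + 1)); }

    return "$fails"
}
```

Put your public key in ~/.ssh/authorized_keys and confirm a key login works from a second terminal before turning PasswordAuthentication off, then run `sudo systemctl reload ssh` (Raspbian's service name) and re-run the report.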

RASelkirk
Posts: 66
Joined: Mon Jan 07, 2019 2:48 pm

Re: Installed Apache, how to secure?

Sun Feb 10, 2019 3:01 pm

Thanks, I'll look into these options.

The "homepage" will have one button to trigger my driveway gate plus a couple of visual indicators for feedback. I'd like to allow access to family members and maybe a few friends, should there be one universal UN/PW or allow each person to make their own? I'm looking for minimum complexity here...

Russ

DarkPlatinum
Posts: 844
Joined: Thu Nov 02, 2017 2:30 pm
Location: Unknown

Re: Installed Apache, how to secure?

Sun Feb 10, 2019 3:18 pm

DougieLawson wrote:
Sat Feb 09, 2019 6:52 pm
DO NOT install phpmyadmin without understanding how many folks will be trying to hack at it every minute of the day.

Very true. My WordPress site, run on Apache, receives people trying to probe for vulnerable PHP. If running a WordPress site, get a security plugin.
1 * Raspberry Pi Zero W, 1 * Raspberry Pi 2, 1 * Raspberry Pi 3 1 * Raspberry Pi 3B + :mrgreen:

Check Out My Raspberry Site (Run on a Raspberry Pi 3B :) ): https://html.dynu.net

Heater
Posts: 13339
Joined: Tue Jul 17, 2012 3:02 pm

Re: Installed Apache, how to secure?

Sun Feb 10, 2019 3:37 pm

Be sure you are using HTTPS.

You can get your security certificates from https://letsencrypt.org/. For that you will need to register a domain name and point it at your IP address.

You can use self signed certificates but that is less secure and more inconvenient.

Do have passwords for your users.

You will find many "web application security checklists" around the net. For example: https://www.owasp.org/index.php/Web_App ... heat_Sheet

Be paranoid.

RASelkirk
Posts: 66
Joined: Mon Jan 07, 2019 2:48 pm

Re: Installed Apache, how to secure?

Mon Feb 11, 2019 8:04 pm

DougieLawson wrote:
Sat Feb 09, 2019 6:52 pm
https://www.raspberrypi.org/documentati ... ecurity.md

DO NOT give www-data access to sudo.
DO NOT allow www-data to write /var/www/html unless you have a specific folder that needs to have write.
DO NOT install phpmyadmin without understanding how many folks will be trying to hack at it every minute of the day.

Look at installing an IDS like fail2ban.

Apologies to everyone, this is all too overwhelming. After half a day reading, all I managed to get done is set a non-standard port to forward through and get UFW and Fail2Ban installed.

I don't know how to NOT give sudo access to files/folders.

No one should need to write anything to my server unless a "button click" event counts as a write.

I have no idea what "phpmyadmin" is...

Most of the other reading links had "stumble points" for a newbie, mainly saying to alter files that don't exist on my 'puter, or being too complex to comprehend.

I know I'm dumb, but how does someone hack a site if all they can get access to is an index page?

Speaking of which, when I try my page (pigate.hopto.org) from another box on my LAN, I get the logon page for my router. If I append ":xxxx" port number, I get the Apache index page. I get nothing from the WAN (it never loads) unless I append the port, then it pops up quickly. Is this normal behavior?

Russ

Andyroo
Posts: 4479
Joined: Sat Jun 16, 2018 12:49 am
Location: Lincs U.K.

Re: Installed Apache, how to secure?

Mon Feb 11, 2019 9:52 pm

RASelkirk wrote:
Mon Feb 11, 2019 8:04 pm
...
Speaking of which, when I try my page (pigate.hopto.org) from another box on my LAN, I get the logon page for my router. If I append ":xxxx" port number, I get the Apache index page. I get nothing from the WAN (it never loads) unless I append the port, then it pops up quickly. Is this normal behavior?

Russ

Most routers will not route data in a loop so as your machine finds the external address it sends a request out of the router and that comes back from your ISP. The router then has a bit of a meltdown and gives you its homepage as it knows you internally and not externally :lol:

A couple of ways around this that I would not use:
1) Modify the host file on the machine doing the search so that the domain IP is your local address (not wise).
2) Use your mobile (with WiFi off) to access the site

I would use an external proxy server - a quick Google will show lots of free ones and some have no adverts :roll:

As for the port - what are you using? It reads that your site is not on Port 80 and you have not told Apache this is the default.

When you load Apache, it puts its own index.html file in the web root as confirmation things are working. It’s up to you to replace this or configure a virtual server to go elsewhere.

RASelkirk
Posts: 66
Joined: Mon Jan 07, 2019 2:48 pm

Re: Installed Apache, how to secure?

Tue Feb 12, 2019 2:43 pm

Andyroo wrote:
Mon Feb 11, 2019 9:52 pm
RASelkirk wrote:
Mon Feb 11, 2019 8:04 pm
...
Speaking of which, when I try my page (pigate.hopto.org) from another box on my LAN, I get the logon page for my router. If I append ":xxxx" port number, I get the Apache index page. I get nothing from the WAN (it never loads) unless I append the port, then it pops up quickly. Is this normal behavior?

Russ

Most routers will not route data in a loop so as your machine finds the external address it sends a request out of the router and that comes back from your ISP. The router then has a bit of a meltdown and gives you its homepage as it knows you internally and not externally :lol:

A couple of ways around this that I would not use:
1) Modify the host file on the machine doing the search so that the domain IP is your local address (not wise).
2) Use your mobile (with WiFi off) to access the site

I would use an external proxy server - a quick Google will show lots of free ones and some have no adverts :roll:

As for the port - what are you using? It reads that your site is not on Port 80 and you have not told Apache this is the default.

When you load Apache, it puts its own index.html file in the web root as confirmation things are working. It’s up to you to replace this or configure a virtual server to go elsewhere.

External proxy server... I thought that was what NOIP was but now I'm not so sure as it's not specifically listed as one. It doesn't show my IP, but it does redirect to it.

I'd rather not state my port, but I'm sure someone could find it by running through all 65536 of them. I do have the Apache set up for this port and it all works, but only with that port forwarded in my router.

I have been playing with the index file so it's not the std Apache greeting page right now.

Something else I thought of last night while "counting sheep". If this webpage is the front-end to my gate opener, maybe it would be better to have an internal access list and no logins. Wouldn't logins keep the page tied to the last user while locking out others? I'd hate to have people need to login every time to access it. Then again, I'd not like it if someone unknown decided to play games with it.

Russ
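The thread does not answer Russ's two access questions (one shared password or one per person; an internal access list versus logins), and Heater's HTTPS point is left as a bare instruction. The example below, which is not from the thread or from the Apache project, ties the three together in one virtual host: the gate page is served only over TLS, devices on the home LAN get in without a login, and everyone else needs a personal username and password. Everything it names is an assumption except the domain pigate.hopto.org from Russ's post: LAN 192.168.1.0/24, port 8443, DocumentRoot /var/www/gate, and the Let's Encrypt certificate paths, which are where certbot normally writes them. HTTP Basic auth is per browser, not per site, so one person being logged in does not lock anyone else out and the browser re-sends the credentials itself on every click.

```shell
#!/bin/sh
# Added example, not from the thread: print an Apache 2.4 virtual host for
# the gate page that requires TLS, waives the login on the home LAN and asks
# everyone else for a personal account. All names are assumptions.

# gate_vhost DOMAIN PORT LAN_CIDR
# Prints the vhost text. Review it, then save it as
# /etc/apache2/sites-available/gate.conf and run:
#   sudo a2enmod ssl headers && sudo a2ensite gate && sudo apache2ctl configtest
gate_vhost() {
    domain=$1; port=$2; lan=$3
    cat <<EOF
# Apache only binds ports named in a Listen directive; add "Listen ${port}"
# to /etc/apache2/ports.conf if it is not there already.
<VirtualHost *:${port}>
    ServerName ${domain}
    DocumentRoot /var/www/gate

    # Certificate paths are where certbot (Let's Encrypt) puts them. Note that
    # certbot's HTTP-01 challenge needs port 80 reachable from the internet
    # while it runs, even though the site itself lives on ${port}.
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/${domain}/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/${domain}/privkey.pem
    Header always set Strict-Transport-Security "max-age=31536000"

    <Directory /var/www/gate>
        Options -Indexes -ExecCGI
        AllowOverride None

        # Basic auth is acceptable only because this vhost is TLS-only.
        # One entry per person, so anyone can be removed without touching
        # the others:  sudo htpasswd -B /etc/apache2/gate.htpasswd alice
        # (-B selects bcrypt; htpasswd comes from the apache2-utils package)
        AuthType Basic
        AuthName "Gate"
        AuthUserFile /etc/apache2/gate.htpasswd

        # Either condition is enough: on the LAN, no login is asked for;
        # from outside, a valid personal account is required.
        <RequireAny>
            Require ip ${lan}
            Require valid-user
        </RequireAny>
    </Directory>
</VirtualHost>
EOF
}

# Stand-alone run prints the config for the constructed example values.
gate_vhost pigate.hopto.org 8443 192.168.1.0/24
```

Remember that the LAN exemption is only as strong as the Wi-Fi password, and that a router's port forward shows Apache the real source address of outside visitors, so `Require ip` sees them correctly; the one-time certificate step still needs port 80 forwarded while certbot runs, after which it can be closed again and the renewals re-opened the same way.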
