Introduction
The security measures we enable for our multipurpose server, such as the best practices to limit the attack surface, use of the PKI to prevent unauthorized SSH connections, the firewall to block network traffic based on characteristics such as the application protocol, the source IP and the ports, Fail2ban to block repeated attempts by adding its own firewall rules, and the Open Source HIDS SECurity (OSSEC) HIDS to detect and block intrusions and other unwanted activity by creating its own deny rules, are able to detect and prevent many classes of security threats.
ModSecurity is a web application firewall that inspects the HTTP communication between the server on which it is installed and the clients that make requests to that server. It examines request messages and, if so configured, response messages as well. Based on specific characteristics of the messages, it blocks requests with a 403 Forbidden response.
ModSecurity adds another layer by acting as an HIDS specifically for HTTP communication, to prevent several classes of security threats that, while possibly applicable to all of the services provided by the server, may in certain modes apply specifically to a web server providing a website or web application. These are
Modsecurity2 is able to use rules based on the GEO variable, which cause it to query a database that maps IP addresses to geographic locations, either by ISO country code, by city, or by ASN. When Apache receives a request and, in the normal course of processing its rules, reaches one of these GEO rules, it queries the database it is configured to use to determine whether the source IP address of the request maps to the value of the GEO variable that is the subject of the rule. If there is a match, it performs the disruptive action specified in the rule, which can be to block the request.
This guide assumes that Modsecurity2 is already installed, configured, and working as expected.
MaxMind GeoIP Database
MaxMind provides various services of interest to organizations that provide content and services on the internet: fraud prevention, IP address based geolocation, and proxy detection. The geolocation service is of interest for securing our Apache web server in two ways: the firewall can block connections to the server based on the location of the client hosts, and the web application served by Apache can be protected through ModSecurity's ability to perform disruptive actions based on the location data provided by MaxMind's geolocation service.
Of the geolocation services, one called GeoLite is a free service that only requires an account. It provides three databases, in two formats, that map IP addresses to location by city, to location by country, and to a network operator's Autonomous System Number (ASN). Unfortunately, ModSecurity2 only supports the MaxMind legacy database format (.dat). This requires the use of GeoLite databases converted to the legacy format, which can be done with the third-party utility https://github.com/sherpya/geolite2legacy; conversions performed with this tool have been published at https://www.miyuru.lk/geoiplegacy. We will use these converted databases with ModSecurity2, as described below.
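As an added example that is not part of this guide, the following ModSecurity2 rule fragment puts the GEO lookup described above together with the converted legacy database: it loads the .dat file, resolves the client address into the GEO collection, and denies requests whose country code is on a configured list. The database path, the rule ids and the two country codes are assumptions chosen for illustration.

```apache
# Added example, not from the original guide. Assumed path to the converted
# legacy GeoLite City database (see the conversion links above).
SecGeoLookupDb /etc/httpd/modsecurity.d/GeoLiteCity.dat

# Phase 1 runs on the request headers, before the body is read, so a blocked
# client costs little. @geoLookup fills the GEO collection (COUNTRY_CODE,
# CITY, ...) from REMOTE_ADDR; if the address is not in the database the
# operator does not match and GEO stays empty, so no block rule below fires.
# Rule ids 900100-900101 are assumed to be free in the local rule set.
SecRule REMOTE_ADDR "@geoLookup" \
    "id:900100,phase:1,pass,nolog,t:none"

# Deny with 403 when the resolved country is on the list. XX and YY are
# constructed placeholders; replace them with real ISO 3166-1 alpha-2 codes.
# The anchored regex matches only whole codes, and logdata records the
# country and city in the audit log so blocks can be reviewed later.
SecRule GEO:COUNTRY_CODE "@rx ^(?:XX|YY)$" \
    "id:900101,phase:1,deny,status:403,log,t:none,\
    msg:'Request from blocked country %{GEO.COUNTRY_CODE}',\
    logdata:'country=%{GEO.COUNTRY_CODE} city=%{GEO.CITY}'"
```

Before switching to deny, running the second rule with pass,log for a few days shows which traffic it would have blocked and whether the converted database resolves the expected countries.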
Post Install Configuration
Apparently not required, as in the installation process described in A Fedora Installation with an openSUSE Style Btrfs Subvolume Layout and Snapper Integration for System Snapshots and Rollbacks:
- Changing SELinux Mode
- Setting the default subvolume