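#!/bin/bash
# apache2 setup script.
#
# Installs Apache, replaces apache2.conf with the pre-made ./conf, rewrites
# ports.conf, and (further down) installs mod_security + the OWASP CRS and
# appends a set of hardening directives.
#
# Run as root from the directory holding ./conf (apache2.conf replacement)
# and ./mod (modsecurity.conf replacement).

APACHE_CONF=/etc/apache2/apache2.conf
PORTS_CONF=/etc/apache2/ports.conf
NEW_APACHE_CONF="$(pwd)/conf"

# Check for the replacement config before touching anything. The original
# moved the live apache2.conf to .bak first, so a missing ./conf left Apache
# with no main config at all.
if [ ! -f "$NEW_APACHE_CONF" ]; then
  printf 'ERROR: %s not found; refusing to replace %s\n' "$NEW_APACHE_CONF" "$APACHE_CONF" >&2
  exit 1
fi

# Installing just in case it's not.
apt-get install apache2 -y

# Stop the server while its configuration is replaced.
service apache2 stop

# Back up the fresh configs. -n so a re-run does not overwrite the backup of
# the packaged original with an already-modified file.
cp -n "$APACHE_CONF" "$APACHE_CONF.bak"
cp -n "$PORTS_CONF" "$PORTS_CONF.bak"

# Put the pre-made config in place. install(1) rather than mv so the file in
# /etc/apache2 ends up root-owned and 0644 whatever the owner and mode of
# ./conf were (mv carries a user-owned or group-writable file over as-is).
# Unlike mv this leaves ./conf behind.
install -o root -g root -m 0644 "$NEW_APACHE_CONF" "$APACHE_CONF" || exit 1

# New ports.conf. Listen 443 is added under mod_ssl: the original only
# listened on 443 under mod_gnutls, so with the stock mod_ssl nothing ever
# listened for TLS and the HSTS / Secure-cookie settings appended later had
# nothing to protect. NameVirtualHost is a 2.2 directive that 2.4 accepts
# with a warning; kept for the older releases this script targets.
cat > "$PORTS_CONF" <<'EOF'
NameVirtualHost *:80
Listen 80
<IfModule mod_ssl.c>
 Listen 443
</IfModule>
<IfModule mod_gnutls.c>
 Listen 443
</IfModule>
EOF

# Bring the server back up on the new configuration.
service apache2 restart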
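#MOD SECURITY SECTION
MODSEC_DIR=/etc/modsecurity
NEW_MODSEC_CONF="$(pwd)/mod"
# CRS tarball to fetch. The default (master) is what the original used, but
# an unpinned branch with no integrity check is an unverified download that
# gets copied straight into /etc. Set CRS_REF to a release tag and
# CRS_SHA256 to that tarball's digest to pin it; without CRS_SHA256 the
# download is used unverified (with a warning), as before.
CRS_REF="${CRS_REF:-master}"
CRS_URL="https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/${CRS_REF}"

# Same guard as for ./conf: don't replace the live modsecurity.conf with a
# file that isn't there.
if [ ! -f "$NEW_MODSEC_CONF" ]; then
  printf 'ERROR: %s not found; refusing to replace %s/modsecurity.conf\n' "$NEW_MODSEC_CONF" "$MODSEC_DIR" >&2
  exit 1
fi

# Dependencies. These package names (php5, libapache-mod-security) are the
# ones on the older Debian/Ubuntu releases this script was written for.
apt-get install libxml2 libxml2-dev libxml2-utils -y
apt-get install libaprutil1 libaprutil1-dev -y
apt-get install php5 -y
# installing mod security
apt-get install libapache-mod-security -y

# Keep the packaged template as .bak (once), then install the pre-made
# config root-owned and 0644 instead of mv'ing it in with whatever
# owner/mode ./mod had.
if [ -f "$MODSEC_DIR/modsecurity.conf-recommended" ]; then
  mv -n "$MODSEC_DIR/modsecurity.conf-recommended" "$MODSEC_DIR/modsecurity.conf.bak"
fi
install -o root -g root -m 0644 "$NEW_MODSEC_CONF" "$MODSEC_DIR/modsecurity.conf" || exit 1

# OWASP CRS. Downloaded into a private temp dir instead of the cwd so a
# stale or planted SpiderLabs-owasp-modsecurity-crs-* directory there can't
# be what ends up in /etc/modsecurity.
CRS_TMP="$(mktemp -d)" || exit 1
trap 'rm -rf -- "$CRS_TMP"' EXIT
CRS_TARBALL="$CRS_TMP/SpiderLabs-owasp-modsecurity-crs.tar.gz"
wget -O "$CRS_TARBALL" "$CRS_URL" || exit 1
if [ -n "${CRS_SHA256:-}" ]; then
  printf '%s  %s\n' "$CRS_SHA256" "$CRS_TARBALL" | sha256sum -c - || exit 1
else
  printf 'WARNING: CRS_SHA256 not set; using the CRS tarball unverified\n' >&2
fi
tar -zxf "$CRS_TARBALL" -C "$CRS_TMP" || exit 1
cp -R "$CRS_TMP"/SpiderLabs-owasp-modsecurity-crs-*/* "$MODSEC_DIR"/

# CRS 2.x layout: the setup file ships as .example. -n keeps a previously
# activated (possibly edited) setup file on re-runs. If the tarball has a
# different layout this fails instead of silently leaving CRS unconfigured.
mv -n "$MODSEC_DIR/modsecurity_crs_10_setup.conf.example" "$MODSEC_DIR/modsecurity_crs_10_setup.conf" || exit 1

# Activate base and optional rules by linking them into activated_rules.
# Absolute globs rather than cd + "for f in *": when that cd failed (e.g. a
# different CRS layout) the original loop ran in whatever directory the
# script happened to be in and symlinked its contents into activated_rules.
# -f so re-runs don't fail on links that already exist. Whether
# activated_rules is actually Included depends on the modsecurity config
# shipped as ./mod and the distro's security2.conf -- not visible here.
mkdir -p "$MODSEC_DIR/activated_rules"
for rule in "$MODSEC_DIR"/base_rules/* "$MODSEC_DIR"/optional_rules/*; do
  [ -e "$rule" ] || continue   # unmatched glob left as literal pattern
  ln -sf -- "$rule" "$MODSEC_DIR/activated_rules/$(basename -- "$rule")"
done

# Stop PHP advertising itself in X-Powered-By. Appended, as in the original
# (a later php.ini setting overrides an earlier one); guarded so re-runs
# don't stack copies.
grep -qxF 'expose_php = Off' /etc/php5/apache2/php.ini 2>/dev/null || echo "expose_php = Off" >> /etc/php5/apache2/php.ini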
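# Hardening. Module changes and file edits first; the apache2.conf
# directives are appended as one marker-guarded block so re-running the
# script does not stack duplicate directives. The restart that applies all
# of this happens at the end of the script.
APACHE_CONF=/etc/apache2/apache2.conf
SSL_CONF=/etc/apache2/mods-available/ssl.conf
HARDENING_MARKER='# MK3S hardening (apache.sh)'

# Disable directory browsing at the module level too (Options -Indexes
# below covers the same thing per directory).
a2dismod -f autoindex
# Remove default page
echo "" > /var/www/html/index.html
# mod_headers is needed for the Header directives below.
a2enmod headers

# TLS 1.2 only. The original wrote "–ALL" with a Unicode en dash (U+2013),
# which Apache treats as an unknown protocol name and refuses to start on,
# and it kept TLS 1.0/1.1, which are deprecated (RFC 8996). Any uncommented
# SSLProtocol / SSLCipherSuite line is rewritten, rather than only the
# literal "all -SSLv3" / "HIGH:!aNULL", so a distro with a different default
# is not silently left alone. Add +TLSv1.3 where the Apache/OpenSSL build
# supports it. Note the script never runs a2enmod ssl or installs a
# certificate, so these settings only take effect once TLS is enabled.
sed -i -E 's/^([[:space:]]*)SSLProtocol[[:space:]].*/\1SSLProtocol -all +TLSv1.2/' "$SSL_CONF"
sed -i -E 's/^([[:space:]]*)SSLCipherSuite[[:space:]].*/\1SSLCipherSuite HIGH:!MEDIUM:!aNULL:!MD5:!RC4/' "$SSL_CONF"

# Prevent DoS attacks - limit timeout. Matches any Timeout line, indented or
# not; the original only matched the literal "Timeout 300". Timeout bounds
# idle time per request; it does not by itself stop slow-header/slow-body
# attacks (mod_reqtimeout is the mitigation for those).
sed -i -E 's/^([[:space:]]*)Timeout[[:space:]]+[0-9]+/\1Timeout 45/' "$APACHE_CONF"

if ! grep -qxF -- "$HARDENING_MARKER" "$APACHE_CONF"; then
  cat >> "$APACHE_CONF" <<'EOF'
# MK3S hardening (apache.sh)
# Hide Apache2 version
ServerSignature Off
ServerTokens Prod
# Remove ETags
FileETag None
# Secure root directory. Order/Deny are 2.2-style access control; on 2.4
# they need mod_access_compat (enabled by default on Debian builds).
<Directory />
Options -Indexes
AllowOverride None
Order Deny,Allow
Deny from all
</Directory>
# Secure html directory. The original also set "Options -Indexes -Includes"
# first, but a later Options line in the same section replaces it, so only
# "Options None" ever applied. That also drops FollowSymLinks, so symlinked
# content under /var/www/html is refused.
<Directory /var/www/html>
AllowOverride None
Order Allow,Deny
Allow from All
Options None
</Directory>
# HttpOnly and Secure flags on every cookie. Secure means browsers never
# send the cookie over plain HTTP, so sessions only work once TLS is up.
# A cookie that already carries the flags just gets them twice.
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
# Clickjacking protection. "set", not "append": append would produce a
# comma-joined value if the application already sends the header, which
# browsers may treat as invalid and ignore.
Header always set X-Frame-Options SAMEORIGIN
# XSS auditor (legacy; current browsers have removed the filter)
Header set X-XSS-Protection "1; mode=block"
# HSTS. Only honoured when received over HTTPS; includeSubDomains covers
# every subdomain of the host, so confirm they all serve TLS.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
# MIME sniffing protection (the original had a stray colon after the name)
Header set X-Content-Type-Options "nosniff"
# CSP. default-src 'self' also blocks inline scripts/styles and any CDN.
Header set Content-Security-Policy "default-src 'self';"
EOF
fi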
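# Run the server as a dedicated "apache" account. --system/--group give a
# system account with no password, no home directory and a nologin shell;
# the original's bare "adduser apache" prompted interactively for a password
# and GECOS fields and created a login-capable user. Skipped if the account
# already exists so re-runs work.
if ! id apache >/dev/null 2>&1; then
  adduser --system --group --no-create-home --shell /usr/sbin/nologin apache
fi
# Apache uses the last User/Group directive it reads, so appending these
# after the packaged "User ${APACHE_RUN_USER}" line overrides it. Appended
# once only. Caveat, not changed here: Debian's init script prepares the
# lock/pid/log directories for the user named in /etc/apache2/envvars, so
# if apache2 will not start after this, set APACHE_RUN_USER/APACHE_RUN_GROUP
# there instead -- TODO confirm against the target release.
APACHE_CONF=/etc/apache2/apache2.conf
grep -qxF 'User apache' "$APACHE_CONF" || echo "User apache" >> "$APACHE_CONF"
grep -qxF 'Group apache' "$APACHE_CONF" || echo "Group apache" >> "$APACHE_CONF"
service apache2 restart
# The original also ran "service httpd restart"; on the apt-based systems
# this script targets there is no httpd service and the call only errored.

# Audit log line. Quoted: the bare [SUCCESS] in the original was a shell
# glob that would expand to a one-character filename from the cwd. Log
# path kept as in the original; the directory is created so tee can't fail
# on a fresh host. SUDO_USER names the real invoker under sudo. The grep'd
# status fragments depend on the service wrapper's output format and may
# both be empty.
LOGFILE=/bin/lib/sh/MK3S/data/MK3S.log
mkdir -p "$(dirname "$LOGFILE")"
apache_status="$(service apache2 status)"
printf '[SUCCESS] apache.sh audit ran by %s on %s. Though apache appears to be: %s %s\n' \
  "${SUDO_USER:-$USER}" "$(date -u)" \
  "$(printf '%s\n' "$apache_status" | grep ok)" \
  "$(printf '%s\n' "$apache_status" | grep fail)" \
  | tee -a "$LOGFILE"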