7-How To Set Up The Password Protect Web Directory in Apache

This document provides instructions on how to set up password protection for a web directory in Apache and configure Fail2ban to protect the Apache server from brute force and DDOS attacks. It describes how to install the necessary packages, configure Apache to allow authentication using .htaccess files, create password files and user accounts, set up authentication rules in .htaccess, and install and configure Fail2ban to monitor Apache logs and block IPs after multiple failed login attempts.

Uploaded by Đ.T. Quỳnh

7- How to Set Up the Password Protect Web Directory in Apache


Apache is one of the most widely used and popular web servers in the world, so it is
important to keep your websites private from unauthorized users. Apache
authentication can be configured to require website visitors to log in with a user ID
and password. There are many ways you can password protect directories under an
Apache web server.

This article describes an easy way to password protect a web directory in Apache
using an .htaccess file.

Note: this tutorial was done on an Ubuntu server with Apache installed.

Installing the Apache Utilities Package


First, you need to install the apache2-utils package which provides
a utility called htpasswd to create a password file.

You can install it by running the following command:

sudo apt-get install apache2-utils

Configure Apache to Allow .htaccess Authentication

By default, Apache on Ubuntu 14.04 doesn’t allow the use of .htaccess files. You
will need to change the Apache config file to allow .htaccess-based authentication.

You can do this by editing the Apache config file:

sudo nano /etc/apache2/apache2.conf

Find the section that begins with Directory "/var/www/html" and change the line
AllowOverride None to AllowOverride AuthConfig, so that the block contains:

Options Indexes FollowSymLinks
AllowOverride AuthConfig
Require all granted

Save and close the file.

Create the Password File


You can use the htpasswd command line utility to create a password file that
Apache can use to authenticate users. Now, create a hidden .htpasswd file in the
“/etc/apache2” configuration directory.

sudo htpasswd -c /etc/apache2/.htpasswd authuser1

This will ask you to supply and confirm a password for authuser1.

If you want to add another user, then leave out the -c argument
with htpasswd command.

Now, to create another authentication for a second user, authuser2:

sudo htpasswd /etc/apache2/.htpasswd authuser2

You can see the user name and the hashed password for each record by running:

sudo cat /etc/apache2/.htpasswd

You need to let the “www-data” user (the account Apache runs as) read the
.htpasswd file, without making it readable by everyone or writable by Apache:

sudo chown root:www-data /etc/apache2/.htpasswd
sudo chmod 0640 /etc/apache2/.htpasswd

Configure Apache Password Authentication


You need to create an “.htaccess” file in the web directory you wish to restrict. In
this example I will create an “.htaccess” file in the “/var/www/html/” directory to
restrict the entire document root.

sudo nano /var/www/html/.htaccess

Add the following content:

AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user

Here is what the above code means:

 AuthType: This option defines the type of authentication (HTTP Basic here).

 AuthName: This is the realm text shown in the browser’s prompt for the user
name and password.

 AuthUserFile: This option specifies the location of the user credentials file.

 Require valid-user: This indicates that only successfully authenticated requests
may load the page.

Save and close the file, and restart Apache to make these changes take effect.

sudo /etc/init.d/apache2 restart
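To check a deployment of the two files above, here is an added Python example; it is not part of the original tutorial. It reads AuthUserFile out of a .htaccess and then audits the password file for the three things that go wrong in practice: the file sits under the document root (so Apache could serve it), it is world-readable, or its records use weak hashes. The .htaccess and .htpasswd contents are constructed samples, and the digest strings are placeholders in the apr1 and bcrypt formats, not real hashes. The tutorial’s plain htpasswd call writes apr1 MD5 records (the htpasswd default); htpasswd -B writes bcrypt, which is the stronger choice.

```python
import os
import re
import stat
import tempfile

# Constructed .htaccess, matching the tutorial above.
SAMPLE_HTACCESS = """\
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
"""

# Constructed .htpasswd. The digests are placeholders in the right shape, not
# real hashes: apr1 MD5 (htpasswd default), bcrypt (htpasswd -B), and a
# plain-text record of the kind htpasswd -p would write.
SAMPLE_HTPASSWD = """\
authuser1:$apr1$abcdefgh$0123456789abcdefghijkl
authuser2:$2y$05$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234
legacy:plaintextpassword
"""

STRONG_PREFIXES = ("$2y$", "$2a$", "$2b$")   # bcrypt
ACCEPTABLE_PREFIXES = ("$apr1$",)           # Apache's salted, iterated MD5


def auth_user_file(htaccess_text):
    """Return the AuthUserFile path named in .htaccess text, or None."""
    m = re.search(r'^\s*AuthUserFile\s+"?([^"\r\n]+?)"?\s*$',
                  htaccess_text, re.MULTILINE)
    return m.group(1) if m else None


def audit_htpasswd(path, document_root):
    """Return a list of findings; an empty list means the file passes."""
    findings = []
    real = os.path.realpath(path)
    root = os.path.realpath(document_root)
    if real.startswith(root + os.sep):
        findings.append("password file is inside the document root")
    mode = os.stat(real).st_mode
    if mode & stat.S_IROTH:
        findings.append("password file is world-readable")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("password file is writable by group or others")
    with open(real) as fh:
        for lineno, line in enumerate(fh, 1):
            line = line.rstrip("\n")
            if not line or line.startswith("#"):
                continue
            if ":" not in line:
                findings.append(f"line {lineno}: malformed record")
                continue
            user, digest = line.split(":", 1)
            if not digest.startswith(STRONG_PREFIXES + ACCEPTABLE_PREFIXES):
                findings.append(f"line {lineno}: user {user!r} uses a weak hash "
                                "(plain text, crypt or {SHA}); rehash with htpasswd -B")
    return findings


def demo():
    """Write the constructed files to a temp dir and audit them: first with
    the common 0644 mistake, then with the 0640 fix, then with the password
    file placed inside the document root."""
    workdir = tempfile.mkdtemp()
    docroot = os.path.join(workdir, "html")       # stands in for /var/www/html
    os.mkdir(docroot)
    pw_path = os.path.join(workdir, ".htpasswd")  # outside the document root
    htaccess = SAMPLE_HTACCESS.replace("/etc/apache2/.htpasswd", pw_path)
    assert auth_user_file(htaccess) == pw_path
    with open(pw_path, "w") as fh:
        fh.write(SAMPLE_HTPASSWD)
    os.chmod(pw_path, 0o644)
    before = audit_htpasswd(pw_path, docroot)
    os.chmod(pw_path, 0o640)
    after = audit_htpasswd(pw_path, docroot)
    inside = audit_htpasswd(pw_path, workdir)     # treat workdir as the docroot
    return {"before": before, "after": after, "inside_docroot": inside}


if __name__ == "__main__":
    for phase, findings in demo().items():
        print(phase, findings or ["ok"])
```

The permission checks deliberately look at mode bits only, so the script works as an unprivileged user; run it as root (or compare owner/group with os.stat) if you also want to confirm root:www-data ownership.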

Testing Password Authentication


Now, on a remote machine, open your website in a web browser. You will be
prompted for a user name and password before the page loads.

If you enter the correct user credentials, you will be allowed to access the content. If
you enter the wrong user credentials or hit “Cancel,” you will see a 401
Unauthorized error page.

8- Setting Up Fail2ban to Protect Apache from a DDOS Attack

Apache is one of the most widely used and popular web servers in the world, so it is
important to protect your website and users from brute-force attacks. Fail2ban is an
open-source intrusion prevention tool written in Python. Fail2ban continuously
analyzes the log files of various services (such as Apache, ssh and postfix), and if it
detects malicious activity, it adds firewall rules that block the offending IP addresses
for a specified amount of time. Fail2ban can also inform the system administrator of
its activity by email.

In this article I will explain how to install fail2ban and configure it to monitor your
Apache logs for malicious authentication failure attempts.

Requirements
 Ubuntu server 14.04 with Apache installed

 Apache configured with password authentication

Installing Fail2Ban
First, make sure the Apache server is running and password authentication is
enabled.

Next, you can install Fail2ban by running:

sudo apt-get update
sudo apt-get install fail2ban

Configure fail2ban for Apache


Fail2ban keeps its main configuration file, “jail.conf”, in the “/etc/fail2ban/” directory.
It contains a set of pre-defined jails for various services, and it is recommended that
you do not edit this file, since package upgrades overwrite it. Instead, enable the
predefined Apache jails by creating a “/etc/fail2ban/jail.local” file, whose settings
override those in jail.conf.

To create the new “jail.local” file, run:

sudo nano /etc/fail2ban/jail.local

Add the following content:

[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache2/*error.log
maxretry = 3
findtime = 600
ignoreip = 192.168.1.227

[apache-noscript]
enabled = true
port = http,https
filter = apache-noscript
logpath = /var/log/apache2/*error.log
maxretry = 3
findtime = 600
ignoreip = 192.168.1.227

[apache-overflows]
enabled = true
port = http,https
filter = apache-overflows
logpath = /var/log/apache2/*error.log
maxretry = 2
findtime = 600
ignoreip = 192.168.1.227

[apache-badbots]
enabled = true
port = http,https
filter = apache-badbots
logpath = /var/log/apache2/*error.log
maxretry = 2
findtime = 600
ignoreip = 192.168.1.227

Save and close the file, then restart fail2ban for the changes to take effect.

sudo /etc/init.d/fail2ban restart

You can verify the rules that were added by Fail2Ban in iptables using the following
command:

sudo iptables -L

The output lists the chains and rules fail2ban has added, one chain per enabled jail
(the original screenshot is not reproduced here).

Note: the details of each jail are described below.

 [apache] : this jail blocks clients that repeatedly fail authentication.

 [apache-noscript] : this jail blocks remote clients that probe the website for
scripts to execute.

 [apache-overflows] : this jail blocks clients that request suspicious or
overlong URLs.

 [apache-badbots] : this jail blocks requests from known malicious bots.

Note: the details of each option are described below.

 enabled : this option turns the jail on.

 port : this option specifies the ports (given here by the http and https service
names) that the ban applies to.

 filter : this option refers to the filter config file of the same name located in
the /etc/fail2ban/filter.d/ directory.

 logpath : this option specifies the location of the log file(s) to watch.

 bantime : this option specifies the number of seconds that a remote host will be
blocked from the server. It is not set in the jail.local above, so the default from
jail.conf applies.

 maxretry : this option specifies the number of failed login attempts within
findtime before a remote host is blocked for the length of the ban time.

 findtime : this option specifies the window, in seconds, within which maxretry
failures must occur to trigger a ban.

 ignoreip : this option allows you to whitelist certain IP addresses so that they
are never blocked.
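The maxretry, findtime and ignoreip semantics described above, as an added Python model that is not fail2ban’s own code (fail2ban’s real matching lives in /etc/fail2ban/filter.d/apache-auth.conf and its jail engine): it parses Apache 2.4 auth_basic error-log lines (AH01617 for a password mismatch, AH01618 for an unknown user), keeps a sliding findtime window of failures per client IP, and marks an IP as banned once maxretry failures fall inside that window, skipping anything in ignoreip. The log lines are constructed samples using documentation-range addresses; bantime, the duration of the block, is not modelled.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed Apache 2.4 error-log lines (documentation-range addresses).
# AH01617 is a password mismatch, AH01618 an unknown user: the two messages
# the apache-auth filter keys on. 203.0.113.7 fails three times in 8 seconds,
# 198.51.100.9 fails three times 20 minutes apart, 192.168.1.227 is whitelisted.
SAMPLE_ERROR_LOG = """\
[Mon Jun 03 10:00:01.000000 2019] [auth_basic:error] [pid 1201] [client 203.0.113.7:50012] AH01617: user authuser1: authentication failure for "/": Password Mismatch
[Mon Jun 03 10:00:04.000000 2019] [auth_basic:error] [pid 1201] [client 203.0.113.7:50013] AH01618: user nobody not found: /
[Mon Jun 03 10:00:09.000000 2019] [auth_basic:error] [pid 1202] [client 203.0.113.7:50014] AH01617: user authuser1: authentication failure for "/": Password Mismatch
[Mon Jun 03 10:00:10.000000 2019] [auth_basic:error] [pid 1202] [client 198.51.100.9:40001] AH01617: user authuser2: authentication failure for "/": Password Mismatch
[Mon Jun 03 10:20:10.000000 2019] [auth_basic:error] [pid 1203] [client 198.51.100.9:40002] AH01617: user authuser2: authentication failure for "/": Password Mismatch
[Mon Jun 03 10:40:10.000000 2019] [auth_basic:error] [pid 1203] [client 198.51.100.9:40003] AH01618: user admin not found: /
[Mon Jun 03 10:41:00.000000 2019] [auth_basic:error] [pid 1204] [client 192.168.1.227:40004] AH01617: user authuser1: authentication failure for "/": Password Mismatch
[Mon Jun 03 10:41:01.000000 2019] [auth_basic:error] [pid 1204] [client 192.168.1.227:40005] AH01617: user authuser1: authentication failure for "/": Password Mismatch
[Mon Jun 03 10:41:02.000000 2019] [auth_basic:error] [pid 1204] [client 192.168.1.227:40006] AH01617: user authuser1: authentication failure for "/": Password Mismatch
"""

# Timestamp, client address (IPv4 or IPv6, port stripped) and the two
# auth_basic failure codes.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[auth_basic:error\] \[pid \d+\] "
    r"\[client (?P<ip>.+?):\d+\] AH0161[78]: user "
)
TS_FORMAT = "%a %b %d %H:%M:%S.%f %Y"


def parse_failure(line):
    """Return (epoch_seconds, client_ip) for an auth-failure line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT).replace(tzinfo=timezone.utc)
    return ts.timestamp(), m.group("ip")


def scan_jail(log_text, maxretry=3, findtime=600, ignoreip=("192.168.1.227",)):
    """Replay the log in order with the [apache] jail's settings and return
    {ip: epoch_of_ban} for every client that reaches maxretry failures inside
    a sliding findtime window."""
    recent = defaultdict(deque)   # ip -> failure timestamps still in the window
    banned = {}
    for line in log_text.splitlines():
        parsed = parse_failure(line)
        if parsed is None:
            continue                # not an auth failure: the filter ignores it
        now, ip = parsed
        if ip in ignoreip or ip in banned:
            continue
        hits = recent[ip]
        hits.append(now)
        while now - hits[0] > findtime:   # drop failures older than findtime
            hits.popleft()
        if len(hits) >= maxretry:
            banned[ip] = now
    return banned


if __name__ == "__main__":
    for ip, when in scan_jail(SAMPLE_ERROR_LOG).items():
        print(f"ban {ip} at {datetime.fromtimestamp(when, timezone.utc):%H:%M:%S}")
```

Running it bans only 203.0.113.7: 198.51.100.9 never has three failures within 600 seconds, and 192.168.1.227 is skipped by ignoreip. Raising findtime to 3600 would also ban 198.51.100.9, which is the trade-off the findtime setting controls: a longer window catches slow attempts at the cost of more false positives from legitimate users who mistype.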

Check Fail2ban Banning Status


Once jails are activated, you can check fail2ban using the fail2ban-client command:

sudo fail2ban-client status

You can see a list of all of the jails you enabled.

To see the status of a particular jail, such as apache or apache-badbots, run:

sudo fail2ban-client status apache

The output shows the jail’s filter counters (currently failed, total failed) and its
banned IP list (the original screenshot is not reproduced here).

You can also manually ban or unban IP addresses.

For example, to ban an IP address (192.168.1.20) with an apache jail:

sudo fail2ban-client set apache banip 192.168.1.20

To unban an IP address (192.168.1.21) with an apache jail:

sudo fail2ban-client set apache unbanip 192.168.1.21

Testing Fail2Ban
It is important to test whether fail2ban is working as expected. On a remote
machine, open your web browser and enter the URL of your domain (or your server’s
IP address). When Apache prompts for authentication, give an incorrect user name
and password repeatedly. After you have reached the maxretry limit, you should be
blocked and unable to access the site.

Check the status with the fail2ban-client command:

sudo fail2ban-client status apache

You will see your IP address being blocked from the site.

Conclusion
Now you have enough knowledge to configure fail2ban. Using fail2ban is a good
and easy way to stop login flooding (brute-force attacks). It is also a good way to limit
the number of bad requests your Apache web server has to handle.
