Web Services Security
Context
Securing Rainbow Bank's web infrastructure: HTTPS implementation, attack protection, and encrypted FTP server configuration.
Objectives
- Configure Apache with SSL/TLS (HTTPS)
- Implement attack protection (Fail2ban, mod_evasive)
- Deploy a secure FTP server (vsftpd)
- Document security configurations
Technologies Used
- Apache: web server with mod_ssl, mod_evasive
- Let's Encrypt / SSL Certificates: HTTPS encryption
- Fail2ban: brute-force protection
- vsftpd: secure FTP server (FTPS)
- Netplan: multi-NIC network configuration
Key Configurations
HTTPS VirtualHost with HSTS
<VirtualHost *:443>
ServerName extranet.rainbowbank.com
SSLEngine on
SSLCertificateFile /etc/ssl/certs/extranet.crt
SSLCertificateKeyFile /etc/ssl/private/extranet.key
Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
Fail2ban Protection
[apache-auth]
enabled = true
port = http,https
filter = apache-auth
maxretry = 3
bantime = 3600
Deliverables
Web Services Configuration (ZIP)
Archive containing all web configuration files.
vsftpd Configuration
listen=YES
listen_ipv6=NO
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/ssl/certs/rainbowbank.com.crt
rsa_private_key_file=/etc/ssl/private/rainbowbank.com.key
pasv_enable=YES
pasv_min_port=10000
pasv_max_port=10100
log_ftp_protocol=YES
xferlog_enable=YES
xferlog_std_format=NO
xferlog_file=/var/log/vsftpd.log
dual_log_enable=YES
Fail2ban Configuration (jail.local)
[DEFAULT]
backend = auto
banaction = iptables-multiport
protocol = tcp
chain = INPUT
action = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
[apache-custom]
enabled = true
port = http,https,5501,5502
filter = apache-custom
logpath = /var/log/apache2/*_access.log
maxretry = 3
findtime = 300
bantime = 300
[nginx-custom]
enabled = true
port = http,https,5501,5502
filter = nginx-custom
logpath = /var/log/nginx/access.log
maxretry = 3
findtime = 300
bantime = 300
[vsftpd-custom]
enabled = true
port = ftp,ftp-data,ftps,ftps-data
filter = vsftpd-custom
logpath = /var/log/vsftpd.log
maxretry = 3
findtime = 300
bantime = 300
iptables Rules
# Generated by iptables-save v1.8.10 (nf_tables) on Tue Feb 18 18:27:58 2025
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2:240]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ens33 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ens34 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i ens34 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i ens35 -p tcp -m tcp --dport 5501 -j ACCEPT
-A INPUT -i ens35 -p tcp -m tcp --dport 5502 -j ACCEPT
-A INPUT -i ens35 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i ens35 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -i ens35 -p tcp -m tcp --dport 10000:10100 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j LOG --log-prefix "IPTables-Dropped: "
-A FORWARD -i ens34 -o ens33 -j ACCEPT
-A FORWARD -i ens35 -o ens33 -j ACCEPT
-A FORWARD -i ens33 -o ens34 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ens33 -o ens35 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o ens33 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
# Completed on Tue Feb 18 18:27:58 2025
# Generated by iptables-save v1.8.10 (nf_tables) on Tue Feb 18 18:27:58 2025
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ens33 -j MASQUERADE
COMMIT
# Completed on Tue Feb 18 18:27:58 2025
Skills Acquired
- SSL/TLS certificate deployment
- Apache web server hardening
- Protection system configuration (IPS)
- Secure FTP service implementation
- Multi-interface network management