configuring firewall and securing apache

[skiddieleet]

In light of recent events I have been trying to make my apache web server more secure, so I turned to google. I found a few really good articles on securing apache and configuring your firewall. Here they are:
http://www.securityfocus.com/infocus/1531
http://www.securityfocus.com/infocus/1694
http://www.linux-firewall-tools.com/...3-4.html#ss4.1
http://www.linuxjournal.com/article.php?sid=4410
The first two are more focused on the security part and I believe are a good read for anyone thinking about setting up an apache web server, I didn't really understand the third one. The last one focuses on setting up apache with php and mysql, not too much about security though.

[phishphreek]

Nice links.

Something I've found that saves me tons of time when configuring the firewall on my network is fwbuilder @ www.fwbuilder.org

http://www.fwbuilder.org/archives/cat_screenshots.html

Those are some screenshots. I've been told it closely resembles Firewall1 but I've never used it... so I don't know. That is one expensive firewall.

It isn't too hard to figure out after about 10 min of tinkering.

[Phat_Penguin]

If you have MATCH_STRING enabled in the kernel for iptables, gShield found at (http://muse.linuxmafia.org/gshield/) is a good firewall script that allows you to add the strings you want to drop very easily by adding them to a conf file.

example of /etc/firewall/conf/http_string_drop on my machine using gShield .....

# drop strings here which you want to -DROP-
# if found in the packet stream (such as IIS exploit
# nonsense) - this file is specific for web services
# and must have that feature enabled in gShield.conf
cmd.exe

Just add to this file to suit the occasion ...

[lucktsm]

Thanks for the info I want to be able to secure my apache using iptables, but I want to automatically update the firewall rules based on the snort alerts. I am having a hard time with it..

[skiddieleet]

The first article seems to have what you want:

Another great suggestion from Bill Stearns (author of Mason firewall building script) is to convert your Snort network IDS rules into iptables rules with string support. Snort IDS attack signature database contains about 1200 signatures and appears to be the biggest publicly available attack database suitable for instant deployment. The ability to use the ready-made signatures for iptables is of immense value. The page that describes his experimental software is at http://www.stearns.org/snort2iptables/. There, you can find the shell script to convert a standard Snort ruleset into iptables rules. Here are a couple of examples for well-known Linux attacks against mountd and bind network daemons:

Check out the link within there, it has a shell script to convert the snort rules to iptable rules as mentioned in the quote above. Hope that does it for you.

edit
I have tried to make the rules with the strings and I don't have the libipt_string.so. If someone attached it would it work if I just copied it into the iptables lib directory?