Bonus Rules
- Disabling server signatures
nano -w /etc/apache2/mods-enabled/security2.conf
# Manipulating server signature
# ServerTokens trims Apache's own banner; SecServerSignature then overwrites the
# signature buffer in place, so the replacement string has to fit in what ServerTokens
# leaves behind (the ModSecurity reference recommends ServerTokens Full for longer values).
ServerTokens Min
SecServerSignature "null"
systemctl restart apache2
# The Server response header now reads:
Server: null
- Now let's think about whether we need something like this :) Imagine we host content that nothing links to directly. Someone can then point a crawler at the site and look for HTTP 200 responses to find that content.
- So how do we stop that? The situation described assumes the crawler will collect a number of HTTP 404s before it gets an HTTP 200, so we can work with that.
- IMPORTANT: There is a risk that doing so will break search engine bots (I'll omit the details on why here), but here is a solution:
- All our content is served from either /shelves/ or /books/, so we can use REQUEST_URI and write up something like this:
#
# Block content harvesting
#
# Assumes an earlier rule sets TX.REAL_IP (e.g. from a proxy header) and initialises
# the persistent IP collection (initcol:ip=...), which setvar:IP.* below relies on.
#
# SRC IP Whitelist
SecRule TX:REAL_IP|REMOTE_ADDR "@ipMatchFromFile http_404_whitelist.txt" \
"id:001003001,\
phase:1,\
pass,\
nolog,\
msg:'IP Whitelisted for HTTP 404',\
ctl:ruleRemoveById=001003002,\
ctl:ruleRemoveById=001003003,\
ctl:ruleRemoveById=001003004"
# Bypass for published resources
# Anchored at the start of the path: REQUEST_URI includes the query string, so an
# unanchored match could be satisfied by "?x=/books/" or by a deeper path segment.
SecRule REQUEST_URI "@rx ^/(shelves|books)(/|\?|$)" \
"id:001003002,\
phase:1,\
pass,\
nolog,\
msg:'URI Whitelisted for HTTP 404',\
ctl:ruleRemoveById=001003003,\
ctl:ruleRemoveById=001003004"
# Count each HTTP 404 per client IP; the counter expires one day after the last 404
SecRule RESPONSE_STATUS "@streq 404" \
"id:001003003,\
phase:3,\
pass,\
setvar:IP.bad_http_request=+1,\
expirevar:IP.bad_http_request=86400,\
log,\
msg:'Page Not Found - HTTP 404 - Count %{IP.bad_http_request}'"
# Drop once the limit is exceeded; evaluated on every response, not only on 404s
SecRule IP:BAD_HTTP_REQUEST "@gt 10" \
"id:001003004,\
phase:3,\
drop,\
log,\
msg:'Client Exceeded HTTP 404 Request Limit of 10 - Banned For a Day'"
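To check how the four rules interact before deploying them, here is a small simulation of the rule chain in Python. It is an added example, not code from the page or from ModSecurity: the whitelist networks, client addresses, paths and timestamps are all constructed, the `WHITELIST` list stands in for `http_404_whitelist.txt`, and the `IpCollection` class stands in for the persistent `initcol:ip` storage. The published-path check uses an anchored prefix match on the path so that a query string cannot satisfy it.

```python
# Added example (not from the page): a simulation of the four ModSecurity rules above,
# so the counting, expiry, whitelist and published-path exemptions can be checked offline.
import ipaddress
import re

# Stand-in for http_404_whitelist.txt (rule 001003001): constructed networks.
WHITELIST = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.10/32")]
# Published-path check (rule 001003002), anchored at the start of the path. REQUEST_URI
# carries the query string too, so "(/|\?|$)" accepts "/books?x=1" while "/x?y=/books/" stays counted.
PUBLISHED_RE = re.compile(r"^/(shelves|books)(/|\?|$)")
LIMIT = 10      # rule 001003004: "@gt 10"
EXPIRE = 86400  # rule 001003003: expirevar ... 86400 seconds


class IpCollection:
    """Minimal stand-in for one entry of the persistent IP collection."""
    def __init__(self):
        self.count = 0         # IP.bad_http_request
        self.expires_at = 0.0  # refreshed by expirevar on every counted 404


class HarvestGuard:
    def __init__(self):
        self.ip = {}  # client address -> IpCollection

    @staticmethod
    def is_whitelisted(addr):
        a = ipaddress.ip_address(addr)
        return any(a in net for net in WHITELIST)

    @staticmethod
    def is_published(request_uri):
        return PUBLISHED_RE.match(request_uri) is not None

    def handle(self, addr, request_uri, status, now):
        """Evaluate the rule chain for one response; return (action, current 404 count)."""
        current = self.ip.get(addr)
        count = current.count if current else 0
        if self.is_whitelisted(addr):          # rule 1: removes rules 2, 3 and 4
            return "pass", count
        if self.is_published(request_uri):     # rule 2: removes rules 3 and 4
            return "pass", count
        col = self.ip.setdefault(addr, IpCollection())
        if now >= col.expires_at:              # variable expired: ModSecurity discards it
            col.count = 0
        if status == 404:                      # rule 3: count and refresh the expiry
            col.count += 1
            col.expires_at = now + EXPIRE
        if col.count > LIMIT:                  # rule 4: runs on every response, not only 404s
            return "drop", col.count
        return "pass", col.count


def run_sample():
    """Drive the guard with a constructed request sequence and return the actions taken."""
    g = HarvestGuard()
    results = []
    bot = "198.51.100.7"
    for i in range(12):                                               # 12 probes of unlinked paths, all 404
        results.append(g.handle(bot, "/draft-%d" % i, 404, now=float(i)))
    results.append(g.handle(bot, "/books/42", 200, now=12.0))         # published path: exempt even when banned
    results.append(g.handle(bot, "/draft?x=/books/", 404, now=13.0))  # query string does not satisfy the anchored check
    results.append(g.handle("10.1.2.3", "/draft-x", 404, now=14.0))   # whitelisted: never counted
    results.append(g.handle(bot, "/index", 200, now=14.0 + EXPIRE))   # last 404 has expired: counter reset
    return results


if __name__ == "__main__":
    for action, count in run_sample():
        print(action, count)
```

The sequence in `run_sample` shows the behaviour worth knowing about rule 001003004: the eleventh 404 is the first one dropped, and after that every non-exempt request from that client is dropped regardless of its status code until the counter expires, while requests under /shelves/ or /books/ keep passing because rule 001003002 removes the counting and dropping rules for them.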