Category Archives: Apache

Protect wp-login.php with .htaccess

A brute force attack is the simplest kind of method for gaining access to a site (WordPress or not): it tries username and password combinations over and over again until it gets in. That is the main reason why you should always use strong passwords and avoid common usernames (admin, siteadmin, etc.).

The simple way to protect your WordPress site from brute force is to restrict access to the wp-login.php file with .htaccess.

<Files wp-login.php>
Order Deny,Allow
Deny from all
Allow from x.x.x.x
Allow from y.y.y.y
</Files>

You can add as many Allow from lines as you want inside the Files block; all other IPs will be blocked with a 403 (Forbidden) error.

Unfortunately this is not the nicest way, because the IPs you are accessing from are not always static…

CentOS server – basic Apache settings

It is recommended to set up a few things before you go live with your web server.

Remove the welcome page

Open the /etc/httpd/conf.d/welcome.conf file and comment out all lines.

#
# This configuration file enables the default "Welcome"
# page if there is no default index page present for
# the root URL.  To disable the Welcome page, comment
# out all the lines below.
#
#<LocationMatch "^/+$">
#    Options -Indexes
#    ErrorDocument 403 /error/noindex.html
#</LocationMatch>

Restart Apache with service httpd restart.

Basic httpd config

Open /etc/httpd/conf/httpd.conf and find the line

Options Indexes FollowSymLinks

inside the <Directory "/var/www/html"> section. Add a - (minus sign) before Indexes as shown below.

Options -Indexes FollowSymLinks

(If you leave this line as it is, a listing of the files and directories inside /var/www/html will be shown to anyone who requests a directory without an index file.)

Do not change the LogLevel warn line while you're testing your web apps. Later, when you put the server into production, replace warn with crit.

For security reasons, it is a good idea to remove the server signature. To achieve this, find the line ServerSignature On and replace On with Off:

ServerSignature Off

If you also want to hide the web server version, OS, etc., check the ServerTokens parameter. The CentOS default is ServerTokens OS.
All available options are:

ServerTokens Major|Minor|Min[imal]|Prod[uctOnly]|OS|Full
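As an added example (not part of the original post), here is a small POSIX shell audit that checks an httpd.conf and a welcome.conf for the settings discussed in this section: directory listing, ServerSignature, ServerTokens and the Welcome page. The sample configs it writes to a temp directory are constructed for the demo.

```shell
#!/bin/sh
# Added example: audit the Apache settings discussed in this section.
# audit_httpd_conf CONF WELCOME_CONF -> prints findings, returns their count (0 = clean)
audit_httpd_conf() {
    conf="$1"; welcome="$2"; findings=0
    # An uncommented Options line that turns Indexes on (bare Indexes or +Indexes)
    if grep -Eiq '^[[:space:]]*Options([[:space:]]+[+-]?[A-Za-z]+)*[[:space:]]+\+?Indexes([[:space:]]|$)' "$conf"; then
        echo "FINDING: directory listing enabled (Options ... Indexes) in $conf"
        findings=$((findings + 1))
    fi
    # ServerSignature On/EMail appends the server version to error pages
    if grep -Eiq '^[[:space:]]*ServerSignature[[:space:]]+(On|EMail)' "$conf"; then
        echo "FINDING: ServerSignature is not Off in $conf"
        findings=$((findings + 1))
    fi
    # Anything other than ServerTokens Prod[uctOnly] exposes version/OS in the Server header
    if ! grep -Eiq '^[[:space:]]*ServerTokens[[:space:]]+Prod' "$conf"; then
        echo "FINDING: ServerTokens is not Prod in $conf"
        findings=$((findings + 1))
    fi
    # An uncommented <LocationMatch> in welcome.conf means the Welcome page is still live
    if [ -f "$welcome" ] && grep -Eq '^[[:space:]]*<LocationMatch' "$welcome"; then
        echo "FINDING: default Welcome page still enabled in $welcome"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample configs: CentOS-style defaults versus the hardened settings
TMPD=$(mktemp -d)
BAD_CONF="$TMPD/httpd.conf";           BAD_WELCOME="$TMPD/welcome.conf"
GOOD_CONF="$TMPD/httpd-hardened.conf"; GOOD_WELCOME="$TMPD/welcome-off.conf"
printf '%s\n' 'ServerTokens OS' '<Directory "/var/www/html">' \
    '    Options Indexes FollowSymLinks' '</Directory>' 'ServerSignature On' > "$BAD_CONF"
printf '%s\n' '<LocationMatch "^/+$">' '    Options -Indexes' '</LocationMatch>' > "$BAD_WELCOME"
printf '%s\n' 'ServerTokens Prod' '<Directory "/var/www/html">' \
    '    Options -Indexes FollowSymLinks' '</Directory>' 'ServerSignature Off' > "$GOOD_CONF"
printf '%s\n' '#<LocationMatch "^/+$">' '#    Options -Indexes' '#</LocationMatch>' > "$GOOD_WELCOME"

audit_httpd_conf "$BAD_CONF" "$BAD_WELCOME" && rc=0 || rc=$?
echo "default config: $rc finding(s)"    # 4
audit_httpd_conf "$GOOD_CONF" "$GOOD_WELCOME" && rc=0 || rc=$?
echo "hardened config: $rc finding(s)"   # 0
```

Run it against the real /etc/httpd/conf/httpd.conf and /etc/httpd/conf.d/welcome.conf before going live; a non-zero exit status means something from this section is still missing.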

phpMyAdmin with mod_fcgid – http auth with CGI

One of the benefits of mod_fcgid is running scripts in different directories as different users (for example, every hosted virtual domain has its own system user, which can execute only its own scripts). This gives some protection so that one exploited site cannot harm the other hosted domains (of course, chmod 600 on config files is a MUST).

Unfortunately phpMyAdmin has problems with PHP in CGI mode. When using HTTP basic authentication, phpMyAdmin kept popping up the authentication dialog over and over again. The solution is to create a .htaccess file inside the phpMyAdmin web directory with the following content:

RewriteEngine On
RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization},L]

According to the phpMyAdmin documentation, when using PHP in CGI mode the authentication data is not passed to the script by default, and the .htaccess lines shown above fix this problem by copying the Authorization header into the REMOTE_USER environment variable.

Problem with apache – Address already in use… Unable to open logs

This morning I had a problem with Apache. httpd was stopped and running service httpd restart didn't work:

Starting httpd: (98)Address already in use: make_sock: could not bind to address [::]:80
(98)Address already in use: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
Unable to open logs

Port 80 was already in use by another process, so killing whatever was holding it with

# fuser -k -n tcp 80

was the solution…