Dear Unspawn,
I saw two more modules called as mod_evasive and mod_rewrite? What are you opinion about both of it any experience trying them?

IMHO you should keep your mod_security config as simple as possible. Only tweak things when the log file indicates users are denied access to what they should have. http://httpd.apache.org/docs/2.2/mod/ explains if you need mod_rewrite. And IIRC your web server should not see much traffic anyway so if you need to limit access I'd favor a network layer approach iptables (-m limit) over an application layer one.

Dear Unspawn,
When you say log which log are you referring to the httpd log I guess or any other related logs? Yes my traffic is limited to just to 2 ports only. The rest all closed even the for ssh is closed from outside.

error_log more likely. With limiting I mean '/sbin/iptables -m limit --help'.

Dear Unspwan,
Ok I will look into the error_log files. Besides that when you said /sbin/iptables -m limit --help is regarding the iptables setup right. But looking deeper into iptables it just blocking the access to limited ports. For instance port 80 have to be open for web communication what else steps can be taken to further secure this port from being used for hacking purposes.

No, the other way around: it's limiting access, the amount of times somebody can access a port (best used in conjunction with --state).


Firewall, sane Apache configuration, mod_security, logs you parse for anomalies / hacking attempts / errors (you do use something like Logwatch + fail2ban, right?), local integrity verification (Samhain, AIDE, etc, etc), so then it boils down to what apps you run. For example you can't expect any benefits if you run crappy homebrewn scripts or say a version of Joomla or WordPress a year old...

Dear Unspawn,
Yes we do have firewall, will follow the apache configuration as per your suggestion,have installed mod_security and left as default settings. Time to time will look into logwatch log files to see if something not right. Planning to move to ossec as we find it easier to understand and gives email alerts too. Back on the app its purely php and mysql db based application. Should we do more security on the logic page itself beside sql injection protection?

It kind of depends what you exactly run. If you run a common off-the-shelf application like for example WordPress, Joomla or suchlike, you should follow their recommendations for securing the application and keep the application, themes, plugins et cetera up to date. If you run homebrewn scripts then you're responsible for adhering to coding standards. While there's more to implement like a database firewall and a reverse proxy the next quickest wins IMHO would be to limit access (after all you run your web server for very specific clientele only) which could be done quickly and painlessly with ipset and watch your logs for errors (fail2ban?).

Dear Unspawn,
It is a homebrewn scripts. What database firewall do you suggest for Linux machines. Yes we will have limited clients but how to determine their ipset if they use different machines or mobile phones to login. Will fail2ban will be part of logwatch?

In essence none: review your PHP code instead.


White listing allows you to add any amount of IP ranges to an ipset. They will have to supply you with the necessary ranges. Obviously you could facilitate that with a page that takes the clients current IP address and returns the right range. Just be creative.


If configured so Logwatch output will include both /var/log/secure (or equivalent) output and fail2ban logging, yes.

Dear Unspawn,
When you review the codes I dont get you on that but we have not put the db behind firewall and is never accessible from public ip only local ip as per your previous suggestions. Thank you for the idea on the ipset will look further on that. I will try to configure the logwatch and get back incase stuck here.