---
sidebar_position: 5
---

# Web Services Security

## Context

Securing Rainbow Bank's web infrastructure: HTTPS implementation, attack protection, and encrypted FTP server configuration.

## Objectives

- Configure Apache with SSL/TLS (HTTPS)
- Implement attack protection (Fail2ban, mod_evasive)
- Deploy a secure FTP server (vsftpd)
- Document security configurations

## Technologies Used

- **Apache**: web server with mod_ssl, mod_evasive
- **Let's Encrypt / SSL Certificates**: HTTPS encryption
- **Fail2ban**: brute-force protection
- **vsftpd**: secure FTP server (FTPS)
- **Netplan**: multi-NIC network configuration

## Key Configurations

### HTTPS VirtualHost with HSTS

```apache
<VirtualHost *:443>
    ServerName extranet.rainbowbank.com

    # mod_ssl: terminate TLS with the extranet certificate and its private key
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/extranet.crt
    SSLCertificateKeyFile /etc/ssl/private/extranet.key

    # mod_headers: HSTS for one year (31536000 s); "always" also applies it to error responses
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```

### Fail2ban Protection

```ini
# Stock jail: filter.d/apache-auth.conf matches authentication failures in the
# Apache error log (logpath comes from the jail.conf default)
[apache-auth]
enabled  = true
port     = http,https
filter   = apache-auth
maxretry = 3
bantime  = 3600
```

## Deliverables
### Web Services Configuration (ZIP)

Archive containing all web configuration files.

[Download configuration archive](/assets/projets-oc/p05/bene_mael_1_config_service_web_022025.zip)
### vsftpd Configuration

```ini
# Standalone daemon, IPv4 only
listen=YES
listen_ipv6=NO

# Local accounts only, no anonymous access; each user is confined to their home directory
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
# Caveat: vsftpd refuses a chroot whose root directory is writable. Either keep the home
# directory itself read-only (uploads go to a writable subdirectory) or add allow_writeable_chroot=YES.

# Explicit FTPS: TLS is required for both the login and the data channel, legacy SSL is disabled
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/ssl/certs/rainbowbank.com.crt
rsa_private_key_file=/etc/ssl/private/rainbowbank.com.key

# Passive mode on a fixed port range; the same range must be opened in the firewall,
# because the encrypted control channel hides PASV replies from the FTP conntrack helper
pasv_enable=YES
pasv_min_port=10000
pasv_max_port=10100

# Logging: full protocol trace plus transfer log, written to /var/log/vsftpd.log
log_ftp_protocol=YES
xferlog_enable=YES
xferlog_std_format=NO
xferlog_file=/var/log/vsftpd.log
dual_log_enable=YES
```
### Fail2ban Configuration (jail.local)

```ini
[DEFAULT]
backend   = auto
banaction = iptables-multiport
protocol  = tcp
chain     = INPUT
# Ban by inserting a multiport DROP rule on INPUT, named after the jail that triggered it
action    = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

# All three jails use the same policy: 3 matches within 300 s => 300 s ban.
# The apache-custom, nginx-custom and vsftpd-custom filters must exist in filter.d/;
# ports 5501 and 5502 are the extra TCP ports accepted by the iptables rules on ens35.

[apache-custom]
enabled  = true
port     = http,https,5501,5502
filter   = apache-custom
logpath  = /var/log/apache2/*_access.log
maxretry = 3
findtime = 300
bantime  = 300

[nginx-custom]
enabled  = true
port     = http,https,5501,5502
filter   = nginx-custom
logpath  = /var/log/nginx/access.log
maxretry = 3
findtime = 300
bantime  = 300

[vsftpd-custom]
enabled  = true
port     = ftp,ftp-data,ftps,ftps-data
filter   = vsftpd-custom
logpath  = /var/log/vsftpd.log
maxretry = 3
findtime = 300
bantime  = 300
```
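The jails above (and the `[apache-auth]` jail under Key Configurations) all express one rule: `maxretry` matches inside a window of `findtime` seconds earn a ban of `bantime` seconds. The following is an added example, not part of the project's configuration, that replays that rule in Python over constructed Apache access-log lines so the window behaviour can be checked by hand. Because the `filter.d/*-custom.conf` files are not shown on this page, it assumes a filter that counts 401 and 403 responses as failures; the `Jail` class, the sample addresses and the timestamps are its own.

```python
"""Fail2ban-style sliding-window banning replayed over constructed access-log lines.

Added example, not part of the project's configuration. Assumes a filter that
treats HTTP 401/403 responses as failures (the page's custom filters are not shown).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in Apache "combined" format (not from the project's server).
LOG_LINES = [
    '10.0.0.5 - - [18/Feb/2025:18:00:01 +0100] "POST /login HTTP/1.1" 401 512 "-" "curl/8.5.0"',
    '192.168.1.20 - - [18/Feb/2025:18:00:05 +0100] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [18/Feb/2025:18:00:40 +0100] "POST /login HTTP/1.1" 401 512 "-" "curl/8.5.0"',
    '10.0.0.9 - - [18/Feb/2025:18:01:00 +0100] "POST /login HTTP/1.1" 401 512 "-" "curl/8.5.0"',
    '10.0.0.5 - - [18/Feb/2025:18:01:30 +0100] "POST /login HTTP/1.1" 401 512 "-" "curl/8.5.0"',
    '10.0.0.5 - - [18/Feb/2025:18:02:00 +0100] "POST /login HTTP/1.1" 401 512 "-" "curl/8.5.0"',
    '10.0.0.9 - - [18/Feb/2025:18:05:30 +0100] "POST /login HTTP/1.1" 401 512 "-" "curl/8.5.0"',
    '10.0.0.9 - - [18/Feb/2025:18:07:00 +0100] "POST /login HTTP/1.1" 401 512 "-" "curl/8.5.0"',
    '10.0.0.5 - - [18/Feb/2025:18:07:00 +0100] "POST /login HTTP/1.1" 401 512 "-" "curl/8.5.0"',
    'not a log line',
]

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (host, timestamp, status) for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["host"], datetime.strptime(m["ts"], TS_FMT), int(m["status"])


class Jail:
    """Replays the jail.local policy: maxretry failures within findtime s => ban for bantime s."""

    def __init__(self, maxretry=3, findtime=300, bantime=300, fail_statuses=(401, 403)):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.fail_statuses = set(fail_statuses)
        self.failures = defaultdict(deque)   # host -> timestamps of failures still inside findtime
        self.bans = {}                       # host -> time at which the ban expires

    def feed(self, line):
        """Process one line; return the host if this line triggers a new ban, else None."""
        parsed = parse_line(line)
        if parsed is None:
            return None
        host, ts, status = parsed
        if host in self.bans:
            if ts < self.bans[host]:
                # Still banned. With the iptables ban in place Apache would never log this hit.
                return None
            del self.bans[host]              # bantime elapsed: the ban is lifted
        if status not in self.fail_statuses:
            return None
        window = self.failures[host]
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > self.findtime:
            window.popleft()                 # forget failures older than findtime
        if len(window) >= self.maxretry:
            self.bans[host] = ts + timedelta(seconds=self.bantime)
            window.clear()
            return host
        return None

    def run(self, lines):
        """Return the hosts banned, in order, while replaying the lines."""
        return [host for line in lines if (host := self.feed(line)) is not None]


if __name__ == "__main__":
    jail = Jail()    # defaults mirror the [apache-custom] jail: 3 retries / 300 s / 300 s
    print("banned:", jail.run(LOG_LINES))
```

Replaying the sample lines bans 10.0.0.5 on its third 401 inside 90 seconds, ignores its fourth attempt while the ban holds, and lets it back in once 300 seconds have passed; 10.0.0.9 never reaches three failures inside any 300-second window, which is exactly the difference `findtime` makes. Pass `bantime=3600` to model the `[apache-auth]` jail instead.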
### iptables Rules

```bash
# Generated by iptables-save v1.8.10 (nf_tables) on Tue Feb 18 18:27:58 2025
*filter
# Default deny for inbound and forwarded traffic; outbound is allowed by policy
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2:240]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ens33 -m state --state RELATED,ESTABLISHED -j ACCEPT
# ens34: HTTP and HTTPS only
-A INPUT -i ens34 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i ens34 -p tcp -m tcp --dport 443 -j ACCEPT
# ens35: ports 5501/5502, SSH, FTP control and the vsftpd passive range (pasv_min_port..pasv_max_port)
-A INPUT -i ens35 -p tcp -m tcp --dport 5501 -j ACCEPT
-A INPUT -i ens35 -p tcp -m tcp --dport 5502 -j ACCEPT
-A INPUT -i ens35 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i ens35 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -i ens35 -p tcp -m tcp --dport 10000:10100 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Everything else is logged, then dropped by the INPUT policy (unrated LOG rules can fill
# the log under a flood; "-m limit" is the usual guard)
-A INPUT -j LOG --log-prefix "IPTables-Dropped: "
# Forwarding from the inside interfaces out through ens33, replies back only for known flows
-A FORWARD -i ens34 -o ens33 -j ACCEPT
-A FORWARD -i ens35 -o ens33 -j ACCEPT
-A FORWARD -i ens33 -o ens34 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ens33 -o ens35 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o ens33 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
# Completed on Tue Feb 18 18:27:58 2025
# Generated by iptables-save v1.8.10 (nf_tables) on Tue Feb 18 18:27:58 2025
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# ens33 is the uplink: forwarded traffic leaving through it is source-NATed
-A POSTROUTING -o ens33 -j MASQUERADE
COMMIT
# Completed on Tue Feb 18 18:27:58 2025
```
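The vsftpd configuration and the iptables rules above have to agree: with FTPS the control channel is encrypted, so the kernel's FTP conntrack helper cannot read the PASV reply and open the data port on demand, which is why the whole `pasv_min_port`..`pasv_max_port` range is accepted explicitly on ens35. The following added example, not one of the project's deliverables, audits that agreement in Python: it parses a vsftpd.conf, checks the TLS-only and no-anonymous settings, parses an iptables-save dump and verifies that port 21 and every passive port are accepted. The inline inputs are trimmed copies in the shape of the page's configs, and the `REQUIRED` table and helper names are this example's own.

```python
"""Cross-check a vsftpd.conf against an iptables-save dump.

Added example, not a project deliverable. Inputs below are constructed copies in the
shape of the page's configuration, not the live files.
"""
import re

VSFTPD_CONF = """\
anonymous_enable=NO
local_enable=YES
chroot_local_user=YES
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO
pasv_enable=YES
pasv_min_port=10000
pasv_max_port=10100
"""

IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i ens35 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i ens35 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -i ens35 -p tcp -m tcp --dport 10000:10100 -j ACCEPT
-A INPUT -j LOG --log-prefix "IPTables-Dropped: "
COMMIT
"""

# Settings an FTPS-only, no-anonymous deployment must carry (this example's own checklist).
REQUIRED = {
    "anonymous_enable": "NO",
    "ssl_enable": "YES",
    "allow_anon_ssl": "NO",
    "force_local_data_ssl": "YES",
    "force_local_logins_ssl": "YES",
    "ssl_sslv2": "NO",
    "ssl_sslv3": "NO",
}

# One INPUT ACCEPT rule for TCP with a single --dport or a low:high range.
DPORT_RE = re.compile(r"^-A INPUT .*-p tcp .*--dport (\d+)(?::(\d+))? .*-j ACCEPT$")


def parse_vsftpd(text):
    """vsftpd.conf is one key=value per line; lines starting with '#' are comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def vsftpd_findings(conf):
    """Deviations from REQUIRED as 'key=actual, expected X' strings; empty list means clean."""
    return [
        f"{key}={conf.get(key)!r}, expected {want}"
        for key, want in REQUIRED.items()
        if conf.get(key) != want
    ]


def accepted_tcp_ports(rules):
    """(low, high) ranges accepted on INPUT; a single port becomes (p, p)."""
    ranges = []
    for line in rules.splitlines():
        m = DPORT_RE.match(line)
        if m:
            low = int(m.group(1))
            ranges.append((low, int(m.group(2) or low)))
    return ranges


def port_open(port, ranges):
    return any(low <= port <= high for low, high in ranges)


def ftp_ports_open(conf, rules):
    """True when port 21 and every passive data port vsftpd may hand out are accepted.

    Without pasv_min_port/pasv_max_port vsftpd picks any free port (the vsftpd default),
    which no finite firewall rule can cover, so that case counts as not open.
    """
    ranges = accepted_tcp_ports(rules)
    if not port_open(21, ranges):
        return False
    if conf.get("pasv_enable", "YES") != "YES":   # vsftpd defaults pasv_enable to YES
        return True
    if "pasv_min_port" not in conf or "pasv_max_port" not in conf:
        return False
    low, high = int(conf["pasv_min_port"]), int(conf["pasv_max_port"])
    return all(port_open(p, ranges) for p in range(low, high + 1))


def audit(conf_text, rules_text):
    """Combined report: TLS/anonymous findings plus the firewall cross-check."""
    conf = parse_vsftpd(conf_text)
    findings = vsftpd_findings(conf)
    if not ftp_ports_open(conf, rules_text):
        findings.append("firewall does not accept port 21 and the whole passive range")
    return findings


if __name__ == "__main__":
    print(audit(VSFTPD_CONF, IPTABLES_SAVE) or ["no findings"])
```

On the page's values the audit is clean; narrowing the firewall range to `10000:10050` or flipping `ssl_sslv3` back to `YES` each produce one finding, which is the kind of drift that otherwise only shows up as intermittent "cannot open data connection" errors from FTPS clients.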
## Skills Acquired

- SSL/TLS certificate deployment
- Apache web server hardening
- Protection system configuration (IPS)
- Secure FTP service implementation
- Multi-interface network management