Apache hardening checklist

How to secure Apache web server?

Hardening a web server is a challenging day-to-day task. The following are some useful techniques to minimize the risk of the server being compromised.

The following checklist describes how to secure an Apache web server:

1. Upgrade the Apache web server
2. Prevent the Apache web server from displaying its version
3. Prevent directory listing
4. Run the Apache web server as a non-privileged user and group
5. Deny directory access
6. Disable unwanted modules in the Apache configuration file httpd.conf
7. Protect the conf and bin directories
8. Secure the web server using the Apache modules mod_security and mod_evasive
9. Protect the Apache web server from HTTP request method vulnerabilities
10. Disable the HTTP TRACE method by adding the directive "TraceEnable off" to the httpd.conf file
11. Limit the request size to avoid denial of service attacks
12. Disable Server Side Includes
13. Cross-site scripting protection
14. Timeout value configuration
15. Protect the Apache web server using iptables chains
16. Disable / remove the Apache web server test page

1. Upgrade the Apache web server whenever a patch is released by the Apache Software Foundation.

CentOS / Red Hat & Fedora

#yum update httpd

Debian (the package is named apache2)

#apt-get update
#apt-get install apache2

 

2. Prevent the Apache web server from displaying its version by editing httpd.conf.

 

#vi /etc/httpd/conf/httpd.conf

# Configures the footer on server-generated documents; useful only for debugging
ServerSignature Off
# The amount of version detail the server reveals is controlled by the ServerTokens directive
ServerTokens Prod

Save & Exit!

Reload or restart the Apache service for the changes to take effect.

#service httpd reload

OR

#service httpd restart

Note:
ServerTokens Full (or not specified): the server sends e.g. "Apache/2.4.x (Unix) PHP/4.2.x"
ServerTokens Prod: the server sends only the product name, e.g. "Apache"
ServerTokens Major: the server sends the product and major version only, e.g. "Apache/2"
ServerTokens Min: the server sends the product and minimal version, e.g. "Apache/2.4.x"
ServerSignature Off: removes the footer (server version and host name) from server-generated documents such as error pages; that footer is useful only for debugging.

 

3. Prevent Directory Listing

If no default index page exists, the Apache web server lists all the files and folders of the web document root directory.

You can prevent directory listing by adding an Options directive to the httpd.conf file.

#vi /etc/httpd/conf/httpd.conf

<Directory /var/www/html>
Options -Indexes
</Directory>

Save & Exit!

Note:
Options None disables all options for the directory; Options -Indexes removes only directory indexing and leaves the other options in place.

Reload or restart the Apache service for the changes to take effect.

#service httpd reload

OR

#service httpd restart

 

4. Run the Apache web server as a non-privileged user and group.

If Apache runs as a privileged account, the server is at high risk. Create a non-privileged user and group account:

#groupadd apache-web
#useradd -d /var/www -G apache-web -s /bin/nologin apache-web

Now change the user and group the Apache service runs as by editing the httpd.conf file:

#vi /etc/httpd/conf/httpd.conf

User apache-web
Group apache-web

Save & Exit!

Change the owner and group of the web document root folder:

#chown -R apache-web:apache-web /var/www/

Reload or restart the Apache service for the changes to take effect.

#service httpd reload

OR

#service httpd restart

 

5. Deny directory access

Access to a directory can be allowed or denied using the Options, Order, Allow and Deny directives.

#vi /etc/httpd/conf/httpd.conf

<Directory /sites/abc.com/somedirectory>
Options None
Order deny,allow
allow from 192.168.0.0/24
deny from all
</Directory>

Save & Exit!

Note:

Options None: disables all options (such as indexing and includes) for this directory.
Order deny,allow: sets the order in which the Deny and Allow rules are evaluated; here Deny is evaluated first and a matching Allow overrides it.
Deny from all: denies everybody; you can also deny selectively.
Allow from 192.168.0.0/24: allows access from a known network.

These Order/Allow/Deny directives are the Apache 2.2 (mod_access_compat) syntax; on Apache 2.4 the equivalent is "Require ip 192.168.0.0/24" from mod_authz_core.

 

6. Disable unwanted modules in Apache configuration file httpd.conf

Disabling modules you do not use reduces the attack surface, so the server is less likely to fall victim to a web attack, and it also reduces the load on the server.

#grep "LoadModule" /etc/httpd/conf/httpd.conf

The Apache modules below can be disabled when the corresponding feature is not needed:

mod_proxy_ftp, mod_proxy_http, mod_proxy_ajp, mod_userdir, mod_proxy_balancer, mod_autoindex, mod_ldap (ldap_module), mod_info (info_module), mod_actions (actions_module), mod_speling (speling_module), mod_substitute (substitute_module), mod_cgi (cgi_module), mod_version (version_module), mod_suexec (suexec_module)

Note:
Prefix the LoadModule line with # to disable the module.
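As an added example (not part of the original post), the following POSIX shell script lists the LoadModule lines that are still active and match the list above, then comments one of them out in place. It operates on a constructed sample httpd.conf written to a temporary file, so nothing under /etc/httpd is touched; the function names (enabled_risky_modules, disable_module) and the assumption that each module's shared object is named mod_<name>.so are mine.

```sh
#!/bin/sh
# Added example, not from the original post: find active LoadModule lines for
# modules on the post's "can be disabled" list and comment them out.
# Works on a constructed sample file, never on /etc/httpd/conf/httpd.conf.

# The post's list, normalised to the mod_<name> file stem used in LoadModule.
RISKY_MODULES="mod_proxy_ftp mod_proxy_http mod_proxy_ajp mod_proxy_balancer
mod_userdir mod_autoindex mod_ldap mod_info mod_actions mod_speling
mod_substitute mod_cgi mod_version mod_suexec"

# Print the stem (e.g. mod_cgi) of every uncommented LoadModule line in $1
# whose shared object is in RISKY_MODULES. Lines starting with # are ignored.
enabled_risky_modules() {
    grep -E '^[[:space:]]*LoadModule[[:space:]]' "$1" |
    awk '{ n = split($3, p, "/"); sub(/\.so$/, "", p[n]); print p[n] }' |
    while read -r stem; do
        for risky in $RISKY_MODULES; do
            if [ "$stem" = "$risky" ]; then echo "$stem"; fi
        done
    done
}

# Comment out the LoadModule line for stem $1 in file $2. A temporary copy is
# used instead of "sed -i" so the script behaves the same with GNU and BSD sed.
disable_module() {
    sed "s|^\\([[:space:]]*LoadModule[[:space:]].*/$1\\.so\\)|#\\1|" "$2" > "$2.tmp" \
        && mv "$2.tmp" "$2"
}

# Constructed sample configuration (not a real server's file).
CONF=$(mktemp)
cat > "$CONF" <<'EOF'
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule dir_module modules/mod_dir.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule cgi_module modules/mod_cgi.so
#LoadModule userdir_module modules/mod_userdir.so
LoadModule proxy_http_module modules/mod_proxy_http.so
EOF

echo "Active modules from the disable list:"
enabled_risky_modules "$CONF"          # mod_autoindex, mod_cgi, mod_proxy_http

disable_module mod_cgi "$CONF"
echo "After disabling mod_cgi:"
enabled_risky_modules "$CONF"          # mod_autoindex, mod_proxy_http
```

Point the script at a copy of your own httpd.conf (and the files in conf.d or conf.modules.d, which on newer CentOS releases hold most LoadModule lines) to see which of the listed modules are still loaded; check the output of the audit before disabling anything, since an application that relies on mod_cgi or mod_proxy_http will stop working once the module is gone.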

 

7. Protect “conf” and “bin” directories

The default permissions for conf and bin are 755, which lets every other user on the server read them.

Switch to /etc/httpd/ and change the permissions of bin and conf:

#cd /etc/httpd

#chmod -R 750 bin conf

OR use absolute path

#chmod -R 750 /etc/httpd/conf /etc/httpd/bin

Note:

-R: recursive, so the change applies to everything inside bin and conf
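As an added example (not part of the original post), this POSIX shell script reports which files and directories are still accessible to "other" users, which is the state the chmod above is meant to remove. It is demonstrated on a temporary directory tree that mimics /etc/httpd, so nothing on the real system changes; the function names world_accessible and world_accessible_count are mine.

```sh
#!/bin/sh
# Added example, not from the original post: report files and directories that
# are still accessible to "other" users, i.e. not yet at the 750 the post
# recommends for conf and bin. Demonstrated on a temporary tree that mimics
# /etc/httpd, so nothing on the real system is changed.

# Print every path under $1 with any "other" permission bit set
# (octal 004 read, 002 write, 001 execute). "-perm -MODE" is POSIX find.
world_accessible() {
    find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) -print | sort
}

# Number of such paths, for a quick pass/fail.
world_accessible_count() {
    world_accessible "$1" | wc -l | tr -d ' '
}

# Constructed sample tree with the 755/644 modes of a default install.
ROOT=$(mktemp -d)
mkdir -p "$ROOT/conf" "$ROOT/bin"
printf 'ServerTokens Prod\n' > "$ROOT/conf/httpd.conf"
printf '#!/bin/sh\n'         > "$ROOT/bin/apachectl"
chmod 755 "$ROOT/conf" "$ROOT/bin" "$ROOT/bin/apachectl"
chmod 644 "$ROOT/conf/httpd.conf"

BEFORE=$(world_accessible_count "$ROOT/conf")   # 2: conf/ and conf/httpd.conf
echo "Before: $BEFORE world-accessible entries under conf"

# The post's fix, applied to the sample tree instead of /etc/httpd.
chmod -R 750 "$ROOT/conf" "$ROOT/bin"

AFTER=$(world_accessible_count "$ROOT/conf")    # 0
echo "After:  $AFTER world-accessible entries under conf"
```

Run world_accessible against /etc/httpd/conf and /etc/httpd/bin after the chmod to confirm nothing was missed. One side effect of "chmod -R 750" is that plain configuration files end up with the execute bit set; if you prefer, use "find conf -type d -exec chmod 750 {} +" for directories and "find conf -type f -exec chmod 640 {} +" for files, which the check above accepts just the same.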

 

8. Securing a web server using the Apache modules mod_security and mod_evasive

mod_security is a free web application firewall (WAF) module that protects your web server from attackers; mod_security is available for both Apache and IIS.
It comes with rule sets that prevent SQL injection, cross-site scripting, session hijacking and many more attacks.

mod_evasive is a module that protects the web server from DoS, DDoS and brute-force attacks, and it can use iptables chains to filter the offending hosts. It watches for and reacts to:

  • Massive numbers of requests from a single IP address
  • Massive numbers of child processes handling more than 50 concurrent requests
  • Temporarily blacklisting such IPs if the attack continues
  • Reporting the alert to a SYSLOG server

Install mod_security & mod_evasive

#yum install mod_security
#yum install mod_evasive

Reload or restart the Apache service for the changes to take effect.

#service httpd reload

OR

#service httpd restart

 

9. Protect the Apache web server from HTTP method vulnerabilities.

Potentially dangerous methods: PUT, DELETE, TRACE & OPTIONS

#vi /etc/httpd/conf/httpd.conf

<Directory /sites/abc.com>
<LimitExcept GET POST HEAD>
deny from all
</LimitExcept>
</Directory>

Save & Exit!

Note:

LimitExcept: only the GET, POST & HEAD methods are allowed for the given website folder; every other method is denied.
The LimitExcept directive must be placed within a <Directory> directive.

Reload or restart the Apache service for the changes to take effect.

#service httpd reload

 

10. Disable the HTTP TRACE method by adding the directive "TraceEnable off" to the httpd.conf file.

#vi /etc/httpd/conf/httpd.conf

TraceEnable off

Save & Exit!

Reload or restart the Apache service for the changes to take effect.

#service httpd reload

 

11. Limit the request size to avoid denial of service attacks.

LimitRequestBody is the directive that limits the size in bytes of the request body sent by a client; you can set it to 0 for unlimited bytes, and up to a maximum of 2GB.

LimitRequestBody keeps client requests within the baseline; a larger request is rejected with an error. This gives you greater control over web attacks by limiting the request body size.

Let's assume that you have a web portal which allows users to upload files to a folder under the web root; in this example we restrict the upload size to 100k:

100k x 1024 = 102400 bytes

Add the directive below to the Apache configuration file:

#vi /etc/httpd/conf/httpd.conf

<Directory "/sites/abc.com/uploads">
LimitRequestBody 102400
</Directory>

Save & Exit!

Reload or restart the Apache service for the changes to take effect.

#service httpd reload

 

12. Disable Server Side Includes (SSI)

SSI (Server Side Includes) increases the load on the web server, especially on a shared server or a web portal with heavy traffic.

It is strongly recommended to disable server side includes using the Options directive. Add the entry below within a <Directory> </Directory> block.

#vi /etc/httpd/conf/httpd.conf

<Directory /sites/abc.com>
Options -Includes
</Directory>

Save & Exit!

Reload or restart the Apache service for the changes to take effect.

#service httpd reload

 

13. Cross-site scripting protection.

Cross-site scripting (XSS) is a major risk for web applications; most web attackers try to hit a site through a cross-site scripting vulnerability.

Add the directive below to the Apache configuration file to protect against XSS attacks:

#vi /etc/httpd/conf/httpd.conf

<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
</IfModule>

Save & Exit!

Reload or restart the Apache service for the changes to take effect.

#service httpd reload
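As an added example (not part of the original post), the following POSIX shell script performs the black-box checks that verify step 2 (the Server banner and the ServerSignature footer) and step 13 (the X-XSS-Protection header) from the outside, the way you would inspect the output of "curl -i" against the server. The two HTTP responses are constructed samples, not captures from a real server, and the function names (header_value, server_banner_check, signature_check, xss_header_check) are mine.

```sh
#!/bin/sh
# Added example, not from the original post: black-box checks on a captured
# HTTP response (what "curl -i http://host/missing" would return) for the
# effects of steps 2 and 13: the Server banner, the ServerSignature footer
# and the X-XSS-Protection header. Both responses below are constructed
# samples, not captures from a real server.

# Print the value of header $2 (matched case-insensitively) from response $1.
# Stops at the blank line that ends the header block, so body text that
# happens to contain "Server:" is never mistaken for a header.
header_value() {
    printf '%s\n' "$1" | awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*$/ { exit }
        {
            split($0, kv, ":")
            if (tolower(kv[1]) == want) {
                v = substr($0, length(kv[1]) + 2)
                sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
                print v; exit
            }
        }'
}

# "ok" when the Server header is the bare product name (ServerTokens Prod);
# "leaks" when it still carries a version, OS or module list.
server_banner_check() {
    case "$(header_value "$1" Server)" in
        */* | *\(*) echo leaks ;;
        *)          echo ok ;;
    esac
}

# "on" when the ServerSignature footer appears in the error page body.
signature_check() {
    if printf '%s\n' "$1" | grep -qi '<address>.*Server at '; then
        echo on
    else
        echo off
    fi
}

# "set" for the value step 13 configures, "missing" when absent, "other"
# for any different value (e.g. "0", which turns the browser filter off).
xss_header_check() {
    case "$(header_value "$1" X-XSS-Protection)" in
        "1; mode=block") echo set ;;
        "")              echo missing ;;
        *)               echo other ;;
    esac
}

# Constructed: a default install answering a 404 before hardening.
BEFORE='HTTP/1.1 404 Not Found
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache/2.4.x (Unix) PHP/5.4.x
Content-Type: text/html; charset=iso-8859-1

<html><body><h1>Not Found</h1>
<address>Apache/2.4.x (Unix) Server at www.example.com Port 80</address>
</body></html>'

# Constructed: the same request after steps 2 and 13.
AFTER='HTTP/1.1 404 Not Found
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache
X-XSS-Protection: 1; mode=block
Content-Type: text/html; charset=iso-8859-1

<html><body><h1>Not Found</h1></body></html>'

echo "before: banner=$(server_banner_check "$BEFORE") signature=$(signature_check "$BEFORE") xss=$(xss_header_check "$BEFORE")"
echo "after:  banner=$(server_banner_check "$AFTER") signature=$(signature_check "$AFTER") xss=$(xss_header_check "$AFTER")"
```

Feed the script the saved output of "curl -si http://yourhost/does-not-exist" to test a real server; a request for a missing page is used because the ServerSignature footer only appears on server-generated error pages. Treat the X-XSS-Protection check as a legacy-header check: Chrome and Edge have removed support for that header and Firefox never implemented it, so a Content-Security-Policy header is what protects current browsers, and header_value can be pointed at it in the same way.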

 

14. Timeout value configuration

The default Timeout value in Apache is 300 seconds, which keeps idle connections open long enough to be abused in a denial of service attack. Reducing the time-out value lowers the risk.
Modify the time-out value by editing httpd.conf:

#vi /etc/httpd/conf/httpd.conf

Timeout 60

Save & Exit!

Reload or restart the Apache service for the changes to take effect.

#service httpd reload
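As an added example (not part of the original post), the following POSIX shell script is a read-only audit of an httpd.conf for the directives set in steps 3, 10, 11, 12 and 14: Options Indexes and Includes, TraceEnable, LimitRequestBody and Timeout. It runs against two constructed sample files (one before and one after the changes), never against a live server's configuration; the function names (directive_value, options_feature, audit_conf) are mine, and the audit deliberately does not model Apache's per-<Directory> merging of Options, so it flags a feature as enabled if any Options line in the file switches it on.

```sh
#!/bin/sh
# Added example, not from the original post: a read-only audit of an
# httpd.conf for the directives set in steps 3, 10, 11, 12 and 14
# (Options Indexes/Includes, TraceEnable, LimitRequestBody, Timeout).
# It runs against constructed sample files, never a live server's config.
# Limitation: Options lines are checked wherever they appear; the audit
# does not model Apache's per-<Directory> merging.

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# First uncommented value of directive $2 in file $1 (case-insensitive, as
# Apache reads directive names); empty when absent, meaning the default applies.
directive_value() {
    grep -i -E "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{ print $2 }'
}

# "enabled" if any uncommented Options line switches on feature $2, either
# by naming it (bare or with +) or through "All", without also listing
# "-feature" on that line; otherwise "disabled".
options_feature() {
    awk -v f="$(lower "$2")" '
        tolower($1) == "options" {
            line_on = 0
            for (i = 2; i <= NF; i++) {
                t = tolower($i)
                if (t == f || t == ("+" f) || t == "all") line_on = 1
                if (t == ("-" f)) line_on = 0
            }
            if (line_on) on = 1
        }
        END { print (on ? "enabled" : "disabled") }' "$1"
}

# One line per check: directive, current setting, and ok/FIX.
audit_conf() {
    v=$(directive_value "$1" TraceEnable)
    case "$(lower "$v")" in off) r=ok ;; *) r=FIX ;; esac
    echo "TraceEnable: ${v:-on (default)} [$r]"

    v=$(directive_value "$1" Timeout)          # the post's default is 300 s
    if [ -n "$v" ] && [ "$v" -le 60 ]; then r=ok; else r=FIX; fi
    echo "Timeout: ${v:-300 (default)} [$r]"

    v=$(directive_value "$1" LimitRequestBody) # 0 or absent means unlimited
    if [ -n "$v" ] && [ "$v" -gt 0 ]; then r=ok; else r=FIX; fi
    echo "LimitRequestBody: ${v:-0 (unlimited)} [$r]"

    for feature in Indexes Includes; do
        s=$(options_feature "$1" "$feature")
        case "$s" in disabled) r=ok ;; *) r=FIX ;; esac
        echo "Options $feature: $s [$r]"
    done
}

# Constructed sample: a configuration before the post's changes.
CONF=$(mktemp)
cat > "$CONF" <<'EOF'
ServerTokens Prod
Timeout 300
#TraceEnable off
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
<Directory "/sites/abc.com">
    Options -Includes
</Directory>
EOF

# Constructed sample: the same file after steps 3, 10, 11, 12 and 14.
FIXED=$(mktemp)
cat > "$FIXED" <<'EOF'
ServerTokens Prod
Timeout 60
TraceEnable off
<Directory "/var/www/html">
    Options -Indexes -Includes
</Directory>
<Directory "/sites/abc.com/uploads">
    LimitRequestBody 102400
</Directory>
EOF

echo "--- before ---"; audit_conf "$CONF"     # four FIX findings
echo "--- after ----"; audit_conf "$FIXED"    # no FIX findings
```

Run audit_conf against your own httpd.conf (and any included files) after each of the steps above; a commented-out directive such as "#TraceEnable off" counts as absent, which is exactly the mistake the audit is meant to catch.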

 

15. Protect the Apache web server using iptables chains

iptables is the firewall built into your Linux box; it is a very powerful tool to control network traffic.

Filters can be applied on the source and destination IP address and on the protocol (TCP, UDP and ICMP).
Allow only a limited number of concurrent connections to a service port per host:

#iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 3 -j REJECT

Prevent DoS attacks by rate-limiting traffic to service port 80; this allows 25 per minute with a burst of 100:

#iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

For more details refer to: http://demo.com/what-is-iptables/
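As an added example (not part of the original post), this POSIX shell script shows the detection side of step 8 (mod_evasive) and step 15 (the iptables rate limit): both act on the number of requests a single client sends per unit of time, and before choosing thresholds like 25 per minute you want to see what your real traffic looks like. The script reads an Apache access log in the combined format and reports the clients that exceeded a per-minute request count. The log lines are constructed, not a real capture, and the function name busy_clients is mine.

```sh
#!/bin/sh
# Added example, not from the original post: the detection side of steps 8
# and 15. mod_evasive and the iptables "limit" rule both act on the request
# rate per client; this script reads an Apache access log in combined format
# and reports clients that exceeded a per-minute request count, which is the
# evidence to look at before choosing those thresholds. The log lines are
# constructed, not a real capture.

# Print "IP minute count" for each client that made more than $2 requests
# within a single clock minute in log file $1, sorted for stable output.
busy_clients() {
    awk -v max="$2" '
        {
            # $4 is the timestamp, e.g. [10/Oct/2023:13:55:36; keep up to the minute
            minute = substr($4, 2, 17)
            n[$1 " " minute]++
        }
        END {
            for (k in n) if (n[k] > max) print k, n[k]
        }' "$1" | sort
}

# Constructed log: one normal visitor and one client hammering /login.
LOG=$(mktemp)
printf '192.168.0.10 - - [10/Oct/2023:13:55:%02d +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"\n' \
    1 20 40 >> "$LOG"
i=0
while [ "$i" -lt 30 ]; do
    printf '10.0.0.5 - - [10/Oct/2023:13:55:%02d +0000] "GET /login HTTP/1.1" 200 128 "-" "curl/7.29.0"\n' \
        "$i" >> "$LOG"
    i=$((i + 1))
done
printf '10.0.0.5 - - [10/Oct/2023:13:56:%02d +0000] "GET /login HTTP/1.1" 200 128 "-" "curl/7.29.0"\n' \
    5 6 >> "$LOG"

echo "Clients above 25 requests/minute (the iptables limit in step 15):"
busy_clients "$LOG" 25      # 10.0.0.5 10/Oct/2023:13:55 30
```

Run busy_clients against /var/log/httpd/access_log with the threshold you plan to enforce; if legitimate clients (a corporate NAT address, a monitoring system) show up, the threshold is too low for your traffic. Note also that the "limit" match in the iptables rule above counts packets rather than HTTP requests, and that an ACCEPT rule with a limit only has an effect if a later rule drops or rejects the traffic that falls outside it.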

 

16. Disable / remove the Apache web server test page

The default Apache test page resides under /var/www/error/ with the name "noindex.html", and it can be disabled by editing /etc/httpd/conf.d/welcome.conf.

The directive is enabled by default; to disable it, comment out each line by prefixing it with a hash, as shown below.

# vi /etc/httpd/conf.d/welcome.conf

#
# This configuration file enables the default "Welcome"
# page if there is no default index page present for
# the root URL. To disable the Welcome page, comment
# out all the lines below.
#
#<LocationMatch "^/+$">
# Options -Indexes
# ErrorDocument 403 /error/noindex.html
#</LocationMatch>

Save & Exit!

Reload or restart the Apache service for the changes to take effect.

#service httpd restart


Copyright ©Solutions@Experts.com