Securing Apache Web Server Configuration
Securing the Apache web server is very important: it means exposing only the information you intend to publish, protecting data, and restricting access. Below are some hints and tips on security issues when setting up a web server. Some of the suggestions are general, others are specific to Apache.
1. First, make sure you've installed the latest security patches
If you have obtained your version of the HTTP Server directly from Apache, we highly recommend you subscribe to the Apache HTTP Server Announcements List where you can keep informed of new releases and security updates. Similar services are available from most third-party distributors of Apache software.
2. Hide the Apache Version number, and other sensitive information.
By default many Apache installations tell the world what version of Apache you're running, what operating system/version you're running, and even what Apache Modules are installed on the server. Attackers can use this information to their advantage when performing an attack. It also sends the message that you have left most defaults alone.
There are two directives that you need to add, or edit in your httpd.conf file:
ServerSignature Off
ServerTokens Prod
The ServerSignature line appears at the bottom of pages generated by Apache, such as 404 pages, directory listings, etc.
The ServerTokens directive is used to determine what Apache will put in the Server HTTP response header. By setting it to Prod it sets the HTTP response header as follows:
Server: Apache
If you're super paranoid you could change this to something other than "Apache" by editing the source code, or by using mod_security.
3. Run Apache as its own user account and group
Several Apache installations run it as the user nobody. Suppose both Apache and your mail server were running as nobody: an attack through Apache may allow the mail server to also be compromised, and vice versa. Create a dedicated, unprivileged account and group for Apache and set them in httpd.conf:
User apache
Group apache
4. Ensure that files outside the web root are not served
We don't want Apache to be able to access any files outside of its web root. So, assuming all your web sites are placed under one directory, you would set it up as follows:
<Directory />
Order Deny,Allow
Deny from all
Options None
AllowOverride None
</Directory>
<Directory /var/www/html>
Order Allow,Deny
Allow from all
</Directory>
Note that because we set Options None and AllowOverride None for /, this disables all options and overrides for the whole server. You now have to add them explicitly for each directory that requires an Option or Override. Also note that Order, Allow and Deny are the Apache 2.2 access-control syntax; in Apache 2.4 the same rules are written as Require all denied and Require all granted (mod_authz_core), and the old directives only keep working if mod_access_compat is loaded.
5. Disable Directory Browsing
You can do this with an Options directive inside a Directory tag. Set Options to either None or -Indexes:
Options -Indexes
6. Disable Server Side Includes
This is also done with the Options directive inside a Directory tag. Set Options to either None or -Includes:
Options -Includes
7. Disable CGI execution
If you're not using CGI, turn it off with the Options directive inside a Directory tag. Set Options to either None or -ExecCGI:
Options -ExecCGI
8. Don't allow apache to follow symbolic links
This again can be done using the Options directive inside a Directory tag. Set Options to either None or -FollowSymLinks:
Options -FollowSymLinks
9. Disable multiple Options
Following are the available values for the Options directive:
- Options All – All options are enabled (except MultiViews). If you don't specify an Options directive, this is the default value.
- Options ExecCGI – Execute CGI scripts (uses mod_cgi)
- Options FollowSymLinks – If you have symbolic links in this directory, they will be followed.
- Options Includes – Allow server side includes (uses mod_include)
- Options IncludesNOEXEC – Allow server side includes without the ability to execute a command or CGI.
- Options Indexes – Enable directory listing when no index file is present (section 5 turns this off with -Indexes)
- Options MultiViews – Allow content negotiated multiviews (uses mod_negotiation)
- Options SymLinksIfOwnerMatch – Similar to FollowSymLinks, but a link is only followed when the owner of the link is the same as the owner of the target it points to.
If you want to disable all Options simply use:
Options None
If you only want to disable some, separate each option with a space in your Options directive:
Options -ExecCGI -FollowSymLinks -Indexes
10. Don't allow .htaccess
Using a .htaccess file inside a specific sub-directory under htdocs (or anywhere outside it), users can override the default Apache directives. In certain situations this is not good and should be avoided, so you should disable this feature.
You should not allow users to use the .htaccess file to override Apache directives. To do this, set "AllowOverride None" in the root directory.
If you require Overrides ensure that they cannot be downloaded, and/or change the name to something other than .htaccess. For example we could change it to .httpdoverride, and block all files that start with .ht from being downloaded as follows:
AccessFileName .httpdoverride
<Files ~ "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</Files>
11. Using mod_security
Mod_Security is an open source web application firewall that can work either embedded in an Apache web server
You can do the following with mod_security:
- Simple filtering
- Regular Expression based filtering
- URL Encoding Validation
- Unicode Encoding Validation
- Auditing
- Null byte attack prevention
- Upload memory limits
- Server identity masking
- Built in Chroot support
- And more
12. Disable any unnecessary modules
Apache typically comes with several modules installed. Go through the Apache module documentation and learn what each module you have enabled actually does. Often you will find that you don't need a given module enabled at all.
Look for lines in your httpd.conf that contain LoadModule. To disable the module you can typically just add a # at the beginning of the line. To search for modules run:
grep LoadModule httpd.conf
Here are some modules that are typically enabled but often not needed: mod_include, mod_info, mod_userdir, mod_status, mod_cgi, mod_autoindex.
- mod_include – Server Side Includes
- mod_info – Displays server configuration
- mod_userdir – Mapping of requests to user-specific directories, i.e., ~username in a URL gets translated to a directory on the server
- mod_status – Displays server stats
- mod_autoindex – Displays directory listing when no index.html file is present
13. Make sure only root has read access to apache's config and binaries
This can be done assuming your apache installation is located at /usr/local/apache as follows:
chown -R root:root /usr/local/apache
chmod -R o-rwx /usr/local/apache
14. Restricting Access by IP
If you have a resource that should only be accessed by a certain network or IP address, you can enforce this in your Apache configuration. For instance, to allow only the 192.168.1.0/24 network to access the server status page (a handler URL, so it is restricted with a Location block rather than a Directory block):
<Location /server-status>
SetHandler server-status
Order Deny,Allow
Deny from all
Allow from 192.168.1.0/24
</Location>
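As an added example (not code from the original article), a small POSIX shell audit that reads an httpd.conf and reports which of the settings from sections 2, 3, 5-10 and 12 are still in their weak state. The sample configuration embedded in it is constructed for the demonstration, and the function names audit_httpd_conf and has are my own; point the script at your real httpd.conf by passing its path as the first argument.

```shell
#!/bin/sh
# Constructed sample httpd.conf (not from any real server) carrying several
# of the weak settings this page warns about; the audit runs over it by default.
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
ServerTokens Full
ServerSignature On
User nobody
Group nobody
LoadModule status_module modules/mod_status.so
LoadModule info_module modules/mod_info.so
#LoadModule userdir_module modules/mod_userdir.so
<Directory />
    Options Indexes FollowSymLinks
    AllowOverride All
</Directory>
EOF

# True if any active (non-comment) line of the config matches the ERE in $1.
has() { printf '%s\n' "$active" | grep -Eiq "$1"; }

# Print one finding per line for each directive that deviates from the hardened
# values in sections 2, 3, 5-10 and 12. Always returns 0 so it is safe under set -e.
audit_httpd_conf() {
    # Drop comment lines so a "#LoadModule ..." line is not treated as active.
    active="$(grep -v '^[[:space:]]*#' "$1" || true)"
    has '^[[:space:]]*ServerTokens[[:space:]]+Prod([[:space:]]|$)' || echo "ServerTokens is not Prod (section 2)"
    has '^[[:space:]]*ServerSignature[[:space:]]+Off([[:space:]]|$)' || echo "ServerSignature is not Off (section 2)"
    for d in User Group; do
        if has "^[[:space:]]*$d[[:space:]]+(nobody|root)([[:space:]]|$)"; then
            echo "$d is a shared or privileged account (section 3)"
        fi
    done
    for m in include info userdir status cgi autoindex; do
        if has "^[[:space:]]*LoadModule[[:space:]]+${m}_module([[:space:]]|$)"; then
            echo "mod_$m is loaded; disable it if unused (section 12)"
        fi
    done
    # A leading '-' (as in -Indexes) disables an option, so only unprefixed or
    # '+'-prefixed names count as enabled.
    if has '^[[:space:]]*Options[[:space:]]+(.*[[:space:]])?[+]?(All|Indexes|Includes|ExecCGI|FollowSymLinks)([[:space:]]|$)'; then
        echo "Options enables Indexes/Includes/ExecCGI/FollowSymLinks/All (sections 5-9)"
    fi
    # Any AllowOverride value other than None re-enables .htaccess processing.
    if printf '%s\n' "$active" | grep -Ei '^[[:space:]]*AllowOverride[[:space:]]' | grep -Eiqv '[[:space:]]None([[:space:]]|$)'; then
        echo "AllowOverride is not None; .htaccess overrides are possible (section 10)"
    fi
    return 0
}
audit_httpd_conf "${1:-$SAMPLE_CONF}"
```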