
Secure Apache Web Server


Introduction

The Apache HTTP Server Project is a collaborative software development effort aimed at creating a robust, commercial-grade, featureful, and freely-available source code implementation of an HTTP (Web) server.

The project is jointly managed by a group of volunteers located around the world, using the Internet and the Web to communicate, plan, and develop the server and its related documentation. This project is part of the Apache Software Foundation. In addition, hundreds of users have contributed ideas, code, and documentation to the project.

Secure Apache Web Server

In this tutorial the principles on how to secure your Apache Web Server will be discussed. The Apache HTTP Server has a good record for security but there are some basic things that can be done to make Apache a more secure Web server.

(Note: For the purpose of this tutorial BackBox (based on Ubuntu) is used as the OS and Apache2 as the web server. There are no guarantees or absolutes for Apache security items, so proceed at your own risk.)

First, locate in which directory Apache is running by typing the following command:

Code:

ps -ef | grep apache

Code:

root      1443     1  0 16:57 ?        00:00:00 /usr/sbin/apache2 -k start
root      2741  2118  0 18:21 pts/0    00:00:00 grep apache
www-data  5569  1443  0 17:06 ?        00:00:00 /usr/sbin/apache2 -k start

The output shows that the Apache binary is running from the following path:

Code:

/usr/sbin/apache2

(Note: This directory may differ from yours, depending on whether you changed the destination folder during the installation process and on the OS that is used.)

Next, gather some important information about Apache, such as the version and which file will be modified (httpd.conf, apache2.conf, etc.). There are several ways to obtain this information from the web server. In a terminal, type one of the following commands:

Code:

curl -I www.example.com

or

Code:

/usr/sbin/apache2 -V

or

Code:

apache2 -V

or you can use the nikto / nmap tools:

Code:

nikto -h www.example.com

Code:

nmap -T4 -A -v www.example.com

(Note: With or without the full path the output is the same. If -v is used instead of -V, only the Server version/built lines are shown. Change the path to yours if it differs from that above.)

Code:

Server version: Apache/2.2.16 (Debian)
Server built:   Apr  1 2012 06:40:08
Servers Module Magic Number: 20051115:24
Server loaded:  APR 1.4.2, APR-Util 1.3.9
Compiled using: APR 1.4.2, APR-Util 1.3.9
Architecture:   32-bit
Server MPM:     Prefork
  threaded:     no
    forked:     yes (variable process count)
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/prefork"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=128
 -D HTTPD_ROOT="/etc/apache2"
 -D SUEXEC_BIN="/usr/lib/apache2/suexec"
 -D DEFAULT_PIDLOG="/var/run/apache2.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_LOCKFILE="/var/run/apache2/accept.lock"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="mime.types"
 -D SERVER_CONFIG_FILE="apache2.conf"

As you can see, the current version of Apache is 2.2.16; if it is not the latest release, install/update to the latest one. The line -D HTTPD_ROOT="/etc/apache2" gives the server root, the directory that holds the configuration files, and the line -D SERVER_CONFIG_FILE="apache2.conf" names the main configuration file in which the changes will be made.

(Note: If the file on the line "-D SERVER_CONFIG_FILE=" differs from that shown, you will need to alter the following steps accordingly.)

(Note: The httpd.conf file may be empty if you try to open it.)

Set the right User:Group

First, open the apache2.conf file and make sure that the lines

Code:

User
Group

are set to a dedicated, unprivileged account, for example

Code:

User apache
Group apache

(Note: The account must exist on the system and must never be root. On Debian and Ubuntu the packaged server already runs as www-data, as the ps output above shows, so keeping www-data there is equally correct.)

Hiding and modifying Apache server information

Next, an important step is to stop the server from disclosing information such as the Apache version, the operating system and the PHP version, which by default appear in the Server header and on generated error pages.

To hide this information, add the following options.

Code:

# ServerSignature Off means that Apache will not display the server version 
# on error pages, or in other pages that it generates.
ServerSignature Off

# ServerTokens Prod tells apache to only return Apache in the Server header, 
# returned on every page request. 
ServerTokens Prod

(Note: If you are using Debian or Ubuntu, make the above changes in the file /etc/apache2/conf.d/security; on other systems put them in apache2.conf or httpd.conf, depending on which OS you are using.)

Hide PHP Version

Next, modify the php.ini file. On the terminal type:

Code:

nano /etc/php5/apache2/php.ini

then find the expose_php setting and set it to Off:

Code:

expose_php = Off
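
As an added example (not part of the tutorial), the following Python script checks a captured HTTP response for the three disclosures the ServerTokens, ServerSignature and expose_php settings above remove; the two responses are constructed, and a real one can be captured with curl -i (curl -I fetches headers only, so the error-page footer would not be seen).

```python
# Added example: inspect a captured HTTP response for version disclosure.
# Both responses below are constructed for this example.
import re

LEAKY_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache/2.2.16 (Debian) PHP/5.3.3-7+squeeze8\r\n"
    "X-Powered-By: PHP/5.3.3-7+squeeze8\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<h1>Not Found</h1>\n"
    "<address>Apache/2.2.16 (Debian) Server at www.example.com Port 80</address>\n"
)
HARDENED_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<h1>Not Found</h1>\n"
)


def split_response(raw):
    """Return (headers dict with lower-case names, body) from raw response text."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:        # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def disclosure_findings(raw):
    """List each disclosure found, with the directive that removes it."""
    headers, body = split_response(raw)
    findings = []
    server = headers.get("server", "")
    # ServerTokens Prod reduces the Server header to the bare product name.
    if re.search(r"/\d|\(", server):
        findings.append("Server header reveals version/OS: ServerTokens Prod")
    # expose_php = Off stops mod_php from adding X-Powered-By.
    if "x-powered-by" in headers:
        findings.append("X-Powered-By reveals PHP version: expose_php = Off")
    # ServerSignature Off removes the footer line on generated error pages.
    if re.search(r"<address>.*Server at .*Port \d+</address>", body):
        findings.append("error page footer reveals version: ServerSignature Off")
    return findings
```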

Protecting System Settings and Server Files

Stop users from setting up .htaccess files, which can override security features you have configured, by adding the following lines to the server configuration:

Code:

<Directory /> 
    AllowOverride None 
</Directory>

Next, disable access to the entire file system except for the directories that are explicitly allowed later.

Code:

<Directory /> 
    Order Deny,Allow 
    Deny from all 
</Directory>

Next, allow access only to the specific directories that should be served, overriding the default denial for those filesystem locations.

Code:

<Directory "/webdirectory">
    Order Deny,Allow
    Allow from all
</Directory>

Code:

<Directory "/var/www/*">
    Order Allow,Deny
    Allow from all
</Directory>

(Note: <Directory /*/public_html> will not match /home/user/public_html, but <Directory /home/*/public_html> will match.)

Restricting Access by IP

To restrict a directory to particular clients, deny everyone and then allow only the listed addresses. The following lines, placed inside a Directory block, allow access only from the local host:

Code:

Order Deny,Allow
Deny from all 
Allow from 127.0.0.1

Turn off .htaccess

You can do that by adding the following line inside a Directory block.

Code:

AllowOverride None

Timeout Value

By default the Timeout directive is set to 300 seconds. Lower it so that slow or idle connections are dropped sooner, for example:

Code:

Timeout 45

Parameter Option

Inside the <Directory>..</Directory> block some parameters may be added to prevent directory browsing, stop the server following symbolic links, etc. Here the parameter "Options" will be analysed.

Code:

// NAME
Options

// SYNOPSIS
Options [PARAMETER]

// DESCRIPTION

All
/* All options are enabled except MultiViews, IncludesNOEXEC, and
SymLinksIfOwnerMatch */

ExecCGI
/* Execution of CGI scripts is permitted -- and impossible if this is not set. */

FollowSymLinks
/* The server follows symbolic links (i.e., file links made with the Unix
ln -s utility). */

Includes
/* Server-side includes are permitted */

IncludesNOEXEC
/* Server-side includes are permitted, but #exec and #include of CGI scripts
are disabled. */

Indexes
/* Allows the suite of indexing commands to be used, and a formatted listing
is returned when a directory has no index file */

MultiViews
/* Content-negotiated MultiViews are supported. This includes AddLanguage
and image negotiation */

SymLinksIfOwnerMatch
/* Symbolic links are followed only when the link and its target are owned by
the same user */

The parameter can be preceded by + or -, which mean add (+) or remove (-). The following command, for example, adds Indexes but removes ExecCGI:

Code:

Options +Indexes -ExecCGI

If no options are set, and there is no <Limit> directive, the effect is as if All had been set, which means, of course, that MultiViews is not set. If any options are set, All is turned off.

If, for example, a directory (/our/directory/htdoc) has no index.html file and you add the following option to its Directory block

Code:

Options ExecCGI

and try to access it again, you will see the following rather baffling message:

Code:

FORBIDDEN You don't have permission to access / on this server

The reason is that when Options is not mentioned, it is, by default, set to All. By switching ExecCGI on in absolute form, you switch all the others off, including Indexes. To fix this, edit the line to

Code:

Options +ExecCGI
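
As an added example (not part of the tutorial), the following Python function simulates how Apache merges Options directives, using the tutorial's definition of All, so the ExecCGI pitfall above and the +/- syntax can be checked before touching a live server.

```python
# Added example: simulate Apache's merging of Options directives.
# ALL follows the tutorial's definition: every option except MultiViews,
# IncludesNOEXEC and SymLinksIfOwnerMatch.
ALL_OPTIONS = frozenset({"Indexes", "Includes", "FollowSymLinks", "ExecCGI"})
KNOWN = ALL_OPTIONS | {"MultiViews", "IncludesNOEXEC", "SymLinksIfOwnerMatch"}


def check(name):
    """Reject option names Apache would not understand."""
    if name not in KNOWN:
        raise ValueError("unknown option: " + name)
    return name


def effective_options(directives):
    """Return the option set in force after applying each Options argument
    string in order, outermost <Directory> block first. With no directive
    at all the default is All."""
    current = set(ALL_OPTIONS)
    for line in directives:
        args = line.split()
        relative = [a for a in args if a[0] in "+-"]
        if relative and len(relative) != len(args):
            # Apache itself rejects a mix of +/- and absolute names.
            raise ValueError("mixed +/- and absolute options: " + line)
        if not relative:
            # Absolute form: the list REPLACES everything set before,
            # which is why "Options ExecCGI" silently drops Indexes.
            current = set()
            for a in args:
                if a == "All":
                    current |= ALL_OPTIONS
                elif a != "None":
                    current.add(check(a))
        else:
            # Relative form: each +name / -name adjusts the inherited set.
            for a in args:
                name = a[1:]
                names = ALL_OPTIONS if name == "All" else {check(name)}
                current = current | names if a[0] == "+" else current - names
    return current


def listing_allowed(directives):
    """True when a directory without index.html will show a listing."""
    return "Indexes" in effective_options(directives)
```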

ModSecurity

ModSecurity supplies an array of request filtering and other security features to the Apache HTTP Server. ModSecurity is a web application layer firewall.

We can do the following with ModSecurity:

  • Simple filtering
  • Regular Expression based filtering
  • URL Encoding Validation
  • Unicode Encoding Validation
  • Auditing
  • Null byte attack prevention
  • Upload memory limits
  • Server identity masking
  • Built in Chroot support

Conclusion

There are many ways and things that can be done to secure a web server. This tutorial describes the basic things that can be done to make the Apache web server more secure. The best way is to try every parameter on a localhost web server to figure out what the option does before proceeding to the main web server.

Designed and Created by Liatsis Fotis

© 2012 Liatsis Fotis

