
APACHE WEB SERVER SECURITY CONFIGURATION
– Apache is the best known web server in the world, but a default installation that has not been hardened has many weaknesses an attacker can exploit. This tutorial walks step by step through hardening an Apache web server.

– Apache on Linux comes in two different configuration-file layouts, apache2 and httpd. The default configuration files of the different Linux distributions are listed at this address:
http://wiki.apache.org/httpd/DistrosDefaultLayout#Debian.2C_Ubuntu_.28Apache_httpd_2.x.29

1. Apache version: 2.2.29 (or higher) for Apache 2.2.x and 2.4.12 (or higher) for Apache 2.4.x.

– The web server must be installed on an operating system that has itself been securely configured.
– The web server version must have no known vulnerabilities and must have all security patches applied:
– On a system being prepared for installation, use the latest Apache version (reference: http://httpd.apache.org/download.cgi). At the moment the lowest version permitted for installation is 2.4.12 for Apache 2.4.x and 2.2.29 for Apache 2.2.x.
– Do not use all-in-one platforms such as xampp, wampp or appserver.

2. Create a separate account to run Apache

– Purpose: grant the Apache web server service only the minimum access rights it needs.

2.1 On Linux/Unix

– Step 1: Create a user to run Apache:

Do not permit the Apache web server account to log in to the operating system:

Permit only the user www-data and the group www-data to change the /var/www directory.

Note: the directory (/var/www) may differ depending on the Apache configuration.
– Step 2: Assign the account that runs Apache.
For the apache2 configuration layout:
Change the account used to run Apache in the envvars file.

Find the following section.

Save the file and restart Apache.
For the httpd configuration layout:
Change the account used to run Apache in the httpd.conf file:
/etc/httpd/conf/httpd.conf
Find the following section.

Save the file and restart Apache.

2.2 On Windows

– Step 1: Create a www-data user that is a member of the Guests group only.
– Step 2: Grant read, write, execute and change rights on the Apache log directory to the www-data account.
– Step 3: Go to Control Panel -> Administrative Tools -> Services.
Select the Apache service, open the Log On tab and click the Browse button to find the user www-data.

apache hardening 1
Note: grant read, write and execute rights on the PHP installation directory to the www-data account.

3. Hide the Apache version

– Description: In the default configuration of an Apache installation, the HTTP response header includes information about the Apache version. For example:

apache hardening 2
– Solution: Open the apache2.conf or httpd.conf file and add the following content at the end of the file:

Save and restart Apache.
Results: after that, a request for a file that does not exist no longer reveals the Apache version information:

apache hardening 3

4. Remove/Turn off unneccesary modules

– Implementation: To check which modules are loaded, use one of the following commands:

Or

apache hardening 4

apache hardening 5

The output lists the loaded modules. To remove unnecessary modules, follow these steps:
– On Linux, open the httpd.conf file and insert a # at the beginning of the line that loads each unused module, or remove the unused modules from the directory /etc/apache2/mods-enabled/.
– On Windows, open the httpd.conf file and insert a # at the beginning of the line that loads each unused module.
Some modules that can be removed, for example: mod_info, mod_status, mod_version, mod_autoindex.
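The module list printed by apachectl -M can be checked automatically for the modules named above. The script below is an added example, not part of the original tutorial: it reads apachectl -M (or apache2ctl -M) output, or the constructed sample it embeds, and prints any of the unneeded modules that are loaded. The module list is an assumption to extend for your deployment.

```shell
#!/bin/sh
# Added example, not from the original tutorial: flag loaded modules that the
# section above lists as candidates for removal. Feed it the output of
# "apachectl -M" (or "apache2ctl -M"), or the constructed sample below for an
# offline run. The list of unneeded modules is an assumption; extend it.

# Names as apachectl prints them (mod_ prefix dropped, _module suffix added).
UNNEEDED_MODULES="info status version autoindex"

# Constructed sample of "apachectl -M" output (not taken from a real server).
SAMPLE_MODULE_LIST='Loaded Modules:
 core_module (static)
 so_module (static)
 mpm_prefork_module (shared)
 status_module (shared)
 autoindex_module (shared)
 dir_module (shared)'

# Read module-list output on stdin; print each unneeded module that is
# loaded, one per line. Empty output means none of them is loaded.
flag_unneeded_modules() {
    awk -v list="$UNNEEDED_MODULES" '
        BEGIN {
            n = split(list, want, " ")
            for (i = 1; i <= n; i++) unwanted[want[i] "_module"] = 1
        }
        /_module[ \t]+\((static|shared)\)/ { if ($1 in unwanted) print $1 }
    '
}

# Same result as a number, for scripts and monitoring checks.
count_unneeded_modules() {
    flag_unneeded_modules | wc -l | tr -d ' '
}

# Live check against the installed server: sh this_script.sh live
if [ "${1:-}" = "live" ]; then
    if command -v apachectl >/dev/null 2>&1; then
        apachectl -M 2>/dev/null | flag_unneeded_modules
    elif command -v apache2ctl >/dev/null 2>&1; then
        apache2ctl -M 2>/dev/null | flag_unneeded_modules
    else
        echo "apachectl/apache2ctl not found" >&2
        exit 2
    fi
fi
```

On the sample list the check prints status_module and autoindex_module. On Debian-style layouts a flagged module is disabled with a2dismod followed by the short name (for example a2dismod status); on httpd layouts comment out its LoadModule line.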

5. Disable execution of CGI commands (Common Gateway Interface) and SSI (Server Side Includes)

– Add the following attribute to the <Directory> section of the httpd.conf or apache2.conf file:

6. Disable directory listing in the web directory

– Description: This misconfiguration discloses information by letting a visitor see the list of files in the site directory, as below:

apache hardening 6
Solution: Open the apache2.conf or httpd.conf file and add this content:

Note: the path to the site directory (“/var/www/web”) depends on where the website is located on the server.
Results after adding the content and restarting Apache:

apache hardening 7

7. Secure Apache configuration directory

– Allow only root to have write permission on the web server configuration directory.
For example, if the web server configuration directory is /etc/httpd/conf/, execute the following command:

– Do not allow other users to read the web server configuration files or the web server log files; execute the following command.
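The account setup of section 2.1 and the permission rules of this section can be done and verified in one script. The script below is an added example, not part of the original tutorial: it creates a no-login service account, gives only that account write access to the web root, locks the configuration and log directories, and provides two checks (a passwd entry has no login shell; no file under a directory is world-readable). The account name www-data and the paths /var/www, /etc/httpd/conf and /var/log/httpd are assumptions.

```shell
#!/bin/sh
# Added example (not from the original tutorial): create a dedicated Apache
# service account that cannot log in, give only that account write access to
# the web root, and lock down the configuration and log directories (sections
# 2.1 and 7). Two check functions verify the result. The account name and the
# paths below are assumptions; adjust them to your distribution's layout.

APACHE_USER="${APACHE_USER:-www-data}"
APACHE_GROUP="${APACHE_GROUP:-www-data}"
WEB_ROOT="${WEB_ROOT:-/var/www}"
CONF_DIR="${CONF_DIR:-/etc/httpd/conf}"
LOG_DIR="${LOG_DIR:-/var/log/httpd}"

# Provisioning: must run as root. Deliberately not called when the file is
# loaded, so the checks below can be used without touching the system.
provision_apache_account() {
    getent group "$APACHE_GROUP" >/dev/null || groupadd --system "$APACHE_GROUP"
    getent passwd "$APACHE_USER" >/dev/null || \
        useradd --system --gid "$APACHE_GROUP" --home-dir "$WEB_ROOT" \
                --no-create-home --shell /usr/sbin/nologin "$APACHE_USER"
    # Web root: the www-data user and group may change it, nobody else may write.
    chown -R "$APACHE_USER:$APACHE_GROUP" "$WEB_ROOT"
    chmod -R u=rwX,g=rwX,o=rX "$WEB_ROOT"
    # Configuration and logs: owned by root, not readable by other users.
    for d in "$CONF_DIR" "$LOG_DIR"; do
        chown -R root:root "$d"
        chmod 750 "$d"
        find "$d" -type f -exec chmod 640 '{}' +
    done
}

# Check 1: given one passwd(5) line (e.g. from "getent passwd www-data"),
# return 0 when the login shell is nologin or false, 1 when an interactive
# login would be possible.
shell_is_nologin() {
    _shell=$(printf '%s\n' "$1" | cut -d: -f7)
    case "$_shell" in
        */nologin|*/false) return 0 ;;
        *) return 1 ;;
    esac
}

# Check 2: list files under a directory that any user can read (mode bit
# o+r, octal 004). Empty output means the section 7 requirement is met.
world_readable_files() {
    find "$1" -type f -perm -004
}

# Same check as a number, convenient for scripts and monitoring.
count_world_readable() {
    world_readable_files "$1" | wc -l | tr -d ' '
}

# Usage (after provisioning):
#   shell_is_nologin "$(getent passwd www-data)" && echo "www-data cannot log in"
#   count_world_readable /etc/httpd/conf   # expect 0
```

The checks are separated from the provisioning on purpose: they run as an unprivileged user and can be scheduled to catch drift, for example a package upgrade that reinstalls a configuration file with mode 644.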

8. Only allow methods (GET, POST, HEAD)

– For example: by using the TRACE method an attacker can obtain information about the web server as follows:

– So we need to turn off the unnecessary methods. To do this, open httpd.conf or apache2.conf, add the following LimitExcept directive and restart Apache.

9. Change the web server error message

– Insert the following in the httpd.conf or apache2.conf file.

Note: create the error.html file in the root directory of the website.
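Sections 3, 5, 6, 8 and 9 each add a few directives to the main configuration; keeping them in one snippet and auditing an existing configuration for the weak settings makes the result checkable. The script below is an added example, not part of the original tutorial; the site path /var/www/web and the snippet name hardening.conf are assumptions. One caveat the tutorial does not state: Apache's <Limit> and <LimitExcept> cannot restrict TRACE, so the snippet also sets TraceEnable off. The Require all denied line is Apache 2.4 syntax; on 2.2 use Order deny,allow and Deny from all inside the LimitExcept block.

```shell
#!/bin/sh
# Added example, not from the original tutorial: writes one hardening snippet
# covering sections 3, 5, 6, 8 and 9, and audits an existing configuration
# file for the weak settings those sections describe. The site path
# (/var/www/web) and the snippet name (hardening.conf) are assumptions.

SITE_DIR="${SITE_DIR:-/var/www/web}"

# Emit the snippet. Include it from httpd.conf / apache2.conf with
#   Include conf/hardening.conf
# or drop it into conf.d/ (httpd) or conf-available/ + a2enconf (apache2).
write_hardening_snippet() {
    cat <<EOF
# --- version disclosure (section 3) ---
ServerTokens Prod
ServerSignature Off
# TRACE is not covered by <Limit>/<LimitExcept>; it needs its own switch.
TraceEnable off

# --- CGI/SSI execution, directory listing, allowed methods (5, 6, 8) ---
<Directory "$SITE_DIR">
    Options -Indexes -ExecCGI -Includes
    AllowOverride None
    <LimitExcept GET POST HEAD>
        Require all denied
    </LimitExcept>
</Directory>

# --- custom error pages (section 9); error.html lives in the site root ---
ErrorDocument 403 /error.html
ErrorDocument 404 /error.html
ErrorDocument 500 /error.html
EOF
}

# Audit a configuration file: print one finding per line, nothing on a pass.
# Comments are dropped first; directive names match case-insensitively, as
# Apache reads them. A missing directive is reported with its default.
audit_apache_conf() {
    _conf=$(sed 's/#.*//' "$1")
    printf '%s\n' "$_conf" | grep -iqE '^[[:space:]]*ServerTokens[[:space:]]+Prod(uctOnly)?[[:space:]]*$' \
        || echo "ServerTokens is not Prod (version leaks in the Server header)"
    printf '%s\n' "$_conf" | grep -iqE '^[[:space:]]*ServerSignature[[:space:]]+Off[[:space:]]*$' \
        || echo "ServerSignature is not Off (version leaks in error pages)"
    printf '%s\n' "$_conf" | grep -iqE '^[[:space:]]*TraceEnable[[:space:]]+off[[:space:]]*$' \
        || echo "TraceEnable is not off (TRACE is answered; default is on)"
    # Any Options line that turns on Indexes, ExecCGI or Includes (no '-').
    printf '%s\n' "$_conf" \
        | grep -i '^[[:space:]]*Options[[:space:]]' \
        | grep -iE '(^|[[:space:]]|\+)(Indexes|ExecCGI|Includes)([[:space:]]|$)' \
        | while read -r _line; do echo "Options enables listing/execution: $_line"; done
    return 0
}

# Number of findings, for scripts: 0 means the file passes.
count_findings() {
    audit_apache_conf "$1" | wc -l | tr -d ' '
}

# Usage:  count_findings /etc/httpd/conf/httpd.conf
#         write_hardening_snippet > /etc/httpd/conf/hardening.conf
```

After installing the snippet, apachectl configtest before the restart catches a typo, and a request for a non-existent page should now return the error.html body with a Server header that reads only Apache.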

10. Delete the default page of the Apache installation

– Remove the default page from the Apache installation folder /var/www/html/.

11. Install and configure mod_security in monitor mode

– Step 1: Install mod_security together with the Core Rule Set.
– Step 2: Configure ModSecurity in monitor mode. Edit the modsecurity.conf file and set the value of SecRuleEngine to DetectionOnly:
SecRuleEngine DetectionOnly
– Step 3: Go to the ModSecurity audit_log directory and open the audit log to determine why a request was marked as invalid. Analyze the log information together with knowledge of the web application's functionality to decide whether a request ModSecurity marked in the log file is actually a valid request. If it is valid, refine the Core Rule Set rules until all functions of the web application operate stably, and do not activate the ModSecurity rules in blocking mode until then.

12. Use secure encryption methods.

• Use a secure encryption library:
– On a system being prepared for installation, use the latest version of OpenSSL. At the moment the lowest acceptable OpenSSL versions are 1.0.2d and 1.0.1p (released 09/07/2015).
– Systems already using the OpenSSL library need to be upgraded and have the patches that VISC has warned about installed.
• Do not use SSL version 2.0 or SSL version 3.0.
– Step 1: Find the SSL configuration file of Apache using the command:

apache hardening 8

– Here /etc/httpd is the httpd install directory. The result is the path of the SSL configuration file: /etc/httpd/conf.d/ssl.conf.
– Step 2: Open the file /etc/httpd/conf.d/ssl.conf and change SSLProtocol all (which may already carry –SSLv2) to:

– Restart Apache.
• Configure SSLCipherSuite securely for the web server.
– In the Apache SSL configuration file, configure SSLCipherSuite so that only secure ciphers are used and insecure ciphers are removed:

– Restart Apache.
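The two ssl.conf changes above (protocol versions and cipher suite) can be verified from the file itself. The script below is an added example, not part of the original tutorial: it prints a hardened fragment and provides two checks, one that the last SSLProtocol line leaves SSLv2 and SSLv3 disabled, and one that the SSLCipherSuite string explicitly excludes each weak cipher family. The cipher string and the list of weak families are assumptions to tune for the clients you must support.

```shell
#!/bin/sh
# Added example, not from the original tutorial: check an Apache SSL
# configuration file for the protocol and cipher requirements of this
# section, and print a hardened fragment. The cipher string and the list of
# weak families are assumptions; tune them to the clients you must support.

# Cipher families that the SSLCipherSuite line must exclude explicitly.
WEAK_CIPHER_FAMILIES="aNULL eNULL MD5 RC4 EXPORT DES 3DES"

# Hardened fragment for ssl.conf (OpenSSL cipher-list syntax).
write_ssl_snippet() {
    cat <<'EOF'
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite HIGH:!aNULL:!eNULL:!MD5:!RC4:!EXPORT:!DES:!3DES
EOF
}

# Return 0 when the last SSLProtocol line in the file leaves SSLv2 and SSLv3
# disabled (via "all -SSLv2 -SSLv3" or by naming only TLS versions); 1 when
# the line is missing (Apache then defaults to "all") or still enables them.
ssl_protocol_is_safe() {
    _line=$(sed 's/#.*//' "$1" | grep -i '^[[:space:]]*SSLProtocol[[:space:]]' | tail -n 1)
    [ -n "$_line" ] || return 1
    _has_all=0; _no2=0; _no3=0; _bad=0
    for _tok in $_line; do
        case "$_tok" in
            [Aa][Ll][Ll]|+[Aa][Ll][Ll])                  _has_all=1 ;;
            [Ss][Ss][Ll][Vv][23]|+[Ss][Ss][Ll][Vv][23])  _bad=1 ;;
            -[Ss][Ss][Ll][Vv]2)                          _no2=1 ;;
            -[Ss][Ss][Ll][Vv]3)                          _no3=1 ;;
        esac
    done
    [ "$_bad" = 0 ] || return 1
    [ "$_has_all" = 1 ] || return 0
    if [ "$_no2" = 1 ] && [ "$_no3" = 1 ]; then return 0; else return 1; fi
}

# Print each weak family that the last SSLCipherSuite line does not exclude
# with "!"; empty output is a pass. This checks the written policy, not the
# resolved list: run  openssl ciphers -v '<string>'  to see what a string
# actually expands to on your OpenSSL build.
weak_ciphers_not_excluded() {
    _cs=$(sed 's/#.*//' "$1" | grep -i '^[[:space:]]*SSLCipherSuite[[:space:]]' | tail -n 1 | awk '{print $2}')
    if [ -z "$_cs" ]; then
        echo "SSLCipherSuite missing (OpenSSL default list applies)"
        return 0
    fi
    for _w in $WEAK_CIPHER_FAMILIES; do
        case ":$_cs:" in
            *":!$_w:"*) ;;
            *) echo "$_w not excluded" ;;
        esac
    done
}

count_weak_cipher_findings() {
    weak_ciphers_not_excluded "$1" | wc -l | tr -d ' '
}

# Usage:  ssl_protocol_is_safe /etc/httpd/conf.d/ssl.conf && echo "protocols ok"
#         weak_ciphers_not_excluded /etc/httpd/conf.d/ssl.conf
```

The protocol check treats a missing SSLProtocol line as a failure because Apache's default is all, which on older OpenSSL builds includes SSLv3.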

13. Configure web server logging

• Synchronize the web server time with an NTP server (following the operating-system hardening guideline).
• The log format must contain enough information.
– Open the httpd.conf file, locate the LogFormat section and add a new LogFormat named ”vt_combined” for Apache:

apache hardening 9

– Restart Apache.
• The web server must be configured with logging turned on and logs rotated daily.
– To configure log rotation, find the access log and error log sections of the Apache configuration (keywords CustomLog, ErrorLog) and change them to:

apache hardening 10

– Restart Apache.
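Both parts of this section, a log format with enough fields and daily rotation, can be written and checked with the script below. It is an added example, not part of the original tutorial, and the vt_combined field list shown here is an assumption (the tutorial's own field list is in a screenshot not reproduced above), as are the rotatelogs path and the log directory. Beyond the section itself, the script also reads access-log lines in that format and reports requests whose method is outside the GET/POST/HEAD set of section 8, which is the kind of detection the richer log format makes possible.

```shell
#!/bin/sh
# Added example, not from the original tutorial: a "vt_combined" log format
# with the fields a reviewer needs, daily rotation through Apache's
# rotatelogs, and two checks: one that a LogFormat string carries the
# required fields, and one that reads access-log lines in that format and
# reports requests using methods outside the GET/POST/HEAD set of section 8.
# Field list, rotatelogs path and log directory are assumptions.

# Fields: vhost, client, ident, user, time, request, status, bytes, referer,
# user agent, microseconds taken to serve the request.
VT_COMBINED_FORMAT='%v %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i" %D'
REQUIRED_FIELDS='%h %t %r %>s %{Referer}i %{User-Agent}i'
ALLOWED_METHODS="GET POST HEAD"
ROTATELOGS="${ROTATELOGS:-/usr/sbin/rotatelogs}"
LOG_DIR="${LOG_DIR:-/var/log/httpd}"

# Emit the httpd.conf fragment. 86400 = rotate every 24 hours; the date in
# the file name comes from strftime(3) conversions handled by rotatelogs.
write_log_snippet() {
    printf 'LogFormat "%s" vt_combined\n' "$(printf '%s' "$VT_COMBINED_FORMAT" | sed 's/"/\\"/g')"
    printf 'ErrorLog "|%s %s/error_log.%%Y%%m%%d 86400"\n' "$ROTATELOGS" "$LOG_DIR"
    printf 'CustomLog "|%s %s/access_log.%%Y%%m%%d 86400" vt_combined\n' "$ROTATELOGS" "$LOG_DIR"
    printf 'LogLevel warn\n'
}

# Print the required fields absent from a LogFormat string; empty = pass.
missing_log_fields() {
    for _f in $REQUIRED_FIELDS; do
        case "$1" in *"$_f"*) ;; *) echo "$_f" ;; esac
    done
}

# Read vt_combined access-log lines on stdin and print those whose method is
# not in ALLOWED_METHODS. The request line is the first double-quoted field.
unexpected_method_requests() {
    awk -F'"' -v allowed="$ALLOWED_METHODS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF >= 3 { split($2, req, " "); if (!(req[1] in ok)) print }
    '
}

count_unexpected_method_requests() {
    unexpected_method_requests | wc -l | tr -d ' '
}

# Constructed sample lines in the vt_combined format (not real traffic).
SAMPLE_ACCESS_LOG='www.example.com 203.0.113.5 - - [10/Jul/2015:10:00:01 +0700] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0" 1234
www.example.com 203.0.113.5 - - [10/Jul/2015:10:00:02 +0700] "TRACE / HTTP/1.1" 405 0 "-" "curl/7.40.0" 210
www.example.com 198.51.100.7 - - [10/Jul/2015:10:00:03 +0700] "POST /login HTTP/1.1" 302 0 "http://www.example.com/" "Mozilla/5.0" 987
www.example.com 198.51.100.7 - - [10/Jul/2015:10:00:04 +0700] "OPTIONS * HTTP/1.1" 405 0 "-" "curl/7.40.0" 150'

# Usage:  write_log_snippet
#         printf '%s\n' "$SAMPLE_ACCESS_LOG" | unexpected_method_requests
```

On the sample the method check prints the TRACE and OPTIONS lines; both were answered with 405, which is what the LimitExcept block of section 8 produces, so the log confirms the restriction is in force.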

14. PHP security

14.1 Prevent remote code execution

– Some functions create this vulnerability when used incorrectly (file_get_contents(), include(), require()).
For example:

– Prevent it by setting the following value in php.ini:
allow_url_fopen = Off

14.2 Limit the folders PHP can access.

– For example, to limit PHP to accessing only the directory /var/www/, configure the php.ini file as follows.

14.3 Disable unnecessary system functions (exception: the Symfony framework).

Disable the functions as follows: open the php.ini file and insert the disable_functions entry shown below.

14.4 Remove unnecessary modules.

Use the following command to show all loaded modules.

After that use this command:
locate name_module (to find the location of the module)
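The three php.ini settings of 14.1 to 14.3 can be written and audited with the script below. It is an added example, not part of the original tutorial; the web root /var/www/ and the list of functions to disable are assumptions, and frameworks such as Symfony may need some of those functions, so review the list before applying it. The allow_url_include setting is added beyond the tutorial: it closes the remote-file case for include() and require() on its own.

```shell
#!/bin/sh
# Added example, not from the original tutorial: print the php.ini settings
# for 14.1-14.3 and audit an existing php.ini against them. The web root
# (/var/www/) and the function list are assumptions; frameworks such as
# Symfony may need some of these functions, so review before disabling.

PHP_WEB_ROOT="${PHP_WEB_ROOT:-/var/www/}"
DANGEROUS_FUNCTIONS="exec passthru shell_exec system proc_open popen"

# Hardened values. allow_url_include is added here beyond the tutorial: it
# blocks include()/require() of URLs even where allow_url_fopen is needed.
write_php_ini_snippet() {
    printf 'allow_url_fopen = Off\n'
    printf 'allow_url_include = Off\n'
    printf 'open_basedir = %s\n' "$PHP_WEB_ROOT"
    printf 'disable_functions = %s\n' "$(printf '%s' "$DANGEROUS_FUNCTIONS" | tr ' ' ',')"
}

# Value of a php.ini key (last occurrence wins, as in PHP); empty if unset.
# Usage: ini_value <key> <file>
ini_value() {
    sed 's/;.*//' "$2" \
        | grep -i "^[[:space:]]*$1[[:space:]]*=" \
        | tail -n 1 \
        | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# Print findings, one per line; empty output is a pass.
audit_php_ini() {
    _ini="$1"
    _v=$(ini_value allow_url_fopen "$_ini")
    case "$_v" in
        [Oo][Ff][Ff]|0) ;;
        *) echo "allow_url_fopen is '${_v:-unset, default On}' (URL wrappers usable by file functions)" ;;
    esac
    _v=$(ini_value open_basedir "$_ini")
    [ -n "$_v" ] || echo "open_basedir is unset (PHP may read any path)"
    _v=$(printf '%s' "$(ini_value disable_functions "$_ini")" | tr -d ' ')
    for _fn in $DANGEROUS_FUNCTIONS; do
        case ",$_v," in *",$_fn,"*) ;; *) echo "$_fn is not in disable_functions" ;; esac
    done
}

# Number of findings, for scripts: 0 means the file passes.
count_php_findings() {
    audit_php_ini "$1" | wc -l | tr -d ' '
}

# Usage:  count_php_findings /etc/php.ini
#         write_php_ini_snippet >> /etc/php.ini   (then restart Apache)
```

Because PHP takes the last occurrence of a key, appending the snippet to an existing php.ini overrides earlier values; the audit reads the file the same way, so it reports what PHP will actually use.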
