Apache Web Server Hardening (Part-I)
Article By: prabin
Apache Web - VPS Server Hardening
A default Apache web server configuration is easy to exploit because it discloses sensitive information to an attacker. Hardening, that is customizing the web server configuration, improves the security of the VPS and prevents attacks that rely on the default settings of the Apache web server. This tutorial explains the basic steps for hardening an Apache web server on a VPS.
VPS Server Prerequisites
- Any Linux distribution; the instructions presented here are for the Ubuntu VPS Linux distribution.
- VPS server configured with a LAMP stack or apache2 on Ubuntu 14.04 or above
- root privileges on the system (sudo)
Important files and directories in apache2
1. Global configuration: /etc/apache2/apache2.conf
2. Enabled modules: /etc/apache2/mods-enabled/
3. Available modules: /etc/apache2/mods-available/
4. Port configuration file: /etc/apache2/ports.conf
5. Apache environment variables: /etc/apache2/envvars
6. Error log file: /var/log/apache2/error.log
7. Access log file: /var/log/apache2/access.log
The file and directory locations presented above are the defaults for the apache2 web server.
Steps for hardening Your VPS Server:
1. Keep Updated
$ apache2 -v    (version check)
Server version: Apache/2.4.7 (Ubuntu)
Server built:   Jan 14 2017 17:45:23
$ sudo apt-get install --only-upgrade apache2    (upgrades the apache2 package to the latest version)
Setting up apache2 (latestversion-number-1ubuntu4.13) ...
Installing new version of config file /etc/apache2/mods-available/mpm_prefork.load ...
Installing new version of config file /etc/apache2/mods-available/mpm_worker.load ...
Installing new version of config file /etc/apache2/mods-available/mpm_event.load ...
 * Restarting web server apache2 [ OK ]
An updated version carries the security patches and fixes as well as the new features.
2. Change the default user and group for apache
$ sudo groupadd apacheuser
$ sudo useradd -d /var/www/ -g apacheuser -s /usr/sbin/nologin apacheuser    (add the new user and group; the user name must match APACHE_RUN_USER below)
Find the user the apache service currently runs as:
$ ps aux | grep apache
www-data 29304 0.1 2.8 397064 14540 ? S 05:49 0:00 /usr/sbin/apache2 -k start
www-data 29305 0.0 2.8 397068 14456 ? S 05:49 0:00 /usr/sbin/apache2 -k start
www-data 29306 0.0 2.8 397032 14500 ? S 05:49 0:00 /usr/sbin/apache2 -k start
www-data 29308 0.0 2.7 396668 13720 ? S 05:49 0:00 /usr/sbin/apache2 -k start
www-data 29313 0.1 3.1 397548 15628 ? S 05:49 0:00 /usr/sbin/apache2 -k start
$ sudo vi /etc/apache2/envvars    (replace www-data with the newly created user and group)
export APACHE_RUN_USER=apacheuser
export APACHE_RUN_GROUP=apacheuser
$ sudo service apache2 restart
Verify with:
$ ps aux | grep apache
apacheuser 29204 0.0 2.1 396400 10912 ? S 05:51 0:00 /usr/sbin/apache2 -k start
apacheuser 29205 0.1 2.1 396400 10912 ? S 05:51 0:00 /usr/sbin/apache2 -k start
apacheuser 29206 0.3 3.1 397616 15752 ? S 05:51 0:00 /usr/sbin/apache2 -k start
apacheuser 29207 0.0 2.1 396400 10912 ? S 05:51 0:00 /usr/sbin/apache2 -k start
apacheuser 29208 0.0 2.1 396400 10912 ? S 05:51 0:00 /usr/sbin/apache2 -k start
apacheuser 29213 2.0 2.1 396400 10912 ? S 05:51 0:00 /usr/sbin/apache2 -k start
By default the apache process runs as nobody, root, apache or www-data, depending on the platform, and listens on port 80 or 443 for the http and https services. Running the apache server under a least-privilege user and group prevents unnecessary access to other services.
3. Hide the Apache server version and OS
$ sudo vi /etc/apache2/conf-enabled/security.conf    (add or edit the following)
ServerTokens Prod
ServerSignature Off
$ sudo service apache2 restart
By default the apache web server reveals its version and OS information; hiding this information denies the attacker knowledge about the web server and the OS of the system.
4. Disable root directory browsing on your server
$ sudo vi /etc/apache2/apache2.conf
<Directory />
    Order Deny,Allow
    Deny from all
    Options None
    AllowOverride None
</Directory>
Or, with the Apache 2.4 authorization syntax, replace the Order/Deny pair with:
    Require all denied
<Directory /var/www/>
    Order Allow,Deny
    Allow from all
</Directory>
$ sudo service apache2 restart
Denying access outside the web root prevents public access to the server's root file system. The configuration presented here assumes /var/www/ as the web root directory that stores the website content.
5. Limit the timeout value and request size
$ sudo vi /etc/apache2/apache2.conf    (add or edit the following directives; Timeout is a server-level directive, LimitRequestBody may also be set inside a Directory block)
Timeout 45
LimitRequestBody 512000
$ sudo service apache2 restart
By default apache places no limit on the size of an HTTP request, and allowing large requests makes the server prone to denial-of-service attacks. It is recommended to set the limit as small as your requirements allow. The request body size is given in bytes, from 0 (unlimited) to 2147483647 (2GB). The default timeout value for the apache web server is 300 seconds, i.e. it waits up to 300 seconds before closing the connection. Decreasing the timeout value significantly reduces the chance of a DDoS attack, but be aware that if CGI scripts are executed this value needs to be adjusted accordingly.
6. Disable directory browsing and symlinks
$ sudo vi /etc/apache2/apache2.conf    (add or edit the following directives for the web root Directory)
<Directory /var/www/>
    Options -Indexes -FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
Or, with the Apache 2.2 access-control syntax:
<Directory /var/www/>
    Options -Indexes -FollowSymLinks
    Order allow,deny
    Allow from all
</Directory>
$ sudo service apache2 restart
Disabling the directory listing stops an attacker from viewing the files and directories and prevents the leakage of sensitive information.
7. Disable unnecessary modules
$ apache2ctl -M    (list all enabled modules)
Loaded Modules:
 core_module (static)
 so_module (static)
 watchdog_module (static)
 http_module (static)
 log_config_module (static)
 logio_module (static)
 version_module (static)
 unixd_module (static)
 access_compat_module (shared)
 ...
Disable every module the site does not need:
$ sudo a2dismod modulename
$ sudo service apache2 restart
Disabling unnecessary modules not only protects the server from unknown vulnerabilities in those modules but also smooths server operation.
8. Disable ETag
$ sudo vi /etc/apache2/apache2.conf    (add or edit the following directives; the Header directive needs mod_headers, enabled in step 12)
Header unset ETag
FileETag None
$ sudo service apache2 restart
With ETag enabled in the Apache web server, the ETag header can reveal sensitive information to attackers, such as the inode number, multipart MIME boundary and child process.
9. HTTP request methods
$ sudo vi /etc/apache2/apache2.conf    (add the following inside the web root Directory; the LimitExcept list names the methods that stay allowed)
<Directory /var/www/>
    Order allow,deny
    Allow from all
    <LimitExcept GET POST HEAD>
        Deny from all
    </LimitExcept>
</Directory>
$ sudo service apache2 restart
By default apache processes a number of HTTP request methods such as GET, HEAD, POST, OPTIONS, PUT and DELETE. Disabling the unnecessary request methods stops an attacker from exploiting vulnerabilities posed by these methods.
10. Disable Server Side Includes and CGI execution on the VPS server
$ sudo vi /etc/apache2/apache2.conf    (add the following line inside the web root Directory)
<Directory /var/www/>
    Options -Includes -ExecCGI
    Order allow,deny
    Allow from all
</Directory>
$ sudo service apache2 restart
Server Side Includes is a useful apache feature, even though it carries potential security risks, such as allowing anyone to execute any CGI script.
11. Disable .htaccess
$ sudo vi /etc/apache2/apache2.conf    (AllowOverride is only valid inside a Directory block)
AllowOverride None
$ sudo service apache2 restart
.htaccess can take full control over the server configuration; an attacker who can write to it can modify the server configuration by injecting malicious code, among other things.
12. Enable X-XSS server protection
$ sudo a2enmod headers
$ sudo service apache2 restart
Add the following to the apache configuration file:
$ sudo vi /etc/apache2/apache2.conf
Header set X-XSS-Protection "1; mode=block"
Header unset Server
Header set X-Content-Security-Policy "allow 'self';"
Header set X-Frame-Options DENY
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
$ sudo service apache2 restart
XSS (Cross-Site Scripting) injects malicious scripts via the remote server and executes them to communicate with a command and control server. In the case of multiple virtual hosts, the configuration can be added to the individual virtual host files.
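To confirm step 12 from the client side rather than from the configuration, this added check (not part of the original article) reads a captured response header block and reports headers that are missing, carry an unexpected value, or cookies that lack the HttpOnly and Secure flags. The two captures are constructed here; the accepted values (exactly one X-Frame-Options value, a bare "Apache" Server header) are assumptions of this check.

```shell
#!/bin/sh
# Added example, not from the original article: verify the headers of step 12 on a
# captured HTTP response. Captures below are constructed; on a live server the same
# text comes from: curl -sI http://HOST/ > headers.txt
# hdr FILE NAME: value of header NAME (case-insensitive, first occurrence) or empty
hdr() { grep -i "^$2:" "$1" | head -n 1 | cut -d: -f2- | sed 's/^ *//' | tr -d '\r'; }

# check_headers FILE: print one "FINDING: ..." line per missing or weak header
check_headers() {
    f="$1"
    v=$(hdr "$f" X-XSS-Protection)
    [ "$v" = "1; mode=block" ] || echo "FINDING: X-XSS-Protection is '${v:-absent}'"
    v=$(hdr "$f" X-Frame-Options)          # one value only; "DENY, SAMEORIGIN" is invalid
    case "$v" in
        DENY|SAMEORIGIN) ;;
        *) echo "FINDING: X-Frame-Options is '${v:-absent}' (expect exactly DENY or SAMEORIGIN)" ;;
    esac
    v=$(hdr "$f" Server)                   # absent or bare "Apache" is what ServerTokens Prod gives
    case "$v" in
        ""|Apache) ;;
        *) echo "FINDING: Server header reveals '$v'" ;;
    esac
    # every Set-Cookie must carry both HttpOnly and Secure
    grep -i '^Set-Cookie:' "$f" | tr -d '\r' | grep -Eiv 'httponly.*secure|secure.*httponly' |
        sed 's/^/FINDING: cookie without HttpOnly+Secure: /'
    return 0
}

BEFORE=$(mktemp)   # constructed: response of a default server
cat > "$BEFORE" <<'EOF'
HTTP/1.1 200 OK
Server: Apache/2.4.7 (Ubuntu)
Set-Cookie: PHPSESSID=abc123; path=/
Content-Type: text/html
EOF
AFTER=$(mktemp)    # constructed: response after step 12 (and ServerTokens Prod)
cat > "$AFTER" <<'EOF'
HTTP/1.1 200 OK
Server: Apache
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
Set-Cookie: PHPSESSID=abc123; path=/;HttpOnly;Secure
Content-Type: text/html
EOF
check_headers "$BEFORE"   # four findings
check_headers "$AFTER"    # no output
```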
13. Review the log files regularly
$ sudo cat /var/log/apache2/error.log
$ sudo cat /var/log/apache2/access.log
Regular review of the log files gives insight into the nature of the traffic, errors and warning messages; it is highly recommended to fix all warnings and errors. Lastly, it is highly recommended to keep the configuration as simple as possible: if you know what you are doing, you can delete unnecessary comments and lines from the configuration files, as a simple configuration file is more readable and understandable during troubleshooting.
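As an added example (not part of the original article) of what to look for in access.log, the script below summarizes constructed combined-format log lines: requests using methods other than GET, POST or HEAD (step 9), paths refused with 403, and clients collecting many 4xx responses. The IP addresses, paths and the threshold of three errors are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the original article: review access.log lines for the
# traffic step 13 says to watch. The log lines below are constructed.
ACCESS_LOG=$(mktemp)
cat > "$ACCESS_LOG" <<'EOF'
203.0.113.5 - - [10/Mar/2017:05:49:01 +0000] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2017:05:49:02 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2017:05:49:10 +0000] "OPTIONS / HTTP/1.1" 403 199 "-" "curl/7.47.0"
198.51.100.7 - - [10/Mar/2017:05:49:11 +0000] "PUT /upload.php HTTP/1.1" 403 199 "-" "curl/7.47.0"
198.51.100.7 - - [10/Mar/2017:05:49:12 +0000] "GET /.htaccess HTTP/1.1" 403 199 "-" "curl/7.47.0"
198.51.100.7 - - [10/Mar/2017:05:49:13 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 196 "-" "curl/7.47.0"
192.0.2.9 - - [10/Mar/2017:05:50:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF

# Combined log format fields: $1 client IP, $6 "METHOD (leading quote), $7 path, $9 status

# denied_methods LOG: number of requests using a method other than GET, POST or HEAD
denied_methods() {
    awk '{ m = substr($6, 2); if (m != "GET" && m != "POST" && m != "HEAD") n++ }
         END { print n + 0 }' "$1"
}

# denied_paths LOG: distinct paths that were refused with 403
denied_paths() {
    awk '$9 == 403 { print $7 }' "$1" | LC_ALL=C sort -u
}

# error_clients LOG MIN: "IP count" for every client with at least MIN 4xx responses
error_clients() {
    awk -v min="$2" '$9 ~ /^4/ { c[$1]++ }
         END { for (ip in c) if (c[ip] >= min) print ip, c[ip] }' "$1"
}

echo "requests with unexpected methods: $(denied_methods "$ACCESS_LOG")"   # 2
denied_paths "$ACCESS_LOG"          # /  /.htaccess  /upload.php
error_clients "$ACCESS_LOG" 3       # 198.51.100.7 4
```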
Tags: apache, apache2, web server, Apache Hardening, Apache Security, Ubuntu Web Server hardening, Web Server Hardening
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.