Apache Web Server

Running Apache Web Server with its default configuration is risky: the defaults disclose information an attacker can use (server version, OS, directory listings, permitted request methods) and leave unnecessary features enabled. Hardening the web server reduces this exposure and prevents attacks that exploit the default settings of the Apache web server. This tutorial explains the basic steps for hardening the Apache web server.


Prerequisites

  • Any Linux distribution; the instructions presented here are written for the Ubuntu distribution of Linux.
  • A VPS configured with a LAMP stack or the apache2 package, running Ubuntu 14.04 or above.
  • Root privilege on the system (sudo).

Important files and directories in apache2

1. Global configuration
/etc/apache2/apache2.conf
2. Enabled Modules
/etc/apache2/mods-enabled/
3. Available Modules
/etc/apache2/mods-available/
4. Port configuration file
/etc/apache2/ports.conf
5. Apache environment variables
/etc/apache2/envvars
6. Error log file
/var/log/apache2/error.log
7. Access log file
/var/log/apache2/access.log

The files and directories listed above are the default locations for the apache2 package.

Steps for hardening:

1. Keep Updated

$ apache2 -v (Version check)
Server version: Apache/2.4.7 (Ubuntu)
Server built: Jan 14 2017 17:45:23
$ sudo apt-get install --only-upgrade apache2 (Upgrades apache2 package to latest version)
Setting up apache2 (latestversion-number-1ubuntu4.13)
Installing new version of config file /etc/apache2/mods-available/mpm_prefork.load ...
Installing new version of config file /etc/apache2/mods-available/mpm_worker.load ...
Installing new version of config file /etc/apache2/mods-available/mpm_event.load …
* Restarting web server apache2                                        [OK]               

An updated version brings the security patches and fixes as well as new features.

2. Change the default user and group for apache

$ sudo groupadd apacheuser
$ sudo useradd -d /var/www/ -g apacheuser -s /usr/sbin/nologin apacheuser (add new user and group; nologin prevents interactive login for the service account)
Find the default user for the apache service
$ ps aux | grep apache
www-data 29304  0.1  2.8 397064 14540 ?     S 05:49   0:00 /usr/sbin/apache2 -k start
www-data 29305  0.0  2.8 397068 14456 ?     S 05:49   0:00 /usr/sbin/apache2 -k start
www-data 29306  0.0  2.8 397032 14500 ?     S 05:49   0:00 /usr/sbin/apache2 -k start
www-data 29308  0.0  2.7 396668 13720 ?     S 05:49   0:00 /usr/sbin/apache2 -k start
www-data 29313  0.1  3.1 397548 15628 ?     S    05:49   0:00 /usr/sbin/apache2 -k start
$ sudo vi /etc/apache2/envvars
(Replace www-data with the newly created user and group)
export APACHE_RUN_USER=apacheuser
export APACHE_RUN_GROUP=apacheuser
$ sudo service apache2 restart
Verify with:
$ ps aux | grep apache
apacheuser 29204  0.0  2.1 396400 10912 ?    S 05:51   0:00 /usr/sbin/apache2 -k start
apacheuser 29205  0.1  2.1 396400 10912 ?    S 05:51   0:00 /usr/sbin/apache2 -k start
apacheuser 29206  0.3  3.1 397616 15752 ?    S 05:51   0:00 /usr/sbin/apache2 -k start
apacheuser 29207  0.0  2.1 396400 10912 ? S 05:51   0:00 /usr/sbin/apache2 -k start
apacheuser 29208  0.0  2.1 396400 10912 ?    S 05:51   0:00 /usr/sbin/apache2 -k start
apacheuser 29213  2.0  2.1 396400 10912 ?    S 05:51   0:00 /usr/sbin/apache2 -k start

By default the Apache processes run as nobody, root, apache or www-data depending on the platform, and listen on port 80 (HTTP) and 443 (HTTPS). Running the Apache server under a least-privilege user and group limits what a compromised worker process can reach on the rest of the system.

3. Hide Apache Server Version and OS

$ sudo vi /etc/apache2/conf-enabled/security.conf
(add or edit the following)
ServerTokens Prod
ServerSignature Off
$ sudo service apache2 restart

By default the Apache web server reveals its version and OS in the Server header and in the signature on error pages. Hiding this information denies the attacker easy knowledge of which web server and OS the system runs.

4. Disable root directory browsing

$ sudo vi /etc/apache2/apache2.conf
(Apache 2.2 syntax; in Apache 2.4 the Order/Deny/Allow directives only work when mod_access_compat is loaded)
<Directory />
 Order Deny,Allow
 Deny from all
 Options None
 AllowOverride None
</Directory>
Or (Apache 2.4 syntax)
<Directory />
 Require all denied
</Directory>
<Directory /var/www/>
 # Apache 2.2 syntax; on Apache 2.4 use "Require all granted" as in step 6
 Order Allow,Deny
 Allow from all
</Directory>
$ sudo service apache2 restart

Denying access outside the web root prevents public access to the rest of the file system; only directories you explicitly allow (here /var/www/) are served. The configuration presented here assumes /var/www/ is the web root directory that stores the website content.

5. Limit the timeout value and request size

$ sudo vi /etc/apache2/apache2.conf
(add or edit the following directives at server level: Timeout is not valid inside a Directory block, while LimitRequestBody may also be set per Directory)
Timeout 45
LimitRequestBody 512000
$ sudo service apache2 restart

By default there is no limit on the size of an HTTP request body in the Apache web server, and accepting very large requests makes the server prone to Denial of Service attacks. It is recommended to make the limit as small as your application allows. LimitRequestBody is set in bytes, from 0 (unlimited) to 2147483647 (2 GB), and caps the size allowed in a request body.
The default timeout value for the Apache web server is 300 seconds, i.e. it waits up to 300 seconds before closing an idle connection. Decreasing the timeout significantly reduces the chance of a DDoS attack holding connections open, but be aware that if CGI scripts run on the server this value needs to be adjusted so that slow but legitimate requests are not cut off.

6. Disable Directory Browsing and Symlinks

$ sudo vi /etc/apache2/apache2.conf
(Add or edit the following directives; the first form is Apache 2.4 syntax, the second is Apache 2.2 syntax)
<Directory /var/www>
Options -Indexes -FollowSymLinks
AllowOverride None
Require all granted
</Directory>
Or
<Directory /var/www>
Options -Indexes -FollowSymLinks
Order allow,deny
Allow from all
</Directory>
$ sudo service apache2 restart

Disabling the directory listing stops an attacker from browsing the files and directories under the web root, which prevents leakage of sensitive information; disabling symlink following stops a link under the web root from exposing files outside it.

7. Disable unnecessary modules

$ apache2ctl -M (List all enabled modules)
Loaded Modules:
core_module (static)
so_module (static)
watchdog_module (static)
http_module (static)
log_config_module (static)
logio_module (static)
version_module (static)
unixd_module (static)
access_compat_module (shared)
...
Disable every module you do not need (check what each module provides before disabling it):
$ sudo a2dismod modulename
$ sudo service apache2 restart

Disabling unnecessary modules not only protects the server from vulnerabilities in code it does not need, it also reduces memory use and simplifies server operation.

8. Disable ETag

$ sudo vi /etc/apache2/apache2.conf
(add or edit the following directives; "Header unset ETag" requires mod_headers, which is enabled in step 12)
Header unset ETag
FileETag None
$ sudo service apache2 restart

With ETag enabled in the Apache web server, an attacker can learn sensitive information such as the file's inode number, multipart MIME boundary and child process from the ETag header. Since Apache 2.4 the default FileETag no longer includes the inode, but FileETag None removes the file-derived value entirely.

9. Limit HTTP request methods

$ sudo vi /etc/apache2/apache2.conf
(Add the following block; Apache 2.2 syntax, on Apache 2.4 use "Require all granted" and "Require all denied" in place of the Order/Allow/Deny lines)
<Location />
 Order allow,deny
   Allow from all
   <LimitExcept GET POST HEAD>
       Deny from all
   </LimitExcept>
</Location>
$ sudo service apache2 restart

By default Apache processes a number of HTTP request methods such as GET, HEAD, POST, OPTIONS, PUT and DELETE. Disabling the methods your site does not need stops an attacker from exploiting weaknesses exposed through those methods. Note that LimitExcept cannot restrict the TRACE method; that one is controlled by the TraceEnable directive.

10. Disable Server Side Includes and CGI execution

$ sudo vi /etc/apache2/apache2.conf
(Add or edit the following Directory block)
<Directory /var/www>
 Options -Includes -ExecCGI
 Order allow,deny
 Allow from all
</Directory>
$ sudo service apache2 restart

Server Side Includes are a useful Apache feature, but they carry a real security risk: with Includes and ExecCGI enabled, content under the directory can cause CGI scripts to be executed.

11. Disable .htaccess

$ sudo vi /etc/apache2/apache2.conf
<Directory />
 AllowOverride None
</Directory>
$ sudo service apache2 restart

A .htaccess file can override the server configuration for its directory; an attacker who can write one (for example through an upload flaw) can modify the server configuration, inject malicious code and more. Disabling overrides removes that possibility.

12. Enable X-XSS-Protection

$ sudo a2enmod headers
$ sudo service apache2 restart
Add the following to the Apache configuration file
$ sudo vi /etc/apache2/apache2.conf
<IfModule mod_headers.c>
# Header names take no trailing colon in mod_headers directives
Header set X-XSS-Protection "1; mode=block"
# mod_headers cannot remove the Server header; ServerTokens Prod (step 3) reduces it to "Apache"
Header unset Server
# X-Content-Security-Policy is the obsolete pre-standard header name; current browsers read Content-Security-Policy
Header set X-Content-Security-Policy "allow 'self';"
# Use a single X-Frame-Options value: DENY (never framed) or SAMEORIGIN (framed only by the same site);
# setting DENY and then appending SAMEORIGIN would produce an invalid combined value
Header set X-Frame-Options DENY
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
</IfModule>
$ sudo service apache2 restart

XSS (Cross-Site Scripting) injects malicious scripts into pages served by the server so that they execute in visitors' browsers and can report back to an attacker-controlled server; the headers above instruct browsers to apply their built-in mitigations and restrict framing and cookie exposure. In the case of multiple virtual hosts, the configuration can instead be added to the individual virtual host files.
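Once steps 3 to 12 are applied, it is useful to verify that the directives actually ended up in the configuration tree. The script below is an added example, not part of the original tutorial: it concatenates every *.conf file under a directory, strips comments, and checks for each hardening directive with a regular expression (it also checks TraceEnable Off, which the tutorial does not set but which is the only way to disable TRACE, since LimitExcept cannot). The two sample configuration trees it builds under a temporary directory are constructed for the example and only resemble a stock and a hardened Ubuntu apache2.conf; point it at /etc/apache2 to audit a real server.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: audit an Apache config tree
# for the hardening directives from steps 3 to 12 (plus TraceEnable Off).
# Run as:  sh audit.sh /etc/apache2
# Without an argument it audits two constructed sample trees created below.

# Concatenate every *.conf file under the tree with comments stripped.
collect_conf() {
    find "$1" -type f -name '*.conf' -exec cat {} + 2>/dev/null | sed 's/#.*//'
}

# Print one "OK <label>" or "MISSING <label>" line per check.
# Each check is "label|extended regex", matched case-insensitively, line by line.
audit_apache_conf() {
    conf_text=$(collect_conf "$1")
    while IFS='|' read -r label pattern; do
        [ -n "$label" ] || continue
        if printf '%s\n' "$conf_text" | grep -Eiq -- "$pattern"; then
            echo "OK      $label"
        else
            echo "MISSING $label"
        fi
    done <<'EOF'
ServerTokens Prod (step 3)|^[[:space:]]*ServerTokens[[:space:]]+Prod
ServerSignature Off (step 3)|^[[:space:]]*ServerSignature[[:space:]]+Off
Timeout below the 300s default (step 5)|^[[:space:]]*Timeout[[:space:]]+[12]?[0-9]?[0-9][[:space:]]*$
LimitRequestBody set (step 5)|^[[:space:]]*LimitRequestBody[[:space:]]+[1-9]
Directory listing off (step 6)|^[[:space:]]*Options.*-Indexes
Symlink following off (step 6)|^[[:space:]]*Options.*-FollowSymLinks
FileETag None (step 8)|^[[:space:]]*FileETag[[:space:]]+None
Request methods limited (step 9)|<LimitExcept[[:space:]]
TraceEnable Off (not in the tutorial; LimitExcept cannot block TRACE)|^[[:space:]]*TraceEnable[[:space:]]+Off
SSI and CGI off (step 10)|^[[:space:]]*Options.*-Includes.*-ExecCGI
X-Frame-Options header (step 12)|^[[:space:]]*Header.*X-Frame-Options
X-XSS-Protection header (step 12)|^[[:space:]]*Header.*X-XSS-Protection
EOF
}

# Number of failed checks, usable as a pass/fail gate in scripts.
count_missing() {
    audit_apache_conf "$1" | grep -c '^MISSING' || true
}

SAMPLE_ROOT=$(mktemp -d)
trap 'rm -rf "$SAMPLE_ROOT"' EXIT
mkdir -p "$SAMPLE_ROOT/default/conf-enabled" "$SAMPLE_ROOT/hardened/conf-enabled"

# Constructed sample resembling a stock Ubuntu apache2.conf (abridged).
cat > "$SAMPLE_ROOT/default/apache2.conf" <<'EOF'
Timeout 300
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Require all denied
</Directory>
<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
EOF
printf 'ServerTokens OS\nServerSignature On\n' > "$SAMPLE_ROOT/default/conf-enabled/security.conf"

# Constructed sample after applying the tutorial's steps (Apache 2.4 syntax).
cat > "$SAMPLE_ROOT/hardened/apache2.conf" <<'EOF'
Timeout 45
LimitRequestBody 512000
TraceEnable Off
FileETag None
<Directory />
    Options None
    AllowOverride None
    Require all denied
</Directory>
<Directory /var/www/>
    Options -Indexes -FollowSymLinks -Includes -ExecCGI
    AllowOverride None
    Require all granted
    <LimitExcept GET POST HEAD>
        Require all denied
    </LimitExcept>
</Directory>
<IfModule mod_headers.c>
    Header unset ETag
    Header set X-XSS-Protection "1; mode=block"
    Header always set X-Frame-Options SAMEORIGIN
</IfModule>
EOF
printf 'ServerTokens Prod\nServerSignature Off\n' > "$SAMPLE_ROOT/hardened/conf-enabled/security.conf"

# Report on the tree given on the command line, or on the constructed samples.
if [ -n "$1" ]; then
    audit_apache_conf "$1"
else
    echo "== default sample =="; audit_apache_conf "$SAMPLE_ROOT/default"
    echo "== hardened sample =="; audit_apache_conf "$SAMPLE_ROOT/hardened"
fi
```

The checks are deliberately textual: they confirm a directive is present somewhere in the tree, not that it applies to the right Directory or virtual host, so treat a clean report as a prompt to review the merged configuration (apache2ctl -S and apachectl -t) rather than as proof.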

13. Visit log files regularly

$ sudo cat /var/log/apache2/error.log
$ sudo cat /var/log/apache2/access.log

Regularly reviewing the log files gives insight into the nature of the traffic and into errors and warning messages; it is highly recommended to fix all warnings and errors, and a burst of denied requests from one client is usually a scan worth investigating.
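Reading raw access logs with cat does not scale, so here is an added example (not part of the original tutorial) of a small triage script for the combined log format: it counts requests using methods outside the GET/POST/HEAD set allowed in step 9, computes the share of 4xx responses, names the client with the most 4xx responses, and lists the distinct paths that were denied with 403, which shows what the hardening is actually blocking. The eight log lines it writes to a temporary file are constructed for the example, using documentation IP ranges; pass a real log path as the first argument to run it on a server.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: quick triage of an Apache
# access log (combined format) to see what a hardened server is rejecting.
# Run as:  sh logcheck.sh /var/log/apache2/access.log
# Without an argument it uses the constructed sample lines written below.

# Number of requests whose method is outside the GET/POST/HEAD set from step 9.
# Field 6 is the opening quote plus the method, so strip the first character.
unexpected_methods() {
    awk '{ m = substr($6, 2); if (m != "GET" && m != "POST" && m != "HEAD") n++ }
         END { print n + 0 }' "$1"
}

# Percentage of requests answered with a 4xx status (integer, truncated).
client_error_pct() {
    awk '$9 ~ /^4[0-9][0-9]$/ { e++ }
         END { printf "%d\n", (NR ? 100 * e / NR : 0) }' "$1"
}

# Client address with the most 4xx responses; a scanner usually stands out.
top_error_client() {
    awk 'BEGIN { best = 0 }
         $9 ~ /^4[0-9][0-9]$/ { c[$1]++ }
         END {
             for (ip in c) if (c[ip] > best) { best = c[ip]; top = ip }
             print top
         }' "$1"
}

# Distinct request paths that were denied (403): what the hardening blocked.
denied_paths() {
    awk '$9 == 403 { print $7 }' "$1" | sort -u
}

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
# Constructed sample entries in combined log format (not real traffic).
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.10 - - [14/Jan/2017:17:45:23 +0000] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Jan/2017:17:45:24 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Jan/2017:17:46:01 +0000] "OPTIONS / HTTP/1.1" 403 199 "-" "curl/7.47.0"
198.51.100.7 - - [14/Jan/2017:17:46:02 +0000] "PUT /upload.php HTTP/1.1" 403 199 "-" "curl/7.47.0"
198.51.100.7 - - [14/Jan/2017:17:46:03 +0000] "GET /.htaccess HTTP/1.1" 403 199 "-" "curl/7.47.0"
198.51.100.7 - - [14/Jan/2017:17:46:04 +0000] "GET /cgi-bin/test-cgi HTTP/1.1" 403 199 "-" "curl/7.47.0"
192.0.2.55 - - [14/Jan/2017:17:47:10 +0000] "GET /images/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.0.2.55 - - [14/Jan/2017:17:47:11 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF

LOG=${1:-$SAMPLE_LOG}
echo "requests with unexpected methods: $(unexpected_methods "$LOG")"
echo "4xx share of requests:            $(client_error_pct "$LOG")%"
echo "client with most 4xx responses:   $(top_error_client "$LOG")"
echo "paths denied with 403:"
denied_paths "$LOG" | sed 's/^/  /'
```

On the sample data the OPTIONS and PUT requests and the /.htaccess, /cgi-bin/ and /images/ listing attempts all show up as 403s, which is exactly what steps 6, 9, 10 and 11 are meant to produce; on a real server the same figures, taken daily, make a change in traffic easy to notice.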

Lastly, it is highly recommended to keep the configuration as simple as possible. If you know what you are doing, you can delete unnecessary comments and lines from the configuration files, since a simple configuration file is more readable and easier to understand during troubleshooting.


