Secure Apache 1.3

General Information

Apache is the most popular web server in use today. But, not everybody that sets up their Apache server takes the necessary steps to secure it properly from intruders. This guide will show you some good security changes to make to your Apache installation.

Requirements

  1. Local root access on the box or be able to su to root.
  2. A SSH client that supports ANSI colors such as puTTy or SecureCRT (if you aren’t on the box).
  3. Your favorite text editor (I prefer nano).
  4. Apache already installed.

Configuration

These are a few changes to make to your Apache configuration file. Open httpd.conf in your favorite editor.

# nano -w /usr/local/etc/apache/httpd.conf

It’s a good idea to hide what version of Apache you are running. If you change ServerTokens to Prod then only “Apache” will be returned when polled by netcraft. This limits fingerprinting.

ServerTokens Prod

Another tip to limit fingerprinting is to turn off the server signature on server-generated error pages.

ServerSignature Off

By default, users may have access to the root directory of the server. We should restrict this access in case of any potential attacks. Change your to the following:


    Options None
    AllowOverride None
    Order deny,allow
    Deny from all

It is a good idea to disable TRACE and TRACK methods. These are HTTP methods used to debug web server connections. An attacker can trick legitimate web users to give him their credentials through cross-site-scripting attacks.


        RewriteEngine on
        RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
        RewriteRule .* - [F]

mod_userdir can be convienent by accessing a user’s homepage through http://my.domain.com/~user. But using mod_userdir can pose a security risk because attackers can find out valid system users. It is recommended that you disable the userdir module. There are two methods of disabling mod_userdir.

The first method is to comment out the following lines:

LoadModule userdir_module     libexec/apache/mod_userdir.so

AddModule mod_userdir.c

The second method is to disable it through IfModule.


    UserDir disabled
    UserDir public_html

Note: If you must allow some users to have UserDir directories, use the following:

    UserDir disabled
    UserDir enabled user1 user2
    UserDir public_html

Make sure /server-status is disable so people cannot see your current Apache status. It is disabled by default.

#
#    SetHandler server-status
#    Order deny,allow
#    Deny from all
#    Allow from .example.com
#

Make sure /server-info is disabled so people cannot see your current Apache configuration. It is disabled by default.

#
#    SetHandler server-info  
#    Order deny,allow
#    Deny from all
#    Allow from .example.com
#

Now your Apache installation is all the more secure. Happy web serving!

Speak Your Mind

*