Hardening guide for Apache

From:
ServerSignature On
To:
ServerSignature Off
HostnameLookups Off

From:
# ServerTokens
To:
ServerTokens Prod

From:
ServerAdmin you@yourhost.com
To:
ServerAdmin webmaster@yourcompany.com

From:
LogLevel warn
To:
LogLevel notice

From:
IndexOptions FancyIndexing VersionSort
To:
# IndexOptions FancyIndexing VersionSort

From:
AddIcon
To:
# AddIcon

From:
DefaultIcon /icons/unknown.gif
To:
# DefaultIcon /icons/unknown.gif

From:
Alias /icons/ "/var/apache2/icons/"
To:
# Alias /icons/ "/var/apache2/icons/"

From:
AliasMatch
To:
# AliasMatch

From:
ScriptAlias
To:
# ScriptAlias

From:
LoadModule proxy_ftp_module libexec/mod_proxy_ftp.so
To:
# LoadModule proxy_ftp_module libexec/mod_proxy_ftp.so

From:
LoadModule imap_module libexec/mod_imap.so
To:
# LoadModule imap_module libexec/mod_imap.so

From:
LoadModule cgi_module libexec/mod_cgi.so
To:
# LoadModule cgi_module libexec/mod_cgi.so

From:
LoadModule suexec_module libexec/mod_suexec.so
To:
# LoadModule suexec_module libexec/mod_suexec.so

From:
LoadModule autoindex_module libexec/mod_autoindex.so
To:
# LoadModule autoindex_module libexec/mod_autoindex.so

From:
LoadModule info_module libexec/mod_info.so
To:
# LoadModule info_module libexec/mod_info.so

From:
LoadModule status_module libexec/mod_status.so
To:
# LoadModule status_module libexec/mod_status.so

From:
LoadModule userdir_module libexec/mod_userdir.so
To:
# LoadModule userdir_module libexec/mod_userdir.so

From:
LoadModule cern_meta_module modules/mod_cern_meta.so
To:
# LoadModule cern_meta_module modules/mod_cern_meta.so

From:
LoadModule dav_module modules/mod_dav.so
To:
# LoadModule dav_module modules/mod_dav.so

From:
Options FollowSymLinks
AllowOverride None
To:
Options None
AllowOverride None
Order deny,allow
deny from all

From:
<Directory "/var/apache2/htdocs">
To:
<Directory "/www">
deny from all

From:
Options Indexes FollowSymLinks
To:
Options -FollowSymLinks -Includes -Indexes -MultiViews
# Add the following sections to the end of the httpd.conf file:
LimitRequestBody 10000
LimitRequestFields 40
LimitRequestFieldSize 100
LimitRequestLine 500
# Remove the sections below from the file httpd.conf
<Directory “/usr/apache2/manual”>
<Directory “/var/apache2/cgi-bin”>
# Edit the file /usr/apache2/include/ap_release.h (using vi) and change the following strings:
From:
#define AP_SERVER_BASEVENDOR "Apache Software Foundation"
To:
#define AP_SERVER_BASEVENDOR "Restricted server"
From:
#define AP_SERVER_BASEPRODUCT "Apache"
To:
#define AP_SERVER_BASEPRODUCT "Secure Web Server"
# Starting Apache from command line:
/usr/apache2/bin/apachectl start
# Run the command below to start the Apache service at server start-up:
svcadm enable apache2
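The script below is an added example, not part of the original guide: a read-only audit that checks an httpd.conf for the settings changed in the steps above (ServerTokens, ServerSignature, TraceEnable, the LimitRequest* limits, the risky LoadModule lines, and Options lines that still enable Indexes or FollowSymLinks). It only credits effective directives, so a commented-out "# ServerTokens" does not count. The two sample configuration files it writes to temporary paths are constructed for the demonstration; the list of modules it treats as risky is taken from the guide and is an assumption about what your server does not need.

```shell
#!/bin/sh
# Added example (not the guide's own code): audit an httpd.conf for the
# hardening settings described above. Read-only; it never edits the file.

# Constructed sample configs: one "before" and one "after" hardening.
WEAK_CONF="$(mktemp)"
HARD_CONF="$(mktemp)"
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT
cat >"$WEAK_CONF" <<'EOF'
ServerSignature On
# ServerTokens
ServerAdmin you@yourhost.com
LoadModule cgi_module libexec/mod_cgi.so
LoadModule status_module libexec/mod_status.so
<Directory "/var/apache2/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
EOF
cat >"$HARD_CONF" <<'EOF'
ServerSignature Off
ServerTokens Prod
TraceEnable Off
#LoadModule cgi_module libexec/mod_cgi.so
#LoadModule status_module libexec/mod_status.so
LimitRequestBody 10000
LimitRequestFields 40
LimitRequestFieldSize 100
LimitRequestLine 500
<Directory "/www">
    Options -FollowSymLinks -Includes -Indexes -MultiViews
    AllowOverride None
</Directory>
EOF

# effective_directives FILE: the lines Apache actually parses (no comments, no blanks).
effective_directives() {
    sed 's/^[[:space:]]*//' "$1" | grep -vE '^(#|$)'
}

# has_directive FILE NAME VALUE: succeeds if an effective "NAME VALUE" line exists.
has_directive() {
    effective_directives "$1" | grep -iqE "^$2[[:space:]]+$3([[:space:]]|\$)"
}

# audit_httpd_conf FILE: one finding per line; prints nothing for a clean file.
audit_httpd_conf() {
    conf="$1"
    has_directive "$conf" ServerTokens Prod   || echo "ServerTokens is not Prod (version details leak in the Server header)"
    has_directive "$conf" ServerSignature Off || echo "ServerSignature is not Off (version leaks in error pages)"
    has_directive "$conf" TraceEnable Off     || echo "TraceEnable is not Off"
    for d in LimitRequestBody LimitRequestFields LimitRequestFieldSize LimitRequestLine; do
        effective_directives "$conf" | grep -iqE "^$d[[:space:]]+[0-9]+" || echo "$d is not set"
    done
    # Modules the guide comments out (assumption: none of them is needed on this server).
    for m in cgi_module status_module info_module userdir_module dav_module \
             autoindex_module suexec_module proxy_ftp_module imap_module; do
        if effective_directives "$conf" | grep -qE "^LoadModule[[:space:]]+$m[[:space:]]"; then
            echo "risky module loaded: $m"
        fi
    done
    # Options lines that still enable Indexes or FollowSymLinks (a leading "-" disables them).
    effective_directives "$conf" | grep -iE '^Options[[:space:]]' \
        | grep -iE '(^|[[:space:]])[+]?(Indexes|FollowSymLinks)([[:space:]]|$)' \
        | while IFS= read -r line; do
            echo "permissive Options line: $line"
        done
}

# count_findings FILE: number of findings (0 means every check passed).
count_findings() {
    audit_httpd_conf "$1" | grep -c . || true
}

echo "== findings for the unhardened sample ($(count_findings "$WEAK_CONF")) =="
audit_httpd_conf "$WEAK_CONF"
echo "== findings for the hardened sample ($(count_findings "$HARD_CONF")) =="
audit_httpd_conf "$HARD_CONF"
```

Point it at a real file with `audit_httpd_conf /usr/apache2/conf/httpd.conf` (or wherever your httpd.conf lives); a non-zero count is a list of items still to change, and the hardened sample shows what a clean result looks like.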
Security Testing your Apache Configuration with Nikto
Nikto: Scan Apache for Security Holes
"Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3500 potentially dangerous files/CGIs, versions on over 900 servers, and version specific problems on over 250 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired)."
Nikto does require the LibWhisker Perl module, but this is built into the program so it does not need to be installed.
You will want to install the Net::SSLeay Perl module if you want to test SSL.
Install mod_security Apache Intrusion Detection And Prevention Engine
ModSecurity operates embedded in the web server (httpd), acting as a powerful umbrella that shields web applications from attacks.
mod_security configuration files
1. /etc/httpd/conf.d/mod_security.conf – main configuration file for the mod_security Apache module.
2. /etc/httpd/modsecurity.d/ – all other configuration files for the mod_security Apache module.
3. /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf – Configuration contained in this file should be customized for your specific requirements before deployment.
4. /var/log/httpd/modsec_debug.log – Use debug messages for debugging mod_security rules and other problems.
5. /var/log/httpd/modsec_audit.log – All requests that trigger a ModSecurity event (as detected) or a server error are logged ("RelevantOnly") into this file.
cp modsecurity_crs_10_config.conf.example modsecurity_crs_10_config.conf
vi /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf
There are five rules directories:
* activated_rules
* base_rules
* experimental_rules
* optional_rules
* slr_rules
Make sure SecRuleEngine is set to "On" so that the web server is protected from attacks:
SecRuleEngine On
Turn on other required options and policies as per your requirements. Finally, restart httpd:
# service httpd restart
Make sure everything is working:
# tail -f /var/log/httpd/error_log
mod_evasive is an evasive maneuvers module for Apache that provides evasive action in the event of an HTTP DoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and more. mod_evasive presently reports abuse via email and syslog facilities. This guide assumes you already have your LAMP server configured.
Guides for setting up a LAMP stack can be found under our LAMP guides section.
Disable TRACE and TRACK in the main scope of httpd.conf:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
RewriteCond %{REQUEST_METHOD} ^TRACK
RewriteRule .* - [F]
ServerTokens Prod
ServerSignature Off
TraceEnable Off

1.2 ModSecurity
1.3 ModSecurity Core Rules
The Core Rule Set overview covers: performance; quality (regression tests, real traffic testing); generic detection; event information; plug and play; protocol compliance; attack detection.

Installing ModSecurity from source
## For RHEL/CentOS 6.2/6.1/6/5.8 ##
# cd /usr/src
# wget http://www.modsecurity.org/download/modsecurity-apache_2.6.6.tar.gz
# tar xzf modsecurity-apache_2.6.6.tar.gz
# cd modsecurity-apache_2.6.6
# ./configure
# make install
# cp modsecurity.conf-recommended /etc/httpd/conf.d/modsecurity.conf

Installing mod_security from the EPEL package repository
CentOS 6.x 32-bit (x86/i386):
rpm -Uvh http://mirror.overthewire.com.au/pub/epel/6/i386/epel-release-6-7.noarch.rpm
CentOS 6.x 64-bit (x64):
rpm -Uvh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-7.noarch.rpm
CentOS 5.x 32-bit (x86/i386):
rpm -Uvh http://dl.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm
CentOS 5.x 64-bit (x64):
rpm -Uvh http://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
yum install mod_security

Downloading OWASP Mod_Security Core Rule Set
## For RHEL/CentOS 6.2/6.1/6/5.8 ##
# cd /etc/httpd/
# wget http://downloads.sourceforge.net/project/mod-security/modsecurity-crs/0-CURRENT/modsecurity-crs_2.2.5.tar.gz
# tar xzf modsecurity-crs_2.2.5.tar.gz
# mv modsecurity-crs_2.2.5 modsecurity-crs
# cd modsecurity-crs
# cp modsecurity_crs_10_setup.conf.example modsecurity_crs_10_config.conf

CentOS / Redhat (RHEL) / Fedora Linux: disable a module
Under Redhat based Linux distributions you need to modify the *.conf files stored in the /etc/httpd/conf.d/ directory. Apache scans for files with the .conf suffix at start-up. So if the system does not need to use mod_python, rename 'python.conf' to 'python.bak' and restart Apache with the command 'service httpd restart' in order to disable that particular module and save memory.
# cd /etc/httpd/conf.d/
# mv perl.conf no.perl.bak
# /etc/init.d/httpd restart

Enable a module
To re-enable modules, simply rename them to their original names and restart Apache to get back module functionality:
# cd /etc/httpd/conf.d/
# mv no.perl.bak perl.conf
# /etc/init.d/httpd restart

More about the /etc/httpd/conf.d/ directory
This directory holds Apache 2.0 module-specific configuration files; any files in this directory which have the ".conf" extension will be processed as Apache configuration files. Files are processed in alphabetical order, so if using configuration directives which depend on, say, mod_perl being loaded, ensure that these are placed in a filename later in the sort order than "perl.conf".
manual.conf : This configuration file allows the manual to be accessed at http://localhost/manual/
perl.conf : mod_perl incorporates a Perl interpreter into the Apache web server, so that the Apache web server can directly execute Perl code.
php.conf : php5 module for php
proxy_ajp.conf : When loaded, the mod_proxy_ajp module adds support for proxying to an AJP/1.3 backend server such as Tomcat.
python.conf : mod_python is a module that embeds the Python language interpreter within the server, allowing Apache handlers to be written in Python.
squid.conf : Access to squid cache manager
ssl.conf : Apache SSL server configuration
webalizer.conf : Webalizer stats configuration
welcome.conf : This configuration file enables the default "Welcome" page if there is no default index page present for the root URL.
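As an added example (not part of the original guide), the following script wraps the rename convention above ("perl.conf" to "no.perl.bak" and back) in small functions that take the conf.d directory as a parameter, and lists which snippets Apache would load in the alphabetical order it processes them. It is demonstrated on a constructed temporary directory whose file names mirror the stock layout listed above, not on the real /etc/httpd/conf.d/; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not the guide's own code): enable/disable /etc/httpd/conf.d
# snippets by renaming, following the "NAME.conf" <-> "no.NAME.bak" convention.

# Constructed sample conf.d directory (assumption: stock RHEL-style file names).
CONFD="$(mktemp -d)"
trap 'rm -rf "$CONFD"' EXIT
for f in manual perl php python ssl welcome; do
    printf '# %s module snippet\n' "$f" >"$CONFD/$f.conf"
done

# active_confs DIR: snippet names (without .conf) that Apache would load,
# in the same alphabetical order Apache uses for conf.d.
active_confs() {
    for path in "$1"/*.conf; do
        [ -e "$path" ] || continue
        name="${path##*/}"
        printf '%s\n' "${name%.conf}"
    done
}

# disable_conf DIR NAME: rename NAME.conf to no.NAME.bak so it is skipped;
# fails if the snippet is absent or already disabled.
disable_conf() {
    if [ ! -f "$1/$2.conf" ]; then
        echo "no such snippet: $2.conf" >&2
        return 1
    fi
    mv "$1/$2.conf" "$1/no.$2.bak"
}

# enable_conf DIR NAME: the reverse operation.
enable_conf() {
    if [ ! -f "$1/no.$2.bak" ]; then
        echo "snippet is not disabled: no.$2.bak" >&2
        return 1
    fi
    mv "$1/no.$2.bak" "$1/$2.conf"
}

# is_active DIR NAME: succeeds if NAME.conf would be loaded.
is_active() {
    active_confs "$1" | grep -qx "$2"
}

echo "active before: $(active_confs "$CONFD" | tr '\n' ' ')"
disable_conf "$CONFD" python
disable_conf "$CONFD" manual
echo "active after disabling python and manual: $(active_confs "$CONFD" | tr '\n' ' ')"
# A restart (service httpd restart) is still needed for Apache to pick up the change.
```

Against a live system you would call `disable_conf /etc/httpd/conf.d manual` and then restart httpd; `active_confs /etc/httpd/conf.d` afterwards shows exactly which snippets remain in play, which is a quick way to confirm that the manual, status or scripting-language modules you meant to drop are really gone.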
Additional Apache module packages:
mod_dav_svn mod_perl-devel mod_auth_kerb mod_nss mod_auth_mysql mod_auth_pgsql mod_authz_ldap mod_dnssd mod_revocator mod_wsgi

List the effective (non-comment) lines of httpd.conf:
grep -v '\#' /etc/httpd/conf/httpd.conf

yum install httpd-devel mod_security mod_ssl php

Module list from httpd.conf (commented-out LoadModule lines are disabled):
#LoadModule ldap_module modules/mod_ldap.so
#LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
#LoadModule logio_module modules/mod_logio.so
#LoadModule env_module modules/mod_env.so
#LoadModule ext_filter_module modules/mod_ext_filter.so
#LoadModule mime_magic_module modules/mod_mime_magic.so
#LoadModule dav_module modules/mod_dav.so
#LoadModule info_module modules/mod_info.so
#LoadModule dav_fs_module modules/mod_dav_fs.so
#LoadModule speling_module modules/mod_speling.so
#LoadModule userdir_module modules/mod_userdir.so
#LoadModule substitute_module modules/mod_substitute.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
#LoadModule cache_module modules/mod_cache.so
#LoadModule disk_cache_module modules/mod_disk_cache.so
#LoadModule cgi_module modules/mod_cgi.so
#LoadModule version_module modules/mod_version.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_alias_module modules/mod_authn_alias.so
LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule include_module modules/mod_include.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule expires_module modules/mod_expires.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule headers_module modules/mod_headers.so
LoadModule usertrack_module modules/mod_usertrack.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule mime_module modules/mod_mime.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so

Sources:
http://www.thegeekstuff.com/2011/03/apache-hardening/
http://hackathology.blogspot.sg/2007/11/basics-of-modsecurity.html
http://www.tecmint.com/protect-apache-using-mod_security-and-mod_evasive-on-rhel-centos-fedora/

Here's what I've added to tune the Linux TCP stack in /etc/sysctl.conf:
net.ipv4.tcp_abort_on_overflow = 1
net.ipv4.tcp_fin_timeout = 15
net.ipv4.tcp_low_latency = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 3
net.ipv4.tcp_sack = 0
net.ipv4.ip_conntrack_max = 65535
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_keepalive_probes = 4
net.ipv4.tcp_keepalive_time = 1800