March 2024
M T W T F S S
 123
45678910
11121314151617
18192021222324
25262728293031

Categories

March 2024
M T W T F S S
 123
45678910
11121314151617
18192021222324
25262728293031

Harden the Apache Web Server on CentOS 7

Harden the Apache Web Server on CentOS 7

[root@clusterserver1 conf]# yum install httpd
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirror.vodien.com
* epel: mirrors.hustunique.com
* extras: mirror.vodien.com
* updates: mirror.vodien.com
Resolving Dependencies
–> Running transaction check
—> Package httpd.x86_64 0:2.4.6-40.el7.centos will be installed
–> Finished Dependency Resolution

Dependencies Resolved

==========================================================================================================================
Package                  Arch                      Version                                 Repository               Size
==========================================================================================================================
Installing:
httpd                    x86_64                    2.4.6-40.el7.centos                     base                    2.7 M

Transaction Summary
==========================================================================================================================
Install  1 Package

Total download size: 2.7 M
Installed size: 9.4 M
Is this ok [y/d/N]: y
Downloading packages:
httpd-2.4.6-40.el7.centos.x86_64.rpm                                                               | 2.7 MB  00:00:01
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : httpd-2.4.6-40.el7.centos.x86_64                                                                       1/1
Verifying  : httpd-2.4.6-40.el7.centos.x86_64                                                                       1/1

Installed:
httpd.x86_64 0:2.4.6-40.el7.centos

Complete!

Hide the Apache version

Visit your web server in Firefox. Activate Firebug by clicking the Firebug icon on the top right side.

If you check the HTTP response headers in Firebug, it will show the Apache version along with your operating system name and version, as shown in this screenshot:

[root@clusterserver1 test]# curl -I http://localhost/tetete
HTTP/1.1 404 Not Found
Date: Sun, 03 Jan 2016 17:20:18 GMT
Server: Apache/2.4.6 (CentOS)
Content-Type: text/html; charset=iso-8859-1

echo “Change Apache Security”

sed -i “s/^ServerTokens OS$/ServerTokens Prod/” /etc/httpd/conf/httpd.conf
sed -i “s/^ServerSignature On$/ServerSignature Off/” /etc/httpd/conf/httpd.conf

echo “ServerTokens Prod”  >> /etc/httpd/conf/httpd.conf
echo “ServerSignature Off”  >> /etc/httpd/conf/httpd.conf
echo “UseCanonicalName On” >> /etc/httpd/conf/httpd.conf
echo “TraceEnable Off” >> /etc/httpd/conf/httpd.conf

systemctl restart httpd

cat /etc/httpd/conf/httpd.conf | egrep ‘ServerTokens|ServerSignature’

[root@clusterserver1 test]# curl -I http://localhost/tetete
HTTP/1.1 404 Not Found
Date: Sun, 03 Jan 2016 17:22:35 GMT
Server: Apache
Content-Type: text/html; charset=iso-8859-1

[root@clusterserver1 test]#

Turn off directory listing

Directory listing in the absence of an index file is enabled by default in Apache.

Directory listing displays all the files from the Apache web root directory. If this is enabled,
then a hacker can easily view any file, analyze it, and obtain sensitive information about an application of your Apache server.

turn off this setting by using the Options directive in the Apache configuration file for a specific web directory.
vi /etc/httpd/conf/httpd.conf

Find the section that begins with Directory /var/www/html and add -Indexes in the Options directive:
<Directory /var/www/html/>
Options -Indexes
AllowOverride None
Require all granted
</Directory>

Save the file and restart Apache service to reflect these changes.
systemctl restart httpd

Disable Apache directory indexes

sed -i \
-e ‘s~^IndexOptions \(.*\)$~#IndexOptions \1~g’ \
-e ‘s~^IndexIgnore \(.*\)$~#IndexIgnore \1~g’ \
-e ‘s~^AddIconByEncoding \(.*\)$~#AddIconByEncoding \1~g’ \
-e ‘s~^AddIconByType \(.*\)$~#AddIconByType \1~g’ \
-e ‘s~^AddIcon \(.*\)$~#AddIcon \1~g’ \
-e ‘s~^DefaultIcon \(.*\)$~#DefaultIcon \1~g’ \
-e ‘s~^ReadmeName \(.*\)$~#ReadmeName \1~g’ \
-e ‘s~^HeaderName \(.*\)$~#HeaderName \1~g’ \
/etc/httpd/conf/httpd.conf

Disable unnecessary modules

By default Apache comes with lots of unnecessary installed modules. It is a good policy to disable any unnecessary modules that are not in use.

You can list all enabled modules on your server using the following command

/etc/httpd/conf.modules.d

mv 00-dav.conf 00-dav.conf.bk

mv 00-lua.conf 00-lua.conf.bk

systemctl restart httpd

sed -i \
-e ‘s~^LanguagePriority \(.*\)$~#LanguagePriority \1~g’ \
-e ‘s~^ForceLanguagePriority \(.*\)$~#ForceLanguagePriority \1~g’ \
-e ‘s~^AddLanguage \(.*\)$~#AddLanguage \1~g’ \
/etc/httpd/conf/httpd.conf

sed -i \
-e ‘s~^\(LoadModule .*\)$~#\1~g’ \
-e ‘s~^#LoadModule mime_module ~LoadModule mime_module ~g’ \
-e ‘s~^#LoadModule log_config_module ~LoadModule log_config_module ~g’ \
-e ‘s~^#LoadModule setenvif_module ~LoadModule setenvif_module ~g’ \
-e ‘s~^#LoadModule status_module ~LoadModule status_module ~g’ \
-e ‘s~^#LoadModule authz_host_module ~LoadModule authz_host_module ~g’ \
-e ‘s~^#LoadModule dir_module ~LoadModule dir_module ~g’ \
-e ‘s~^#LoadModule alias_module ~LoadModule alias_module ~g’ \
-e ‘s~^#LoadModule expires_module ~LoadModule expires_module ~g’ \
-e ‘s~^#LoadModule deflate_module ~LoadModule deflate_module ~g’ \
-e ‘s~^#LoadModule headers_module ~LoadModule headers_module ~g’ \
-e ‘s~^#LoadModule alias_module ~LoadModule alias_module ~g’ \
/etc/httpd/conf.modules.d/00-base.conf

Disable Apache language based content negotiation

# sed -i \
-e ‘s~^LanguagePriority \(.*\)$~#LanguagePriority \1~g’ \
-e ‘s~^ForceLanguagePriority \(.*\)$~#ForceLanguagePriority \1~g’ \
-e ‘s~^AddLanguage \(.*\)$~#AddLanguage \1~g’ \
/etc/httpd/conf/httpd.conf

Turn off server-side includes (SSI) and CGI execution

Server-side includes (SSI) are directives present on Web applications that are placed in HTML pages. An SSI attack allows a web application to be exploited by remotely executing arbitrary codes. The attacker can access sensitive information like password files, and execute shell commands. It is recommended that you disable server side includes and CGI execution if they are not needed.

To do this, edit the main Apache config file:

/etc/httpd/conf/httpd.conf</code></pre>

Find the section that begins with Directory /var/www/html, Add -ExecCGI and -Includes in option directive:
<Directory /var/www/html/>
Options -Indexes -FollowSymLinks -ExecCGI -Includes
AllowOverride None
Require all granted
</Directory>

nano /etc/httpd/conf/httpd.conf

Add the following line:
<Directory /var/www/html/www.vhost1.com/>
Options -Includes -ExecCGI
</Directory>

Save the file and restart Apache.

Limit request size

By default Apache has no limit on the size of the HTTP request. This can allow hackers to send large number of data.

You can limit the requests size by using the Apache directive LimitRequestBody in combination with the Directory tag. This can help protect your web server from a denial of service (DOS) attack.

Suppose you have a site (www.example.com), where you allow uploads, and you want to limit the upload size on this site.

You can set value from 0 (unlimited) to 2147483647 (2GB) in the main Apache config file.

For example, to limit the request size for the /var/www/html/www.example.com directory to 200K:

/etc/httpd/conf/httpd.conf

Add the following line:
<Directory /var/www/html/www.example.com>
LimitRequestBody 204800
</Directory>

Disallow browsing outside the document root

Unless you have a specific need, it is recommended to restrict Apache to being only able to access the document root.

You can secure the root directory / with Allow and Deny options in the httpd.conf file.

/etc/httpd/conf/httpd.conf

Add/edit the following line:
<Directory />
Options None
Order deny,allow
Deny from all
</Directory>

Save the file and restart Apache:
sudo apachectl restart

•Options None : This will turn off all options
•Order deny,allow : The order in which the allow and deny commands are applied
•Deny from all : This will deny request from all to the root directory

Secure Apache from clickjacking attacks

Clickjacking, also known as “User Interface redress attack,” is a malicious technique to collect an infected user’s clicks. Clickjacking tricks the victim (visitor) into clicking on an infected site.

To avoid this, you need to use X-FRAME-OPTIONS to prevent your website from being used by clickjackers.

You can do this by editing the httpd.conf file:
sudo nano /etc/httpd/conf/httpd.conf

Add the following line:
Header append X-FRAME-OPTIONS “SAMEORIGIN”

Disable ETag

ETags (entity tags) are a well-known point of vulnerability in Apache web server.
ETag is an HTTP response header that allows remote users to obtain sensitive information like inode number, child process ids, and multipart MIME boundary. ETag is enabled in Apache by default.

To prevent this vulnerability, disabling ETag is recommended.

You can do this by editing httpd.conf file:

/etc/httpd/conf/httpd.conf

Add the following line:
FileETag None

HTTP request methods

Apache support the OPTIONS, GET, HEAD, POST, CONNECT, PUT, DELETE, and TRACE method in HTTP 1.1 protocol.
Some of these may not be required, and may pose a potential security risk. It is a good idea to only enable HEAD, POST, and GET for web applications.

You can do this by editing the httpd.conf file:

/etc/httpd/conf/httpd.conf

Find the section that begins with Directory /var/www/html. Add the following lines under this section:
<LimitExcept GET POST HEAD>
deny from all
</LimitExcept>

Save the file and restart Apache:

Secure Apache from XSS attacks

Cross-site scripting (XSS) is one of the most common application-layer vulnerabilities in Apache server. XSS enables attackers to inject client-side script into web pages viewed by other users. Enabling XSS protection is recommended.

You can do this by editing the httpd.conf file:

/etc/httpd/conf/httpd.conf

Add the following line:
<IfModule mod_headers.c>
Header set X-XSS-Protection “1; mode=block”
</IfModule>

HTTP request methods

Apache support the OPTIONS, GET, HEAD, POST, CONNECT, PUT, DELETE, and TRACE method in HTTP 1.1 protocol. Some of these may not be required, and may pose a potential security risk. It is a good idea to only enable HEAD, POST, and GET for web applications.

You can do this by editing the httpd.conf file:
sudo nano /etc/httpd/conf/httpd.conf

Find the section that begins with Directory /var/www/html. Add the following lines under this section:
<LimitExcept GET POST HEAD>
deny from all
</LimitExcept>

Save the file and restart Apache:

sudo apachectl restart

Secure Apache from XSS attacks

Cross-site scripting (XSS) is one of the most common application-layer vulnerabilities in Apache server. XSS enables attackers to inject client-side script into web pages viewed by other users. Enabling XSS protection is recommended.

You can do this by editing the httpd.conf file:

/etc/httpd/conf/httpd.conf

Add the following line:
<IfModule mod_headers.c>
Header set X-XSS-Protection “1; mode=block”
</IfModule>

Leave a Reply

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>