{"id":113,"date":"2012-06-11T02:48:05","date_gmt":"2012-06-11T02:48:05","guid":{"rendered":"http:\/\/rmohan.com\/?p=113"},"modified":"2012-09-07T10:32:40","modified_gmt":"2012-09-07T02:32:40","slug":"hardening-guide-for-apache","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=113","title":{"rendered":"Hardening guide for Apache"},"content":{"rendered":"

Hardening guide for Apache <\/strong><\/p>\n

From:
ServerSignature OnTo:
ServerSignature Off
HostnameLookups Off<\/p>\n

From:
# ServerTokensTo:
ServerTokens Prod<\/p>\n

From:
ServerAdmin you@yourhost.comTo:
ServerAdmin webmaster@yourcompany.com<\/p>\n

From:
LogLevel warnTo:
LogLevel notice<\/p>\n

From:
IndexOptions FancyIndexing VersionSortTo:
# IndexOptions FancyIndexing VersionSort
#<\/p>\n

To:
# AddIcon<\/p>\n

From:
DefaultIcon \/icons\/unknown.gifTo:
# DefaultIcon \/icons\/unknown.gif<\/p>\n

From:
Alias \/icons\/ “\/var\/apache2\/icons\/”To:
# Alias \/icons\/ “\/var\/apache2\/icons\/”<\/p>\n

From:
AliasMatchTo:
# AliasMatch<\/p>\n

From:
ScriptAliasTo:
# ScriptAlias<\/p>\n

From:
LoadModule proxy_ftp_module libexec\/mod_proxy_ftp.soTo:
# LoadModule proxy_ftp_module libexec\/mod_proxy_ftp.so<\/p>\n

From
LoadModule imap_module libexec\/mod_imap.soTo:
# LoadModule imap_module libexec\/mod_imap.so<\/p>\n

From:
LoadModule cgi_module libexec\/mod_cgi.soTo:
# LoadModule cgi_module libexec\/mod_cgi.so<\/p>\n

From:
LoadModule suexec_module libexec\/mod_suexec.soTo:
# LoadModule suexec_module libexec\/mod_suexec.so<\/p>\n

From:
LoadModule autoindex_module libexec\/mod_autoindex.soTo:
# LoadModule autoindex_module libexec\/mod_autoindex.so<\/p>\n

From:
LoadModule info_module libexec\/mod_info.soTo:
# LoadModule info_module libexec\/mod_info.so<\/p>\n

From:
LoadModule status_module libexec\/mod_status.soTo:
# LoadModule status_module libexec\/mod_status.so<\/p>\n

From:
LoadModule status_module libexec\/mod_status.soTo:
# LoadModule status_module libexec\/mod_status.so<\/p>\n

From:
LoadModule userdir_module libexec\/mod_userdir.soTo:
# LoadModule userdir_module libexec\/mod_userdir.so<\/p>\n

From:
LoadModule cern_meta_module modules\/mod_cern_meta.soTo:
# LoadModule cern_meta_module modules\/mod_cern_meta.so<\/p>\n

From:
LoadModule dav_module modules\/mod_dav.soTo:
# LoadModule dav_module modules\/mod_dav.so<\/p>\n

From:<\/p>\n

Options FollowSymLinks
AllowOverride None<\/p>\n

To:<\/p>\n

Options None
AllowOverride None
Order deny,allow
deny from all<\/p>\n

From:
<Directory “\/var\/apache2\/htdocs”>To:
<Directory “\/www”><\/p>\n

deny from all<\/p>\n

From:
Options Indexes FollowSymLinksTo:
Options -FollowSymLinks -Includes -Indexes -MultiViews
# Add the following sections to the end of the httpd.conf file:
LimitRequestBody 10000
LimitRequestFields 40
LimitRequestFieldSize 100
LimitRequestLine 500
# Remove the sections bellow from the file httpd.conf
<Directory “\/usr\/apache2\/manual”>
<Directory “\/var\/apache2\/cgi-bin”>
# Edit using VI the file \/usr\/apache2\/include\/ap_release.h and change the following strings:
From:
#define AP_SERVER_BASEVENDOR “Apache Software Foundation”To:
#define AP_SERVER_BASEVENDOR “Restricted server”
From:
#define AP_SERVER_BASEPRODUCT “Apache”To:
#define AP_SERVER_BASEPRODUCT “Secure Web Server”
# Starting Apache from command line:
\/usr\/apache2\/bin\/apachectl start
# Run the command bellow to start the Apache service at server start-up:
svcadm enable apache2<\/p>\n

\n

Security Testing your Apache Configuration with Nikto<\/p>\n<\/blockquote>\n

Nikto: Scan Apache for Security Holes<\/strong><\/p>\n

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items,
including over 3500 potentially dangerous files\/CGIs,
versions on over 900 servers, and version specific problems on over 250 servers. Scan items and plugins are frequently updated and
can be automatically updated (if desired).\u201d<\/p>\n

Nikto does require the LibWhisker Perl module, but this is built into the program so it does not need to be installed.
You will want to install the Net::SSLeay Perl module if you want to test SSL.<\/p>\n


Install mod_security Apache Intrusion Detection And Prevention Engine<\/strong><\/p>\n

ModSecurity operates embedded into the web server (httpd), acting as a powerful umbrella – shielding web applications from attacks<\/p>\n

mod_security configuration files<\/p>\n

1. \/etc\/httpd\/conf.d\/mod_security.conf – main configuration file for the mod_security Apache module.
2. \/etc\/httpd\/modsecurity.d\/ – all other configuration files for the mod_security Apache.
3. \/etc\/httpd\/modsecurity.d\/modsecurity_crs_10_config.conf – Configuration contained in this file should be customized for your specific requirements before deployment.
4. \/var\/log\/httpd\/modsec_debug.log – Use debug messages for debugging mod_security rules and other problems.
5. \/var\/log\/httpd\/modsec_audit.log – All requests that trigger a ModSecurity events (as detected) or a serer error are logged (“RelevantOnly”) are logged into this file.<\/p>\n

cp modsecurity_crs_10_config.conf.example modsecurity_crs_10_config.conf<\/p>\n

vi \/etc\/httpd\/modsecurity.d\/modsecurity_crs_10_config.conf<\/p>\n

There are five rules directories:<\/p>\n

* activated_rules
* base_rules
* experimental_rules
* optional_rules
* slr_rules<\/p>\n

Make sure SecRuleEngine set to “On” to protect webserver for the attacks:<\/p>\n

SecRuleEngine On<\/p>\n

Turn on other required options and policies as per your requirements. Finally, restart httpd:
# service httpd restart
Make sure everything is working:
# tail -f \/var\/log\/httpd\/error_log<\/p>\n

mod_evasive is an evasive maneuvers module for Apache that provides evasive action in the event of an HTTP DoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and more. mod_evasive presently reports abuse via email and syslog facilities. This guide assumes you already have your LAMP server configured.
Guides for setting up a LMAP stack can be found under our LAMP guides section.<\/p>\n

disable TRACE and TRACK in the main scope of httpd.conf<\/strong><\/p>\n

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* – [F]
RewriteCond %{REQUEST_METHOD} ^TRACK
RewriteRule .* – [F]<\/p>\n

ServerTokens Prod\r\nServerSignature Off\r\nTraceEnable Off\r\n\r\n\r\n\r\n1.2 ModSecurity\r\n\r\n1.3 ModSecurity Core Rules Overview\r\n\r\nPerformance\r\nQuality\r\nRegression tests\r\nReal traffic testing\r\nGeneric Detection\r\nEvent Information\r\nPlug and Play\r\nProtocol compliance:\r\nAttack Detection:\r\n\r\n## For RHEL\/CentOS 6.2\/6.1\/6\/5.8 ##\r\n# cd \/usr\/src\r\n# wget http:\/\/www.modsecurity.org\/download\/modsecurity-apache_2.6.6.tar.gz\r\n# tar xzf modsecurity-apache_2.6.6.tar.gz\r\n# cd modsecurity-apache_2.6.6\r\n# .\/configure\r\n# make install\r\n# cp modsecurity.conf-recommended \/etc\/httpd\/conf.d\/modsecurity.conf\r\n\r\nCentOS 6.x 32-bit (x86\/i386):\r\n\r\nrpm -Uvh http:\/\/mirror.overthewire.com.au\/pub\/epel\/6\/i386\/epel-release-6-7.noarch.rpm\r\n\r\nCentOS 6.x 64-bit (x64):\r\n\r\nrpm -Uvh http:\/\/download.fedoraproject.org\/pub\/epel\/6\/x86_64\/epel-release-6-7.noarch.rpm\r\n\r\nCentOS 5.x 32-bit (x86\/i386):\r\n\r\nrpm -Uvh http:\/\/dl.fedoraproject.org\/pub\/epel\/5\/i386\/epel-release-5-4.noarch.rpm\r\n\r\nCentOS 5.x 64-bit (x64):\r\n\r\nrpm -Uvh http:\/\/dl.fedoraproject.org\/pub\/epel\/5\/x86_64\/epel-release-5-4.noarch.rpm\r\n\r\n\r\nyum install mod_security\r\n\r\n\r\n\r\n\r\n\r\nDownloading OWASP Mod_Security Core Rule Set\r\n\r\n\r\n## For RHEL\/CentOS 6.2\/6.1\/6\/5.8 ##\r\n# cd \/etc\/httpd\/\r\n# wget http:\/\/downloads.sourceforge.net\/project\/mod-security\/modsecurity-crs\/0-CURRENT\/modsecurity-crs_2.2.5.tar.gz\r\n# tar xzf modsecurity-crs_2.2.5.tar.gz\r\n# mv modsecurity-crs_2.2.5 modsecurity-crs\r\n# cd modsecurity-crs\r\n# cp modsecurity_crs_10_setup.conf.example modsecurity_crs_10_config.conf\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\nCentOS \/ Redhat (RHEL) \/ Fedora Linux disable a module\r\n\r\nUnder Redhat based Linux distributions you need to modify *.conf file stored in \/etc\/httpd\/conf.d\/ directory. Apache scans for files with the .conf suffix at start up.\r\n\r\nSo if the system does not need to use mod_python, rename 'python.conf' to 'python.bak' and restart Apache with the command 'service httpd restart in order to disable that particular module and save memory.\r\n# cd \/etc\/httpd\/conf.d\/\r\n# mv perl.conf no.perl.bak\r\n# \/etc\/init.d\/httpd restart\r\nEnable a module\r\n\r\nTo re-enable modules, simply rename them to their original names and restart Apache to get back module functionality:\r\n# cd \/etc\/httpd\/conf.d\/\r\n# mv no.perl.bak perl.conf\r\n# \/etc\/init.d\/httpd restart\r\n\r\n\r\n\r\nMore about \/etc\/httpd\/conf.d\/ directory\r\n\r\nThis directory holds Apache 2.0 module-specific configuration files; any files in this directory which have the \".conf\" extension will be processed as Apache configuration files. Files are processed in alphabetical order, so if using configuration directives which depend on, say, mod_perl being loaded, ensure that\r\nthese are placed in a filename later in the sort order than \"perl.conf\".\r\n\r\n\u00a0\u00a0\u00a0 manual.conf : This configuration file allows the manual to be accessed at http:\/\/localhost\/manual\/\r\n\u00a0\u00a0\u00a0 perl.conf : mod_perl incorporates a Perl interpreter into the Apache web server, so that the Apache web server can directly execute Perl code.\r\n\u00a0\u00a0\u00a0 php.conf : php5 module for php\r\n\u00a0\u00a0\u00a0 proxy_ajp.conf : When loaded, the mod_proxy_ajp module adds support for proxying to an AJP\/1.3 backend server such as Tomcat.\r\n\u00a0\u00a0\u00a0 python.conf : mod_python is a module that embeds the Python language interpreter within the server, allowing Apache handlers to be written in Python.\r\n\u00a0\u00a0\u00a0 squid.conf : Access to squid cache manager\r\n\u00a0\u00a0\u00a0 ssl.conf : Apache SSL server configuration\r\n\u00a0\u00a0\u00a0 webalizer.conf : Webalizer stats configuration\r\n\u00a0\u00a0\u00a0 welcome.conf : This configuration file enables the default \"Welcome\" page if there is no default index page present for\r\n\u00a0\u00a0\u00a0 the root URL.\r\n\r\n\r\nmod_dav_svn\r\nmod_perl-devel\r\nmod_auth_kerb\r\nmod_nss\r\nmod_auth_kerb\r\nmod_auth_mysql\r\nmod_auth_pgsql\r\nmod_authz_ldap\r\nmod_dnssd\r\nmod_revocator\r\nmod_wsgi\r\n\r\n\r\ngrep -v '\\#' \/etc\/httpd\/conf\/httpd.conf\r\n\r\n\r\nyum install\u00a0 httpd-devel mod_security mod_ssl php\r\n\r\n#LoadModule ldap_module modules\/mod_ldap.so\r\n#LoadModule authnz_ldap_module modules\/mod_authnz_ldap.so\r\n#LoadModule logio_module modules\/mod_logio.so\r\n#LoadModule logio_module modules\/mod_logio.so\r\n#LoadModule env_module modules\/mod_env.so\r\n#LoadModule ext_filter_module modules\/mod_ext_filter.so\r\n#LoadModule mime_magic_module modules\/mod_mime_magic.so\r\n#LoadModule dav_module modules\/mod_dav.so\r\n#LoadModule info_module modules\/mod_info.so\r\n#LoadModule dav_fs_module modules\/mod_dav_fs.so\r\n#LoadModule speling_module modules\/mod_speling.so\r\n#LoadModule userdir_module modules\/mod_userdir.so\r\n#LoadModule substitute_module modules\/mod_substitute.so\r\n#LoadModule proxy_ftp_module modules\/mod_proxy_ftp.so\r\n#LoadModule cache_module modules\/mod_cache.so\r\n#LoadModule disk_cache_module modules\/mod_disk_cache.so\r\n#LoadModule cgi_module modules\/mod_cgi.so\r\n#LoadModule version_module modules\/mod_version.so\r\n\r\n\r\n\r\nLoadModule auth_basic_module modules\/mod_auth_basic.so\r\nLoadModule auth_digest_module modules\/mod_auth_digest.so\r\nLoadModule authn_file_module modules\/mod_authn_file.so\r\nLoadModule authn_alias_module modules\/mod_authn_alias.so\r\nLoadModule authn_anon_module modules\/mod_authn_anon.so\r\nLoadModule authn_dbm_module modules\/mod_authn_dbm.so\r\nLoadModule authn_default_module modules\/mod_authn_default.so\r\nLoadModule authz_host_module modules\/mod_authz_host.so\r\nLoadModule authz_user_module modules\/mod_authz_user.so\r\nLoadModule authz_owner_module modules\/mod_authz_owner.so\r\nLoadModule authz_groupfile_module modules\/mod_authz_groupfile.so\r\nLoadModule authz_dbm_module modules\/mod_authz_dbm.so\r\nLoadModule authz_default_module modules\/mod_authz_default.so\r\nLoadModule include_module modules\/mod_include.so\r\nLoadModule log_config_module modules\/mod_log_config.so\r\nLoadModule expires_module modules\/mod_expires.so\r\nLoadModule deflate_module modules\/mod_deflate.so\r\nLoadModule headers_module modules\/mod_headers.so\r\nLoadModule usertrack_module modules\/mod_usertrack.so\r\nLoadModule setenvif_module modules\/mod_setenvif.so\r\nLoadModule mime_module modules\/mod_mime.so\r\nLoadModule status_module modules\/mod_status.so\r\nLoadModule autoindex_module modules\/mod_autoindex.so\r\nLoadModule vhost_alias_module modules\/mod_vhost_alias.so\r\nLoadModule negotiation_module modules\/mod_negotiation.so\r\nLoadModule dir_module modules\/mod_dir.so\r\nLoadModule actions_module modules\/mod_actions.so\r\nLoadModule alias_module modules\/mod_alias.so\r\nLoadModule rewrite_module modules\/mod_rewrite.so\r\nLoadModule proxy_module modules\/mod_proxy.so\r\nLoadModule proxy_balancer_module modules\/mod_proxy_balancer.so\r\nLoadModule proxy_http_module modules\/mod_proxy_http.so\r\nLoadModule proxy_ajp_module modules\/mod_proxy_ajp.so\r\nLoadModule proxy_connect_module modules\/mod_proxy_connect.so\r\n\r\n\r\n\r\nhttp:\/\/www.thegeekstuff.com\/2011\/03\/apache-hardening\/\r\nhttp:\/\/hackathology.blogspot.sg\/2007\/11\/basics-of-modsecurity.html\r\nhttp:\/\/www.tecmint.com\/protect-apache-using-mod_security-and-mod_evasive-on-rhel-centos-fedora\/\r\n\r\nHere\u2019s what I\u2019ve added to tune the Linux TCP stack in \/etc\/sysctl.conf:\r\n\r\n\r\n\u00a0\u00a0\u00a0 net.ipv4.tcp_abort_on_overflow = 1\r\n\u00a0\u00a0\u00a0 net.ipv4.tcp_fin_timeout = 15\r\n\u00a0\u00a0\u00a0 net.ipv4.tcp_low_latency = 1\r\n\u00a0\u00a0\u00a0 net.ipv4.tcp_syncookies = 1\r\n\u00a0\u00a0\u00a0 net.ipv4.tcp_max_syn_backlog = 2048\r\n\u00a0\u00a0\u00a0 net.ipv4.tcp_synack_retries = 3\r\n\u00a0\u00a0\u00a0 net.ipv4.tcp_sack = 0\r\n\u00a0\u00a0\u00a0 net.ipv4.ip_conntrack_max = 65535\r\n\u00a0\u00a0\u00a0 net.core.rmem_max = 16777216\r\n\u00a0\u00a0\u00a0 net.core.wmem_max = 16777216\r\n\u00a0\u00a0\u00a0 net.ipv4.tcp_rmem = 4096 87380 16777216\r\n\u00a0\u00a0\u00a0 net.ipv4.tcp_wmem = 4096 65536 16777216\r\n\u00a0\u00a0\u00a0 net.ipv4.ip_local_port_range = 1024 65000\r\n\u00a0\u00a0\u00a0 net.ipv4.tcp_keepalive_intvl = 15\r\n\u00a0\u00a0\u00a0 net.ipv4.tcp_keepalive_probes = 4\r\n\u00a0\u00a0\u00a0 net.ipv4.tcp_keepalive_time = 1800<\/pre>\n","protected":false},"excerpt":{"rendered":"
Hardening guide for Apache <\/p>\n
From: ServerSignature OnTo: ServerSignature Off HostnameLookups Off<\/p>\n
From: # ServerTokensTo: ServerTokens Prod<\/p>\n
From: ServerAdmin you@yourhost.comTo: ServerAdmin webmaster@yourcompany.com<\/p>\n
From: LogLevel warnTo: LogLevel notice<\/p>\n
From: IndexOptions FancyIndexing VersionSortTo: # IndexOptions FancyIndexing VersionSort #<\/p>\n
To: # AddIcon<\/p>\n
From: DefaultIcon \/icons\/unknown.gifTo: # DefaultIcon \/icons\/unknown.gif<\/p>\n
From: Alias \/icons\/ “\/var\/apache2\/icons\/”To: # Alias \/icons\/ “\/var\/apache2\/icons\/”<\/p>\n
From: AliasMatchTo: […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[12],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/113"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=113"}],"version-history":[{"count":7,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/113\/revisions"}],"predecessor-version":[{"id":832,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/113\/revisions\/832"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=113"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=113"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=113"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}