Access Security: the Apache web server
The Apache web server has become a very popular choice as the basis of many technical solutions in companies of every kind. Being so widespread, it is naturally a target for people who want to profit from any minor security flaw.
The good news is that the service's configuration file (located at /etc/httpd/conf/httpd.conf) is flexible and offers a range of options that can reduce security problems. The configuration changes below are general recommendations; not every one of them will be appropriate in every deployment.
Before changing any parameter in the configuration file, the most useful step is to bring the Apache version running on your system up to date. Most distributions have system utilities that do this automatically; for more information, check the documentation of the distribution that runs the httpd service.
Once the latest version of Apache is installed, you can make the following changes:
1. Hiding the service identity
The Apache server reveals its version in the pages it generates itself (directory listings, error pages). This gives an attacker a starting point and should be avoided.
To hide the version in the pages mentioned above, use
ServerSignature Off
You can also limit what the web server reports in the Server HTTP response header, by setting
ServerTokens Prod
The response is then limited to “Server: Apache” without any further detail. Editing the application source or using mod_security can modify even this response.
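As an added example (not code from the original post), the following POSIX shell script checks an httpd.conf for the two directives above and reports whether the effective settings still expose version details. It resolves directives the way Apache does: comment lines are ignored, directive names are matched case-insensitively, and when a directive is repeated the last occurrence wins. The two configuration fragments it inspects are constructed inline for the demonstration and are not from any real server.

```shell
#!/bin/sh
# Added example: audit ServerTokens / ServerSignature in an httpd.conf.

# effective_directive FILE NAME
# Prints the value of the last active (non-comment) occurrence of directive NAME.
# Directive names are matched case-insensitively, as Apache does.
effective_directive() {
    awk -v name="$2" '
        $1 ~ /^#/ { next }                           # skip comment lines
        tolower($1) == tolower(name) { value = $2 }  # a later occurrence overrides
        END { if (value != "") print value }
    ' "$1"
}

# identity_exposed FILE
# Returns 0 (true) when the config would still reveal version details,
# i.e. unless ServerTokens is Prod and ServerSignature is Off.
identity_exposed() {
    tokens=$(effective_directive "$1" ServerTokens | tr 'A-Z' 'a-z')
    sig=$(effective_directive "$1" ServerSignature | tr 'A-Z' 'a-z')
    if [ "$tokens" = "prod" ] && [ "$sig" = "off" ]; then
        return 1
    fi
    return 0
}

# write_samples DIR
# Writes two constructed config fragments into DIR: one that only looks
# hardened (the Prod line is commented out) and one that really is.
write_samples() {
    cat > "$1/weak.conf" <<'EOF'
# ServerTokens Prod
ServerTokens OS
ServerSignature On
EOF
    cat > "$1/hardened.conf" <<'EOF'
ServerTokens Full
servertokens Prod
ServerSignature Off
EOF
}

# Stand-alone demonstration on the constructed fragments.
dir=$(mktemp -d)
write_samples "$dir"
for f in weak hardened; do
    if identity_exposed "$dir/$f.conf"; then
        echo "$f.conf: version details still exposed"
    else
        echo "$f.conf: identity hidden"
    fi
done
rm -rf "$dir"
```

Run it against the real file with `identity_exposed /etc/httpd/conf/httpd.conf` after sourcing the script; note that it only reads the main file, so directives pulled in through Include lines are not seen, and the definitive check remains a HEAD request against the running server and a look at its error page.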
2. Serving files from the web root
The files that Apache serves should be kept under a single directory tree, both to keep the structure organized and so that nothing outside it can be served. Apache can be forced to serve files only from a specific directory using:
<Directory />
Order Deny,Allow
Deny from all
Options None
AllowOverride None
</Directory>
<Directory /mywebroot>
Order Allow,Deny
Allow from all
</Directory>
This turns off every “Options” setting and every override server-wide. They must then be added explicitly for each directory that needs such a configuration.
3. Process owner
The Apache configuration should explicitly specify the user and group the server runs as, so that it does not share an account with other critical processes; a successful attack is then limited to that account's permissions. The configuration that implements this restriction is:
User apache
Group apache
4. Directory browsing
Directory listings can be turned off inside a <Directory> block as follows:
Options -Indexes
5. Server side includes (SSI)
If none of the pages the server delivers use server side includes, SSI can be disabled with:
Options -Includes
inside a tag directory.
6. Blocking execution of CGI
Unless CGI is actually used, it should be turned off. This is done explicitly with
Options -ExecCGI
inside a tag directory.
7. Symlinks
Apache can be prevented from following symbolic links with a directive placed inside a <Directory> block:
Options -FollowSymLinks
These options can be applied in several ways: either by turning all of them off at once:
Options None
or by disabling several of them in a single line:
Options -Indexes -ExecCGI
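The <Directory> blocks of section 2 and the Options of sections 4 to 7 are easy to get wrong in a large configuration, because a later block can quietly re-enable what the root block turned off. As an added example that is not part of the original post, this POSIX shell function walks the <Directory> blocks of a configuration file and reports every block whose Options line explicitly enables Indexes, ExecCGI, Includes, FollowSymLinks or All. The sample configuration it reads is constructed inline.

```shell
#!/bin/sh
# Added example: find <Directory> blocks that explicitly enable risky Options.

# risky_directories FILE
# Prints "PATH OPTION" for every <Directory> block in FILE whose Options line
# turns on Indexes, ExecCGI, Includes, FollowSymLinks or All. A token with a
# leading "+" or no sign enables the option; a leading "-" disables it and is
# ignored here. Comment lines are skipped, names are matched case-insensitively.
risky_directories() {
    awk '
        $1 ~ /^#/ { next }
        tolower($1) == "<directory" {
            path = $2; gsub(/[">]/, "", path); inblock = 1; next
        }
        tolower($1) == "</directory>" { inblock = 0; next }
        inblock && tolower($1) == "options" {
            for (i = 2; i <= NF; i++) {
                tok = $i
                if (tok ~ /^-/) continue          # "-Indexes": disabled, fine
                sub(/^\+/, "", tok)               # "+ExecCGI" -> "ExecCGI"
                if (tolower(tok) ~ /^(all|indexes|execcgi|includes|followsymlinks)$/)
                    print path, tok
            }
        }
    ' "$1"
}

# write_sample_conf FILE
# Writes a constructed httpd.conf fragment: a locked-down root block, a web
# root that disables the risky options, a commented-out block that must be
# ignored, and a cgi-bin directory that deliberately re-enables ExecCGI.
write_sample_conf() {
    cat > "$1" <<'EOF'
<Directory />
    Order Deny,Allow
    Deny from all
    Options None
    AllowOverride None
</Directory>
<Directory "/var/www/html">
    Order Allow,Deny
    Allow from all
    Options -Indexes -ExecCGI
</Directory>
# <Directory /tmp>
#     Options All
# </Directory>
<Directory /var/www/cgi-bin>
    Options +ExecCGI -Indexes
</Directory>
EOF
}

# Stand-alone demonstration.
dir=$(mktemp -d)
write_sample_conf "$dir/httpd.conf"
echo "Directories that explicitly enable a risky option:"
risky_directories "$dir/httpd.conf"
rm -rf "$dir"
```

Every line the function prints is a place where the intent of `Options None` in the root block has been overridden; each one should be a deliberate decision, such as the cgi-bin directory above, rather than a leftover from a default configuration.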
8. Disabling .htaccess overrides
Placed inside a <Directory> block, the following prevents per-directory .htaccess files from overriding the server configuration:
AllowOverride None
9. Blocking download of .htaccess files
If .htaccess files are used, prevent them from being served to clients:
<Files ~ "^\.ht">
Order allow,deny
Deny from all
Satisfy all
</Files>
10. Security Module
You can check which modules the configuration file loads by running the command
grep LoadModule httpd.conf
The same LoadModule syntax loads mod_security, which applies filters and other prevention mechanisms against attacks aimed at web applications.
11. Process jail
If mod_security is loaded, you can opt to run the service in a protected environment (a chroot jail), so that a successful attack has a limited impact on the rest of the system. To set up the chroot jail using mod_security, use:
SecChrootDir /chroot/www
12. File access
Restrict the Apache installation tree so that only root can read the configuration and binaries (the original `a-rwx` would also strip the execute bit from the httpd binary itself, which not even root can then run, so only the “other” bits are removed):
chown -R root:root /usr/local/apache
chmod -R o-rwx /usr/local/apache
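To see what the two commands above actually change, here is an added example (not from the original post) that applies the same restriction to a throw-away copy of an Apache tree and verifies with find that nothing under it is still accessible to “other” users. The chown step is left out because it needs root privileges; the directory layout is a constructed miniature of /usr/local/apache.

```shell
#!/bin/sh
# Added example: apply and verify the permission restriction on an Apache tree.

# lock_down_tree DIR
# Removes every permission for "other" users recursively, leaving owner and
# group bits untouched. (chown -R root:root needs root privileges, so it is
# left to be run on the real installation tree.)
lock_down_tree() {
    chmod -R o-rwx "$1"
}

# world_accessible_count DIR
# Counts entries under DIR that still grant read, write or execute to "other".
# Uses the POSIX "-perm -mode" test so it works with both GNU and BSD find.
world_accessible_count() {
    find "$1" \( -perm -o=r -o -perm -o=w -o -perm -o=x \) | wc -l | tr -d ' '
}

# make_sample_tree DIR
# Builds a constructed miniature of /usr/local/apache with typical default
# permissions (755 directories, 755 binary, 644 config file).
make_sample_tree() {
    mkdir -p "$1/bin" "$1/conf"
    : > "$1/bin/httpd"
    : > "$1/conf/httpd.conf"
    chmod 755 "$1" "$1/bin" "$1/conf" "$1/bin/httpd"
    chmod 644 "$1/conf/httpd.conf"
}

# Stand-alone demonstration on a throw-away copy.
dir=$(mktemp -d)
make_sample_tree "$dir"
echo "before: $(world_accessible_count "$dir") world-accessible entries"
lock_down_tree "$dir"
echo "after:  $(world_accessible_count "$dir") world-accessible entries"
rm -rf "$dir"
```

Apply this to the binaries and configuration only. If the DocumentRoot lives under the same tree, the unprivileged worker processes (running as the `apache` user from section 3) would lose read access to the content they have to serve, so that directory keeps its own, separate permissions.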
13. Timeout period
Lowering the timeout helps reduce the effect of a denial of service attack. The default value is 300 seconds, but a smaller value may be chosen:
Timeout 30
14. Simultaneous processes (child)
A maximum number of child processes started to handle concurrent connections can be set. This value limits the impact of a DDoS attack that would otherwise exceed the capacity of the host hardware:
MaxClients <number>
This value should be assigned according to a study of logs and traffic normally supported by the httpd.
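The “study of logs” that should precede choosing MaxClients can be done with a few lines of awk. As an added example that is not part of the original post, the script below reads an access log in the common/combined format, reports the peak number of requests in any single second and the busiest client address, and turns the peak into a rule-of-thumb MaxClients figure using Little's law (concurrency is roughly arrival rate multiplied by service time) with a headroom factor. The sizing rule is an addition here, not a figure from the post, and the log lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: derive a MaxClients starting point from an access log.

# peak_requests_per_second FILE
# Prints the highest number of requests logged within any one second.
# Field 4 of the common/combined log format is "[dd/Mon/yyyy:HH:MM:SS", the
# timestamp at one-second resolution, so counting by it groups per second.
peak_requests_per_second() {
    awk '{ n[$4]++ }
         END { max = 0; for (t in n) if (n[t] > max) max = n[t]; print max }' "$1"
}

# busiest_client FILE
# Prints "IP COUNT" for the client address with the most requests; a single
# address far above the rest is the first thing to look at during a DoS.
busiest_client() {
    awk '{ c[$1]++ }
         END { max = 0; for (ip in c) if (c[ip] > max) { max = c[ip]; who = ip }
               print who, max }' "$1"
}

# suggested_max_clients PEAK_RPS AVG_RESPONSE_MS HEADROOM_FACTOR
# Little's law: concurrent requests ~ rate * service time. The result is
# rounded up and multiplied by a headroom factor; treat it as a starting
# point to compare against the RAM each child process needs.
suggested_max_clients() {
    echo $(( (($1 * $2 + 999) / 1000) * $3 ))
}

# write_sample_log FILE
# Writes constructed combined-format log lines: three requests in the same
# second, two in the next, then one a few seconds later.
write_sample_log() {
    cat > "$1" <<'EOF'
10.0.0.5 - - [12/Mar/2010:10:15:01 +0200] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2010:10:15:01 +0200] "GET /style.css HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2010:10:15:01 +0200] "GET / HTTP/1.1" 200 512 "-" "curl/7.19"
10.0.0.5 - - [12/Mar/2010:10:15:02 +0200] "GET /logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2010:10:15:02 +0200] "GET /index.php HTTP/1.1" 200 512 "-" "curl/7.19"
10.0.0.21 - - [12/Mar/2010:10:15:07 +0200] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
EOF
}

# Stand-alone demonstration.
dir=$(mktemp -d)
write_sample_log "$dir/access.log"
peak=$(peak_requests_per_second "$dir/access.log")
echo "peak requests/second: $peak"
echo "busiest client: $(busiest_client "$dir/access.log")"
echo "MaxClients starting point (400 ms average response, 2x headroom): $(suggested_max_clients "$peak" 400 2)"
rm -rf "$dir"
```

Requests per second is not the same as simultaneous connections, which is what MaxClients bounds; the average response time comes from your own measurements (the `%D` format string of mod_log_config records the time taken to serve a request). Whatever the arithmetic suggests, the ceiling is set by memory: MaxClients multiplied by the resident size of one child process must fit in RAM, or the server will swap long before the limit is reached.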
15. Limiting access
Configuration can allow access only from a certain network:
Order Deny,Allow
Deny from all
Allow from 192.168.10.0/24
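To check which client addresses the three directives above let through before deploying them, here is an added example (not from the original post) that models the rule set in POSIX shell: with `Order Deny,Allow`, the Allow directive overrides the Deny, so exactly the listed network passes and everything else is refused. The address-to-integer conversion and CIDR test are the script's own; the network is the one from the post.

```shell
#!/bin/sh
# Added example: evaluate whether a client address passes an "Allow from" network rule.

# ip_to_int DOTTED_QUAD
# Prints the IPv4 address as a 32-bit integer.
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr IP NETWORK/BITS
# Exit status 0 when IP lies inside NETWORK/BITS. The mask is built with a
# decimal constant (4294967295 = 0xFFFFFFFF) to stay portable across shells.
ip_in_cidr() {
    net=${2%/*}
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# would_be_allowed IP
# Models the rule set from the post:
#   Order Deny,Allow
#   Deny from all
#   Allow from 192.168.10.0/24
# With Deny,Allow ordering the Allow directive wins over the Deny, so the
# request is admitted exactly when the client is inside the allowed network.
ALLOWED_NET="192.168.10.0/24"
would_be_allowed() {
    ip_in_cidr "$1" "$ALLOWED_NET"
}

# Stand-alone demonstration with constructed client addresses.
for ip in 192.168.10.77 192.168.11.5 10.0.0.1; do
    if would_be_allowed "$ip"; then
        echo "$ip: allowed"
    else
        echo "$ip: denied"
    fi
done
```

Two caveats for production use: the address Apache evaluates is the TCP peer, so behind a reverse proxy or load balancer every client appears to come from the proxy and this rule either blocks everyone or lets everyone through; and on Apache 2.4 the Order/Allow/Deny directives are only provided by the compatibility module mod_access_compat, the native equivalent being `Require ip 192.168.10.0/24`.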
For more references on editing httpd.conf you might want to visit http://httpd.apache.org/docs/