Disable directory browser listing

Disable directory listing so that a visitor cannot see which files and folders you have under the document root or any subdirectory. Let's first test how it looks with the default settings. Go to the $Web_Server/htdocs directory, create a folder and a few files inside it:

    cd $Web_Server/htdocs
    mkdir test

Now access Apache at http://localhost/test. As you can see, it reveals every file and folder in that directory, which you certainly do not want to expose.

Implementation

Go to the $Web_Server/conf directory and open httpd.conf. Search for the Directory section and change the Options directive to None or -Indexes:

    <Directory /opt/apache/htdocs>
    Options None
    Order allow,deny
    </Directory>

or

    <Directory /opt/apache/htdocs>
    Options -Indexes
    Order allow,deny
    </Directory>

Options None switches off every option for that directory (including FollowSymLinks), while -Indexes removes only the listing and keeps whatever else is enabled. Note: if you have multiple Directory sections in your environment, you should consider doing the same for all of them.

Verification

Access http://localhost/test again. As you can see, it now returns a 403 Forbidden error instead of listing the contents of the test folder.

ETag

The ETag header allows remote attackers to obtain sensitive information such as the inode number, multipart MIME boundary, and child process through the ETag header. Let's prevent this as shown below. Fixing this is required for PCI compliance.

Implementation

Go to the $Web_Server/conf directory, add the following directive to httpd.conf and save the file:

    FileETag None

Verification

Open Firefox and access your application. Check the HTTP response headers in Firebug; you should not see an ETag header at all.

3. Authorization

3.1 Run Apache from a non-privileged account

The default Apache configuration runs as nobody or daemon. It is good practice to use a separate non-privileged user for Apache. The idea is to protect the other services running on the host in case of a security hole in Apache.

Implementation

Create a user and group called apache:

    groupadd apache
    useradd -G apache apache

Change the ownership of the Apache installation directory to the newly created non-privileged user:

    chown -R apache:apache /opt/apache

Go to $Web_Server/conf and open httpd.conf. Search for the User and Group directives and change them to the non-privileged account:

    User apache
    Group apache

Save httpd.conf and restart Apache.

Verification

grep for the running httpd processes and ensure they run as the apache user:

    ps -ef | grep http

Note: you will see one process still running as root. That is because Apache is listening on port 80, a privileged port: the parent process must start as root to bind it, and it then spawns the worker processes as the apache user. We will talk about how to change the port number later in this course.

3.2 Protect binary and configuration directory permission

By default, the permission on the binary and configuration directories is 755. You can stop other users from getting into the conf and bin folders.

Implementation

Go to the $Web_Server directory and change the permission of the bin and conf folders:

    chmod -R 750 bin conf

Verification

List the permission of the bin and conf folders (ls -ld bin conf) and confirm they now show drwxr-x--- (750).

3.3 System Settings Protection

In a default installation, users can override the Apache configuration using .htaccess files. Set AllowOverride to None as shown below. This must be done at the root level.

Implementation

Go to $Web_Server/conf, open httpd.conf and search for the Directory section at the root level:

    <Directory />
    Options -Indexes
    AllowOverride None
    </Directory>

Save httpd.conf and restart Apache.

3.4 HTTP Request Methods

The HTTP/1.1 protocol supports many request methods, not all of which are required, and some of which carry potential risk. Typically a web application only needs the GET, HEAD and POST request methods, which can be configured in the respective Directory section. The default Apache configuration supports the OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE and CONNECT methods of HTTP/1.1.

Implementation

Go to $Web_Server/conf, open httpd.conf, search for the Directory section and add the following inside it:

    <LimitExcept GET POST HEAD>
    deny from all
    </LimitExcept>

Note: the TRACE method cannot be restricted with Limit or LimitExcept; it is handled separately with TraceEnable, covered in 4.1.1 below. The "deny from all" syntax is the Apache 2.2 form; on Apache 2.4 it needs mod_access_compat, and the native equivalent is "Require all denied".

4. Web Application Security

A misconfigured or unhardened Apache web server can be used to attack the web application it serves. It is critical to harden your web server configuration.

4.1 Cookies

4.1.1 Disable Trace HTTP Request

By default the TRACE method is enabled in the Apache web server. Having it enabled allows a Cross Site Tracing (XST) attack and potentially gives an attacker a way to steal cookie information. Let's see how it looks in the default configuration. Telnet to the web server IP on its listening port and make a TRACE request as shown below:

    telnet localhost 80
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    TRACE / HTTP/1.1
    Host: test

    HTTP/1.1 200 OK
    Date: Sat, 31 Aug ... GMT
    Transfer-Encoding: chunked
    Content-Type: message/http

    TRACE / HTTP/1.1
    Host: test

    Connection closed by foreign host.

As you can see, the server echoed the TRACE request back in its response. Let's disable it and test again.

Implementation

Go to $Web_Server/conf, add the following directive to httpd.conf and save the file:

    TraceEnable off

Verification

Telnet to the web server IP on its listening port and make a TRACE request as shown below:

    telnet localhost 80
    Trying 127.0.0.1...
    Connected to localhost.
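The checks in this guide (directory listing, FileETag, User/Group, AllowOverride at the root, LimitExcept and TraceEnable) are all things you can verify by reading httpd.conf rather than by poking the live server. The following script is an added example, not code from the original tutorial: it flattens an httpd.conf into directives with their enclosing sections and reports each hardening item that has not been applied. It assumes a single file (Include is not followed), Apache 2.2-style syntax, and the two sample configurations embedded below are constructed for illustration, with paths such as /opt/apache/htdocs taken from the text.

```python
"""Static audit of an httpd.conf for the items in this guide. Added example,
not the tutorial's own code; assumes one file (Include is not followed)."""
import re
import sys

_OPEN = re.compile(r"^<(\w+)\s*([^>]*)>$")
_CLOSE = re.compile(r"^</(\w+)>$")

# Constructed samples: the defaults the text describes, and the same file
# after the sections above have been applied.
WEAK_CONF = """\
User daemon
Group daemon
<Directory />
    Options Indexes FollowSymLinks
    AllowOverride All
</Directory>
<Directory "/opt/apache/htdocs">
    Options Indexes
</Directory>
"""
HARDENED_CONF = """\
User apache
Group apache
FileETag None
TraceEnable off
<Directory />
    Options -Indexes
    AllowOverride None
</Directory>
<Directory "/opt/apache/htdocs">
    Options -Indexes
    <LimitExcept GET POST HEAD>
        deny from all
    </LimitExcept>
</Directory>
"""


def parse_conf(text):
    """Flatten httpd.conf into (sections, name, args) triples. sections is a
    tuple such as ('Directory /opt/apache/htdocs', 'LimitExcept GET POST HEAD'),
    or () for server-level directives. Comments are whole lines starting with '#'."""
    out, stack = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _OPEN.match(line)
        if m:
            arg = m.group(2).strip().strip('"')
            stack.append(f"{m.group(1)} {arg}".strip())
            continue
        m = _CLOSE.match(line)
        if m:
            if not stack or stack[-1].split()[0].lower() != m.group(1).lower():
                raise ValueError(f"unbalanced close tag: {line}")
            stack.pop()
            continue
        parts = line.split(None, 1)
        out.append((tuple(stack), parts[0], parts[1] if len(parts) > 1 else ""))
    if stack:
        raise ValueError(f"unclosed section: <{stack[-1]}>")
    return out


def _server(d, name):
    """Last server-level value of a directive (later ones win in Apache), or None."""
    vals = [a for s, n, a in d if not s and n.lower() == name.lower()]
    return vals[-1] if vals else None


def _in_section(d, sec, name):
    """Values of a directive written directly inside section sec."""
    return [a for s, n, a in d if s and s[-1].lower() == sec.lower() and n.lower() == name.lower()]


def audit(conf_text):
    """Return one finding string per hardening item that conf_text has not applied."""
    d = parse_conf(conf_text)
    f, dirs = [], []
    for s, _, _ in d:
        dirs += [x for x in s if x.lower().startswith("directory ") and x not in dirs]
    for sec in dirs:
        for opts in _in_section(d, sec, "Options"):
            if {t.lower() for t in opts.split()} & {"indexes", "+indexes", "all"}:
                f.append(f"<{sec}>: Options {opts} enables directory listing")
        # Method restriction is expected on content directories, not on /.
        if sec.lower() != "directory /" and not any(
            s and sec in s and s[-1].lower().startswith("limitexcept ") for s, _, _ in d
        ):
            f.append(f"<{sec}>: no <LimitExcept GET POST HEAD> block, every method allowed")
    if (_server(d, "FileETag") or "").lower() != "none":
        f.append("FileETag is not None: ETag header leaks inode/mtime/size")
    for name in ("User", "Group"):
        val = _server(d, name)
        if val is None or val.lower() in {"root", "nobody", "daemon"}:
            f.append(f"{name} is {val}: run httpd as a dedicated unprivileged account")
    root = _in_section(d, "Directory /", "AllowOverride")
    if not root or root[-1].lower() != "none":
        f.append("<Directory />: AllowOverride is not None, .htaccess can override httpd.conf")
    if (_server(d, "TraceEnable") or "on").lower() != "off":
        f.append("TraceEnable is not off: TRACE is on by default, enabling cross-site tracing")
    return f


if __name__ == "__main__":
    # Usage: python audit_httpd.py /opt/apache/conf/httpd.conf (sample config if no path)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_CONF
    for line in audit(text) or ["no findings"]:
        print(line)
```

Run it against your real httpd.conf after each section of this guide; the weak sample above produces eight findings and the hardened sample none. A Directory section without an explicit Options line inherits from its parent and is not flagged, and the script does not follow Include, so split configurations need each file checked separately.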