



Web server security is an important factor, especially if the server lives on the World Wide Web. The Internet is populated with inter-related risks that are nowadays common: botnets, malware, trojans, hackers... Some groups of people have really no barriers and a fierce willingness to break into systems using advanced technology. It is therefore important to implement countermeasures and risk mitigations on your web server.





How to secure my Web server?

In this article, we will see an overview of the most common attack types on Apache web servers and their countermeasures. These are especially valid for Apache servers running on Windows and Linux/Unix. In our case, the system runs Apache HTTPD, and risk mitigation measures are applied at the system level, with preventive actions on the operating system, and at the application level, with modifications of the configuration file options (httpd.conf in /etc/httpd/conf) and the installation of the mod_security module.





We have collected around 20 measures and tips for securing an Apache web server. Note that these apply to the latest version, HTTPD 2.4.10, which already contains numerous fixes for security vulnerabilities.





Apache server tweaks, tips and best practices





Configure Apache Listen for IP and port

We recommend having the Listen directive in httpd.conf configured with a dedicated IP address and port number. This specifies the target and avoids some traffic redirection.





Listen 10.10.10.1:80





A More Verbose Apache Log

Httpd logs are usually located in /var/log/httpd and consist of two files: an access_log file and an error_log file. We can add more fields to the logs, for example the important session ID and the request service time, by customizing the log format. Add %T and %{sessionID}C to the LogFormat directive in httpd.conf:





LogFormat "%h %l %u %t \"%{sessionID}C\" \"%r\" %>s %b %T" common

More information on log formats can be found in the Apache Web Server documentation: http://httpd.apache.org/docs
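As an added example (not part of the original article), here is a small Python parser for access_log lines written with the extended LogFormat above. It groups requests per session cookie, or per source host when the sessionID cookie is absent and Apache logs "-", and counts error responses and slow requests, which is the kind of check the extra %T and session fields make possible. The log lines embedded in it are constructed samples, not real traffic.

```python
"""Parse access_log lines written with the extended LogFormat from the article
(%{sessionID}C and %T added) and summarize them per client.

Added example, not from the original article. The sample lines are constructed;
the cookie name 'sessionID' is the one the article uses in its LogFormat.
"""
import re
from collections import defaultdict

# Field order matches:
# LogFormat "%h %l %u %t \"%{sessionID}C\" \"%r\" %>s %b %T" common
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<session>[^"]*)" "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) (?P<seconds>\d+)$'
)

# Constructed sample lines (not real traffic); the last one is deliberately malformed.
SAMPLE_LOG = """\
10.10.10.5 - - [10/Oct/2014:13:55:36 +0200] "s1a2b3" "GET /index.html HTTP/1.1" 200 2326 0
10.10.10.5 - - [10/Oct/2014:13:55:37 +0200] "s1a2b3" "GET /report?id=7 HTTP/1.1" 200 8812 41
10.10.10.9 - - [10/Oct/2014:13:56:01 +0200] "-" "GET /admin/ HTTP/1.1" 403 199 0
10.10.10.9 - - [10/Oct/2014:13:56:02 +0200] "-" "GET /.htaccess HTTP/1.1" 403 199 0
10.10.10.9 - - [10/Oct/2014:13:56:03 +0200] "-" "TRACE / HTTP/1.1" 405 230 0
this line is not in the expected format
"""


def parse_line(line):
    """Return the parsed fields as a dict, or None if the line does not match the format."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])  # %b logs "-" for no body
    rec["seconds"] = int(rec["seconds"])
    if rec["session"] == "-":  # Apache logs "-" when the sessionID cookie is absent
        rec["session"] = None
    return rec


def summarize(text, slow_threshold=30):
    """Aggregate per client: request count, 4xx/5xx count, requests at or over slow_threshold seconds.

    Clients are keyed by session cookie when present, otherwise by source host,
    so a scanner that never sends a session still shows up as one entry.
    Returns (stats_dict, number_of_unparsed_lines).
    """
    stats = defaultdict(lambda: {"requests": 0, "errors": 0, "slow": 0})
    skipped = 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        entry = stats[rec["session"] or rec["host"]]
        entry["requests"] += 1
        if rec["status"] >= 400:
            entry["errors"] += 1
        if rec["seconds"] >= slow_threshold:
            entry["slow"] += 1
    return dict(stats), skipped


if __name__ == "__main__":
    per_client, unparsed = summarize(SAMPLE_LOG)
    for key, entry in per_client.items():
        print(f"{key}: {entry}")
    print(f"unparsed lines: {unparsed}")
```

The parser returns None for lines that do not fit the format instead of raising, so a log rotated in the middle of a LogFormat change, or a line damaged by the writer, does not abort the whole summary; the number of skipped lines is returned so that it can be reported rather than silently ignored.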

Disable Loading Apache unwanted modules

When you install Apache, it comes with modules that are not always necessary, so you can disable their loading in httpd.conf by commenting out the corresponding LoadModule directive.

Examples :

- webdav (Web-based Distributed Authoring and Versioning). Exposes file properties to clients and is subject to DoS attacks. Recommendation:





#LoadModule dav_module modules/mod_dav.so

#LoadModule dav_fs_module modules/mod_dav_fs.so

#Include conf/extra/httpd-dav.conf





- Info Module. This module can use .htaccess once loaded





#LoadModule info_module modules/mod_info.so





Remove Server Version Banner

Minimal information exposure helps avoid reconnaissance scans; therefore we should remove, where possible, the banner that Apache sends in response to HTTP requests.





ServerTokens Prod

ServerSignature Off





ServerSignature Off removes the version message from the pages generated for common errors (403, 404, etc.). ServerTokens Prod (or Minimal) defines the content of the Server header.





HTTP trace tools: https://addons.mozilla.org/en-US/firefox/addon/firebug/

Disable Directory browsing listing

In order to protect access to files located in directories other than your web server root directory, disable browsing and listing of the other directories with the Options directive set to None or -Indexes.





The user will get a Forbidden error message in his browser.

<Directory /var/www/html>

Options None

Order allow,deny

Allow from all

</Directory>



(or)

<Directory /opt/apache/htdocs>

Options -Indexes

Order allow,deny

Allow from all

</Directory>





Remove Etags from HTTP Headers

The ETag header leaks the file inode number, which is an issue for PCI compliance and can be used in file system attacks.





FileETag None

Header unset ETag





Run Apache as Apache user

Apache should not run as root; it should run as a separate user. Create a group apache and a user apache, and add the following lines to httpd.conf.

Linux/Unix commands:

# groupadd apache

# useradd -G apache apache

# chown -R apache:apache /opt/apache

httpd.conf modifications:

User apache

Group apache





Protect binary and configuration files

The default permissions for bin and /etc/httpd/conf are 755, but you may change them to 750:

# chmod -R 750 bin conf





Apache Override System Settings Protection

In a default installation, users can override the Apache configuration by using .htaccess files. You may set AllowOverride to None in the different directories:





<Directory />

AllowOverride None

</Directory>





Limit Apache available HTTP Methods

Most of the time, web applications only need HEAD, GET and POST. This can be configured as a Directory directive. A fresh Apache installation supports the HTTP 1.1 request methods, many of which may not be required: OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, CONNECT.

In the Directory directive, add the following:





<LimitExcept GET POST HEAD>

deny from all

</LimitExcept>





Define Content Security Policy

Set the following rules in httpd.conf:





Header set X-Content-Type-Options "nosniff"

Header set X-XSS-Protection "1; mode=block"

Header set X-Frame-Options "SAMEORIGIN"

Header set Strict-Transport-Security "max-age=631138519"

Header unset x-webkit-csp

Header unset x-ob_mode





Disable Trace/Track HTTP Requests

XST, or Cross-Site Tracing, attacks are possible if TRACE or TRACK is enabled in the Apache configuration; Cross-Site Scripting (XSS) can then be used to steal cookies, for example. After the change, "Method Not Allowed" is the only response returned to TRACE/TRACK requests.

TraceEnable off

The other thing is to make sure that mod_rewrite is loaded:

LoadModule rewrite_module "/usr/local/apache/modules/mod_rewrite.so"





RewriteEngine On

RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)

RewriteRule .* - [F]





Set cookie with HttpOnly and Secure flag

To make cookies less vulnerable to XSS attacks, cookies must be produced and used with the HttpOnly and Secure flags. Make the following modification in httpd.conf:

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
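The following Python snippet is an added example, not from the original article; it applies the Header edit regex above to sample Set-Cookie values to show what the rewrite produces. It assumes Python's re module behaves like Apache's PCRE for these expressions (Apache's $1 is written \1 in Python), and the lookahead-based variants are my suggestion rather than the article's directive: they add a flag only where it is missing, so a cookie the application already marks HttpOnly or Secure is not given the attribute twice.

```python
"""Show what the article's mod_headers rule does to Set-Cookie values:

    Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

Added example, not from the original article. Python's re is used as a stand-in
for Apache's PCRE engine (an assumption: both accept the syntax used here).
"""
import re

# The article's rule as (pattern, replacement); Apache's $1 is \1 in Python.
ARTICLE_RULE = (r"^(.*)$", r"\1;HttpOnly;Secure")

# My suggested variants (not the article's): match only when the flag is absent,
# so cookies the application already flags are left alone. (?i) makes the
# attribute check case-insensitive, as browsers treat cookie attributes.
HTTPONLY_RULE = (r"(?i)^((?:(?!;\s*HttpOnly).)*)$", r"\1;HttpOnly")
SECURE_RULE = (r"(?i)^((?:(?!;\s*Secure).)*)$", r"\1;Secure")


def apply_rule(rule, header_value):
    """Apply one 'Header edit'-style substitution to a single Set-Cookie value."""
    pattern, repl = rule
    return re.sub(pattern, repl, header_value, count=1)


def harden_cookie(header_value):
    """Add HttpOnly and Secure only where each is missing."""
    return apply_rule(SECURE_RULE, apply_rule(HTTPONLY_RULE, header_value))


def cookie_flags(header_value):
    """Return the lower-cased attribute names present after the name=value pair."""
    return {part.split("=", 1)[0].strip().lower()
            for part in header_value.split(";")[1:] if part.strip()}


if __name__ == "__main__":
    for value in ("id=1; Path=/", "id=1; Path=/; HttpOnly", "id=1; secure; httponly"):
        print(f"{value!r:32} article -> {apply_rule(ARTICLE_RULE, value)!r}")
        print(f"{'':32} guarded -> {harden_cookie(value)!r}")
```

Browsers tolerate the duplicated attribute the article's rule produces, so the practical difference is log noise and a header that is harder to audit rather than a weakened cookie. One caveat on the directive itself: Header without the always keyword only acts on successful (2xx) responses, so a Set-Cookie sent together with a redirect after login is not rewritten; Header always edit covers those responses too.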





Measure against Clickjacking Attack

Clickjacking uses a user's clicks for another purpose than the one they intend, in order to launch actions that the attacker wants to launch on the server. Ensure mod_headers.so is enabled and add the following directive to httpd.conf:





Header always append X-Frame-Options SAMEORIGIN





Disable Server Side Include

Server Side Includes (SSI) allow injecting scripts and achieving remote code execution in HTML pages or in the application, and should be disabled by adding -Includes to the Options in the folder directives.

<Directory /var/www/html>

Options -Indexes -Includes

Order allow,deny

Allow from all

</Directory>





Protect your server against X-XSS Attacks

X-XSS attacks can bypass the XSS protection of many browsers; therefore it is required to turn the protection's blocking mode on:





Header set X-XSS-Protection "1; mode=block"





Disable HTTP 1.0 Protocol

HTTP 1.0 has evolved into HTTP 1.1 and was subject to session hijacking, so we can use mod_rewrite to refuse requests that were forged in HTTP 1.0 rather than HTTP 1.1:

RewriteEngine On

RewriteCond %{THE_REQUEST} !HTTP/1\.1$

RewriteRule .* - [F]





Apache Timeout value configuration

The default Timeout value for Apache httpd is 300 seconds, which is large and enough to amplify DoS attacks, so you can change this timeout to 30 seconds.





Timeout 30





Configure Apache SSL/TLS

SSL, today TLS, brings a very important level of encryption to communications and is to be considered an important security factor. OpenSSL is an open-source SSL provider and should be installed along with mod_ssl.





Installation on Red Hat systems: yum install mod_ssl openssl

This will create the mod_ssl configuration file at /etc/httpd/conf.d/ssl.conf





Free SSL analysis tools for Linux: SSLScan (http://sourceforge.net/projects/sslscan/) or a Windows version: http://code.google.com/p/sslscan-win/





SSL key discovery:

sslscan localhost | grep -i key

SSL cipher discovery (MD5, SHA, RC4, ...):

sslscan --no-failed localhost





SSL keys can be broken, especially if generated under 1024 bits. Generate 2048-bit keys, like Google:





Generate self-signed certificate

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout localhost.key -out localhost.crt





Generate new CSR and private key

openssl req -out localhost.csr -new -newkey rsa:2048 -nodes -keyout localhost.key





In /etc/httpd/conf.d/ssl.conf, include the definition of the secured SSL/TLS protocols; disable SSLv2, for example.

SSLProtocol +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2

Ciphers have to be over 256 bits.

SSLRandomSeed startup file:/dev/urandom 512

SSLCipherSuite HIGH:!MEDIUM:!aNULL:!MD5:!RC4

or even better, since RC4 was cracked and can be considered a weak cipher, with only MD5 excluded explicitly:

SSLCipherSuite HIGH:!aNULL:!MD5

SSLHonorCipherOrder on

Save your configuration file for SSH, restart sshd and restart the Apache server.
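To check that the directives covered in the sections above (server banner, TRACE, directory Options, AllowOverride, ETag, Timeout, User/Group, security headers, SSLProtocol and cipher settings) are actually present in a configuration, here is an added Python checker; it is example code, not from the article or the Apache project. It reads httpd.conf line by line without modelling <Directory> or <IfModule> scoping, the two configurations embedded in it are constructed samples, and it flags SSLv3 as well as SSLv2, which goes beyond the SSLProtocol line given above.

```python
"""Line-oriented audit of httpd.conf for the hardening directives in this article.
Added example, not the article's or Apache's code; <Directory>/<IfModule> scoping
is ignored and the two configurations below are constructed samples."""
import shlex

SECURITY_HEADERS = ("x-frame-options", "x-content-type-options", "strict-transport-security")
WEAK_CIPHER_TOKENS = ("medium", "low", "rc4", "md5", "null")

# Constructed: a permissive configuration resembling a default install.
WEAK_CONF = """\
ServerTokens Full
ServerSignature On
Timeout 300
User root
Group root
<Directory /var/www/html>
    Options Indexes FollowSymLinks Includes
    AllowOverride All
</Directory>
SSLProtocol all
SSLCipherSuite HIGH:MEDIUM:!aNULL
"""

# Constructed: the same server with the article's settings applied (SSLv3 also removed).
HARDENED_CONF = """\
ServerTokens Prod
ServerSignature Off
TraceEnable off
FileETag None
Timeout 30
User apache
Group apache
<Directory /var/www/html>
    Options -Indexes -Includes
    AllowOverride None
</Directory>
Header set X-Content-Type-Options "nosniff"
Header set X-Frame-Options "SAMEORIGIN"
Header set Strict-Transport-Security "max-age=631138519"
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5
SSLHonorCipherOrder on
"""


def directives(text):
    """Yield (lower-cased name, args) per directive line; comments and <section> tags are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", "<")):
            parts = shlex.split(line)
            yield parts[0].lower(), parts[1:]


def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    seen, findings = {}, []
    for name, args in directives(text):
        seen.setdefault(name, []).append(args)

    def first(name):
        return seen[name][0] if name in seen else None

    def expect(name, wanted, msg):  # flag a directive that is missing or not set to `wanted`
        v = first(name)
        if v is None or v[0].lower() != wanted:
            findings.append(msg)

    expect("servertokens", "prod", "ServerTokens should be Prod (banner reveals version)")
    expect("serversignature", "off", "ServerSignature should be Off")
    expect("traceenable", "off", "TraceEnable should be off (TRACE is on by default)")
    expect("fileetag", "none", "FileETag should be None (inode leak)")
    v = first("timeout")
    if v is None or int(v[0]) > 30:
        findings.append("Timeout should be lowered to 30 seconds (default is 300)")
    for acct in ("user", "group"):
        v = first(acct)
        if v is None or v[0] == "root":
            findings.append(f"{acct.capitalize()} should be a dedicated unprivileged account")
    for args in seen.get("options", []):
        for tok in args:
            if tok.lstrip("+").lower() in ("indexes", "includes", "all"):
                findings.append(f"Options enables {tok} (directory listing / SSI)")
    for args in seen.get("allowoverride", []):
        if not args or args[0].lower() != "none":
            findings.append("AllowOverride permits .htaccess overrides")
    set_headers = {a.lower() for args in seen.get("header", []) for a in args}
    for hdr in SECURITY_HEADERS:
        if hdr not in set_headers:
            findings.append(f"No Header directive sets {hdr}")
    for args in seen.get("sslprotocol", []):
        enabled = {a.lstrip("+").lower() for a in args if not a.startswith(("-", "!"))}
        disabled = {a.lstrip("-!").lower() for a in args if a.startswith(("-", "!"))}
        for proto, label in (("sslv2", "SSLv2"), ("sslv3", "SSLv3")):  # 'all' counts as both
            if proto in enabled or ("all" in enabled and proto not in disabled):
                findings.append(f"SSLProtocol enables {label}")
    for args in seen.get("sslciphersuite", []):
        for tok in (args[0].split(":") if args else []):
            if not tok.startswith("!") and tok.lower() in WEAK_CIPHER_TOKENS:
                findings.append(f"SSLCipherSuite allows {tok}")
    if "sslprotocol" in seen or "sslciphersuite" in seen:
        expect("sslhonorcipherorder", "on", "SSLHonorCipherOrder should be on")
    return findings
```

Run audit() on the text of a real httpd.conf to get the list of findings; because directives inside <IfModule> or <Directory> blocks are read as if they were global, a directive that only exists in an unloaded module's block still counts as present, so treat a clean result as a first pass, not as proof.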





WEB TOOL: ssh cipher vulnerability scanner





Install Mod Security in Apache

ModSecurity is an open-source Web Application Firewall module for Apache that has many features, including: HTTP DoS (Denial of Service) protection, common web attack protection, antivirus integration, Google Safe Browsing API checks, electronic discretion...





You will eventually need the following packages: libpcre libxml2 libcurl libapr libapr-util, and the module mod_unique_id, bundled with the Apache web server, loaded in Apache.





Download it from http://www.modsecurity.org/download/ then install it.





Add following lines to load module for Mod Security in httpd.conf

LoadModule unique_id_module modules/mod_unique_id.so

LoadModule security2_module modules/mod_security2.so





Then download the OWASP ModSecurity Core Rules and unzip them to /etc/httpd/conf. OWASP has rules defined as base_rules, optional_rules and experimental_rules. Base rules cover typical attacks.





Rename modsecurity_crs_11_setup.conf.example to modsecurity_crs_11_setup.conf.

Add in httpd.conf:

<IfModule security2_module>

Include conf/crs/modsecurity_crs_11_setup.conf

Include conf/crs/base_rules/*.conf

</IfModule>

then in /etc/httpd/conf/modsecurity_crs_11_setup.conf:

SecAuditLog /var/log/httpd/modsec_audit.log

SecRuleEngine On





Now the web server is ready to protect against common attack types like XSS, SQL injection, directory traversal, protocol manipulation, etc.





Change Server Banner

In order to use ModSecurity to manipulate the Server banner in the header, you must set ServerTokens to Full in Apache's httpd.conf.





SecServerSignature YourServerName



