10 Apache Security and Hardening Tips

apache_logo

 

The Apache web server is a crucial part of the website infrastructure. It has a number of built in features that can improve your website resistance to attacks. The following document covers a number of steps that will help you to achieve this goal. This document is largely based on the knowledge gathered by our security team and by statistics information revealed by security scanner.

Tip No. 1: Disable Apache Signature and/or Apache Banner

Apache Signature or Apache Banner is basically the same thing. It is an application name together with version name that is printed when performing a web request. Nobody actually needs this information at all, but it is enabled by default. You need to alter the Apache configuration file to disable it.

  • ServerSignature Off
  • ServerTokens ProductOnly

In Ubuntu, you need to change the following file: /etc/apache2/apache2.conf

Double check that ServerSignature and ServerTokens configuration settings are not enabled in some other parts of the configuration file.

Tip No. 2: The Trace HTTP Request

HTTP TRACE request is used to echo back all received information. It can be tricked to print HTTP cookies and as a result steal HTTP session. Basically this request can be used as part of the Cross Site Scripting attack, or XSS. It is recommended to disable it as a security precaution.

Add the following to the web-server’s configuration file. For example alter the following file in Ubuntu: /etc/apache2/apache2.conf .

  • TraceEnable off

Tip 3: Remove PHP scripts that print debug info using phpinfo()

The built-in PHP function phpinfo() prints a lot of interesting internal information about the PHP environment. It can include list of which PHP modules are enabled, and the location of various files on the web-server and other sensitive information. Our web security scanner finds a lot of such files. It is recommended to remove these test files from a production website.

Here is a tip hpw to find such files. Look for the files with the following name: test.php, info.php, i.php and phpinfo.php in your website directory and remove them.

Tip 4: Disable directory indexing

Directory indexing is a features found in every web-server by default. When directory indexing is enabled, the web-site prints a list of files found in the website directories when the default page does not exists (for example index.php). Directories reported can be viewed by any visitor. It is vulnerable in the sense that these directories can contain configuration, private and backup files which can be used by the attackers to take your server under control.

You can fix this problem by disabling the Apache autoindex module. In some Apache installations it is called mod_autoindex.so. In Ubuntu, you just need to remove the following files:

  • /etc/apache2/mods-enabled/autoindex.load
  • /etc/apache2/mods-enabled/autoindex.conf

So you can do it running the following commands:

  • rm -f /etc/apache2/mods-enabled/autoindex.load
  • rm -f /etc/apache2/mods-enabled/autoindex.conf

Tip 5: Disable WebDAV

WebDAV is a file access protocol created over HTTP protocol. It allows you to upload and download files, and change file contents from the website. This service is required only in very rare cases. From our experience, this feature was only required to run SVN server (link). Make sure that WebDAV is disabled in production websites. When WebDAV is enabled, the following commands are supported by Apache: OPTIONS, PROPFIND, etc. These commands are sensitive from computer security point of view.

You can fix this problem by disabling Apache dav, dav_fs and dav_lock modules. In Ubuntu you just need to remove the following files:

  • /etc/apache2/mods-enabled/dav.load
  • /etc/apache2/mods-enabled/dav_fs.conf
  • /etc/apache2/mods-enabled/dav_fs.load
  • /etc/apache2/mods-enabled/dav_lock.load

So you can do it running the following commands:

  • rm -f /etc/apache2/mods-enabled/dav.load
  • rm -f /etc/apache2/mods-enabled/dav_fs.conf
  • rm -f /etc/apache2/mods-enabled/dav_fs.load
  • rm -f /etc/apache2/mods-enabled/dav_lock.load

Tip 6: Create a chroot’ed Apache environment

Chroot is a kind of virtual environment supported operating systems such as Linux and FreeBSD. When an application is executed in chrooted environment it has no access to the parent disk and to other recources.

This is a good solution if you want to protect your website from malicious users. The action steps required to create chroot Apache was already covered in a number of websites. For example: http://www.linux.com/archive/feed/36331

The main hidden issue with chrooted environment is that this environment protects the websites from accessing the operating system’s files. It does not protect one site from another. In other words, if a malicious script located in one site it can access files located on other site because they are located on the same chrooted environment.

A solution to this problem is the following. Create a number of apache instances, each one hosting one website running each one if different chrooted directory. These apache instances will not be able to share IP addresses. You will have to configure different IP for each Apache instance you run.

Tip 7: Enable PHP basedir

PHP has built in a kind of chroot environment. It is called “basedir”. You can configure PHP scripts to access files only in specific directory similar to chroot. Basically you can configure each site to access only files located in that site directory which is a very good idea from the security point of view.

You can add the following lines to the website configuration file or to .htaccess file to enable PHP basedir:

  • Php_value open_basedir /var/www/foo.bar/:/usr/local/php/

This will specify that your PHP scripts can access only specified directories.

Tip 8: Web Stats

Some webmasters install open source tools on their website that analyze web requests and create statistical reports. Access to these webstat scrips is almost never secured with a password. So any visitor can basically view such reports. For example some webmasters install in in the /stats directory accessible by http://www.my-site.com/stats .

Statistical reports contain a lot of sensitive information. For example it can contain hidden file names and directory names, full web requests, search engine keywords, etc… All this information can be used by the malicious users and/or your competitors.

Instead of running a statistics script on your website we recommend that you use Google Analytics. It is a free-of-charge and quality service.

Tip 9: Use Google

Most of the webmasters use common web scripts and CMS or blog software. We recommend you to frequently search for security updates using Google and register for security news at your blog/CMS website.

Tip 10: Additional Steps

If your webserver runs together with MySQL server it brings additional potential security problem. MySQL can read any files located on you server including the one located in different chrooted environments. It happens because of the FILE permission. By default only MySQL root has it. For more info about MySQL security take a look at this article ( link to GreenSQL) .

Install a Database Firewall

Download GreenSQL Express which is a free version of the GreenSQL database firewall.

Install a Web Firewall

Mod_security is a good open source product.

Additional links

  • http://httpd.apache.org/docs/2.2/misc/security_tips.html
  • http://shiflett.org/articles/the-truth-about-sessions
  • http://www.hardened-php.net/suhosin/a_feature_list.html