Tuesday, 26 June 2018

Apache web server best practices

Apache web server best practices

Disable Directory Listing

Disable Signature

Remove server Signature

Etag

Protect binary and configuration directory permission

HTTP Request Methods

Disable Trace HTTP Request

Set cookie with HttpOnly and Secure flag

Clickjacking Attack

Server Side Include

X-XSS Protection

Disable HTTP 1.0 Protocol

Timeout value configuration

SSL Key

Disabling php execution in /image folder

Disable Directory Listing

If you don’t have index.html under your WebSite Directory, client will see all files and sub-directories listed in ths browser (like ls –l output).

Solution: –

To disable directory browsing, you can either set the value of Option directive to “None” or “-Indexes”

Options 1

<Directory />

Options None

Order allow,deny

Allow from all

</Directory>

Options 2

<Directory />

Options -Indexes

Order allow,deny

Allow from all

</Directory>

Should be done to all apache DocumentRoot Directory.

<Directory />

Options -Indexes

AllowOverride None

</Directory>

Disable Signature

The Off setting, which is the default, suppresses the footer line. The On setting simply adds a line with the server version number and ServerName of the serving virtual host.

Solution: –

It’s good to disable Signature, as you may not wish to reveal Apache Version you are running.

# vi httpd.conf

ServerSignature Off

Remove server Signature

ServerSignature will remove the version information from the page generated like 403, 404, 502, etc. by apache web server. ServerTokens will change Header to production only, i.e. Apache.

ServerTokens Prod
ServerSignature Off

Etag

It allows remote attackers to obtain sensitive information like inode number, multipart MIME boundary and child process through Etag header. To prevent this vulnerability, let’s implement it as below. This is required to fix for PCI compliance.

FileETag None

Protect binary and configuration directory permission

By default, permission for binary and configuration is 755 that mean any user on server can view the configuration. You can disallow other user to get into conf and bin folder.

Go to $Web_Server directory

Change permission of bin and conf folder

# chown –R 750 bin conf

HTTP Request Methods

HTTP 1.1 protocol support many request methods which may not be required and some of them are having potential risk. Typically you may just need GET, HEAD, POST request methods in web application, which can be configured in respective Directory directive. Default apache configuration support OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, CONNECT method in HTTP 1.1 protocol.

Implementation:

Go to $Web_Server/conf directory

Open httpd.conf using vi

Search for Directory and add following

<LimitExcept GET POST HEAD>

deny from all

</LimitExcept>

Disable Trace HTTP Request

By default Trace method is enabled in Apache web server. Having this enabled can allow Cross Site Tracing attack and potentially giving an option to hacker to steal cookie information. Let’s see how it looks like in default configuration.

Do a telnet web server IP with listen port

Make a TRACE request as shown below

#telnet localhost 80

Trying 127.0.0.1...

Connected to localhost.

Escape character is '^]'.

TRACE / HTTP/1.1 Host: test

HTTP/1.1 200 OK

Date: Sat, 31 Aug 2013 02:13:24 GMT

Server: Apache

Transfer-Encoding: chunked

Content-Type: message/http 20

TRACE / HTTP/1.1

Host: test 0

Connection closed by foreign host.

#

As you could see in above TRACE request it has responded my query. Let’s disable it and test it.

Implementation:

Go to $Web_Server/conf directory

Add following directive and save the httpd.conf

TraceEnable off

Restart apache

Set cookie with HttpOnly and Secure flag

You can mitigate most of the common Cross Site Scripting attack using HttpOnly and Secure flag in cookie. Without having HttpOnly and Secure, it is possible to steal or manipulate web application session and cookies and it’s dangerous.

Implementation:

Ensure mod_headers.so is enabled in your httpd.conf

Go to $Web_Server/conf directory

Add following directive and save the httpd.conf

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

Restart apache

Clickjacking Attack

Clickjacking is well known web application vulnerabilities. You can refer my previous post Secure Your Web Site from Clickjacking Attack.

Implementation:

Ensure mod_headers.so is enabled in your httpd.conf

Go to $Web_Server/conf directory

Add following directive and save the httpd.conf

Header always append X-Frame-Options SAMEORIGIN

Restart apache

Verification:

Open Firefox and access your application

Check HTTP response headers in firebug, you should see X-Frame-Options as shown below.

Server Side Include

Server Side Include (SSI) has a risk in increasing load on the server. If you have shared environment and heavy traffic web applications you should consider disable SSI by adding Includes in Options directive. SSI attack allows the exploitation of a web application by injecting scripts in HTML pages or executing codes remotely.

Implementation:

Go to $Web_Server/conf directory

Open httpd.conf using vi

Search for Directory and add Includes in Options directive

<Directory /opt/apache/htdocs>

Options –Indexes -Includes

Order allow,deny

Allow from all

</Directory>

Restart Apache

X-XSS Protection

Cross Site Scripting (XSS) protection can be bypassed in many browsers. You can force apply this protection for web application if it was disabled by the user. This is used by majority of giant web companies like Facebook, twitter, Google, etc.

Implementation:

Go to $Web_Server/conf directory

Open httpd.conf using vi and add following Header directive

Header set X-XSS-Protection “1; mode=block”

Restart Apache

Disable HTTP 1.0 Protocol

When we talk about security, we should protect as much we can. So why do we use older HTTP version of protocol, let’s disable them as well. HTTP 1.0 has security weakness related to session hijacking. We can disable this by using mod_rewrite module.

Implementation:

Ensure to load mod_rewrite module in httpd.conf file

Enable RewriteEngine directive as following and add Rewrite condition to allow only HTTP 1.1

RewriteEngine On

RewriteCond %{THE_REQUEST} !HTTP/1.1$

RewriteRule .* - [F]

Timeout value configuration

By default Apache timed-out value is 300 seconds, which can be victim of Slow Loris attack and DoS. To mitigate this you can lower the timeout value to maybe 60 seconds.

Implementation:

Go to $Web_Server/conf directory

Open httpd.conf using vi

Add following in httpd.conf

Timeout 60

SSL Key

Breaching SSL key is hard, but not impossible. Its just matter of computational power and time. As you might know using a 2009-era PC cracking away for around 73 days you can reverse engineer a 512-bit key. So the higher key length you have, the more complex it becomes to break SSL key. Majority of giant Web Companies use 2048 bit key, as below so why don’t we?

Outlook.com

Microsoft.com

 Live.com

Skype.com

Apple.com

Yahoo.com

Bing.com

Hotmail.com

Twitter.com

Implementation:

You can use openssl to generate CSR with 2048 bit as below.

Generate self-signed certificate

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout localhost.key -out localhost.crt

Generate new CSR and private key

openssl req -out localhost.csr -new -newkey rsa:2048 -nodes -keyout localhost.key

Add Personal Cert, Signer Cert and Key file in httpd-ssl.conf file under below directive

SSLCertificateFile # Personal Certificate

SSLCertificateKeyFile # Key File

SSLCACertificateFile # Signer Cert file

Verification:

Execute sslscan utility with following parameter. Change localhost to your actual domain name.

sslscan localhost | grep –i key

As you can see current ssl key is 2048 bit, which is stronger.

Disabling php execution in /image folder

Well, it’s simple. In fact – it’s very simple! Here’s what needs to be done:

If your Joomla website runs under Plesk:

Create an .htaccess file with the following content:

php_flag engine off

AddType text/plain .php

AddType text/plain .php5

RemoveHandler .php

Upload the above .htaccess file to the images directory.

Change the permissions of the .htaccess file to 444.

If your Joomla website runs under WHM/cPanel

Create an .htaccess file with the following content:

RemoveType .php

Upload the above .htaccess file to the images directory and change its permissions to 444 as nobody needs to write to it.

Below link might help to understand the attack.

http://phpsense.com/2006/php-email-injection-attacks/

By :- Mr.L!nxr00t