Apache web server best practices
Protect binary and configuration directory permission
Set cookie with HttpOnly and Secure flag
Disabling php execution in /image folder
Disable Directory Listing
If you don’t have index.html under your WebSite Directory, client will see all files and sub-directories listed in ths browser (like ls –l output).
Solution: –
To disable directory browsing, you can either set the value of Option directive to “None” or “-Indexes”
Options 1
<Directory />
Options None
Order allow,deny
Allow from all
</Directory>
Options 2
<Directory />
Options -Indexes
Order allow,deny
Allow from all
</Directory>
Should be done to all apache DocumentRoot Directory.
<Directory />
Options -Indexes
AllowOverride None
</Directory>
Disable Signature
The Off setting, which is the default, suppresses the footer line. The On setting simply adds a line with the server version number and ServerName of the serving virtual host.
Solution: –
It’s good to disable Signature, as you may not wish to reveal Apache Version you are running.
# vi httpd.conf
ServerSignature Off
Remove server Signature
ServerSignature will remove the version information from the page generated like 403, 404, 502, etc. by apache web server. ServerTokens will change Header to production only, i.e. Apache.
ServerTokens Prod
ServerSignature Off
Etag
It allows remote attackers to obtain sensitive information like inode number, multipart MIME boundary and child process through Etag header. To prevent this vulnerability, let’s implement it as below. This is required to fix for PCI compliance.
FileETag None
Protect binary and configuration directory permission
By default, permission for binary and configuration is 755 that mean any user on server can view the configuration. You can disallow other user to get into conf and bin folder.
Go to $Web_Server directory
Change permission of bin and conf folder
# chown –R 750 bin conf
HTTP Request Methods
HTTP 1.1 protocol support many request methods which may not be required and some of them are having potential risk. Typically you may just need GET, HEAD, POST request methods in web application, which can be configured in respective Directory directive. Default apache configuration support OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, CONNECT method in HTTP 1.1 protocol.
Implementation:
Go to $Web_Server/conf directory
Open httpd.conf using vi
Search for Directory and add following
<LimitExcept GET POST HEAD>
deny from all
</LimitExcept>
Disable Trace HTTP Request
By default Trace method is enabled in Apache web server. Having this enabled can allow Cross Site Tracing attack and potentially giving an option to hacker to steal cookie information. Let’s see how it looks like in default configuration.
Do a telnet web server IP with listen port
Make a TRACE request as shown below
#telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
TRACE / HTTP/1.1 Host: test
HTTP/1.1 200 OK
Date: Sat, 31 Aug 2013 02:13:24 GMT
Server: Apache
Transfer-Encoding: chunked
Content-Type: message/http 20
TRACE / HTTP/1.1
Host: test 0
Connection closed by foreign host.
#
As you could see in above TRACE request it has responded my query. Let’s disable it and test it.
Implementation:
Go to $Web_Server/conf directory
Add following directive and save the httpd.conf
TraceEnable off
Restart apache
Set cookie with HttpOnly and Secure flag
You can mitigate most of the common Cross Site Scripting attack using HttpOnly and Secure flag in cookie. Without having HttpOnly and Secure, it is possible to steal or manipulate web application session and cookies and it’s dangerous.
Implementation:
Ensure mod_headers.so is enabled in your httpd.conf
Go to $Web_Server/conf directory
Add following directive and save the httpd.conf
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
Restart apache
Clickjacking Attack
Clickjacking is well known web application vulnerabilities. You can refer my previous post Secure Your Web Site from Clickjacking Attack.
Implementation:
Ensure mod_headers.so is enabled in your httpd.conf
Go to $Web_Server/conf directory
Add following directive and save the httpd.conf
Header always append X-Frame-Options SAMEORIGIN
Restart apache
Verification:
Open Firefox and access your application
Check HTTP response headers in firebug, you should see X-Frame-Options as shown below.
Server Side Include
Server Side Include (SSI) has a risk in increasing load on the server. If you have shared environment and heavy traffic web applications you should consider disable SSI by adding Includes in Options directive. SSI attack allows the exploitation of a web application by injecting scripts in HTML pages or executing codes remotely.
Implementation:
Go to $Web_Server/conf directory
Open httpd.conf using vi
Search for Directory and add Includes in Options directive
<Directory /opt/apache/htdocs>
Options –Indexes -Includes
Order allow,deny
Allow from all
</Directory>
Restart Apache
X-XSS Protection
Cross Site Scripting (XSS) protection can be bypassed in many browsers. You can force apply this protection for web application if it was disabled by the user. This is used by majority of giant web companies like Facebook, twitter, Google, etc.
Implementation:
Go to $Web_Server/conf directory
Open httpd.conf using vi and add following Header directive
Header set X-XSS-Protection “1; mode=block”
Restart Apache
Disable HTTP 1.0 Protocol
When we talk about security, we should protect as much we can. So why do we use older HTTP version of protocol, let’s disable them as well. HTTP 1.0 has security weakness related to session hijacking. We can disable this by using mod_rewrite module.
Implementation:
Ensure to load mod_rewrite module in httpd.conf file
Enable RewriteEngine directive as following and add Rewrite condition to allow only HTTP 1.1
RewriteEngine On
RewriteCond %{THE_REQUEST} !HTTP/1.1$
RewriteRule .* - [F]
Timeout value configuration
By default Apache timed-out value is 300 seconds, which can be victim of Slow Loris attack and DoS. To mitigate this you can lower the timeout value to maybe 60 seconds.
Implementation:
Go to $Web_Server/conf directory
Open httpd.conf using vi
Add following in httpd.conf
Timeout 60
SSL Key
Breaching SSL key is hard, but not impossible. Its just matter of computational power and time. As you might know using a 2009-era PC cracking away for around 73 days you can reverse engineer a 512-bit key. So the higher key length you have, the more complex it becomes to break SSL key. Majority of giant Web Companies use 2048 bit key, as below so why don’t we?
Outlook.com
Microsoft.com
Live.com
Skype.com
Apple.com
Yahoo.com
Bing.com
Hotmail.com
Twitter.com
Implementation:
You can use openssl to generate CSR with 2048 bit as below.
Generate self-signed certificate
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout localhost.key -out localhost.crt
Generate new CSR and private key
openssl req -out localhost.csr -new -newkey rsa:2048 -nodes -keyout localhost.key
Add Personal Cert, Signer Cert and Key file in httpd-ssl.conf file under below directive
SSLCertificateFile # Personal Certificate
SSLCertificateKeyFile # Key File
SSLCACertificateFile # Signer Cert file
Verification:
Execute sslscan utility with following parameter. Change localhost to your actual domain name.
sslscan localhost | grep –i key
As you can see current ssl key is 2048 bit, which is stronger.
Disabling php execution in /image folder
Well, it’s simple. In fact – it’s very simple! Here’s what needs to be done:
If your Joomla website runs under Plesk:
Create an .htaccess file with the following content:
php_flag engine off
AddType text/plain .php
AddType text/plain .php5
RemoveHandler .php
Upload the above .htaccess file to the images directory.
Change the permissions of the .htaccess file to 444.
If your Joomla website runs under WHM/cPanel
Create an .htaccess file with the following content:
RemoveType .php
Upload the above .htaccess file to the images directory and change its permissions to 444 as nobody needs to write to it.
Below link might help to understand the attack.
http://phpsense.com/2006/php-email-injection-attacks/
By :- Mr.L!nxr00t