Hardening Apache Web Server by Aswin

Published in: Education, Technology
Transcript

  • 1. Hardening Apache Web Server Security. Aswin Knight, Agate Studio (@agatestudio)
  • 2. HARDENING APACHE WEB SERVER SECURITY. Aswin Juari
  • 3. INTRODUCTION
    - Security aspects:
      - Application level: XSS, SQL injection, etc.
      - HTTPD service and machine: exposing the Apache configuration, DoS/DDoS, etc.
  • 4. This talk covers security at the server machine level.
  • 5. SERVER SECURITY
    - SSH authentication. Edit the SSH configuration:
      - Do not permit root login
      - Recommended: use private key authentication and do not use the default port
    - Limit database access:
      - Authentication
      - IP whitelist
  • 6. APACHE CONFIGURATION HARDENING
    - Update the Apache/SSL version if an update is available
    - Hide the Apache version:
        ServerSignature Off
        ServerTokens Prod
    - Disable directory listing:
        <Directory /var/www/html>
            Options -Indexes
        </Directory>
    - Disable unnecessary modules
    - Turn off CGI execution
  • 7. APACHE CONFIGURATION HARDENING
    - Restrict directory access (Apache 2.2 access-control syntax; with Order deny,allow the Allow line is evaluated last, so only the listed subnet gets in and everyone else is denied):
        <Directory /var/www/html/Admin>
            Order deny,allow
            Deny from all
            Allow from xx.xx.xx.xx/24
        </Directory>
    - Run httpd as a non-root user:
        User apache
        Group apache
    - Limit the request size:
        <Directory /var/www/html/user_uploads>
            LimitRequestBody 512000
        </Directory>
  • 8. APACHE CONFIGURATION HARDENING
    - mod_security
      - Can scan all messages received by your website
      - Can help prevent SQL injection
      - Returns a 406 error if a user enters a URL such as http://www.webapp.com/login.php?username=admin'">DROP%20TABLE%20users--
      - However:
        - There is additional load on the server
        - The configuration must be done manually
  • 9. APACHE CONFIGURATION HARDENING
    - mod_evasive blocks a client when:
      - Too many requests for the same page arrive within a few seconds
      - Any child process tries to serve more than 50 concurrent requests
      - An IP keeps making new requests while it is temporarily blacklisted
    - Prevents DoS attacks
    - Enable Apache logging: error log / access log
  • 10. OTHER TOOLS
    - Fail2Ban
      - Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show malicious signs: too many password failures, probing for exploits, etc.
      - Features:
        - Runs as a daemon
        - Can use various methods to block an attacker: iptables, TCP wrappers (/etc/hosts.deny)
        - Can handle more than one service: ssh, apache
        - Can send email notifications
        - Can ban an IP permanently or for a limited time
  • 11. FURTHER READING
    - http://silverdire.com/2013/08/12/haproxy-fail2ban/
    - http://systembash.com/content/how-to-stop-an-apache-ddos-attack-with-mod_evasive/
    - http://www.fail2ban.org/wiki/index.php/Main_Page
    - http://www.tecmint.com/apache-security-tips/
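Slides 6 and 7 list the httpd.conf settings to change. The following audit script is an added example, not part of the presentation: it checks a configuration fragment for those settings (ServerSignature Off, ServerTokens Prod, no Indexes in Directory blocks, and a non-root User/Group). The WEAK_CONF and HARDENED_CONF fragments are constructed samples for the demonstration.

```python
import re

# Constructed sample: a weak httpd.conf fragment showing the defaults the slides warn about.
WEAK_CONF = """
ServerSignature On
ServerTokens Full
User root
Group root
<Directory /var/www/html>
    Options Indexes FollowSymLinks
</Directory>
"""

# Constructed sample: the same fragment with the settings from slides 6 and 7 applied.
HARDENED_CONF = """
ServerSignature Off
ServerTokens Prod
User apache
Group apache
<Directory /var/www/html>
    Options -Indexes
</Directory>
"""

def directive(conf, name):
    """Value of the last occurrence of a directive in `conf` (last one wins in httpd), or None."""
    vals = re.findall(r'(?im)^\s*' + name + r'\s+(\S.*?)\s*$', conf)
    return vals[-1] if vals else None

def audit_apache_config(conf):
    """Return hardening findings for a config fragment; an empty list means all checks passed."""
    findings = []
    if (directive(conf, 'ServerSignature') or '').lower() != 'off':
        findings.append('ServerSignature should be set to Off')
    if (directive(conf, 'ServerTokens') or '').lower() != 'prod':
        findings.append('ServerTokens should be set to Prod')
    for name in ('User', 'Group'):
        value = directive(conf, name)
        if value is None or value.lower() == 'root':
            findings.append(f'{name} should be an unprivileged account, not root or unset')
    # Directory listing is enabled by "Indexes" or "+Indexes" in Options, disabled by "-Indexes".
    for path, body in re.findall(r'(?is)<Directory\s+([^>]+)>(.*?)</Directory>', conf):
        options = directive(body, 'Options') or ''
        if re.search(r'(?i)(^|\s)\+?Indexes(\s|$)', options):
            findings.append(f'Directory listing (Indexes) enabled for {path.strip()}')
    return findings

if __name__ == '__main__':
    for label, conf in (('weak', WEAK_CONF), ('hardened', HARDENED_CONF)):
        print(label, audit_apache_config(conf) or ['OK'])
```

Point it at a real httpd.conf by reading the file into a string; the access-control and LimitRequestBody directives from slide 7 are not checked and would need their own rules.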
