Hardening Apache Web Server by Aswin

1. @agatestudio. Hardening Apache Web Server Security. Aswin Knight, Agate Studio.

2. HARDENING APACHE WEB SERVER SECURITY. Aswin Juari.

3. INTRODUCTION
   - Security Aspect
     - Application Level
       - XSS
       - SQL Injection
       - Etc.
     - HTTPD Service & Machine
       - Exposing Apache Configuration
       - DOS/DDOS
       - Etc.
     - Etc.

4. We will learn security at the server machine.

5. SERVER SECURITY
   - SSH Authentication
     - Edit the SSH configuration: don't permit root login
     - Recommended: use private key authorization; do not use the default port
   - Limit Database Access
     - Authentication
     - IP whitelist

6. APACHE CONFIGURATION HARDENING
   - Update the Apache/SSL version if any update is available
   - Hide the Apache version:
         ServerSignature Off
         ServerTokens Prod
   - Disable directory listing:
         <Directory /var/www/html>
             Options -Indexes
         </Directory>
   - Disable unnecessary modules
   - Turn off CGI execution

7. APACHE CONFIGURATION HARDENING
   - Restrict directory access:
         <Directory /var/www/html/Admin>
             # Deny by default, then allow only the listed subnet.
             # (With "Order allow,deny", "Deny from all" would override the Allow and lock everyone out.)
             Order deny,allow
             Deny from all
             Allow from xx.xx.xx.xx/24
         </Directory>
   - Run httpd as a non-root user:
         User apache
         Group apache
   - Limit request size:
         <Directory /var/www/html/user_uploads>
             LimitRequestBody 512000
         </Directory>

8. APACHE CONFIGURATION HARDENING
   - Mod_security
     - Can scan all messages received by your website
     - Can help prevent SQL injection
     - Returns a 406 error if a user enters the URL http://www.webapp.com/login.php?username=admin'">DROP%20TABLE%20users--
     - However:
       - There is additional load on the server
       - The configuration must be done manually

9. APACHE CONFIGURATION HARDENING
   - Mod_evasive
     - If many requests come to the same page more than a few times per second
     - If any child process tries to make more than 50 concurrent requests
     - If any IP still tries to make new requests while it is temporarily blacklisted
     - Prevents DOS attacks
   - Enable Apache logging
     - Error log / access log

10. OTHER TOOLS
   - Fail2Ban
     - Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show malicious signs: too many password failures, searching for exploits, etc.
     - Features:
       - Runs as a daemon
       - Can use various methods to block attacks: iptables, TCP wrappers (/etc/hosts.deny)
       - Can handle more than one service: ssh, apache
       - Can send email notifications
       - Can ban an IP permanently or for a limited time

11. FURTHER READING
   - http://silverdire.com/2013/08/12/haproxy-fail2ban/
   - http://systembash.com/content/how-to-stop-an-apache-ddos-attack-with-mod_evasive/
   - http://www.fail2ban.org/wiki/index.php/Main_Page
   - http://www.tecmint.com/apache-security-tips/
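As an added defensive check that is not part of the deck, the following Python audits an httpd.conf fragment for the configuration points the slides raise: ServerTokens and ServerSignature, the account httpd runs as, directory listing, and the "Order allow,deny" plus "Deny from all" combination that denies every client. The sample configuration, the function name and the finding messages are constructed for this example.

```python
import re

# Constructed sample httpd.conf fragment (not from the slides) that mixes weak and hardened settings.
SAMPLE_CONF = """
ServerTokens Full
ServerSignature On
User root
<Directory /var/www/html>
    Options Indexes FollowSymLinks
</Directory>
<Directory /var/www/html/Admin>
    Order allow,deny
    Allow from 192.0.2.0/24
    Deny from all
</Directory>
"""

def audit_apache_config(conf: str) -> list:
    """Report the deck's hardening points that this httpd.conf text gets wrong."""
    findings, blocks, block = [], {}, None
    tokens, signature = "full", "off"  # Apache defaults when the directive is absent
    for line in filter(None, (raw.split("#", 1)[0].strip() for raw in conf.splitlines())):
        m = re.match(r'<Directory\s+"?([^">]+)"?>', line, re.I)
        if m:  # enter a <Directory> block and collect its directives
            block = m.group(1)
            blocks[block] = []
        elif line.lower() == "</directory>":
            block = None
        elif block:
            blocks[block].append(line.lower())
        else:  # global directive
            key, _, val = line.lower().partition(" ")
            val = val.strip()
            if key == "servertokens":
                tokens = val
            elif key == "serversignature":
                signature = val
            elif key in ("user", "group") and val == "root":
                findings.append(f"{key} root: run httpd as a dedicated account")
    if tokens != "prod":
        findings.append("ServerTokens not Prod: version details are exposed")
    if signature != "off":
        findings.append("ServerSignature not Off: version shown on error pages")
    for path, lines in blocks.items():
        # "Indexes" or "+Indexes" enables listing; "-Indexes" disables it
        if any(l.startswith("options") and any(t.lstrip("+") == "indexes" for t in l.split()[1:]) for l in lines):
            findings.append(f"{path}: directory listing enabled (Options Indexes)")
        if "order allow,deny" in lines and "deny from all" in lines:
            findings.append(f"{path}: Order allow,deny with Deny from all denies everyone")
    return findings
```

Running `audit_apache_config(SAMPLE_CONF)` lists five findings; a configuration that applies the deck's settings (ServerTokens Prod, ServerSignature Off, User/Group apache, Options -Indexes, Order deny,allow) returns an empty list.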