This document provides steps for hardening an Apache web server. It discusses creating a web server group/user, downloading and patching Apache, configuring httpd.conf for security settings like access controls and attack signatures, changing file permissions, cleaning unnecessary files, and advanced security enhancements. Potential problems like denial of service attacks and exploits are also covered. The goal is to guide system administrators on securely configuring Apache to prevent hacking and protect sensitive data.
8. Problems & Risks
• Types of Web Attacks
– Placement of Malicious Software, such as a trojan horse or worm
9. Problems & Risks
• Risks of Apache
– From System Administrator
• Think “Apache is the best!!”
• Ignore Hardening
– From Apache (itself)
• Apache is not secure
• Website Apache.org was hacked in May 2000
11. Hardening Apache Step-by-Step
Create the Web Server Group/User
Download the Appropriate Apache Distribution
Apply Latest Web Server Patches
Configure/Compile/Install the Apache Distribution
Edit the Apache Configuration file - httpd.conf
12. Hardening Apache Step-by-Step (Cont.)
Change Ownership/Permissions on Directories and Files
Clean Out Unneeded Files and Directories
Update Apache Start Script for Notification
Advanced Settings - Miscellaneous Security Enhancements
13. Step 1: Create the Web Server Group/User
1.1 Create Groups for Web Server Content
>> webmaster:webmaster
1.2 Create a Specific User for Web Server
>> nobody:nobody
1.3 Create Quota for Web Server
1.4 Verify Quota
1.5 Lock Down the New Account
14. Step 1: Create the Web Server Group/User
Access matrix (RW = read/write, R = read only, - = no access):

user                      conf   tools   logs   CGI   Content
webmaster  (>>webmaster)  RW     R       R      RW    RW
web developer             -      -       -      RW    RW
web author                -      -       -      R     RW
Webserver  (>>nobody)     -      -       -      R     R
15. Step 1: Create the Web Server Group/User
[Diagram: the parent http process is started by root; it forks the child http processes, which run as user nobody and serve the requests.]
16. Step 2: Download the Appropriate Apache Distribution
2.1 Download the Apache Source
2.2 Verify the PGP Signatures
2.3 Verify the MD5 Checksums
17. Step 3: Apply Latest Web Server Patch
• For Latest Patch of Apache
http://www.apache.org/dist/httpd/patches/
• Apply Patch
# cd apache_source_directory
# patch -p0 < /tmp/proxy_http1.1_chunking.patch
18. Step 4: Configure/Compile/Install the Apache Distribution
4.1 Configure the Apache Distribution
4.2 Edit the httpd.h File
#define SERVER_BASEVENDOR "Apache Group"
#define SERVER_BASEPRODUCT "My-Server"
#define SERVER_BASEREVISION "4.0"
4.3 Compile Apache
4.4 Install the Software
19. Step 5: Edit the Apache Configuration file - httpd.conf
5.1 Basic Web Server Settings
o ServerType
o HostnameLookups on
o User & Group
o Port
o ServerAdmin
o ServerRoot
o ServerName
20. Step 5: Edit the Apache Configuration file - httpd.conf (Cont.)
5.2 Security Related Settings
o LogLevel notice
o CustomLog ... Combined
o ErrorLog ...
21. Step 5: Edit the Apache Configuration file - httpd.conf (Cont.)
Some of the Error Messages in ErrorLog
• File does not exist: access to a URL that does not exist
• File permissions deny server access: access to a document that the server does not have sufficient privileges to read
• Password mismatch: access to a protected document with an incorrect password
• Client denied by server configuration: access to a directory that is restricted to certain IP addresses
• Malformed header from script: a warning that a script produced bad output which cannot be interpreted correctly
22. Step 5: Edit the Apache Configuration file - httpd.conf (Cont.)
5.2 Security Related Settings (Cont.)
o <Directory>
o Options
o AllowOverride None
o IncludesNoExec
o SymLinksIfOwnerMatch
o Order and Allow/Deny from (Use IP)
23. Step 5: Edit the Apache Configuration file - httpd.conf (Cont.)
5.2 Security Related Settings (Cont.)
o ServerSignature Off
o ServerTokens ProductOnly
o CoreDumpDirectory ...
o Error Responses
o 401/403 Errors
o Other Status Codes
o LimitExcept
24. Step 5: Edit the Apache Configuration file - httpd.conf (Cont.)
5.3 Access Control
– Restrict Access to File or Directory
• Host-based Authentication
[Diagram: on each request the server compares the client's IP address / hostname against the allow list and the deny list before authenticating the request.]
25. Step 5: Edit the Apache Configuration file - httpd.conf (Cont.)
5.3 Access Control
– Restrict Access to File or Directory (Cont.)
• HTTP-specified Basic Authentication
[Diagram: the client sends a username & password with the request; the server checks them against the .htpasswd file named in the configuration and authenticates the request.]
26. Step 5: Edit the Apache Configuration file - httpd.conf (Cont.)
5.4 Common Attack Signatures
– Mod_Rewrite Voodoo
– Robots
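An added httpd.conf fragment, not taken from the slides, that applies the 5.2 logging, Options, LimitExcept and error-response settings, the 5.3 host-based and Basic-authentication controls, and one 5.4 mod_rewrite attack signature, in Apache 1.3/2.0 syntax. /www, /www/conf/.htpasswd and 192.168.1.0/24 are assumed values.

```apache
# Added example, not from the slides: httpd.conf settings for 5.2, 5.3 and 5.4.
# /www, /www/conf/.htpasswd and 192.168.1.0/24 are assumed; use your own values.

# 5.2 Logging and information leakage
LogLevel notice
ErrorLog /www/logs/error_log
CustomLog /www/logs/access_log combined
ServerSignature Off
ServerTokens ProductOnly
CoreDumpDirectory /www/logs

# 5.2 Deny everything at the filesystem root, then re-open only the DocumentRoot
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>
<Directory /www/htdocs>
    Options IncludesNoExec SymLinksIfOwnerMatch
    AllowOverride None
    Order allow,deny
    Allow from all
    # 5.2 LimitExcept: any method other than GET or POST is refused
    <LimitExcept GET POST>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>
# 5.3 Host-based check (by IP, not hostname) and Basic authentication, both required
<Directory /www/htdocs/admin>
    Order deny,allow
    Deny from all
    Allow from 192.168.1.0/24
    AuthType Basic
    AuthName "Administration"
    AuthUserFile /www/conf/.htpasswd
    Require valid-user
    Satisfy All
</Directory>

# 5.2 Error responses: custom 401/403 pages instead of defaults that name the server
ErrorDocument 401 /errors/401.html
ErrorDocument 403 /errors/403.html

# 5.4 Attack signature: refuse the default.ida (CodeRed) and cmd.exe/root.exe (Nimda) probes
RewriteEngine On
RewriteCond %{REQUEST_URI} (default\.ida|cmd\.exe|root\.exe) [NC]
RewriteRule .* - [F]
```

The rewrite rule answers the worm probes with 403 before any handler runs, so they never reach CGI and are easy to count in access_log.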
32. Step 6: Change Ownership/Permissions on Directories and Files
6.5 Bin Directory
# chown -R root <Bin_Dir>
# chgrp -R webmaster <Bin_Dir>
# chmod -R 770 <Bin_Dir>
33. Step 7: Clean Out Unneeded Files and Directories
7.1 Src Directory
7.2 Default HTML Documents
34. Step 8: Update Apache Start Script for Notification
• To let the System Administrator know that the Apache Web Server has been restarted
35. Step 9: Advanced Settings - Miscellaneous Security Enhancements
9.1 Worms At War such as CodeRed and Nimda
9.2 Swatch
9.3 Monitor Changes in Web Content
9.4 Secure Index Pages
9.5 Chroot
9.6 Secure Socket Layer (SSL)
36. Bug/Exploit
• CERT® Advisory CA-2002-17: Apache Web Server Chunk Handling Vulnerability (June 17, 2002)
• CERT® Advisory CA-2002-27: Apache/mod_ssl Worm (September 14, 2002)
• Related Link: http://httpd.apache.org/security_report.html
37. Hardening Dedicated Server & Network Diagram
• Download and Install the latest versions of the Daemon
• No user login account
• All updates are done from the internal network
• Audit and Penetration Testing on your Server
• Carefully Check your CGI Scripts
• Prevent others from running their CGI Scripts
• DO NOT send confidential info., etc. back to the user via e-mail