Projects

By default, apache might run as nobody or daemon. It is good to run apache in its own non-privileged account. For example: apache.

Create apache group and user.

groupadd apache
useradd -d /usr/local/apache2/htdocs -g apache -s /bin/false apache

Modify the httpd.conf, and set User and Group appropriately.

# vi httpd.conf
User apache
Group apache

After this, if you restart apache, and do ps -ef, you’ll see that the apache is running as “apache” (Except the 1st httpd process, which will always run as root).

# ps -ef | grep -i http | awk '{print $1}'
root
apache
apache
apache
apache
apache

Secure the root directory by setting the following in the httpd.conf

<Directory />
    Options None
    Order deny,allow
    Deny from all
</Directory>

In the above:

• Options None – Set this to None, which will not enable any optional extra features.
• Order deny,allow – This is the order in which the “Deny” and “Allow” directivites should be processed. This processes the “deny” first and “allow” next.
• Deny from all – This denies request from everybody to the root directory. There is no Allow directive for the root directory. So, nobody can access it.

bin and conf directory should be viewed only by authorized users. It is good idea to create a group, and add all users who are allowed to view/modify the apache configuration files to this group.

Let us call this group: apacheadmin

Create the group.

groupadd apacheadmin

Allow access to bin directory for this group.

chown -R root:apacheadmin /usr/local/apache2/bin
chmod -R 770 /usr/local/apache2/bin

Allow access to conf directory for this group.

chown -R root:apacheadmin /usr/local/apache2/conf
chmod -R 770 /usr/local/apache2/conf

Add appropriate members to this group. In this example, both ramesh and john are part of apacheadmin

# vi /etc/group
apacheadmin:x:1121:ramesh,john

If you don’t do this, users will be able to see all the files (and directories) under your root (or any sub-directory).

For example, if they go to http:{your-ip}/images/ and if you don’t have an index.html under images, they’ll see all the image files (and the sub-directories) listed in the browser (just like a ls -1 output). From here, they can click on the individual image file to view it, or click on a sub-directory to see its content. To disable directory browsing, you can either set the value of Options directive to “None” or “-Indexes”. A – in front of the option name will remove it from the current list of options enforced for that directory. Indexes will display a list of available files and sub-directories inside a directory in the browser (only when no index.html is present inside that folder). So, Indexes should not be allowed. <Directory /> Options None Order allow,deny Allow from all </Directory> (or) <Directory /> Options -Indexes Order allow,deny Allow from all </Directory> ==== 6. Don’t allow .htaccess ==== Using .htaccess file inside a specific sub-directory under the htdocs (or anywhere ouside), users can overwrite the default apache directives. On certain situations, this is not good, and should be avoided. You should disable this feature. You should not allow users to use the .htaccess file and override apache directives. To do this, set “AllowOverride None” in the root directory. <Directory /> Options None AllowOverride None Order allow,deny Allow from all </Directory> ==== 7. Disable other Options ==== Following are the available values for Options directive: * Options All – All options are enabled (except MultiViews). If you don’t specify Options directive, this is the default value. * Options ExecCGI – Execute CGI scripts (uses mod_cgi) * Options FollowSymLinks – If you have symbolic links in this directory, it will be followed. * Options Includes – Allow server side includes (uses mod_include) * Options IncludesNOEXEC – Allow server side includes without the ability to execute a command or cgi. * Options Indexes – Disable directory listing * Options MultiViews - Allow content negotiated multiviews (uses mod_negotiation) * Options SymLinksIfOwnerMatch – Similar to FollowSymLinks. But, this will follow only when the owner is same between the link and the original directory to which it is linked. Never specify ‘Options All’. Always specify one (or more) of the options mentioned above. You can combine multiple options in one line as shown below. Options Includes FollowSymLinks The + and – in front of an option value is helpful when you have nested direcotires, and would like to overwrite an option from the parent Directory directive. In this example, for /site directory, it has both Includes and Indexes: <Directory /site> Options Includes Indexes AllowOverride None Order allow,deny Allow from all </Directory> For /site/en directory, if you need Only Indexes from /site (And not the Includes), and if you want to FollowSymLinks only to this directory, do the following. <Directory /site/en> Options -Includes +FollowSymLink AllowOverride None Order allow,deny Allow from all </Directory> * /site will have Includes and Indexes * /site/en will have Indexes and FollowSymLink ==== 8. Remove unwanted DSO modules ==== If you have loaded any dynamic shared object modules to the apache, they’ll be present inside the httpd.conf under “LoadModule” directive. Please note that the statically compiled apache modules will not be listed as “LoadModule” directive. Comment out any unwanted “LoadModules” in the httpd.conf grep LoadModule /usr/local/apache2/conf/httpd.conf ==== 9. Restrict access to a specific network (or ip-address) ==== If you want your site to be viewed only by a specific ip-address or network, do the following: To allow a specific network to access your site, give the network address in the Allow directive. <Directory /site> Options None AllowOverride None Order deny,allow Deny from all Allow from 10.10.0.0/24 </Directory> To allow a specific ip-address to access your site, give the ip-address in the Allow directive. <Directory /site> Options None AllowOverride None Order deny,allow Deny from all Allow from 10.10.1.21 </Directory> ==== 10. Don’t display or send Apache version (Set ServerTokens) ==== By default, the server HTTP response header will contains apache and php version. Something similar to the following. This is harmful, as we don’t want an attacker to know about the specific version number. Server: Apache/2.2.17 (Unix) PHP/5.3.5 To avoid this, set the ServerTokens to Prod in httpd.conf. This will display “Server: Apache” without any version information. # vi httpd.conf ServerTokens Prod Following are possible ServerTokens values: * ServerTokens Prod displays “Server: Apache” * ServerTokens Major displays “Server: Apache/2″ * ServerTokens Minor displays “Server: Apache/2.2″ * ServerTokens Min displays “Server: Apache/2.2.17″ * ServerTokens OS displays “Server: Apache/2.2.17 (Unix)” * ServerTokens Full displays “Server: Apache/2.2.17 (Unix) PHP/5.3.5″ (If you don’t specify any ServerTokens value, this is the default) Apart from all the above 10 tips, make sure to secure your UNIX / Linux operating system. There is no point in securing your apache, if your OS is not secure. Also, always keep your apache version upto date. The latest version of the apache contains fixes for all the known security issues. Make sure to review your apache log files frequently. ==== Additional reading on apache ==== * __How To Install Apache 2 with SSL on Linux (with mod_ssl, openssl)__
==== 3. Enable SSL in httpd.conf ==== Apache configuration file httpd.conf is located under /usr/local/apache2/conf. Uncomment the httpd-ssl.conf Include line in the /usr/local/apache2/conf/httpd.conf file. # vi /usr/local/apache2/conf/httpd.conf Include conf/extra/httpd-ssl.conf View the httpd-ssl.conf to review all the default SSL configurations. For most cases, you don’t need to modify anything in this file. vi /usr/local/apache2/conf/extra/httpd-ssl.conf The SSL certificate and key are required before we start the Apache. The server.crt and server.key file mentioned in the httpd-ssl.conf needs to be created before we move forward. # egrep 'server.crt|server.key' httpd-ssl.conf SSLCertificateFile “/usr/local/apache2/conf/server.crt” SSLCertificateKeyFile “/usr/local/apache2/conf/server.key” ==== 4. Create server.crt and server.key file ==== First, Generate the server.key using openssl. cd ~ openssl genrsa -des3 -out server.key 1024 The above command will ask for the password. Make sure to remember this password. You need this while starting your Apache later. If you don’t provide a password, you’ll get the following error message. 2415:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:849:You must type in 4 to 8191 characters Next, generate a certificate request file (server.csr) using the above server.key file. openssl req -new -key server.key -out server.csr Finally, generate a self signed ssl certificate (server.crt) using the above server.key and server.csr file. openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt For more details refer to: __How To Generate SSL Key, CSR and Self Signed Certificate For Apache__ ==== 5. Copy the server.key and server.crt ==== Copy the server.key and server.crt file to appropriate Apache configuration directory location. cd ~ cp server.key /usr/local/apache2/conf/ cp server.crt /usr/local/apache2/conf/ ==== 6. Start the apache and verify SSL ==== Start the Apache as shown below. /usr/local/apache2/bin/apachectl start This will prompt you to enter the password for your private key. Apache/2.2.17 mod_ssl/2.2.17 (Pass Phrase Dialog) Some of your private key files are encrypted for security reasons. In order to read them you have to provide the pass phrases. Server www.example.com:443 (RSA) Enter pass phrase: OK: Pass Phrase Dialog successful. By default Apache SSL runs on 443 port. Open a web browser and verify that you can access your Apache using https:{your-ip-address}

HOWTO : Hardening your Apache and PHP on Ubuntu 9.04 Server You have installed LAMP and OpenSSH on your Ubuntu 9.04 Server. The first thing to do is to harden it in order to avoid some kind of attacks.

You can do the following steps in front of your Ubuntu 9.04 Server or remote access it via OpenSSH.

For OpenSSH, your Ubuntu 9.04 Server is at 192.168.0.10 :

ssh 192.168.0.10 -l samiux

Step 1 :

The avoid someone to list your files on your Apache directory, you should do the following step.

sudo nano /etc/apache2/sites-available/default

Add a minus “-” in the front of “Indexes” and it will looking like this :

<Directory /var/www/>     Options -Indexes FollowSymLinks MultiViews     AllowOverride None     Order allow,deny     allow from all </Directory>

Step 2 :

To enable the rewrite module of Apache.

sudo a2enmod rewrite

To avoid Cross-Site-Tracing attack. Add the following lines within “ <VirtualHost *:80>” :

<IfModule mod_rewrite.c>     RewriteEngine On     RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)     RewriteRule .* - [F] </IfModule>

Step 3 :

To avoid HTTP DoS, DDoS or Brute Force attack, you should install this module.

sudo apt-get install libapache2-mod-evasive

Step 4 :

To screen out bad URL requests, such as /etc/shadow or MySQL injection and etc. You should install mod_security module. If you installed a amd64 (64-bit) version of Ubuntu Server, please replaced i386 with amd64 for the following commands.

wget http://etc.inittab.org/~agi/debian/libapache-mod-security2/libapache-mod-security_2.5.9-1_i386.deb

wget http://etc.inittab.org/~agi/debian/libapache-mod-security2/mod-security-common_2.5.9-1_all.deb

sudo dpkg -i libapache-mod-security_2.5.9-1_i386.deb mod-security-common_2.5.9-1_all.deb

Step 5 :

Do not allow any Apache and Ubuntu Server information to be print on the error pages.

sudo nano /etc/apache2/conf.d/security

Change the following lines as the following :

ServerToken Prod ServerSignature Off

Step 6 :

Now, it is time to harden the PHP.

sudo nano /etc/php5/apache2/php.ini

Change the following lines as the following :

display_errors = Off log_errors = On allow_url_fopen = Off safe_mode = On expose_php = Off enable_dl = Off disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd

Step 7 :

Final step is to restart Apache server.

sudo /etc/init.d/apache2 restart

Step 8 :

sudo nano /etc/sysctl.conf Uncomment the following line and make it look like this.

#Enable TCP SYN Cookie Protection net.ipv4.tcp_syncookies = 1

Make the change active.

sudo /sbin/sysctl -p