Apache Web Server Hardening and Security Guide


The web server is a crucial part of web-based applications. Apache Web Server is often placed at the edge of the network, which makes it one of the most exposed services to attack.

The default configuration discloses a good deal of sensitive information that can help an attacker prepare an attack on the applications. The majority of web application attacks (XSS, information leakage, session management flaws and SQL injection) stem from weak programming code and from a failure to harden the web application infrastructure.

The following was tested on Apache 2.4.x.

  • This assumes you have installed Apache on the UNIX platform. If not, you can go through the Installation guide. https://geekflare.com/apache-2-4-6-installation-on-unix/

  • Throughout this guide I will refer to the Apache installation directory /opt/apache as $Web_Server.

  • You are advised to take a backup of the existing configuration file before any modification.

Audience

This is designed for middleware administrators, application support staff, system analysts, or anyone working on, or eager to learn, hardening and security guidelines.

A fair knowledge of Apache Web Server and UNIX commands is mandatory.

Notes

You will need a way to examine HTTP response headers in order to verify some of the changes. There are two ways to do this:

  1. Use the browser's built-in developer tools to inspect the HTTP headers. They are usually under the Network tab.

  2. Use an online HTTP response header checker tool, such as https://geekflare.com/tools/http-headers-test

Remove Server Version Banner

I would say this is one of the first things to consider, as you don’t want to expose what web server version you are using. Exposing the version means you are helping the hacker speed up the reconnaissance process.

The default configuration exposes the Apache version and the OS type in the Server response header.

  • Go to $Web_Server/conf folder

  • Modify httpd.conf by using the vi editor

  • Add the following directive and save the httpd.conf

ServerTokens Prod

ServerSignature Off

ServerSignature Off removes the version information from the pages Apache generates itself (such as error pages).

ServerTokens Prod reduces the Server header to the product name only, i.e. Apache.

Once Apache has reloaded the configuration, the version and OS information is gone from the Server header.

Disable directory browser listing

Disable directory listing so that a visitor cannot see which files and folders exist under the document root or its subdirectories.

Let's see how it looks with the default settings.

  • Go to $Web_Server/htdocs directory

  • Create a folder and a few files inside it

# mkdir test
# touch test/hi test/hello

Now, let’s try to access Apache by http://localhost/test

As you can see, it lists every file and folder in that directory, which you surely do not want to expose.

  • Go to $Web_Server/conf directory

  • Open httpd.conf using vi

  • Search for the Directory directive and change the Options directive to None or -Indexes:

    <Directory /opt/apache/htdocs>
    Options -Indexes
    </Directory>

    (or)

    <Directory /opt/apache/htdocs>
    Options None
    </Directory>

  • Restart Apache

Note: if you have multiple Directory directives in your environment, apply the same change to all of them.

Now, let’s try to access Apache by http://localhost/test

As you can see, it now returns a Forbidden error instead of the test folder listing.

Etag

The default ETag header lets a remote attacker obtain sensitive information such as the inode number, the multipart MIME boundary and the child process ID.

To prevent this, configure the directive below. Fixing this is required for PCI compliance.

  • Go to $Web_Server/conf directory

  • Add the following directive and save the httpd.conf

FileETag None

  • Restart Apache

Run Apache from a non-privileged account

A default installation runs as nobody or daemon. It is better to use a dedicated non-privileged user for Apache.

The idea is to limit the damage to the other services on the host if Apache is compromised through a security hole.

  • Create a user and group called apache

# groupadd apache
# useradd -g apache apache

  • Change the ownership of the Apache installation directory to the newly created non-privileged user

# chown -R apache:apache /opt/apache

  • Go to $Web_Server/conf

  • Modify httpd.conf using vi

  • Search for the User and Group directives and change them to the non-privileged account apache:

    User apache
    Group apache

  • Save the httpd.conf

  • Restart Apache

grep the running httpd processes and ensure they are running as the apache user:

# ps -ef | grep http

You will still see one process running as root. That is the parent process: Apache listens on port 80, a privileged port, so it has to be started as root, and it then forks the child processes that serve requests as the apache user.

Protect binary and configuration directory permission

By default, the binary and configuration directories have permission 755, which means any user on the server can read the configuration. You can prevent other users from entering the conf and bin folders.

  • Go to the $Web_Server directory

  • Change the permission of the bin and conf folders

# chmod -R 750 bin conf

System Settings Protection

In a default installation, users can override the Apache configuration with .htaccess files. To stop users from changing your server settings, set AllowOverride None as shown below.

This must be done at the root level.

  • Go to $Web_Server/conf directory

  • Open httpd.conf using vi

  • Search for the Directory directive at the root level and set it as follows:

    <Directory />
    Options -Indexes
    AllowOverride None
    </Directory>
  • Save the httpd.conf

  • Restart Apache

HTTP Request Methods

HTTP/1.1 supports many request methods that you may not need, and some of them carry potential risk.

Typically a web application needs only the GET, HEAD and POST methods, which can be enforced in the respective Directory directive.

The default configuration supports the OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE and CONNECT methods of HTTP/1.1.

  • Go to $Web_Server/conf directory

  • Open httpd.conf using vi

  • Search for the Directory directive and add the following inside it:

    <LimitExcept GET POST HEAD>
    Require all denied
    </LimitExcept>

    (Require all denied is the native Apache 2.4 syntax; the older deny from all form works only when mod_access_compat is loaded.)

  • Restart Apache

Disable Trace HTTP Request

By default, the TRACE method is enabled in Apache.

Leaving it enabled can allow a Cross-Site Tracing attack, potentially giving an attacker a way to steal cookie information. Let's see how it behaves in the default configuration.

  • Telnet to the web server IP on its listening port

  • Make a TRACE request as shown below

# telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
TRACE / HTTP/1.1
Host: test

HTTP/1.1 200 OK
Date: Sat, 31 Aug 2013 02:13:24 GMT
Server: Apache
Transfer-Encoding: chunked
Content-Type: message/http

20
TRACE / HTTP/1.1
Host: test

0

Connection closed by foreign host.
#

As you can see, the server echoed the TRACE request back in its response. Let's disable it and test again.

  • Go to $Web_Server/conf directory

  • Add the following directive and save the httpd.conf

TraceEnable off

  • Restart Apache

Telnet to the web server IP on its listening port again and make a TRACE request as shown below:

# telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
TRACE / HTTP/1.1
Host: test

HTTP/1.1 405 Method Not Allowed
Date: Sat, 31 Aug 2013 02:18:27 GMT
Server: Apache
Allow:
Content-Length: 223
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>405 Method Not Allowed</title>
</head><body>
<h1>Method Not Allowed</h1>
<p>The requested method TRACE is not allowed for the URL /.</p>
</body></html>
Connection closed by foreign host.
#

As you can see, the server now rejects the TRACE request with HTTP 405 Method Not Allowed.

The web server no longer allows TRACE requests, which helps block Cross-Site Tracing attacks.

Cookie HttpOnly and Secure flags

You can mitigate the impact of the most common Cross-Site Scripting attacks on session cookies by setting the HttpOnly and Secure flags on every cookie. Without HttpOnly and Secure, it is possible to steal or manipulate the web application's session and cookies, which is dangerous.

  • Ensure mod_headers.so is enabled in your httpd.conf

  • Go to $Web_Server/conf directory

  • Add the following directive and save the httpd.conf

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

  • Restart apache

Clickjacking Attack

Clickjacking is a well-known web application vulnerability; the X-Frame-Options header tells browsers not to render your pages inside a frame served from another origin.

  • Ensure mod_headers.so is enabled in your httpd.conf

  • Go to $Web_Server/conf directory

  • Add the following directive and save the httpd.conf

Header always set X-Frame-Options SAMEORIGIN

(Use set rather than append: X-Frame-Options takes a single value, and append would merge a second SAMEORIGIN onto any value the application already sends.)

  • Restart apache
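As an added example (not part of the original post), here is a small POSIX shell audit that reads a captured HTTP response, for instance the output of curl -sI or a pasted telnet session, and checks the three header-level items above together: the Server banner after ServerTokens Prod, the HttpOnly and Secure flags on every Set-Cookie, and X-Frame-Options. The sample responses are constructed, and the function and variable names are my own.

```shell
# Audit a captured HTTP response (headers on stdin, CRLF or LF) for a
# version-bearing Server banner, Set-Cookie without HttpOnly/Secure, and a
# missing X-Frame-Options. Prints one line per check, returns the failure count.
audit_response_headers() {
    hdr=$(tr -d '\r')
    fails=0
    # ServerTokens Prod + ServerSignature Off leave exactly "Server: Apache".
    server=$(printf '%s\n' "$hdr" | grep -i '^Server:' | head -n 1 | cut -d' ' -f2-)
    case "$server" in
        ''|Apache) echo "OK   Server banner: ${server:-absent}" ;;
        *)         echo "FAIL Server banner leaks detail: $server"
                   fails=$((fails + 1)) ;;
    esac
    # Every Set-Cookie must carry both flags (Header edit ... ;HttpOnly;Secure).
    total=$(printf '%s\n' "$hdr" | grep -ic '^Set-Cookie:' || true)
    weak=$(printf '%s\n' "$hdr" | grep -i '^Set-Cookie:' \
           | grep -ivcE 'httponly.*secure|secure.*httponly' || true)
    if [ "$weak" -gt 0 ]; then
        echo "FAIL $weak of $total Set-Cookie header(s) lack HttpOnly and/or Secure"
        fails=$((fails + 1))
    else
        echo "OK   all $total Set-Cookie header(s) carry HttpOnly and Secure"
    fi
    # Clickjacking: X-Frame-Options must be DENY or SAMEORIGIN (case-insensitive).
    xfo=$(printf '%s\n' "$hdr" | grep -i '^X-Frame-Options:' | head -n 1 \
          | cut -d' ' -f2- | tr '[:lower:]' '[:upper:]')
    case "$xfo" in
        DENY|SAMEORIGIN) echo "OK   X-Frame-Options: $xfo" ;;
        *) echo "FAIL X-Frame-Options missing or weak: ${xfo:-absent}"
           fails=$((fails + 1)) ;;
    esac
    return "$fails"
}

# Run the audit on a response held in a string and print the failure count.
audit_count() { printf '%s\n' "$1" | audit_response_headers >/dev/null && echo 0 || echo $?; }

# Constructed sample responses (not captured from a real server).
DEFAULT_RESPONSE='HTTP/1.1 200 OK
Server: Apache/2.4.6 (Unix)
Set-Cookie: JSESSIONID=abc123; Path=/
Set-Cookie: lang=en; Path=/; Secure; HttpOnly
Content-Type: text/html'

HARDENED_RESPONSE='HTTP/1.1 200 OK
Server: Apache
Set-Cookie: JSESSIONID=abc123; Path=/;HttpOnly;Secure
X-Frame-Options: SAMEORIGIN
Content-Type: text/html'
```

Against a live server, pipe the headers in directly: curl -sI http://localhost/ | audit_response_headers.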

Timeout value configuration

By default, the Apache Timeout value is 300 seconds, which leaves the server open to Slowloris and other DoS attacks. To mitigate this, you can lower the timeout to around 60 seconds.

  • Go to $Web_Server/conf directory

  • Open httpd.conf using vi

  • Add the following to httpd.conf

Timeout 60

Disable SSL v2 & v3

SSL v2 and v3 have many security flaws, and if you are working towards a penetration test or PCI compliance, you will be expected to close the finding by disabling SSL v2/v3.

Any SSL v2/v3 communication may be vulnerable to a Man-in-the-Middle attack that could allow data tampering or disclosure.

Let's configure Apache to accept only recent TLS versions and reject SSL v2/v3 connection requests.

  • Go to $Web_Server/conf/extra folder

  • Modify the SSLProtocol directive in httpd-ssl.conf as below to accept only TLS 1.2 and later:

SSLProtocol -ALL +TLSv1.2

Once you are done with the SSL configuration, it is a good idea to test your web application with an online SSL/TLS certificate tool to find any configuration errors.
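Bringing the directives from the sections above together, here is an added shell check of my own (not from the original post or the Apache project) that audits httpd.conf and httpd-ssl.conf for ServerTokens, ServerSignature, FileETag, TraceEnable, Timeout, User/Group, SSLProtocol, Options Indexes and AllowOverride. The sample config it writes is constructed to show the default-style weak values; the function names are mine.

```shell
# Audit one or more Apache config files for the directives this guide sets.
# Comment lines are ignored and, as in Apache, the last occurrence of a
# server-wide directive wins. Prints OK/FAIL per check, returns the failure count.
audit_httpd_conf() {
    conf=$(cat "$@" | grep -v '^[[:space:]]*#' || true)
    fails=0
    while read -r directive want; do   # directive + regex its value must match
        got=$(printf '%s\n' "$conf" | grep -iE "^[[:space:]]*$directive[[:space:]]" \
              | tail -n 1 | sed -E 's/^[[:space:]]*[^[:space:]]+[[:space:]]+//')
        if printf '%s' "$got" | grep -qiE "$want"; then echo "OK   $directive $got"
        else echo "FAIL $directive is '${got:-unset}' (want /$want/)"; fails=$((fails + 1)); fi
    done <<'EOF'
ServerTokens ^Prod$
ServerSignature ^Off$
FileETag ^None$
TraceEnable ^Off$
Timeout ^([1-9]|[1-5][0-9]|60)$
User ^apache$
Group ^apache$
SSLProtocol ^-ALL[[:space:]]+\+TLSv1\.2
EOF
    # Directory-scoped directives: every occurrence must be safe, not just the last.
    if printf '%s\n' "$conf" | grep -iE '^[[:space:]]*Options[[:space:]]' \
         | grep -qiE '(^|[[:space:]])\+?(Indexes|All)([[:space:]]|$)'; then
        echo "FAIL an Options line enables directory listing"; fails=$((fails + 1))
    else echo "OK   no Options line enables Indexes"; fi
    if printf '%s\n' "$conf" | grep -iE '^[[:space:]]*AllowOverride[[:space:]]' \
         | grep -qivE '^[[:space:]]*AllowOverride[[:space:]]+None[[:space:]]*$'; then
        echo "FAIL an AllowOverride line permits .htaccess overrides"; fails=$((fails + 1))
    else echo "OK   every AllowOverride is None"; fi
    return "$fails"
}

# Constructed sample (not a real server's file) with default-style weak settings.
write_weak_conf() {
    cat > "$1" <<'EOF'
# ServerTokens Prod       <- commented out, so it has no effect
ServerTokens OS
Timeout 300
User daemon
Group daemon
<Directory "/opt/apache/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride All
</Directory>
SSLProtocol all -SSLv2
EOF
}
```

On a real server run it as audit_httpd_conf $Web_Server/conf/httpd.conf $Web_Server/conf/extra/httpd-ssl.conf; it does not follow Include directives, so pass every file that may carry these settings.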

Thanks for reading the article.

Hope it will help you.

Keep learning and hustling.

Stay tuned for the next project.
