The web server is a crucial part of any web-based application. Apache Web Server is often placed at the edge of the network, so it is one of the most exposed services and a frequent target of attack.
A default configuration leaks a good deal of sensitive information that can help an attacker prepare an attack on the applications behind it. The majority of web application attacks are XSS, information leakage, session management and SQL injection attacks, which result from weak programming code and a failure to harden the web application infrastructure.
The following are tested on the Apache 2.4.x version.
This assumes you have installed Apache on the UNIX platform. If not, you can go through the Installation guide. https://geekflare.com/apache-2-4-6-installation-on-unix/
I will refer to the Apache installation directory, /opt/apache, as $Web_Server throughout this guide.
You are advised to take a backup of the existing configuration file before making any modification.
Audience
This is designed for Middleware Administrators, Application Support, System analysts, or anyone working or eager to learn Hardening & Security guidelines.
Fair knowledge of Apache Web Server & UNIX commands is mandatory.
Notes
You will need a way to examine HTTP headers to verify some of the changes. There are two ways to do this.
Use the browser's built-in developer tools to inspect the HTTP headers; they are usually under the Network tab.
Use an online HTTP response header checker tool, e.g. https://geekflare.com/tools/http-headers-test
Remove Server Version Banner
I would say this is one of the first things to consider, as you don’t want to expose what web server version you are using. Exposing the version means you are helping the hacker speed up the reconnaissance process.
The default configuration will expose Apache Version and OS type as shown below.
Go to $Web_Server/conf folder
Modify httpd.conf by using the vi editor
Add the following directive and save the httpd.conf
ServerTokens Prod
ServerSignature Off
ServerSignature Off removes the version information from the pages generated by Apache itself, such as error pages and directory listings.
ServerTokens Prod reduces the Server header to the product name only, i.e., Apache
As you can see below, the version & OS information is gone.
Disable directory browser listing
Disable directory listing in the browser, so that a visitor doesn't see which files and folders you have under the document root or its subdirectories.
Let's see how it looks with the default settings.
Go to $Web_Server/htdocs directory
Create a folder and a few files inside it
# mkdir test
# touch hi
# touch hello
Now, let’s try to access Apache by http://localhost/test
As you can see, it reveals every file and folder you have there, and I am sure you don't want to expose that.
Go to $Web_Server/conf directory
Open httpd.conf using vi
Search for Directory and change the Options directive to None or -Indexes

<Directory /opt/apache/htdocs>
    Options -Indexes
</Directory>

(or)

<Directory /opt/apache/htdocs>
    Options None
</Directory>
- Restart Apache
Note: if you have multiple Directory directives in your environment, you should consider doing the same for all.
Now, let’s try to access Apache by http://localhost/test
As you can see, it now returns a 403 Forbidden error instead of the test folder listing.
Etag
The default ETag header allows remote attackers to obtain sensitive information such as the inode number, multipart MIME boundary and child process identifier of the server through the ETag value.
To prevent this information leak, configure it as below. This is also required for PCI compliance.
Go to $Web_Server/conf directory
Add the following directive and save the httpd.conf
FileETag None
Restart apache
Run Apache from a non-privileged account
A default installation runs as nobody or daemon. Using a separate non-privileged user for Apache is good practice.
The idea is to limit what an attacker can reach if Apache itself is compromised, so that other services running on the server are protected.
Create a user and group called apache
groupadd apache
useradd -G apache apache
Change apache installation directory ownership to a newly created non-privileged user
# chown -R apache:apache /opt/apache
Go to $Web_Server/conf
Modify httpd.conf using vi
Search for the User & Group directives and change them to the non-privileged account apache
User apache
Group apache
Save the httpd.conf
Restart Apache
grep for the running httpd processes and ensure they run as the apache user
ps -ef | grep http
You should see one process still running as root. That's because Apache listens on port 80, so the parent process must be started as root; it then spawns the child processes that handle requests as the apache user.
Protect binary and configuration directory permission
By default, the permission on the binary and configuration directories is 755, which means any user on the server can read the configuration. You can stop other users from getting into the conf and bin folders.
Go to $Web_Server directory
Change permission of bin and conf folder
chmod -R 750 bin conf
System Settings Protection
In a default installation, users can override the Apache configuration using .htaccess files. If you want to stop users from changing your Apache server settings, set AllowOverride to None as shown below.
This must be done at the root level.
Go to $Web_Server/conf directory
Open httpd.conf using vi
Search for Directory at a root level
<Directory />
Options -Indexes
AllowOverride None
</Directory>
Save the httpd.conf
Restart Apache
HTTP Request Methods
HTTP/1.1 supports many request methods, not all of which a web application needs, and some of them carry potential risk.
Typically a web application needs only the GET, HEAD and POST methods, and you can restrict the rest in the respective Directory directive.
The default configuration supports the OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE and CONNECT methods of HTTP/1.1.
Go to $Web_Server/conf directory
Open httpd.conf using vi
Search for Directory and add the following inside it

<LimitExcept GET POST HEAD>
    Require all denied
</LimitExcept>

Require all denied is the Apache 2.4 syntax; the older 2.2-style deny from all only works when mod_access_compat is loaded.
- Restart Apache
Disable Trace HTTP Request
By default, the TRACE method is enabled in the Apache web server.
Having it enabled can allow a Cross Site Tracing attack, potentially giving an attacker a way to steal cookie information. Let's see how it behaves in the default configuration.
Telnet to the web server IP on its listening port and make a TRACE request as shown below
# telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
TRACE / HTTP/1.1
Host: test

HTTP/1.1 200 OK
Date: Sat, 31 Aug 2013 02:13:24 GMT
Server: Apache
Transfer-Encoding: chunked
Content-Type: message/http

20
TRACE / HTTP/1.1
Host: test

0

Connection closed by foreign host.
#
As you can see in the TRACE exchange above, the server echoed my request back in its response. Let's disable it and test again.
Go to $Web_Server/conf directory
Add the following directive and save the httpd.conf
TraceEnable off
- Restart apache
Telnet to the web server IP on its listening port again and make a TRACE request as shown below
# telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
TRACE / HTTP/1.1
Host: test

HTTP/1.1 405 Method Not Allowed
Date: Sat, 31 Aug 2013 02:18:27 GMT
Server: Apache
Allow:
Content-Length: 223
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>405 Method Not Allowed</title>
</head><body>
<h1>Method Not Allowed</h1>
<p>The requested method TRACE is not allowed for the URL /.</p>
</body></html>
Connection closed by foreign host.
#
As you can see in the TRACE exchange above, the server now rejects the request with HTTP 405 Method Not Allowed.
The web server no longer accepts TRACE requests, which helps block Cross Site Tracing attacks.
Set cookie with HttpOnly and Secure flag
You can mitigate the impact of most common Cross Site Scripting attacks by setting the HttpOnly and Secure flags on cookies: HttpOnly keeps client-side script from reading the cookie, and Secure makes the browser send it only over HTTPS. Without HttpOnly and Secure, it is possible to steal or manipulate web application sessions and cookies, which is dangerous.
Ensure mod_headers.so is enabled in your httpd.conf
Go to $Web_Server/conf directory
Add the following directive and save the httpd.conf
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
- Restart apache
Clickjacking Attack
Clickjacking is a well-known web application vulnerability in which your pages are loaded inside a frame on an attacker's page. The X-Frame-Options header tells the browser whether your pages may be framed; SAMEORIGIN allows framing only by pages from your own site.
Ensure mod_headers.so is enabled in your httpd.conf
Go to $Web_Server/conf directory
Add the following directive and save the httpd.conf
Header always append X-Frame-Options SAMEORIGIN
- Restart apache
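To verify the server banner, TRACE, cookie-flag and X-Frame-Options changes from the sections above in one go, here is a small checker I added for this guide (example code, not from the original article or from the Apache project). It parses a raw HTTP/1.1 response such as the telnet output shown earlier and reports which settings are still at their defaults; the two sample responses are constructed, not captured from a real server.

```python
# Audit a captured HTTP response against the hardening steps in this guide.
# Added example, not from the original article; sample responses are constructed.

def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status_code, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body

def audit(raw, method="GET"):
    """Return a list of findings; an empty list means every check passed."""
    status, headers, _ = parse_response(raw)
    findings = []

    def values(name):
        return [v for k, v in headers if k == name]

    # ServerTokens Prod leaves only the product name: "Apache", no "/version (OS)".
    for server in values("server"):
        if "/" in server or "(" in server:
            findings.append(f"server banner leaks version/OS: {server}")
    # TraceEnable off makes TRACE answer 405 instead of echoing the request (200).
    if method.upper() == "TRACE" and status == 200:
        findings.append("TRACE method is enabled (HTTP 200)")
    # The Header edit on Set-Cookie must leave HttpOnly and Secure on every cookie.
    for cookie in values("set-cookie"):
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        missing = sorted({"httponly", "secure"} - attrs)
        if missing:
            findings.append(f"cookie {cookie.split('=')[0]} lacks {', '.join(missing)}")
    # X-Frame-Options SAMEORIGIN (or DENY) stops other origins from framing the page.
    framing = [v.upper() for v in values("x-frame-options")]
    if not any(v in ("SAMEORIGIN", "DENY") for v in framing):
        findings.append("X-Frame-Options missing or permissive")
    return findings

# Constructed responses: a default install, and one after applying this guide.
DEFAULT_RESPONSE = ("HTTP/1.1 200 OK\r\nServer: Apache/2.4.6 (Unix)\r\n"
                    "Set-Cookie: sessionid=abc123; Path=/\r\n\r\n<html></html>")
HARDENED_RESPONSE = ("HTTP/1.1 200 OK\r\nServer: Apache\r\n"
                     "Set-Cookie: sessionid=abc123; Path=/;HttpOnly;Secure\r\n"
                     "X-Frame-Options: SAMEORIGIN\r\n\r\n<html></html>")

if __name__ == "__main__":
    for label, raw in (("default", DEFAULT_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(raw) or ["all checks passed"])
```

Pass the response to a TRACE request with method="TRACE" to confirm that TraceEnable off is taking effect.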
Timeout value configuration
By default, the Apache Timeout value is 300 seconds, which leaves the server open to Slowloris and similar DoS attacks that hold connections open. To mitigate this, you can lower the timeout to, say, 60 seconds.
Go to $Web_Server/conf directory
Open httpd.conf using vi
Add the following in httpd.conf
Timeout 60
Disable SSL v2 & v3
SSL v2 & v3 have many known security flaws, and if you are working towards a penetration test or PCI compliance, you will be expected to close the finding by disabling SSL v2/v3.
Any SSL v2/v3 communication may be vulnerable to a man-in-the-middle attack that could allow data tampering or disclosure.
Let's configure the Apache web server to accept only the latest TLS and reject SSL v2/v3 connection requests.
Go to $Web_Server/conf/extra folder
Modify the SSLProtocol directive in httpd-ssl.conf as below to accept only TLS 1.2 (on Apache 2.4.36 or later built against OpenSSL 1.1.1, add +TLSv1.3 as well so that TLS 1.3 is also accepted)
SSLProtocol -all +TLSv1.2
Once you are done with the SSL configuration, it's a good idea to test your web application with an online SSL/TLS certificate test tool to find any configuration errors.