20 Tips Tweaks and Vulnerability fixes for securing & hardening Apache HTTPD

Web server security is an important factor, especially if this server lives in the World Wide Web. The Internet is populated with inter-related risks, that are nowadays common : botnets, malwares, trojans, hackers, ...Some groups of people have really no barriers and feroce willingness to break into systems using advanced technology. It is therefore important to implement countermeasures and risk mitigations on your Web Server.

How to secure my Web server ?

In this article, we will see an overview of Most Common Attacks Types on Web Servers Apache and their countermeasures. These are especially valid for Apache servers running on Windows and Linux/Unix. In our case, the systems runs Apache HTTPD and risks mitigations measures are done on System Level with preventive actions on the Operating System, and on an Application Level with modifications of the Configuration File options (httpd.conf in /etc/httpd/conf) and the installation of module mod_security.

We have repertoried around 20 measures and tips for securing a web server Apache. Note that these are applicable to the last version of HTTPD 2.4.10. which contains already numerous fixes against security breaches.

Apache server tweaks tips and best practices

Table List of 20 vulnerabilities fixes of Apache Server

1. Configure Apache Listen for IP and port
2. A More Verbose Apache Log
3. Disable Loading Apache unwanted modules
4. Remove Server Version Banner
5. Disable Directory browsing listing
6. Remove Etags from HTTP Headers
7. Run Apache as Apache user
8. Protect binary and configuration files
9. Apache Override System Settings Protection
10. Limit Apache available HTTP Methods
11. Defines Content Security Policy
12. Disable Trace/Track HTTP Requests
13. Set cookie with HttpOnly and Secure flag
14. Measure against Clickjacking Attack
15. Disable Server Side Include
16. Protect your server against X-XSS Attacks
17. Disable HTTP 1.0 Protocol
18. Apache Timeout value configuration
19. Configure Apache SSL/TLS
20. Install Mod Security in Apache

Configure Apache Listen for IP and port

We recommand to have Listen directive in httpd.conf configured with a dedicated IP and port number. This specifies the target and avoid some traffic redirection.

Listen 10.10.10.1:80

A More Verbose Apache Log

Httpd logs are often located /var/log/httpd and contains 2 files : an access_log file and an error_log file. We can add more fields in the logs, for example the important SESSION ID and Request Service Time by prototyping the Log Format. Add %T & %sessionID in httpd.conf under LogFormat directive

LogFormat “%h %l %u %t \”%{sessionID}C\” \”%r\” %>s %b%T” common

More information you can find on Log formats on Apache Web Server Documentation http://httpd.apache.org/docs

Disable Loading Apache unwanted modules

When you install Apache it comes with modules that are not always necessary, so you can disable their loading with httpd.conf by commenting the directive LoadModule.
Examples :
- webdav (Web-based Distributed Authoring and Versioning). Allows FILE property to clients and subject to DOS attacks. Recommandation :

#LoadModule dav_module modules/mod_dav.so
#LoadModule dav_fs_module modules/mod_dav_fs.so
#Include conf/extra/httpd-dav.conf

- Info Module. This module can use .htaccess once loaded

#LoadModule info_module modules/mod_info.so

Remove Server Version Banner

Minimal information exposure is likely to avoid reconnaissance scans, therefore we should remove if possible the banner sent from the Apache in response to HTTP requests.

ServerTokens Prod
ServerSignature Off

ServerSignature Off removes the version message from the generated page for common errors 403, 404, etc..ServerTokens Type=Prod or Minimal defines the content of the Header.

HTTP TRACE TOOLS :
https://addons.mozilla.org/en-US/firefox/addon/firebug/
www.seositecheckup.com

Disable Directory browsing listing

In order to protect the access to files located in other directories than your Web Server Root Directory, disable browsing and listing from the other directories with the Options directive None or–Indexes

The user will have a Forbidden Error Message on his browser.


<Directory /var/www/html>
Options None
Order allow,deny
Allow from all
</Directory>

(or)

<Directory /opt/apache/htdocs>
Options -Indexes
Order allow,deny
Allow from all
</Directory>

Remove Etags from HTTP Headers

With the ETAG header, leaks and inode number which can be used with PCI and File System attacks.

FileETag None
Header unset ETag

Run Apache as Apache user

Apache should not run as root, it should run as a separate user. Create a group apache and a user apache and add lines to httpd.conf


Linux/Unix commands :
#groupadd apache
#useradd –G apache apache
#chown –R /opt/apache


httpd.conf modifications :
User apache
Group apache

Protect binary and configuration files

The defaults permissions for /bin and /etc/httpd/conf are 755 but you may change it to 750 :
#chown –R 750 bin conf

Apache Override System Settings Protection

In default installation, users can override apache configuration by using .htaccess. You may add AllowOverride to None in the different directories :

<Directory />

AllowOverride None

</Directory>

Limit Apache available HTTP Methods

Most of the time in web applications, you only need HEAD, GET and POST. This can be configured as a Directory Directive . The default methods packed with a fresh apache installation are HTTP 1.1 protocol support many request methods which may not be required and some of them are OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, CONNECT in HTTP 1.1.
In the Directory Directive, add the following :

<LimitExcept GET POST HEAD>
deny from all
</LimitExcept>

Defines Content Security Policy

Set the following rules in http.conf :

Header set X-Content-Type-Options "nosniff"

Header set X-XSS-Protection "1; mode=block"

Header set X-Frame-Options "SAMEORIGIN"

Header set Strict-Transport-Security "max-age=631138519"

Header unset x-webkit-csp

Header unset x-ob_mode

Disable Trace/Track HTTP Requests

XST or Cross Site Tracing attacks are possible if Trace or Track is enabled in Apache configuration. Cross-Site Scripting (XSS) are then possible to steal cookies for example. Method Not Allowed is the only message back to Trace/Track methods.

TraceEnable off
The other thing is to make sure that mod_rewrite is loaded

LoadModule rewrite_module "/usr/local/apache/modules/mod_rewrite.so"

RewriteEngine On

RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)

RewriteRule .* - [F]

Set cookie with HttpOnly and Secure flag

Having correct cookies less vulnerable to XSS attacks needs to set cookie production and use to HttpOnly and Secure Flag. Do the folowing modification of httpd.conf

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

Measure against Clickjacking Attack

Clickjacking is using user clicks for another purpose that they intent to be used for launching programs that the attackers wants to launch on the server. Ensure mod_headers.so is enabled and add following directive to httpd.conf

Header always append X-Frame-Options SAMEORIGIN

Disable Server Side Include

Server Side Include (SSI) allows to inject scripts and remote code execution in HTML pages or in the application and should be avoided by adding Includes in the folder Directives.

<Directory /var/www/html>

Options –Indexes -Includes

Order allow,deny

Allow from all

</Directory>

Protect your server against X-XSS Attacks

X-XSS attacks can bypass the XSS-Protection of many browsers therefore it's required to block the protection on :

Header set X-XSS-Protection “1; mode=block”

Disable HTTP 1.0 Protocol

HTTP 1.0 has evolved in HTTP 1.1 and was subject to session hijacking so we can rewrite requests that were forged in HTTP 1.0 to HTTP 1.1 by using mod_rewrite

RewriteEngine On
RewriteCond %{THE_REQUEST} !HTTP/1\.1$
RewriteRule .* – [F]

Apache Timeout value configuration

The default value of timeout for apache httpd is 300 seconds which is big, and enough for amplifying DOS attacks so you can change this timeout to 30 seconds.

Timeout 30

Configure Apache SSL/TLS

SSL today TLS bring a very important level of encryption in the communication processes and is to be considered as an important security factor. OpenSSL is an open Source SSL provider and should be installed along with mod_ssl.

Installation . On Red/Hat systems : yum install mod_ssl openssl

This will create the mod_ssl configuration file at /etc/httpd/conf.d/ssl.conf




Free SSL analysis tools for Linux : SSL Scan http://sourceforge.net/projects/sslscan/ or a windows version : http://code.google.com/p/sslscan-win/

SSL Key discovery : sslscan localhost | grep –i key
SSL Cipher discovery (MD5, SHA, RC4, ...) : sslscan –no-failed localhost

SSL Keys can be breaked especially if forged under 1024 bits. Generate keys at 2048 like Google :

Generate self-signed certificate
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout localhost.key -out localhost.crt

Generate new CSR and private key
openssl req -out localhost.csr -new -newkey rsa:2048 -nodes -keyout localhost.key

In /etc/httpd/conf.d/ssl.conf include the definition of secured SSL/TLS protocols,disable SSLv2 for example .
SSLProtocol +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2

Ciphers have to be over 256bits.

SSLRandomSeed startup file:/dev/urandom 512

SSLCipherSuite HIGH:!MEDIUM:!aNULL:!MD5:!RC4 or even better because RC4 was cracked, and can be considered as a weak cipher only MD5 :
SSLCipherSuite HIGH:!aNULL:!MD5
SSLHonorCipherOrder on
Save your configuration file for SSH, restart sshd and restart apache server.

WEB TOOL : Qualys SSL Labs ssh cipher vulnerability scanner

Install Mod Security in Apache

Open-source Web Application Firewall module for Apache that has many features including :

HTTP DOS Denial of Service Protection, Common Web Attacks Protection, Antivirus integration, Google Safe Browsing API checkup, electronic discretion...

You will need eventually the following packages : libpcre libxml2 libcurl libapr libapr-util and the module loaded in apache : mod_unique_id , bundled with Apache web server

Download it from : http://www.modsecurity.org/download/ then Install it

Add following lines to load module for Mod Security in httpd.conf
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule security2_module modules/mod_security2.so

Then download OWASP Mod Security Core Rule : https://github.com/SpiderLabs/owasp-modsecurity-crs/zipball/master

Unzip it to /etc/httpd/conf. OWASP has rules defined as base_rules, optional_rules and experimental_rules. Base Rules are typcial attacks. 

Rename modsecurity_crs11_setup.conf.example to modsecurity_crs11_setup.conf
Add in httpd.conf
<IfModule security2_module>
Include conf/crs/modsecurity_crs_11_setup.conf
Include conf/crs/base_rules/*.conf
</IfModule>
then in /etc/httpd/conf/modsecurity_crs_11_setup.conf
SecAuditLog /var/logs/httpd/modsec_audit.log
SecRuleEngine On

Now web server is ready to protect against common attacks types like X-XSS, SQL Injection, Directory traversal Attack, Protocol Manipulation, etc..

Change Server Banner
in order to use Mod Security to manipulate Server Banner from header, you must set ServerToken to Full in httpd.conf of Apache web server.

SecServerSignature YourServerName