20 Tips Tweaks and Vulnerability fixes for securing & hardening Apache HTTPD

Web server security is an important factor, especially if this server lives in the World Wide Web. The Internet is populated with inter-related risks, that are nowadays common : botnets, malwares, trojans, hackers, ...Some groups of people have really no barriers and feroce willingness to break into systems using advanced technology. It is therefore important to implement countermeasures and risk mitigations on your Web Server.

How to secure my Web server ?

In this article, we will see an overview of Most Common Attacks Types on Web Servers Apache and their countermeasures. These are especially valid for Apache servers running on Windows and Linux/Unix. In our case, the systems runs Apache HTTPD and risks mitigations measures are done on System Level with preventive actions on the Operating System, and on an Application Level with modifications of the Configuration File options (httpd.conf in /etc/httpd/conf) and the installation of module mod_security.

We have repertoried around 20 measures and tips for securing a web server Apache. Note that these are applicable to the last version of HTTPD 2.4.10. which contains already numerous fixes against security breaches.

Apache server tweaks tips and best practices

Table List of 20 vulnerabilities fixes of Apache Server

1. Configure Apache Listen for IP and port
2. A More Verbose Apache Log
3. Disable Loading Apache unwanted modules
4. Remove Server Version Banner
5. Disable Directory browsing listing
6. Remove Etags from HTTP Headers
7. Run Apache as Apache user
8. Protect binary and configuration files
9. Apache Override System Settings Protection
10. Limit Apache available HTTP Methods
11. Defines Content Security Policy
12. Disable Trace/Track HTTP Requests
13. Set cookie with HttpOnly and Secure flag
14. Measure against Clickjacking Attack
15. Disable Server Side Include
16. Protect your server against X-XSS Attacks
17. Disable HTTP 1.0 Protocol
18. Apache Timeout value configuration
19. Configure Apache SSL/TLS
20. Install Mod Security in Apache

Configure Apache Listen for IP and port

We recommand to have Listen directive in httpd.conf configured with a dedicated IP and port number. This specifies the target and avoid some traffic redirection.

Listen 10.10.10.1:80

A More Verbose Apache Log

Httpd logs are often located /var/log/httpd and contains 2 files : an access_log file and an error_log file. We can add more fields in the logs, for example the important SESSION ID and Request Service Time by prototyping the Log Format. Add %T & %sessionID in httpd.conf under LogFormat directive

LogFormat “%h %l %u %t \”%{sessionID}C\” \”%r\” %>s %b%T” common

More information you can find on Log formats on Apache Web Server Documentation http://httpd.apache.org/docs

Disable Loading Apache unwanted modules

When you install Apache it comes with modules that are not always necessary, so you can disable their loading with httpd.conf by commenting the directive LoadModule.
Examples :
- webdav (Web-based Distributed Authoring and Versioning). Allows FILE property to clients and subject to DOS attacks. Recommandation :

#LoadModule dav_module modules/mod_dav.so
#LoadModule dav_fs_module modules/mod_dav_fs.so
#Include conf/extra/httpd-dav.conf

- Info Module. This module can use .htaccess once loaded

#LoadModule info_module modules/mod_info.so

Remove Server Version Banner

Minimal information exposure is likely to avoid reconnaissance scans, therefore we should remove if possible the banner sent from the Apache in response to HTTP requests.

ServerTokens Prod
ServerSignature Off

ServerSignature Off removes the version message from the generated page for common errors 403, 404, etc..ServerTokens Type=Prod or Minimal defines the content of the Header.

HTTP TRACE TOOLS :
https://addons.mozilla.org/en-US/firefox/addon/firebug/
www.seositecheckup.com

Disable Directory browsing listing

In order to protect the access to files located in other directories than your Web Server Root Directory, disable browsing and listing from the other directories with the Options directive None or–Indexes

The user will have a Forbidden Error Message on his browser.


<Directory /var/www/html>
Options None
Order allow,deny
Allow from all
</Directory>

(or)

<Directory /opt/apache/htdocs>
Options -Indexes
Order allow,deny
Allow from all
</Directory>

Remove Etags from HTTP Headers

With the ETAG header, leaks and inode number which can be used with PCI and File System attacks.

FileETag None
Header unset ETag

Run Apache as Apache user

Apache should not run as root, it should run as a separate user. Create a group apache and a user apache and add lines to httpd.conf


Linux/Unix commands :
#groupadd apache
#useradd –G apache apache
#chown –R /opt/apache


httpd.conf modifications :
User apache
Group apache

Protect binary and configuration files

The defaults permissions for /bin and /etc/httpd/conf are 755 but you may change it to 750 :
#chown –R 750 bin conf

Apache Override System Settings Protection

In default installation, users can override apache configuration by using .htaccess. You may add AllowOverride to None in the different directories :

<Directory />

AllowOverride None

</Directory>

Limit Apache available HTTP Methods

Most of the time in web applications, you only need HEAD, GET and POST. This can be configured as a Directory Directive . The default methods packed with a fresh apache installation are HTTP 1.1 protocol support many request methods which may not be required and some of them are OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, CONNECT in HTTP 1.1.
In the Directory Directive, add the following :

<LimitExcept GET POST HEAD>
deny from all
</LimitExcept>

Defines Content Security Policy

Set the following rules in http.conf :

Header set X-Content-Type-Options "nosniff"

Header set X-XSS-Protection "1; mode=block"

Header set X-Frame-Options "SAMEORIGIN"

Header set Strict-Transport-Security "max-age=631138519"

Header unset x-webkit-csp

Header unset x-ob_mode

Disable Trace/Track HTTP Requests

XST or Cross Site Tracing attacks are possible if Trace or Track is enabled in Apache configuration. Cross-Site Scripting (XSS) are then possible to steal cookies for example. Method Not Allowed is the only message back to Trace/Track methods.

TraceEnable off
The other thing is to make sure that mod_rewrite is loaded

LoadModule rewrite_module "/usr/local/apache/modules/mod_rewrite.so"

RewriteEngine On

RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)

RewriteRule .* - [F]

Set cookie with HttpOnly and Secure flag

Having correct cookies less vulnerable to XSS attacks needs to set cookie production and use to HttpOnly and Secure Flag. Do the folowing modification of httpd.conf

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

Measure against Clickjacking Attack

Clickjacking is using user clicks for another purpose that they intent to be used for launching programs that the attackers wants to launch on the server. Ensure mod_headers.so is enabled and add following directive to httpd.conf

Header always append X-Frame-Options SAMEORIGIN

Disable Server Side Include

Server Side Include (SSI) allows to inject scripts and remote code execution in HTML pages or in the application and should be avoided by adding Includes in the folder Directives.

<Directory /var/www/html>

Options –Indexes -Includes

Order allow,deny

Allow from all

</Directory>

Protect your server against X-XSS Attacks

X-XSS attacks can bypass the XSS-Protection of many browsers therefore it's required to block the protection on :

Header set X-XSS-Protection “1; mode=block”

Disable HTTP 1.0 Protocol

HTTP 1.0 has evolved in HTTP 1.1 and was subject to session hijacking so we can rewrite requests that were forged in HTTP 1.0 to HTTP 1.1 by using mod_rewrite

RewriteEngine On
RewriteCond %{THE_REQUEST} !HTTP/1\.1$
RewriteRule .* – [F]

Apache Timeout value configuration

The default value of timeout for apache httpd is 300 seconds which is big, and enough for amplifying DOS attacks so you can change this timeout to 30 seconds.

Timeout 30

Configure Apache SSL/TLS

SSL today TLS bring a very important level of encryption in the communication processes and is to be considered as an important security factor. OpenSSL is an open Source SSL provider and should be installed along with mod_ssl.

Installation . On Red/Hat systems : yum install mod_ssl openssl

This will create the mod_ssl configuration file at /etc/httpd/conf.d/ssl.conf




Free SSL analysis tools for Linux : SSL Scan http://sourceforge.net/projects/sslscan/ or a windows version : http://code.google.com/p/sslscan-win/

SSL Key discovery : sslscan localhost | grep –i key
SSL Cipher discovery (MD5, SHA, RC4, ...) : sslscan –no-failed localhost

SSL Keys can be breaked especially if forged under 1024 bits. Generate keys at 2048 like Google :

Generate self-signed certificate
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout localhost.key -out localhost.crt

Generate new CSR and private key
openssl req -out localhost.csr -new -newkey rsa:2048 -nodes -keyout localhost.key

In /etc/httpd/conf.d/ssl.conf include the definition of secured SSL/TLS protocols,disable SSLv2 for example .
SSLProtocol +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2

Ciphers have to be over 256bits.

SSLRandomSeed startup file:/dev/urandom 512

SSLCipherSuite HIGH:!MEDIUM:!aNULL:!MD5:!RC4 or even better because RC4 was cracked, and can be considered as a weak cipher only MD5 :
SSLCipherSuite HIGH:!aNULL:!MD5
SSLHonorCipherOrder on
Save your configuration file for SSH, restart sshd and restart apache server.

WEB TOOL : Qualys SSL Labs ssh cipher vulnerability scanner

Install Mod Security in Apache

Open-source Web Application Firewall module for Apache that has many features including :

HTTP DOS Denial of Service Protection, Common Web Attacks Protection, Antivirus integration, Google Safe Browsing API checkup, electronic discretion...

You will need eventually the following packages : libpcre libxml2 libcurl libapr libapr-util and the module loaded in apache : mod_unique_id , bundled with Apache web server

Download it from : http://www.modsecurity.org/download/ then Install it

Add following lines to load module for Mod Security in httpd.conf
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule security2_module modules/mod_security2.so

Then download OWASP Mod Security Core Rule : https://github.com/SpiderLabs/owasp-modsecurity-crs/zipball/master

Unzip it to /etc/httpd/conf. OWASP has rules defined as base_rules, optional_rules and experimental_rules. Base Rules are typcial attacks. 

Rename modsecurity_crs11_setup.conf.example to modsecurity_crs11_setup.conf
Add in httpd.conf
<IfModule security2_module>
Include conf/crs/modsecurity_crs_11_setup.conf
Include conf/crs/base_rules/*.conf
</IfModule>
then in /etc/httpd/conf/modsecurity_crs_11_setup.conf
SecAuditLog /var/logs/httpd/modsec_audit.log
SecRuleEngine On

Now web server is ready to protect against common attacks types like X-XSS, SQL Injection, Directory traversal Attack, Protocol Manipulation, etc..

Change Server Banner
in order to use Mod Security to manipulate Server Banner from header, you must set ServerToken to Full in httpd.conf of Apache web server.

SecServerSignature YourServerName

How to configure your server for SSL/TLS HTTPS (Linux/RedHat/Fedora)

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are modern technologies to secure communication between different systems.

Hyper Text Transfer Protocol (HTTP) in versions 1.1 and older was making encryption optional but HTTP 2.0 will require use of TLS.

A commonly referred to as SSL server can be set using Apache HTTP server in combination with mod_ssl and the OpenSSL toolkit.

Installation . On Red/Hat systems : yum install mod_ssl openssl

This will create the mod_ssl configuration file at /etc/httpd/conf.d/ssl.conf



In the Internet Protocol Suite, TLS and SSL encrypt the communication in the application layer. In OSI TLS/SSL is initialized at layer 5 (session) and works at layer 6 (presentation). The session layer establish cipher settings with an asymetric cipher and a shared key for that session then the presentation layer encrypts with a symetric cipher that session key. TLS is an Internet Engineering Task Force (IETF) standard protocol, designed to prevent eavesdropping and tampering.




SSL/TLS Keys and Certificates :

SSL/TLS uses certificates to identify the connections. You can generate your own certificate or get it from a Certification Authority. Authority Certificates are often issued for a particular IP adress and domain name, sometimes, in the case of VeriSign also with a running software parameter to define the certificate properties so if you change IP or name or modify your software configuration you will have to ask for another certificate.

The Public Key Infrastructure access-list is stored in the PKI folder /etc/pki/ - especially for TLS in : /etc/pki/tls/

/etc/pki/tls/private/

/etc/pki/tls/certs/

The directory /etc/pki/ca-trust/extracted/openssl/ contains CA certificate bundle files which are automatically created based on the information found in the /usr/share/pki/ca-trust-source/ and /etc/pki/ca-trust/source/

directories.

If you wish to use an existing key and certificate, move the relevant files to the /etc/pki/tls/private/ and/etc/pki/tls/certs/ directories respectively.

:

~]# mv key_file.key /etc/pki/tls/private/hostname.key
~]# mv certificate.crt /etc/pki/tls/certs/hostname.crt

Then add the following lines to the /etc/httpd/conf.d/ssl.conf configuration file:

SSLCertificateFile /etc/pki/tls/certs/hostname.crt
SSLCertificateKeyFile /etc/pki/tls/private/hostname.key

Restart the httpd service

To Generate your own certificates, run the command : # openssl genrsa -out ca.key 2048
root@localhost Documents# openssl genrsa -out ca.key 2048

Generating RSA private key, 2048 bit long modulus
..........................................+++
............................+++
e is 65437 (0x01001)

Now Copy all certifates and keys to /etc/pki/tls/ folders

[root@system ~]# cp ca.crt /etc/pki/tls/certs
[root@system ~]# cp ca.key /etc/pki/tls/private/ca.key
[root@system ~]# cp ca.csr /etc/pki/tls/private/ca.csr

Correct SELinux Contexts : [root@system ~]# restorecon -RvF /etc/pki Now Open SSL.conf file to configure the APACHE SSL and replace the certificate / key paths : [root@opensourceeducation ~]# vi +/SSLCertificateFile /etc/httpd/conf.d/ssl.conf

ssl.conf example configuration file Linux RedHat / Fedora

Listen 443 https SSLRandomSeed startup file:/dev/urandom 512 <VirtualHost _default_:443> DocumentRoot "/var/www/html" ServerName newgoogle.org:443 ErrorLog logs/ssl_error_log TransferLog logs/ssl_access_log LogLevel Debug SSLEngine on SSLProtocol +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2 SSLCipherSuite HIGH:!aNULL:!MD5 SSLCertificateFile /etc/pki/tls/certs/localhost.crt SSLCertificateKeyFile /etc/pki/tls/private/localhost.key #SSLVerifyClient require #SSLVerifyDepth 10

SSL/TLS Algorithms

SSL 2.0 is out-passed, SSL 3.0 served as base for development of TLS 1.0, 1.1, 1.2. This definition : SSLProtocol +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2 gives accesses to a wide range of current protocols but recent attacks modes like BEAST attacks can break SSL3.0/TLS1.0. Forward Secrety seems to be te most secured protocol in use today.

The line :
SSLCipherSuite HIGH:!aNULL:!MD5

defines strong encryption only for the ciphering

While with the following command you can specify specific speed-optimized ciphers depending on your clients

SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5
SSLHonorCipherOrder on

SSL/TLS Attacks Types

SSL/TLS Attacks Types Table :

Renegotiation attack	Vulnerability of the renegotiation procedure plain text injection of SSH sessions allowing an attacker to splice their own requests into the beginning of the conversation the client has with the web server. No decryption from the communication. Different from a typical man-in-the-middle attack. Fix : RFC 5746
Version rollback attacks	Modifications to the client cipher suite to get a weaker certificate. Protocols, like snap start or False Start (used in Google Chrome) allowed modification to the cipher suite list sent by the client to the server.
BEAST attack	BEAST (Browser Exploit Against SSL/TLS) using a Java program CBC (cipher block Chaining) vulnerability in TLS1.0 fixed in TLS1.1
CRIME and BREACH attacks	CRIME attack allow an attacker to recover the content of cookies when HTTP compression is used along with TLS to perform web session hijacking. BREACH based on the CRIME attack can extract login tokens, email addresses or other sensitive information from TLS encrypted web traffic. CRIME can be fixed by turning off HTTP compression or SPDY header. BREACH exploits HTTP compression which cannot be turned really off, as many WWW servers use it to improve their own performance. This is a known limitation of TLS as it is susceptible to chosen-plaintext attack against the application-layer data.
Padding attacks	Earlier TLS versions were vulnerable against the padding oracle attack discovered in 2002. A novel variant, called the Lucky Thirteen attack, was published in 2013. As of February 2013, TLS implementors were still working on developing fixes to protect against this form of attack.
RC4 attack	new attacks disclosed in March 2013 allowed RC4 in TLS to be feasibly completely broken. In 2011 the RC4 suite was actually recommended as a work around for the BEAST attack.
Truncation attack	A TLS truncation attack blocks a victim's account logout requests so that the user unknowingly remains logged into a web service. When the request to sign out is sent, the attacker injects an unencrypted TCP FIN message (no more data from sender) to close the connection. The server therefore doesn't receive the logout request and is unaware of the abnormal termination.[126]
Heartbleed Bug	The Heartbleed bug was a serious vulnerability in OpenSSL affecting versions 1.0.1 to 1.0.1f. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the data payloads.

SSL/TLS Useful Websites

http://httpd.apache.org/
http://www.modssl.org/
http://www.openssl.org/