Web
server security is an important factor, especially if this server
lives in the World Wide Web. The Internet is populated with
inter-related risks, that are nowadays common : botnets, malwares,
trojans, hackers, ...Some groups of people have really no barriers
and feroce willingness to break into systems using advanced
technology. It is therefore important to implement countermeasures
and risk mitigations on your Web Server.
How
to secure my Web server ?
In this
article, we will see an overview of Most Common Attacks Types on
Web Servers Apache and their countermeasures. These are
especially valid for Apache servers running on Windows and
Linux/Unix. In our case, the systems runs Apache
HTTPD and risks mitigations measures are done on System Level
with preventive actions on the Operating System, and on an
Application Level with modifications of the Configuration File
options (httpd.conf in /etc/httpd/conf) and the installation of
module mod_security.
We have
repertoried around 20
measures and
tips
for securing a web server Apache.
Note that these are applicable to the last version of HTTPD 2.4.10.
which
contains already numerous fixes against security breaches.
Apache
server tweaks tips and best practices
Table
List of 20 vulnerabilities fixes of Apache Server
- Configure Apache Listen for IP and port
- A More Verbose Apache Log
- Disable Loading Apache unwanted modules
- Remove Server Version Banner
- Disable Directory browsing listing
- Remove Etags from HTTP Headers
- Run Apache as Apache user
- Protect binary and configuration files
- Apache Override System Settings Protection
- Limit Apache available HTTP Methods
- Defines Content Security Policy
- Disable Trace/Track HTTP Requests
- Set cookie with HttpOnly and Secure flag
- Measure against Clickjacking Attack
- Disable Server Side Include
- Protect your server against X-XSS Attacks
- Disable HTTP 1.0 Protocol
- Apache Timeout value configuration
- Configure Apache SSL/TLS
- Install Mod Security in Apache
Configure Apache Listen for IP and port
We recommand to have Listen directive in httpd.conf configured with a dedicated IP and port number. This specifies the target and avoid some traffic redirection.Listen 10.10.10.1:80
A More Verbose Apache Log
Httpd logs are often located /var/log/httpd and contains 2 files : an access_log file and an error_log file. We can add more fields in the logs, for example the important SESSION ID and Request Service Time by prototyping the Log Format. Add %T & %sessionID in httpd.conf under LogFormat directiveLogFormat “%h %l %u %t \”%{sessionID}C\” \”%r\” %>s %b%T” common
More information you can find on Log formats on Apache Web Server Documentation http://httpd.apache.org/docs
Disable Loading Apache unwanted modules
When you install Apache it comes with modules that are not always necessary, so you can disable their loading with httpd.conf by commenting the directive LoadModule.Examples :
- webdav (Web-based Distributed Authoring and Versioning). Allows FILE property to clients and subject to DOS attacks. Recommandation :
#LoadModule dav_module modules/mod_dav.so
#LoadModule dav_fs_module modules/mod_dav_fs.so
#Include conf/extra/httpd-dav.conf
- Info Module. This module can use .htaccess once loaded
#LoadModule info_module modules/mod_info.so
Remove Server Version Banner
Minimal information exposure is likely to avoid reconnaissance scans, therefore we should remove if possible the banner sent from the Apache in response to HTTP requests.ServerTokens Prod
ServerSignature Off
ServerSignature Off removes the version message from the generated page for common errors 403, 404, etc..ServerTokens Type=Prod or Minimal defines the content of the Header.
HTTP TRACE TOOLS :
https://addons.mozilla.org/en-US/firefox/addon/firebug/
www.seositecheckup.com
Disable Directory browsing listing
In order to protect the access to files located in other directories than your Web Server Root Directory, disable browsing and listing from the other directories with the Options directive None or–IndexesThe user will have a Forbidden Error Message on his browser.
<Directory /var/www/html>
Options None
Order allow,deny
Allow from all
</Directory>
(or)
<Directory /opt/apache/htdocs>
Options -Indexes
Order allow,deny
Allow from all
</Directory>
Remove Etags from HTTP Headers
With the ETAG header, leaks and inode number which can be used with PCI and File System attacks.FileETag None
Header unset ETag
Run Apache as Apache user
Apache should not run as root, it should run as a separate user. Create a group apache and a user apache and add lines to httpd.confLinux/Unix commands :
#groupadd apache
#useradd –G apache apache
#chown –R /opt/apache
httpd.conf modifications :
User apache
Group apache
Protect binary and configuration files
The defaults permissions for /bin and /etc/httpd/conf are 755 but you may change it to 750 :#chown –R 750 bin conf
Apache Override System Settings Protection
In default installation, users can override apache configuration by using .htaccess. You may add AllowOverride to None in the different directories :
<Directory
/>
AllowOverride
None
</Directory>
Limit Apache available HTTP Methods
Most of the time in web applications, you only need HEAD, GET and POST. This can be configured as a Directory Directive . The default methods packed with a fresh apache installation are HTTP 1.1 protocol support many request methods which may not be required and some of them are OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, CONNECT in HTTP 1.1.In the Directory Directive, add the following :
<LimitExcept GET POST HEAD>
deny from all
</LimitExcept>
Defines Content Security Policy
Set the following rules in http.conf :
Header
set X-Content-Type-Options "nosniff"
Header
set X-XSS-Protection "1; mode=block"
Header
set X-Frame-Options "SAMEORIGIN"
Header
set Strict-Transport-Security "max-age=631138519"
Header
unset x-webkit-csp
Header
unset x-ob_mode
Disable Trace/Track HTTP Requests
XST or
Cross Site Tracing attacks are possible if Trace or Track is enabled
in Apache configuration. Cross-Site Scripting (XSS) are then possible
to steal cookies for example. Method Not Allowed is the only
message back to Trace/Track methods.
TraceEnable
offThe other thing is to make sure that mod_rewrite is loaded
LoadModule
rewrite_module "/usr/local/apache/modules/mod_rewrite.so"
RewriteEngine
On
RewriteCond
%{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule
.* - [F]
Set cookie with HttpOnly and Secure flag
Having
correct cookies less vulnerable to XSS attacks needs to set cookie
production and use to HttpOnly and Secure Flag. Do the folowing
modification of httpd.conf
Header
edit Set-Cookie ^(.*)$ $1;HttpOnly;SecureMeasure against Clickjacking Attack
Clickjacking is using user clicks for another purpose that they intent to be used for launching programs that the attackers wants to launch on the server. Ensure mod_headers.so is enabled and add following directive to httpd.confHeader always append X-Frame-Options SAMEORIGIN
Disable Server Side Include
Server Side Include (SSI) allows to inject scripts and remote code execution in HTML pages or in the application and should be avoided by adding Includes in the folder Directives.
<Directory
/var/www/html>
Options
–Indexes -Includes
Order
allow,deny
Allow
from all
</Directory>
Protect your server against X-XSS Attacks
X-XSS attacks can bypass the XSS-Protection of many browsers therefore it's required to block the protection on :Header set X-XSS-Protection “1; mode=block”
Disable HTTP 1.0 Protocol
HTTP 1.0 has evolved in HTTP 1.1 and was subject to session hijacking so we can rewrite requests that were forged in HTTP 1.0 to HTTP 1.1 by using mod_rewriteRewriteEngine On
RewriteCond %{THE_REQUEST} !HTTP/1\.1$
RewriteRule .* – [F]
Apache Timeout value configuration
The default value of timeout for apache httpd is 300 seconds which is big, and enough for amplifying DOS attacks so you can change this timeout to 30 seconds.Timeout 30
Configure Apache SSL/TLS
SSL
today TLS bring a very important level of encryption in the
communication processes and is to be considered as an important
security factor. OpenSSL is an open Source SSL provider and should be
installed along with mod_ssl.
Installation
. On Red/Hat systems :
yum
install mod_ssl openssl
This
will create the
mod_ssl
configuration file at
/etc/httpd/conf.d/ssl.conf
Free SSL
analysis tools for
Linux :
SSL Scan http://sourceforge.net/projects/sslscan/
or a
windows
version : http://code.google.com/p/sslscan-win/
SSL Cipher discovery (MD5, SHA, RC4, ...) : sslscan –no-failed localhost
SSL Keys can be breaked especially if forged under 1024 bits. Generate keys at 2048 like Google :
Generate self-signed certificate
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout localhost.key -out localhost.crt
Generate new CSR and private key
openssl req -out localhost.csr -new -newkey rsa:2048 -nodes -keyout localhost.key
In
/etc/httpd/conf.d/ssl.conf
include the d
efinition of secured SSL/TLS
protocols,disable
SSLv2 for example .SSLProtocol +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2
Ciphers
have to be over 256bits.
SSLRandomSeed
startup file:/dev/urandom 512
SSLCipherSuite
HIGH:!MEDIUM:!aNULL:!MD5:!RC4
or even better because RC4 was cracked, and
can be considered as a weak cipher
only MD5 :SSLCipherSuite HIGH:!aNULL:!MD5
SSLHonorCipherOrder on
Save your configuration file for SSH, restart sshd and restart apache server.
WEB TOOL : Qualys SSL Labs ssh cipher vulnerability scanner
Install Mod Security in Apache
Open-source Web Application Firewall module for Apache that has many features including :HTTP DOS Denial of Service Protection, Common Web Attacks Protection, Antivirus integration, Google Safe Browsing API checkup, electronic discretion...
You will need eventually the following packages : libpcre libxml2 libcurl libapr libapr-util and the module loaded in apache : mod_unique_id , bundled with Apache web server
Download it from : http://www.modsecurity.org/download/ then Install it
Add following lines to load module for Mod Security in httpd.conf
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule security2_module modules/mod_security2.so
Then download OWASP Mod Security Core Rule : https://github.com/SpiderLabs/owasp-modsecurity-crs/zipball/master
Unzip it to /etc/httpd/conf. OWASP has rules defined as base_rules, optional_rules and experimental_rules. Base Rules are typcial attacks.
Rename modsecurity_crs11_setup.conf.example to modsecurity_crs11_setup.conf
Add in httpd.conf
<IfModule security2_module>
Include conf/crs/modsecurity_crs_11_setup.conf
Include conf/crs/base_rules/*.conf
</IfModule>
then in /etc/httpd/conf/modsecurity_crs_11_setup.conf
SecAuditLog /var/logs/httpd/modsec_audit.log
SecRuleEngine On
Now web server is ready to protect against common attacks types like X-XSS, SQL Injection, Directory traversal Attack, Protocol Manipulation, etc..
Change Server Banner
in order to use Mod Security to manipulate Server Banner from header, you must set ServerToken to Full in httpd.conf of Apache web server.
SecServerSignature YourServerName
No comments:
Post a Comment