Hints and tips on how to “harden” any Apache based web server.
I did, a while back now, a blog on the steps needed to set up a basic home based web server. At the time, the project was aimed at getting the site up and running quickly. What it did not do was make the server secure when it was used on the Internet. It was fine for use on a private network or as a project to teach you the basics of setting up a web server. This blog will cover some of the steps you could take to “harden” your web server. These steps also apply to the later blog I did on setting up a WordPress site. These instructions are for a Debian based system. On other distributions the only difference might be the name of the main configuration file. Refer to your system's documentation for guidance.
Web servers are by their very nature a target for attack. They are, after all, a computer sat on the Internet that can be subverted to another use. That use could be as a stepping stone to other machines, as a way to infect visitors with booby trapped pages or steal their data, or as a way to spread a message other than the one the site owners wish by use of compromised pages. All of these are things the site owner could come under suspicion for doing while having no knowledge of them. So you see a secure site is a good idea. You may not be able to keep out the most determined of attackers, but you can at least make it harder and so less attractive for them.
There are a number of things that you can do and these are just some to get you started. Please use Google or another search engine to find out more. First some file locations and the default port (Debian defaults):
Document root directory: /var/www/html
Main configuration file: /etc/apache2/apache2.conf
Default HTTP port: 80
Access log file of the web server: /var/log/apache2/access.log
Error log file of the web server: /var/log/apache2/error.log
Now the standard disclaimer. Any changes you make to your system based on this article are made at your own risk. Back up your system before you start. Take notes of any changes you make, what you typed in, what you installed. Back up system configuration files before they are changed to give you a way back other than a full reinstall. After you make a change make sure the system is working correctly before you make another change.
Right then, so what can you do to make your system more secure? Firstly, keep updating your system regularly. This will keep your installed software up to the latest standard as security fixes are released. It is also a good idea to install updates not only for Apache but for all software on your system. A security hole in software not normally associated with a web server might just provide a way into your system. On a Debian based system this is done with the following two commands:
sudo apt-get update
sudo apt-get upgrade
Out of the box Apache installs lots of modules that you may never actually use. It is a good idea to disable any that you do not need. After all, the less you have running on your server the less you have to worry about. To find out what modules are installed just use the following command:
grep LoadModule /etc/apache2/apache2.conf
The listing that you will see on screen will contain lots of lines starting with LoadModule, as in the example below.
LoadModule ext_filter_module modules/mod_ext_filter.so
This indicates that the module listed is loaded by Apache at start up. Not every one of them is essential for Apache to work, so those could be disabled. To disable a module use the tool provided by Apache, which is called a2dismod. For example, the following command would disable the rewrite module.
sudo a2dismod rewrite
If disabling a module will have a detrimental effect on the running of the server you will be prompted to confirm it before it is disabled. If you do disable any modules then Apache will need to be restarted.
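As an added example (not part of the original post), here is a small POSIX shell helper that turns a set of LoadModule lines into an inventory you can review before running a2dismod: it lists the module names, counts them and answers whether a given module is loaded. It runs against any file that contains LoadModule lines; on Debian the enabled modules also live in /etc/apache2/mods-enabled/*.load (which apache2.conf includes), and `apache2ctl -M` prints the modules a running server has actually loaded. The configuration file it scans below is a constructed sample written to a temporary file.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Inventory of Apache modules from LoadModule lines.

# Print one module name per uncommented LoadModule line, de-duplicated.
list_loaded_modules() {
    # $1.. = configuration files to scan
    cat "$@" 2>/dev/null \
        | grep '^[[:space:]]*LoadModule[[:space:]]' \
        | awk '{ print $2 }' \
        | sort -u
}

# Print how many distinct modules would be loaded.
count_loaded_modules() {
    list_loaded_modules "$@" | wc -l | tr -d ' '
}

# Exit 0 if the named module (e.g. rewrite_module) is loaded, 1 otherwise.
is_module_loaded() {
    mod="$1"; shift
    list_loaded_modules "$@" | grep -qx "$mod"
}

# Constructed sample standing in for a real configuration file.
SAMPLE_CONF="${TMPDIR:-/tmp}/sample_modules_$$.conf"
cat > "$SAMPLE_CONF" <<'EOF'
# a comment line, which must be ignored
LoadModule ext_filter_module modules/mod_ext_filter.so
LoadModule rewrite_module modules/mod_rewrite.so
#LoadModule status_module modules/mod_status.so
    LoadModule security2_module modules/mod_security2.so
LoadModule rewrite_module modules/mod_rewrite.so
EOF

# Usage against the sample. On a Debian server you would pass
# /etc/apache2/apache2.conf /etc/apache2/mods-enabled/*.load instead.
list_loaded_modules "$SAMPLE_CONF"
echo "distinct modules loaded: $(count_loaded_modules "$SAMPLE_CONF")"
if is_module_loaded rewrite_module "$SAMPLE_CONF"; then
    echo "rewrite_module is loaded (sudo a2dismod rewrite would remove it)"
fi
```

The sample deliberately contains a commented-out line, an indented line and a duplicate, since all three turn up in real configurations and all three must be handled correctly before the count means anything.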
Apache does not install all the modules you may need, and one that it does not install (it is a puzzle to me as to why not) is modsecurity. Installing it is, however, quite simple.
sudo apt-get install libapache2-mod-security2 libapache2-modsecurity
This will install the module, but it is still no use to us. To set it up you need to edit two configuration files. The first is the modsecurity.conf file. There is a sample one installed by default and that needs to be given the right name so we can use it. The best way is to make a copy of it with the new name; that way we have a way back if we really mess it up. Use the following command:
sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
This is all one command on one line. It copies the file and gives the copy the new name at the same time. We now need to make a change to the new file, so open it with a text editor. I use nano for this and the command is:
sudo nano /etc/modsecurity/modsecurity.conf
Search through the file and find the Rule engine initialization section. Now add the following line to this section.
It is also a good idea to increase the SecRequestBodyLimit value to the maximum file size you would expect to be uploaded to the server. A suggested size is 16 MB if you have just a standard set up. It is also a good idea to stop mod_security from accessing response bodies, as this saves on system resources.
SecRequestBodyLimit 16384
SecRequestBodyInMemoryLimit 16384
SecResponseBodyAccess Off
The values quoted here are in bytes. Save the file and close your text editor. The second file is the security2.conf file, which is stored in the /etc/apache2/mods-enabled folder. To edit it use the following command:
sudo nano /etc/apache2/mods-enabled/security2.conf
Now add the following lines to the end of it.
IncludeOptional "/usr/share/modsecurity-crs/*.conf"
IncludeOptional "/usr/share/modsecurity-crs/base_rules/*.conf"
Save the file. You now need to enable modsecurity in Apache. To do that just use the following command:
sudo a2enmod security2
You can now restart Apache. You now have modsecurity running and are a lot more secure. But we can improve on that.
Sometimes, while using a site, you will get a file not found error. This error page can give an attacker some useful information, for example the OS with its release number and the version number of Apache. Disabling this is easy. Open the Apache configuration file apache2.conf with nano.
sudo nano /etc/apache2/apache2.conf
Now search for the word ServerSignature. This will be set to On, so just change the word On to Off. Add the line ServerTokens Prod to the file below it. The server will no longer report the OS and version number of Apache on error pages. By replacing TraceEnable On with TraceEnable Off you also disable the HTTP TRACE request. Save the file and restart Apache for the changes to take effect.
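To confirm that the three settings above have actually taken effect you have to look at what the server sends back, not at the file you edited. The following is an added example (not from the original post): two POSIX shell checks that read HTTP response headers on stdin, so they work on live curl output or on a captured response. With ServerTokens Prod the Server header must be exactly "Apache"; with TraceEnable Off Apache answers a TRACE request with 405 Method Not Allowed. The responses at the bottom are constructed samples and example.invalid is a placeholder host name.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Checks on HTTP response headers for ServerTokens Prod and TraceEnable Off.

# Exit 0 if the Server header carries no version, OS or module details,
# which is what ServerTokens Prod produces; 1 otherwise.
server_header_is_minimal() {
    value=$(tr -d '\r' | grep -i '^Server:' | head -n 1 \
            | sed 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*$//')
    [ "$value" = "Apache" ]
}

# Exit 0 if the status line on stdin is a 405, which is how Apache
# rejects TRACE once TraceEnable is Off; 1 otherwise.
trace_is_disabled() {
    status=$(tr -d '\r' | head -n 1 | awk '{ print $2 }')
    [ "$status" = "405" ]
}

# Constructed sample responses: a hardened server and a default one.
HARDENED_HEAD='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache
Content-Type: text/html'

DEFAULT_HEAD='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache/2.4.57 (Debian)
Content-Type: text/html'

HARDENED_TRACE='HTTP/1.1 405 Method Not Allowed
Allow: GET,POST,OPTIONS,HEAD
Content-Type: text/html'

DEFAULT_TRACE='HTTP/1.1 200 OK
Content-Type: message/http'

# Live usage against a placeholder host (uncomment on a real server):
#   curl -sI http://example.invalid/ | server_header_is_minimal && echo "ServerTokens ok"
#   curl -s -D - -o /dev/null -X TRACE http://example.invalid/ | trace_is_disabled && echo "TRACE disabled"

# Usage against the constructed samples.
printf '%s\n' "$HARDENED_HEAD" | server_header_is_minimal && echo "hardened sample: Server header is minimal"
printf '%s\n' "$DEFAULT_HEAD" | server_header_is_minimal || echo "default sample: Server header leaks version and OS"
printf '%s\n' "$HARDENED_TRACE" | trace_is_disabled && echo "hardened sample: TRACE rejected with 405"
printf '%s\n' "$DEFAULT_TRACE" | trace_is_disabled || echo "default sample: TRACE answered"
```

The checks are deliberately strict: a Server header of "Apache/2.4" still fails, because ServerTokens Prod is the only setting that reduces the header to the bare product name.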
There are methods of swamping a web server with requests that can result in your site going offline. These are known as DDoS (Distributed Denial of Service) attacks. One way of combating these I have already mentioned: disabling the HTTP TRACE request. In the next two changes you will limit large requests and install mod_evasive. These will help keep your site online for longer. A determined attacker with a large amount of resources will still be able to bring your site down, though.
By default there is no limit set by Apache on the size of an HTTP request that it will deal with. This means an attacker could send a lot of data and take down your server. Setting this up takes a bit of work, as it is done on a per-directory basis. In my example I will use a directory called holidays. You may have set up rules to serve this directory as detailed below:
Alias /holidays "/var/www/html/holidays"
<Directory /var/www/html/holidays/>
    Options -Indexes
    AllowOverride All
    SetEnv HOME /var/www/html/holidays
    SetEnv HTTP_HOME /var/www/html/holidays
</Directory>
To protect the directory from large requests use the LimitRequestBody directive. In my example we will use a value of 100k, which has to be written in bytes. Just add the line below AllowOverride All. For example:
Save the file and exit the text editor. For the change to take effect you need to restart Apache with:
sudo service apache2 restart
To install mod_evasive use the following command:
sudo apt-get install libapache2-mod-evasive
It is a good idea to have mod_evasive log what it does, as this can provide you with useful information. To create a log file for mod_evasive use the following commands:
sudo touch /var/log/apache2/mod_evasive.log
sudo chown www-data:www-data /var/log/apache2/mod_evasive.log
To set up the mod_evasive module you need to edit the mod-evasive.conf file. To do that use the following command:
sudo nano /etc/apache2/mods-available/mod-evasive.conf
Please refer to the README file that is included with mod_evasive for more details on the various config parameters. Add the following to the file.
<IfModule mod_evasive20.c>
    DOSHashTableSize 3097
    DOSPageCount 10
    DOSSiteCount 30
    DOSPageInterval 1
    DOSSiteInterval 3
    DOSBlockingPeriod 3600
    DOSLogDir /var/log/apache2/mod_evasive.log
</IfModule>
Save the file and exit the text editor. As with modsecurity the mod_evasive module needs to be enabled in Apache. To do that just use the following:
sudo a2enmod evasive
For the change to take effect you need to restart Apache with:
sudo service apache2 restart
In the absence of an index.html file, by default Apache will list all the contents of the Document root directory. You can easily switch off directory listing by using the Options directive in the configuration for a specific directory. For that we need to make an entry in the apache2.conf file.
<Directory /var/www/html>
    Options -Indexes
</Directory>
Save the file and restart Apache for the change to take effect.
You can restrict access to directories. This is done with the Allow and Deny options in apache2.conf. For example, here we will deny access to the root directory, which is always a good idea. Open apache2.conf in your text editor and at the bottom add the following text:
<Directory />
    Options None
    Order deny,allow
    Deny from all
</Directory>
You need to enter the full path for the directory. The sequence above breaks down as follows:
Options None – This does not allow users to enable any additional options.
Order deny,allow – The order in which the Deny and Allow directives will be handled.
Deny from all – Nobody will be able to get access to the root directory.
A default install of Apache will automatically follow symlinks. This feature can be turned off. Just use the -FollowSymLinks option in your apache2.conf file:
While you are at it, it may be a good idea to disable the execution of CGI files. This is turned off by adding the following to your apache2.conf file:
Save the file and close your text editor. To get Apache to pick up the new settings just restart it.
sudo service apache2 restart
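After this many edits across apache2.conf, modsecurity.conf and mod-evasive.conf it is easy to lose track of which settings are really in force, especially when an earlier copy of a directive is still present or a line was left commented out. The following is an added example (not from the original post): a POSIX shell audit that reads one or more configuration files, takes the last uncommented occurrence of each directive (a later directive overrides an earlier one in the same scope), and reports PASS or FAIL for the settings described in this article: ServerSignature, ServerTokens, TraceEnable, Options -Indexes, SecResponseBodyAccess and DOSBlockingPeriod. The two configuration files it checks at the bottom are constructed samples written to temporary files; the live-system paths in the comment are standard Debian locations.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Audit Apache configuration files for the hardening directives in this article.

# Print the value of the last uncommented occurrence of a directive.
directive_value() {
    # $1 = directive name, $2.. = configuration files
    d="$1"; shift
    cat "$@" 2>/dev/null \
        | grep -i "^[[:space:]]*$d[[:space:]]" \
        | tail -n 1 \
        | sed 's/^[[:space:]]*[^[:space:]]*[[:space:]]*//; s/[[:space:]]*$//'
}

# Compare one directive against its expected value (case-insensitive).
# Prints PASS or FAIL and returns 0 or 1.
check_directive() {
    # $1 = directive, $2 = expected value, $3.. = configuration files
    d="$1"; want="$2"; shift 2
    got=$(directive_value "$d" "$@")
    if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$want" | tr 'A-Z' 'a-z')" ]; then
        echo "PASS $d $got"; return 0
    fi
    echo "FAIL $d: expected '$want', found '${got:-<unset>}'"; return 1
}

# Run every check; return the number of failures (0 means fully hardened).
audit_config() {
    fails=0
    check_directive ServerSignature Off "$@"       || fails=$((fails + 1))
    check_directive ServerTokens Prod "$@"         || fails=$((fails + 1))
    check_directive TraceEnable Off "$@"           || fails=$((fails + 1))
    check_directive SecResponseBodyAccess Off "$@" || fails=$((fails + 1))
    check_directive DOSBlockingPeriod 3600 "$@"    || fails=$((fails + 1))
    # Options is a compound directive, so just require -Indexes on an uncommented line.
    if cat "$@" 2>/dev/null | grep -iq '^[[:space:]]*Options.*-Indexes'; then
        echo "PASS Options -Indexes"
    else
        echo "FAIL Options -Indexes not found"; fails=$((fails + 1))
    fi
    return $fails
}

# Constructed sample: everything from the article applied.
GOOD_CONF="${TMPDIR:-/tmp}/audit_good_$$.conf"
cat > "$GOOD_CONF" <<'EOF'
ServerSignature Off
ServerTokens Prod
TraceEnable Off
<Directory /var/www/html>
    Options -Indexes
</Directory>
SecResponseBodyAccess Off
DOSBlockingPeriod 3600
EOF

# Constructed sample: a half-finished edit with typical mistakes.
BAD_CONF="${TMPDIR:-/tmp}/audit_bad_$$.conf"
cat > "$BAD_CONF" <<'EOF'
ServerSignature On
# ServerTokens Prod   (commented out, so not in effect)
TraceEnable On
<Directory /var/www/html>
    Options Indexes FollowSymLinks
</Directory>
SecResponseBodyAccess Off
DOSBlockingPeriod 3600
EOF

# Usage. On a Debian server you would pass the real files, e.g.:
#   audit_config /etc/apache2/apache2.conf /etc/apache2/conf-enabled/*.conf \
#                /etc/apache2/mods-enabled/*.conf /etc/modsecurity/modsecurity.conf
echo "== good sample =="; audit_config "$GOOD_CONF" && echo "no failures"
echo "== bad sample ==";  audit_config "$BAD_CONF" || echo "$? failure(s)"
```

Run it before and after each restart: the FAIL lines tell you exactly which edit did not land, and the return value makes it usable from a script or cron job that alerts when a configuration drifts back.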
There are plenty of ways to secure your Apache server. The suggestions I have made here are a good start, and you can use any or all of them. Please take the time to look on Google and research methods to lock down your server against attack or malicious users. Also keep it and your system up to date.