Showing posts with label Webserver hardening.

A short list of Apache web server security and hardening tips


How to disable directory listing in the Apache web server

Environment: Apache web server

Solution :

-       In the absence of an index file, Apache by default lists the contents of the content root directory.
-       The directory listing can be turned off with the Options directive in the httpd.conf or apache2.conf configuration file, globally or for any specific directory.

1.       Open the httpd.conf or apache2.conf file and add the following Options line
Options -Indexes

2.       Restart the server
3.       Go to the website and request the content root (/var/www/html or /content)
4.       You must see the Forbidden error ("You don't have permission to access / on this server.")

How to hide the Apache version and OS identity from error pages in the Apache HTTP server

-          When Apache is installed from source or from a package through an installer like yum, it displays the Apache version and the OS version in error pages.
-          It also shows the modules installed in the Apache server.

Steps to follow in RHEL, CentOS, Fedora, Debian and Ubuntu

1.       Open the httpd.conf/apache2.conf  file based on the OS

# vim /etc/httpd/conf/httpd.conf (RHEL/CentOS/Fedora)
# vim /etc/apache2/apache2.conf (Debian/Ubuntu)

2.       Add the below configuration to httpd.conf/apache2.conf and save the file
ServerSignature Off
ServerTokens Prod

3.       Restart the server and that's it

# service httpd restart (RHEL/CentOS/Fedora)
# service apache2 restart (Debian/Ubuntu)

How to keep Apache updated regularly

Environment : Apache Web server

Solution :

1.       Check the Apache version with # httpd -v
2.       Run the below command to update the package
# yum update httpd (RHEL/CentOS/Fedora)
# apt-get install apache2 (Debian/Ubuntu)
3.       That's it! Check the Apache version again after the upgrade with # httpd -v


Disable unnecessary modules
1.       Insert # at the beginning of the LoadModule line to comment out an unnecessary module so that it is not loaded

Disable Apache's following of symbolic links

-          By default the Apache web server follows symlinks.
-          This feature can be turned off by removing FollowSymLinks from the Options directive.
-          Open the httpd.conf file and add the below line (without a leading #, which would turn it into a comment).
Options -FollowSymLinks

-          If the FollowSymLinks feature is needed for a particular website, it can be enabled by writing the rule in that website's ".htaccess" file.
# Enable symbolic links
Options +FollowSymLinks
Note: For rules inside the ".htaccess" file to take effect, "AllowOverride All" should be present in the main configuration globally.

Turn off Server Side Includes and CGI execution

Environment: Apache
Solution :
-          Steps to turn off server side includes (mod_include) and CGI execution.
-          Modify the main configuration file, httpd.conf or apache2.conf.
-          This can be applied to the root directory or to a specific directory.
-          Open the main configuration file and add the below line, either globally or inside the <Directory> block of the directory concerned

Options -Includes -ExecCGI

-          Restart the server. That's it!
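As an added example (not code from the original post), the POSIX shell script below audits an httpd.conf or apache2.conf for the directives covered in the tips above, running against a constructed stock-style config and a constructed hardened one. It only checks that each directive appears uncommented somewhere in the file, not the scope (global or per-directory) it applies to.

```shell
#!/bin/sh
# Added example, not code from the original post: a read-only audit that scans an
# httpd.conf / apache2.conf for the hardening directives covered above, run here
# against a constructed "stock-like" config and a constructed hardened one.
# has_directive FILE REGEX: true if an uncommented line matches REGEX
has_directive() {
    grep -Eiq "^[[:space:]]*$2" "$1"
}

# one_check FILE NAME REGEX: prints "PASS NAME" or "FAIL NAME"
one_check() {
    if has_directive "$1" "$3"; then echo "PASS $2"; else echo "FAIL $2"; fi
}

# audit_conf FILE: one result line per hardening directive from this post
audit_conf() {
    one_check "$1" ServerTokens     'ServerTokens[[:space:]]+Prod'
    one_check "$1" ServerSignature  'ServerSignature[[:space:]]+Off'
    one_check "$1" NoIndexes        'Options[^#]*-Indexes'
    one_check "$1" NoFollowSymLinks 'Options[^#]*-FollowSymLinks'
    one_check "$1" NoIncludes       'Options[^#]*-Includes'
    one_check "$1" NoExecCGI        'Options[^#]*-ExecCGI'
}

# count_fails FILE: prints the number of failed checks (exit status always 0)
count_fails() {
    audit_conf "$1" | grep -c '^FAIL' || true
}

WEAK=$(mktemp); HARD=$(mktemp)
# Constructed sample 1: a stock-style config (ServerSignature still commented out)
cat > "$WEAK" <<'EOF'
ServerTokens OS
# ServerSignature Off
<Directory "/var/www/html">
    Options Indexes FollowSymLinks Includes ExecCGI
</Directory>
EOF
# Constructed sample 2: the same config with the directives from this post applied
cat > "$HARD" <<'EOF'
ServerTokens Prod
ServerSignature Off
<Directory "/var/www/html">
    Options -Indexes -FollowSymLinks -Includes -ExecCGI
</Directory>
EOF
echo "stock config:";    audit_conf "$WEAK"; echo "failed: $(count_fails "$WEAK")"
echo "hardened config:"; audit_conf "$HARD"; echo "failed: $(count_fails "$HARD")"
rm -f "$WEAK" "$HARD"
```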


Statement: The directives below help to mitigate DoS attacks, although such attacks cannot be prevented completely

Environment : Apache webserver
Solution :
-          Set the TimeOut :

                     - Its default value is 300 secs; set it lower depending on the website's functionality.

                     - The server waits this amount of time for the event to complete, after which the request fails.

-          MaxClients :

                    - Default value is 256; set this value lower to limit the impact of DoS attacks.
                    - It sets the maximum number of connections that will be served simultaneously.
                    - Once the limit is crossed, every new connection is queued up.

-          KeepAliveTimeout :
                   - Default value is 5 sec.

                   - This is the amount of time the server will wait for a subsequent request before closing the connection.

-          LimitRequestFields : default value is 100; set this value lower to limit the impact of DoS attacks.

-          LimitRequestFieldSize : sets a size limit on the HTTP request headers.


Use the mod_security and mod_evasive modules to secure Apache

-          mod_security :
    -  It acts as a firewall for the web application and allows the traffic to be monitored in real time.
    -  It also protects the website or web server from brute force attacks.
    -  Install the mod_security module.
-          Install mod_security on Ubuntu/Debian
    $ sudo apt-get install libapache2-modsecurity
    $ sudo a2enmod mod-security
    $ sudo /etc/init.d/apache2 force-reload
    (On current Debian/Ubuntu releases the package is libapache2-mod-security2 and the module is enabled with "a2enmod security2".)

-          Install mod_security on RHEL/CentOS/Fedora
    # yum install mod_security
    # /etc/init.d/httpd restart
-          mod_evasive
    -  It handles DoS attacks.
    -  It handles DDoS attacks.
    -  It handles brute force attacks.
    -  This module detects three conditions:
        -  The same page being requested more than a few times per second.
        -  A child process making more than 50 concurrent requests.
        -  A temporarily blacklisted IP trying to make new requests.


How to use the mod_security and mod_evasive modules to secure the Apache web server and mitigate DoS, DDoS and brute force attacks

Statement : Use the mod_security and mod_evasive modules to secure Apache

Environment : Apache webserver


-          mod_security :
    -  It acts as a firewall for the web application and allows the traffic to be monitored in real time.
    -  It also protects the website or web server from brute force attacks.
    -  Install the mod_security module.
-          Install mod_security on Ubuntu/Debian
    $ sudo apt-get install libapache2-modsecurity
    $ sudo a2enmod mod-security
    $ sudo /etc/init.d/apache2 force-reload
    (On current Debian/Ubuntu releases the package is libapache2-mod-security2 and the module is enabled with "a2enmod security2".)

-          Install mod_security on RHEL/CentOS/Fedora
    # yum install mod_security
    # /etc/init.d/httpd restart
-          mod_evasive
    -  It handles DoS attacks.
    -  It handles DDoS attacks.
    -  It handles brute force attacks.
    -  This module detects three conditions:
        -  The same page being requested more than a few times per second.
        -  A child process making more than 50 concurrent requests.
        -  A temporarily blacklisted IP trying to make new requests.

Protecting the Apache web server against DDoS attacks



Statement: The directives below help to mitigate DoS attacks, although such attacks cannot be prevented completely

Environment : Apache webserver

Solution :

-          Set the TimeOut :
                     - Its default value is 300 secs; set it lower depending on the website's functionality.
                     - The server waits this amount of time for the event to complete, after which the request fails.


-          MaxClients :
                    - Default value is 256; set this value lower to limit the impact of DoS attacks.
                    - It sets the maximum number of connections that will be served simultaneously.

                    - Once the limit is crossed, every new connection is queued up.

-          KeepAliveTimeout :
                   - Default value is 5 sec.
                   - This is the amount of time the server will wait for a subsequent request before closing the connection.
-          LimitRequestFields : default value is 100; set this value lower to limit the impact of DoS attacks.
-          LimitRequestFieldSize : sets a size limit on the HTTP request headers.

Disable Apache's following of symbolic links


Environment : Apache webserver

-          By default the Apache web server follows symlinks.
-          This feature can be turned off by removing FollowSymLinks from the Options directive.
-          Open the httpd.conf file and add the below line (without a leading #, which would turn it into a comment).
Options -FollowSymLinks

-          If the FollowSymLinks feature is needed for a particular website, it can be enabled by writing the rule in that website's ".htaccess" file.
# Enable symbolic links
Options +FollowSymLinks
Note: For rules inside the ".htaccess" file to take effect, "AllowOverride All" should be present in the main configuration globally.

How to upgrade the Apache version regularly


Environment : Apache Web server


Solution :

1.       Check the Apache version with # httpd -v
2.       Run the below command to update the package
# yum update httpd (RHEL/CentOS/Fedora)
# apt-get install apache2 (Debian/Ubuntu)
3.       That's it! Check the Apache version again after the upgrade with # httpd -v

How to disable directory listing in the Apache web server



Environment: Apache web server


Solution :

-       In the absence of an index file, Apache by default lists the contents of the content root directory.
-       The directory listing can be turned off with the Options directive in the httpd.conf or apache2.conf configuration file, globally or for any specific directory.

1.       Open the httpd.conf or apache2.conf file and add the following Options line
Options -Indexes

2.       Restart the server
3.       Go to the website and request the content root (/var/www/html or /content)
4.       You must see the Forbidden error ("You don't have permission to access / on this server.")



How to hide the Apache version and OS identity from error pages in the Apache HTTP server


Environment  : Apache Web server


-          When Apache is installed from source or from a package through an installer like yum, it displays the Apache version and the OS version in error pages.
-          It also shows the modules installed in the Apache server.
-          It also shows the port number.

Steps to follow in RHEL, CentOS, Fedora, Debian and Ubuntu

1.       Open the httpd.conf/apache2.conf file based on the OS

# vim /etc/httpd/conf/httpd.conf (RHEL/CentOS/Fedora)
# vim /etc/apache2/apache2.conf (Debian/Ubuntu)

2.       Add the below configuration to httpd.conf/apache2.conf and save the file
ServerSignature Off
ServerTokens Prod

3.       Restart the server and that's it

# service httpd restart (RHEL/CentOS/Fedora)
# service apache2 restart (Debian/Ubuntu)