How to disable the directory display in Apache webserver
Environment: Apache Webserver
Solution:
- In the absence of an index file, by default the Apache server will list the contents of the content root directories.
- We can turn off the directory listing by using the Options directive in the httpd.conf or apache2.conf configuration file, for any specific directory.
1. Open the httpd.conf or apache2.conf file and add:
Options -Indexes
2. Restart the server.
3. Go to the website and access the content root (/var/www/html or /content).
4. You must see the Forbidden error ("You don't have permission to access / on this server").
How to hide Apache Version and OS Identity from Errors in Apache HTTP server
- When you install Apache from source or as a package through an installer like yum, it displays the version of Apache and the OS version in error pages.
- It also shows the modules installed in the Apache server.
Steps to follow in RHEL, CentOS, Fedora, Debian and Ubuntu
1. Open the httpd.conf/apache2.conf file based on the OS
# vim /etc/httpd/conf/httpd.conf (RHEL/CentOS/Fedora)
# vim /etc/apache2/apache2.conf (Debian/Ubuntu)
2. Add the below configuration to httpd.conf/apache2.conf and save the file
ServerSignature Off
ServerTokens Prod
3. Restart the server and that's it
# service httpd restart (RHEL/CentOS/Fedora)
# service apache2 restart (Debian/Ubuntu)
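Verifying the change is as important as making it: the Server header of any response tells you what ServerTokens is actually emitting. The script below is an added example, not part of the original notes, that checks a captured response header for disclosure beyond the bare product name and audits a config fragment for the two directives above (last occurrence wins, as Apache applies them; the defaults assumed when a directive is absent are ServerTokens Full and ServerSignature Off). The headers and config text are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original notes). Checks two things:
#  1. does a captured HTTP response header still disclose version/OS?
#  2. does a config set ServerTokens Prod and ServerSignature Off?
# All inputs below are constructed samples.

# Constructed response header as captured before hardening.
BEFORE_HEADERS='HTTP/1.1 404 Not Found
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Type: text/html'

# Constructed response header as captured after ServerTokens Prod.
AFTER_HEADERS='HTTP/1.1 404 Not Found
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache
Content-Type: text/html'

# server_header: print the value of the Server header from headers on stdin.
server_header() {
  sed -n 's/^[Ss]erver:[[:space:]]*//p' | tr -d '\r' | head -n 1
}

# server_discloses HEADERS: exit 0 if the Server header carries anything beyond
# the product name (version, OS, module list), exit 1 if it is just "Apache",
# which is what ServerTokens Prod produces.
server_discloses() {
  value=$(printf '%s\n' "$1" | server_header)
  case $value in
    Apache) return 1 ;;
    *)      return 0 ;;
  esac
}

# config_hardened: read a config on stdin and print "ok" when both directives
# from the notes are set; otherwise print the effective (weak) values.
# Apache uses the last occurrence of a directive, so later lines overwrite earlier ones.
config_hardened() {
  awk '
    BEGIN { tokens = "Full"; sig = "Off" }   # Apache defaults when the directives are absent
    /^[[:space:]]*ServerTokens[[:space:]]/    { tokens = $2 }
    /^[[:space:]]*ServerSignature[[:space:]]/ { sig = $2 }
    END {
      if (tokens == "Prod" && sig == "Off") print "ok"
      else print "weak: ServerTokens=" tokens " ServerSignature=" sig
    }
  '
}

# Demonstration on the constructed samples.
printf 'Before: %s\n' "$(printf '%s\n' "$BEFORE_HEADERS" | server_header)"
printf 'After:  %s\n' "$(printf '%s\n' "$AFTER_HEADERS" | server_header)"
printf 'ServerTokens OS\nServerSignature On\n' | config_hardened
printf 'ServerSignature Off\nServerTokens Prod\n' | config_hardened
```

On a live host, feed `curl -sI http://localhost/` into `server_header` and the real httpd.conf or apache2.conf into `config_hardened`. Note that ServerTokens Prod only hides the banner; the installed version is unchanged, which is why the update section below still matters.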
How to keep updating Apache regularly
Environment: Apache Web server
Solution:
1. Check the Apache version by using
# httpd -v
2. Run the below command to update the version
# yum update httpd (RHEL/CentOS/Fedora)
# apt-get install apache2 (Debian/Ubuntu)
3. That's it! Again check the version of Apache post upgrade:
# httpd -v
Disable the unnecessary modules
1. Insert # at the beginning of the module's LoadModule line to comment it out, so the unnecessary module is not loaded.
Disable Apache's following of symbolic links
- By default the Apache webserver follows symlinks.
- We can turn off this feature with FollowSymLinks in the Options directive.
- Open the httpd.conf file and add the below line.
Options -FollowSymLinks
- If there is a need for the FollowSymLinks feature, it can be enabled by writing the rule in the ".htaccess" file of that website.
# Enable symbolic links
Options +FollowSymLinks
Note: To enable rewrite rules inside the ".htaccess" file, "AllowOverride All" should be present in the main configuration globally.
Turn off Server Side Includes and CGI execution
Environment: Apache
Solution:
- Steps to turn off server side includes (mod_include) and CGI execution.
- Modify the httpd.conf or apache2.conf main configuration file.
- This can be applied to the root directory or to a specific directory.
- Open the main configuration file and add the below details
Options -Includes -ExecCGI
- Restart the server. That's it!
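The directory listing, symlink and SSI/CGI sections above all come down to the same Options directive, and the easy mistake is an Options line elsewhere in the config (or an "Options All") that re-enables what you thought you had turned off. The script below is an added example, not from the original notes: it reads an Apache config, tracks which Directory block each Options line belongs to, and reports whether Indexes, FollowSymLinks, Includes and ExecCGI are enabled by that line. The config fragment is constructed; on a real host read /etc/httpd/conf/httpd.conf or /etc/apache2/apache2.conf (the paths the notes name) instead.

```shell
#!/bin/sh
# Added example (not from the original notes): audit the Options directives in an
# Apache config for the four options the notes recommend disabling.
# The config text below is a constructed sample.

SAMPLE_CONF='
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/var/www/secure">
    Options -Indexes -FollowSymLinks -Includes -ExecCGI
</Directory>
<Directory "/var/www/cgi-bin">
    Options All
</Directory>
'

# option_enabled OPTION TOKEN...: print yes/no for whether OPTION is switched on
# by the given Options tokens. Rules as Apache applies them to one line:
#   "All" enables everything except MultiViews; "None" disables everything;
#   a bare name or +name enables it; -name disables it. Later tokens win.
option_enabled() {
  opt=$1; shift
  enabled=no
  for tok in "$@"; do
    case $tok in
      All|+All)       enabled=yes ;;
      None)           enabled=no ;;
      "$opt"|"+$opt") enabled=yes ;;
      "-$opt")        enabled=no ;;
    esac
  done
  echo "$enabled"
}

# audit_options: read a config on stdin and print, for every Options line,
#   <directory or (global)> Indexes=.. FollowSymLinks=.. Includes=.. ExecCGI=..
audit_options() {
  sed 's/^[[:space:]]*//' | while IFS= read -r line; do
    case $line in
      '#'*|'') continue ;;                       # comments and blank lines
      '<Directory '*)                            # remember which block we are in
        ctx=${line#"<Directory "}; ctx=${ctx%">"}
        ctx=${ctx#\"}; ctx=${ctx%\"} ;;
      '</Directory>') ctx='(global)' ;;
      Options\ *)
        set -- $line; shift                      # tokens after the keyword
        printf '%s Indexes=%s FollowSymLinks=%s Includes=%s ExecCGI=%s\n' \
          "${ctx:-(global)}" \
          "$(option_enabled Indexes "$@")" \
          "$(option_enabled FollowSymLinks "$@")" \
          "$(option_enabled Includes "$@")" \
          "$(option_enabled ExecCGI "$@")" ;;
    esac
  done
}

# risky_lines: number of Options lines that still enable at least one of the four.
risky_lines() {
  audit_options | grep -c '=yes'
}

printf '%s\n' "$SAMPLE_CONF" | audit_options
```

In the sample, /var/www/secure is the only block that matches the notes; /var/www/cgi-bin shows why "Options All" deserves a look, since it silently turns Indexes, Includes and ExecCGI back on. Remember that a .htaccess file with AllowOverride Options can also re-enable these per directory, which this config-only check does not see.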
Statement: The below directives will help to mitigate DoS attacks; they cannot prevent them completely.
Environment: Apache webserver
Solution:
- TimeOut:
  - Its default value is 300 secs; set the value lower depending on the website functionality.
  - The server waits this amount of time for the event to complete; after that the request fails.
- MaxClients:
  - Default value is 256; set this value lower to mitigate DoS attacks.
  - It allows you to set the maximum number of connections to be served simultaneously.
  - Once the limit is crossed, every new connection is queued up.
- KeepAliveTimeout:
  - Default value is 5 sec.
  - It indicates the amount of time the server will wait for the subsequent request before closing the connection.
- LimitRequestFields: default value is 100; set this value lower to mitigate DoS attacks.
- LimitRequestFieldSize: it sets a size limit on the HTTP request headers.
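Because each of these directives has a default that applies when the line is simply absent, an audit has to report the effective value, not just grep for the directive. The script below is an added example, not from the original notes: it reads a config, resolves each directive's effective value (using the defaults the notes give, plus Apache's 8190 for LimitRequestFieldSize, when the directive is missing) and flags values above a ceiling. The ceilings are illustrative assumptions to be tuned per site, and the config fragment is constructed. MaxClients was renamed MaxRequestWorkers in Apache 2.4, so the script checks the new name first and falls back to the old one.

```shell
#!/bin/sh
# Added example (not from the original notes): report the effective value of the
# DoS-related directives from the notes and flag those above an assumed ceiling.
# Config text is a constructed sample; ceilings are illustrative only.

SAMPLE_CONF='
Timeout 300
KeepAlive On
MaxRequestWorkers 400
LimitRequestFieldSize 8190
'

# effective_value NAME DEFAULT: print the last value set for NAME in the config on
# stdin (Apache applies the last occurrence), or DEFAULT if it never appears.
# Directive names are case-insensitive; commented lines start with "#" and never match.
effective_value() {
  awk -v name="$1" -v def="$2" '
    tolower($1) == tolower(name) { val = $2 }
    END { print (val == "" ? def : val) }
  '
}

# report NAME VALUE CEILING: print "NAME VALUE high" or "NAME VALUE ok".
report() {
  if [ "$2" -gt "$3" ]; then status=high; else status=ok; fi
  printf '%s %s %s\n' "$1" "$2" "$status"
}

# dos_audit: config on stdin; one report line per directive.
dos_audit() {
  conf=$(cat)
  # Each entry: directive, default when absent (as given in the notes; Apache 2.4
  # itself ships Timeout 60), assumed ceiling above which we flag it.
  for spec in \
      "Timeout 300 60" \
      "KeepAliveTimeout 5 5" \
      "LimitRequestFields 100 50" \
      "LimitRequestFieldSize 8190 4094"; do
    set -- $spec
    val=$(printf '%s\n' "$conf" | effective_value "$1" "$2")
    report "$1" "$val" "$3"
  done
  # MaxClients became MaxRequestWorkers in 2.4; honour whichever is present.
  max=$(printf '%s\n' "$conf" | effective_value MaxRequestWorkers "")
  [ -n "$max" ] || max=$(printf '%s\n' "$conf" | effective_value MaxClients 256)
  report MaxClients "$max" 150
}

printf '%s\n' "$SAMPLE_CONF" | dos_audit
```

Run it against the real config with `dos_audit < /etc/httpd/conf/httpd.conf` (or the apache2.conf path). A line such as "Timeout 300 high" means the value in force is the one the notes ask you to lower; "KeepAliveTimeout 5 ok" means the default is already at the ceiling.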
Use mod_security and mod_evasive modules to secure Apache
- mod_security:
  - It acts as a firewall for the web application and allows monitoring of the traffic in real time.
  - It also protects the website or web server from brute force attacks.
  - Install the mod_security module:
    - Install mod_security on Ubuntu/Debian
$ sudo apt-get install libapache2-modsecurity
$ sudo a2enmod mod-security
$ sudo /etc/init.d/apache2 force-reload
    - Install mod_security on RHEL/CentOS/Fedora
# yum install mod_security
# /etc/init.d/httpd restart
- mod_evasive:
  - It handles DoS attacks.
  - It handles DDoS attacks.
  - It handles brute force attacks.
  - This module detects three conditions:
    - Multiple requests coming to the same page more than a few times per second.
    - A child process creating more than 50 concurrent requests.
    - A temporarily blacklisted IP trying to make new requests.
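The first mod_evasive condition above (the same client hitting the same page repeatedly within a second) is easy to reason about offline, which helps when tuning the module or checking an access log after the fact. The script below is an added example, not from the original notes and not mod_evasive's own code: it counts requests per (client, page, second) over access-log lines in Apache's common log format and lists the clients that exceed a threshold. The log lines are constructed and the threshold is an assumption.

```shell
#!/bin/sh
# Added example (not from the original notes): an offline re-implementation of the
# "same page, same client, same second" rule, run over access-log lines.
# Log lines are constructed; addresses are from documentation ranges.

SAMPLE_LOG='192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html?x=1 HTTP/1.1" 200 512
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512
192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /about.html HTTP/1.1" 200 512
203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 512'

# same_page_bursts THRESHOLD: read common-log-format lines on stdin and print
#   <client> <page> <second> <count>
# for every (client, page, second) seen THRESHOLD or more times.
# Common log format fields: $1 client, $4 "[dd/Mon/yyyy:HH:MM:SS", $7 request path.
same_page_bursts() {
  awk -v limit="$1" '
    {
      client = $1
      sec = substr($4, 2)          # drop the leading "[" from the timestamp
      split($7, path, "?")         # page without its query string
      key = client " " path[1] " " sec
      count[key]++
    }
    END {
      for (k in count) if (count[k] >= limit) print k, count[k]
    }
  ' | sort
}

# blocklist THRESHOLD: the distinct clients that tripped the rule, one per line.
blocklist() {
  same_page_bursts "$1" | awk '{ print $1 }' | sort -u
}

printf '%s\n' "$SAMPLE_LOG" | same_page_bursts 3
```

With a threshold of 3, only 192.0.2.10 is reported (four hits on /index.html in the same second, the query-string variant included); 198.51.100.7 spreads its two requests over two pages and stays clear. Use `blocklist N < /var/log/httpd/access_log` to see which clients a given threshold would have caught before committing to it in the module's configuration.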