Sunday, 8 December 2013

Secure Apache Configuration | Retraction of Various Web Attacks

Secure Apache Server installation


Apache web server installation using yum ( Yellow dog Update Modifier )

Apache is a freeware & opensource Web Server which is mostly used for the web server approx 70 % web servers are Apache web server .Apache web server is basically used to launch the web pages or the web sites.

we need to install latest Apache server with latest patches

some Important Info for Apache


  • Service  : V-managed Service
  • package : httpd, httpd-devel,httpd-manual
  • Demon   : /usr/sbin/httpd
  • script      : /etc/init.d/httpd
  • port used: 80 & 443 (http & https )
  • conf. file  : /etc/httpd/conf/httpd.conf
  • Default selinux deamon : /var/www
step 1 : Login as root user & then type yum install httpd-* -y
#su
password:
#yum install httpd-* -y



Now yum install the Apache server

#service httpd start  ( this is used to start the Apache service )
#service httpd stop   ( this is used to stop the Apache service )
#service httpd restart ( this is used to restart or refress the Apache service )
#chkconfig httpd on    ( this is used to continue running of Apache services Automatically after restarting the machine )

now we need to config the Apache server

Step 2 : now we need to open the conf file of Apache too config the Apache server

from here our security part begins 

Remove the default config  files 

#rm -f /etc/httpd/conf.d/welcome.conf
#rm -f /var/www/error/noindex.html

Hide the Apache version number and other sensitive info 

How we can hide Apache version & sensitive directory ?
Now we need to edit httpd.conf file

we need to add server signature off & server token prod
 find ServerSignature if it is on then off it or mark as comments using before the line ServerSignature
& now find the ServerToken it is off by default you may Prod it or use it as comments same as for ServerSignature.

Apache is must be running under it's own user account and group

use it as apache find these lines
user nobody
group nobody

both must be as 
user apache
group apache 

Conform the file outside the web root are not served 

it means we Don't want that the files from outside the web root not be run remotely 
Now how to do that ?

so for web server directory conf like

<Directory />
     Order Deny,Allow
     Deny from all
     Options None
     AllowOverride None
</Directory>
we set Options None and AllowOverride None this will turn off all options and override for the servers you now add that explicitly  for each dir that have the Options or Override .

Directory traversing turning off

how to turn off Dirctory traverse browsing  ?

this is same done by the Options  inside the Directory tag we have to set it as Options to either None or       -Includes
Options -Includes  

& same if you are not using CGI execution then turn it off with same Directory tag Options  set it either None or -ExecCGI

Options -ExecCGI

Next closing symbolic Links , How to do that ??

we knows the symbolic links are also vary important in web server . this can be done by using the same method in the Directory tag set Option None else  -FollowSymLinks 

Options -FollowSymlinks

Now Lets Combine them all to close the all Options 

either we can use :

Options None 

or else 

Options  -FollowSymlinks -ExecCGI  -Includes  

in Directory tag

Turn off Support for .htaccess files, No need to explain about .htaccess file . 
So how to do that ?

this is all done by Directory tag but with AllowOverride directive. Set it to None 
AllowOverride None 

if you require Overrides ensure that they cannot be downloaded , and /or change the name of .htaccess that start with .ht  name like .htnulloverride etc 

AccessFileName .htnulloverride
<Files ~ "^\.ht">
     Order allow,deny
     Deny from all
     Satisfy All
</Files>

Next we have to Disable unnecessary modules

Apache comes with various modules installed in it which are used by the programmers to run and use to retrieve data from the server always a good programmer need to study them that where a php programmer use there skills to secure the web site by scripts & also how to Destroy the sites just by using these modules .

to study these modules please refers to Module Documents of Apache Server .

Study these Modules & enables & Disables them according to Security .

So how to Disable  these modules ??
In httpd.conf  file there is LoadModule to disable these modules just comments it by using in front of this line

i have some modules which are enables but not needed like 
mod_imap, mod_include, mod_info, mod_userdir, mod_status, mod_cgi, mod_autoindex.

Run mod_security for security ..

mod_security is a very important mod for the security 

if you want to learn in deep with mod_security module then study from here
we can perform various Security axns with mod_security 

few are here
  • Simple Filtering
  • Regular Expression bashed filtering 
  • URL Encoding Validation
  • Auditing
  • And various more 
Run the Apache config & binaries with read access only to the root user 

this is done by permissions as 

chown -R root:root /usr/local/apache
chown -R o-rwx /usr/local/apache

here /usr/local/apache is Apache installation  directory 

Now Let's work for DDos attack 
the DDos Attack is basically on Apache server so i have a que how to prevent DDos or Dos Attack 

in httpd.conf file i have find the resign for Dos Attack that means time to send request to a web server & then Returning back time . means to say if we restrict or limit the time out value just as 50 sec or 60 sec then we can restrict the DDos attack on the Apache server 
so set 
Timeout 50
in httpd.conf the old version having 200 to 300 so they are easily DDosed or Dosed by the Attacker 

and we need to Limiting large Requests 

there is one option of LimitRequestBody in httpd.conf to limiting the DDos & if you are allowing file uploads of not longer than 1MB we need to set this setting like this 

LimitRequestBody 1048638

& if you are not allowing file uploading then you can set this value more smaller

Limiting IP Address Access 

if i want to go in a particular IP Regions so  how we can do that ?
wow i want to assign that my website can be access only by IP range from 117.86.0.0/24

so how we can do that ?

we just Allow from 117.86.0.0/24

Order Deny,Allow
Deny from all
Allow from 117.86.0.0/24

by default it is Allow from all in Directory tags


"Thnx for Reading to Protect Indian Cyber Space "  i will try to find more staff like that  

"Respect The Tri-Color"

0 comments:

Post a Comment