Thread: Securing apache

  1. #1
    Join Date
    Feb 2009
    Posts
    11
    Rep Power
    0

    Securing Apache

    Apache is by far the most common web server on planet Earth. It is small, durable and lightweight. But how do we go about securing it? This section will teach you various methods to secure your Apache configuration from attackers and other malicious users.

    Patches
    Always ensure your Apache installation is up to date. You can find the latest Apache version by going to apache.org; if the version there is newer than your current installation, please update. There is no point locking the door while it's already open.

    Hiding the Version Number
    OK, we don't want the attacker knowing what version we run. This is basically like giving them the key to your house. If they know the version number, all they need is the matching vulnerability for your version and they have access. To hide your version number, open up httpd.conf in a text editor. Once it is open, add these two directives.

    Code:
    ServerSignature Off
    ServerTokens Prod

    ServerSignature
    This is the line that appears at the very bottom of all the pages Apache generates, such as the 404, 503, etc. error pages. It usually looks like the following:

    Code:
    Apache/2.2.8 (Unix) Server at apache.org Port 80

    As you can see, there is a lot of information you may not want disclosed to the general public. This information can be potentially fatal to any web server that is not protected from such attacks.

    ServerTokens
    ServerTokens are the words displayed in the HTTP response header. By setting it to Prod, you make the ServerToken similar to the one below:

    Code:
    Server: Apache

    This makes sure no one can get your server version using the banner-grabbing side of enumeration.

    Never Run as Root
    Make sure your Apache server is NOT running as root. This is the single worst thing you can possibly do to your server's security. If Apache runs as root and the Apache server is compromised by an attacker, they can do whatever they wish with your server. To make sure your server is not running as root when you launch Apache, create a new user called apache and `su` to the user before launching. To make sure it is not running as root, simply list your processes and check the process ownership.

    Chroot
    You can never be too careful, so be sure to chroot Apache. By doing this you will limit the amount of damage done to your server if one site is compromised. Chroot will only allow Apache to access files assigned to the apache user. This is a pretty confusing task, but if you follow this guide you should have your Apache chrooted in no time. We need to make a new "root" directory. We are going to make this /chroot/apache. To do this we need to run the following SSH commands.

    Code:
    mkdir -p /chroot/apache/dev
    mkdir -p /chroot/apache/etc
    mkdir -p /chroot/apache/var/run
    mkdir -p /chroot/apache/usr/lib
    mkdir -p /chroot/apache/usr/libexec
    mkdir -p /chroot/apache/usr/local/apache/bin
    mkdir -p /chroot/apache/usr/local/apache/logs
    mkdir -p /chroot/apache/usr/local/apache/conf
    mkdir -p /chroot/apache/www

    The owner of the above files should be root and the permissions set to 0755. We now need to create a new device in /dev/null; this is known as the CHROOT filesystem. To do this we use the following commands in SSH.

    Code:
    ls -al /dev/null
    crw-rw-rw- 1 root wheel 2, 2 Mar 14 12:53 /dev/null
    mknod /chroot/apache/dev/null c 2 2
    chown root:sys /chroot/apache/dev/null
    chmod 666 /chroot/apache/dev/null

    Now, for our changes to take effect, we need to reboot syslogd or the system. syslogd is a lot quicker than rebooting the system, so I suggest doing this.
    Now we need to add the binaries and libs to the chrooted directory. To find what you need to add, use the ldd command. For example:
    Code:
    ldd /usr/local/apache/bin/httpd
    /usr/local/apache/bin/httpd:
    libcrypt.so.2 => /usr/lib/libcrypt.so.2 (0x280bd000)
    libc.so.4 => /usr/lib/libc.so.4 (0x280d6000)
    truss /usr/local/apache/bin/httpd | grep open
    (...)
    open("/var/run/ld-elf.so.hints",0,00) = 3 (0x3)
    open("/usr/lib/libcrypt.so.2",0,027757775370) = 3 (0x3)
    open("/usr/lib/libc.so.4",0,027757775370) = 3 (0x3)
    open("/etc/spwd.db",0,00) = 3 (0x3)
    open("/etc/group",0,0666) = 3 (0x3)
    open("/usr/local/apache/conf/httpd.conf",0,0666) = 3 (0x3)
    (...)
    Now this needs to be done to all the binaries and libs for your apache installation. For my BSD box I need to use the following commands to copy my files.

    Code:
    cp /usr/local/apache/bin/httpd /chroot/apache/usr/local/apache/bin/
    cp /var/run/ld-elf.so.hints /chroot/apache/var/run/
    cp /usr/lib/libcrypt.so.2 /chroot/apache/usr/lib/
    cp /usr/lib/libc.so.4 /chroot/apache/usr/lib/
    cp /usr/libexec/ld-elf.so.1 /chroot/apache/usr/libexec/

    The truss command also shows I need to do the following.

    Code:
    cp /etc/hosts /chroot/apache/etc/
    cp /etc/host.conf /chroot/apache/etc/
    cp /etc/resolv.conf /chroot/apache/etc/
    cp /etc/group /chroot/apache/etc/
    cp /etc/master.passwd /chroot/apache/etc/passwords
    cp /usr/local/apache/conf/mime.types /chroot/apache/usr/local/apache/conf/

    NOTE:
    In passwords we need to copy all the lines except from nobody and apache. In a similar way we need to remove nobody and apache from /chroot/apache/etc/group.
    To build the passwords database, run the following commands:

    Code:
    cd /chroot/apache/etc
    pwd_mkdb -d /chroot/apache/etc passwords
    rm -rf /chroot/apache/etc/master.passwd

    Now we need to test our chrooted Apache. Copy across httpd.conf and change the document root directive to /www. Also add a test index.html. Once you have completed all of the above, we can attempt to run the server. To run the CHROOT server, simply try the following command.

    Code:
    chroot /chroot/apache /usr/local/apache/bin/httpd

    If you have any problems, check the Apache logs. If you cannot find the problem, run the following:

    Code:
    truss chroot /chroot/apache /usr/local/apache/bin/httpd

    Truss should show all of the errors with the Apache launch command.
    Congratulations, you have chrooted Apache.

    Mod Security
    mod_security is a very useful Apache mod written by Ivan Ristić. Mod Security has the ability to do the following:
    • Regular Expression based filtering
    • Simple Filtering
    • URL Encoding Validation
    • Unicode Encoding Validation
    • Auditing
    • Null byte attack prevention
    • Upload memory limits
    • Server identity masking
    • Built in Chroot support
    • And more

    Conclusion
    The above information will help you create a more secure Apache installation than the default configuration the Apache Software Foundation gives you to begin with.
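
A check for the settings recommended in the post above, as an added example that is not part of the original post: it reads an httpd.conf and reports the effective ServerTokens, ServerSignature and User values that still leak the version or run workers as root. Function names and the sample configuration are constructed for illustration, and container scoping (<VirtualHost>, <Directory>) is ignored.

```shell
#!/bin/sh
# Added example: audit httpd.conf for the directives discussed in the post.
# Simplification (assumption): the last occurrence in the file wins,
# regardless of any <VirtualHost> or <Directory> container around it.

# effective_directive NAME FILE -> last value assigned to NAME, or empty
effective_directive() {
    awk -v want="$1" '
        /^[ \t]*#/ { next }                        # skip comment lines
        tolower($1) == tolower(want) { val = $2 }  # directive names are case-insensitive
        END { print val }
    ' "$2"
}

# audit_httpd_conf FILE -> prints one finding per line; no output means clean
audit_httpd_conf() {
    tokens=$(effective_directive ServerTokens "$1" | tr 'A-Z' 'a-z')
    sig=$(effective_directive ServerSignature "$1" | tr 'A-Z' 'a-z')
    user=$(effective_directive User "$1")

    case $tokens in
        prod|productonly) ;;
        '') echo "ServerTokens: not set, Apache defaults to Full" ;;
        *)  echo "ServerTokens: '$tokens' exposes more than the product name" ;;
    esac
    case $sig in
        ''|off) ;;                                 # Off is also the built-in default
        *)  echo "ServerSignature: '$sig' adds a footer to generated pages" ;;
    esac
    case $user in
        root|'#0') echo "User: worker processes configured to run as root" ;;
    esac
    return 0
}

# Constructed sample configuration (hypothetical values) to show a run.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
# ServerTokens Prod
ServerTokens OS
serversignature On
User apache
EOF
audit_httpd_conf "$sample_conf"
rm -f "$sample_conf"
```

The commented-out `ServerTokens Prod` line in the sample is ignored, so the run reports both the ServerTokens and ServerSignature settings.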
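
The library-copying step of the chroot procedure above, as an added example that is not part of the original post: it parses `ldd` output in the format shown in the post and copies each library to the same path under the chroot directory. The function names are hypothetical, and files that are only opened at run time (the ones the post finds with truss) still have to be added by hand.

```shell
#!/bin/sh
# Added example: stage the libraries reported by ldd into the chroot tree.

# ldd_paths: reads ldd output on stdin, prints each absolute library path once
ldd_paths() {
    awk '
        # "libc.so.4 => /usr/lib/libc.so.4 (0x280d6000)"
        $2 == "=>" && $3 ~ /^\// { if (!seen[$3]++) print $3; next }
        # bare absolute path (not the "binary:" header line)
        $1 ~ /^\// && $1 !~ /:$/ { if (!seen[$1]++) print $1 }
    '
}

# stage_into_chroot JAIL: reads paths on stdin, copies each to JAIL/<same path>;
# returns non-zero if any file was missing or could not be copied
stage_into_chroot() {
    jail=$1
    rc=0
    while IFS= read -r lib; do
        if [ ! -f "$lib" ]; then
            echo "missing: $lib" >&2
            rc=1
            continue
        fi
        mkdir -p "$jail$(dirname "$lib")" && cp -p "$lib" "$jail$lib" || rc=1
    done
    return $rc
}

# ldd output as listed in the post, embedded here as sample input.
sample='/usr/local/apache/bin/httpd:
    libcrypt.so.2 => /usr/lib/libcrypt.so.2 (0x280bd000)
    libc.so.4 => /usr/lib/libc.so.4 (0x280d6000)'
printf '%s\n' "$sample" | ldd_paths
# Real use: ldd /usr/local/apache/bin/httpd | ldd_paths | stage_into_chroot /chroot/apache
```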

  3. #2
    Jordan Guest
    Excellent tutorial Affix! +rep.

  4. #3
    Kristian Finlay Guest

    Re: Securing apache

    Mod Security is an open source, free web application firewall (WAF) Apache module. With over 70 percent of all attacks now carried out over the web application level, organizations need all the help they can get in making their systems secure. WAFs are deployed to establish an external security layer that increases security, detects and prevents attacks before they reach web applications.
    Last edited by Jordan; 08-06-2009 at 11:42 AM.

  5. #4
    Join Date
    Sep 2009
    Location
    USA
    Posts
    3,400
    Blog Entries
    5
    Rep Power
    37

    Re: Securing apache

    Good Job! +rep from me.
    Root Beer == System Administrator's Beer
    Download the new operating system programming kit! (some assembly required)
