Apache

Posted on Sunday March 13, 2016 / by Eric Potvin

Clickjacking Attack

Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.

To prevent Clickjacking attacks, edit the apache2.conf:

sudo vi /etc/apache2/apache2.conf

If you want to prevent sites other than your current site from framing your pages, add the following line:

<IfModule mod_headers.c>
 Header always append X-Frame-Options SAMEORIGIN
</IfModule>

If you want to prevent all sites (including the one that you're protecting) from framing your site, add the following line instead:

<IfModule mod_headers.c>
 Header always append X-FRAME-OPTIONS DENY
</IfModule>
Do not add both lines. Either add the SAMEORIGIN line or the DENY line, not both.

Disable ETAG

It allows remote attackers to obtain sensitive information like inode number, multipart MIME boundary and child process through Etag header.

To secure etag, edit the apache2.conf:

sudo vi /etc/apache2/apache2.conf

Add the following line:

FileETag None

Disable Old Protocol

Old HTTP protocol, like HTTP 1.0 protocol, should be disable. HTTP 1.0 has security weakness related to session hijacking.

To prevent Clickjacking attacks, edit the apache2.conf:

sudo vi /etc/apache2/apache2.conf

You can disable it using mod_rewrite by only allowing HTTP 1.1:

RewriteEngine On
RewriteCond %{THE_REQUEST} !HTTP/1\.1$
RewriteRule .* - [F]

Disable SSI

Server Side Include (SSI) has a potential risk in increasing load on the server. You should consider disable SSI by adding Includes in Options directive.

SSI attack allows the exploitation of a web application by injecting scripts in HTML pages or executing codes remotely.

To disable SSI, edit the apache2.conf:

sudo vi /etc/apache2/apache2.conf

Search for Directory and add Includes in Options directive:

<Directory /path/to/htdocs>
  Options -Indexes -Includes
  Order allow,deny
  Allow from all
</Directory>

Disable CGI execution

CGI Execution should also be disabled. Similar to SSI, you can disable CGI Execution in the apache2.conf by adding the -ExecCGI option.

<Directory /path/to/htdocs>
  Options -Indexes -Includes -ExecCGI
  Order allow,deny
  Allow from all
</Directory>

Disable Trace HTTP Request

Trace method is enable by default Apache. This allow Cross Site Tracing attack and potentially giving an option to hacker to steal cookie information. This should be disable.

To disable Trace method, edit the apache2.conf:

sudo vi /etc/apache2/apache2.conf

Add or update the TraceEnable to Off:

TraceEnable off

Disable Unnecessary Modules

Confirm Minimal Built-in Modules

By default, Apache installation minimizes the number of modules that are compiled into the core.

To make sure everything is properly installed, run the following command:

apache2 -l

The output should look like this:

core.c
mod_log_config.c
mod_logio.c
prefork.c
http_core.c
mod_so.c

If you have more modules than the one listed above, verify each modules and uninstall them if necessary.

Modules can be disabled by running the a2dismod command.

sudo a2dismod <module>
Module List

Here's a list of modules you can disable if you don't use them.

Module Description
userdir Mapping of requests to user-specific directories. i.e ~username in URL will get translated to a directory in the server.
include Server Side Includes
autoindex Displays directory listing when no index.html file is present
alias Mapping of requests to different filesystem parts
status Displays server stats
negotiation Content negotiation
filter Smart filtering of request
version Handling version information in config files using IfVersion
as-is as-is filetypes
auth_digest This module provides encrypted authentication sessions. However, this module is rarely used and considered experimental. Alternate methods of encrypted authentication are recommended, such as SSL. If the above functionality is unnecessary, comment out the related module.
setenvif Placing ENV vars on headers
authnz_ldap & ldap This module provides HTTP authentication via an LDAP directory
mime_magic This module provides a second layer of MIME support that in most configurations is likely extraneous
dav_module & dav_fs_module WebDAV is an extension of the HTTP protocol that provides distributed and collaborative access to web content. Due to a number of security concerns with WebDAV, its use is not recommended
info This module creates a web page illustrating the configuration of the web server. This is an unnecessary security leak and should be disabled
speling This module attempts to find a document match by allowing one misspelling in an otherwise failed request. If the above functionality is unnecessary, comment out the related module
proxy, proxy_balancer, proxy_ftp, proxy_http & proxy_connect This module provides proxying support, allowing Apache to forward requests and serve as a gateway for other servers
cache, disk_cache, file_cache and mem_cache This module allows Apache to cache data, optimizing access to frequently accessed content. However, not only is it an experimental module, but it also introduces potential security flaws into the web server such as the possibility of circumventing Allow and Deny directives
ext_filter Response passed through external program prior to client delivery
headers HTTP Response/Request Header Customization
usertrack User activity monitoring via cookies
vhost_alias Dynamically configured mass virtual hosting
env Clearing/setting of ENV vars
cgi This module allows HTML to interact with the CGI web programming language
actions Action triggering on requests
suexec The suEXEC feature provides Apache users the ability to run CGI and SSI programs under user IDs different from the user ID of the calling web server

Example, you can run this command:

sudo a2dismod userdir include autoindex status negotiation version auth_digest authnz_ldap ldap dav_module dav_fs_module info speling proxy proxy_balancer proxy_ftp proxy_http proxy_connect cache disk_cache file_cache mem_cache usertrack vhost_alias cgi suexec

There might be more module installed, you can find out which one installed by running this command:

grep -r LoadModule /etc/apache2/mods-enabled/*

Enable Logging

Apache allows you to log web activity. It is important to enable Apache logging because it provides crutial information that can help you to find out about your traffic.

To enable logging, you need to include the mod_log_config module. There are three main logging-related directives available with Apache.

You can also setup web logs per virtual host:

<VirtualHost *:80>
 DocumentRoot /path/to/www/
 ServerName www.domain.com
 DirectoryIndex index.php
 ServerAlias domain.com
 ErrorDocument 404 /404.php
 ErrorLog /var/log/apache2/domain.com_error_log
 CustomLog /var/log/apache2/domain.com_access_log combined
</VirtualHost>l;

Harden Configuration

Disable Apache's Symbolic Links

Apache enables follows symlinks. It is recommended to turn it off using the FollowSymLinks Options directive.

<Directory /path/to/www>
 Options -FollowSymLinks
</Directory>l;

If you still need this feature, you can always enable it in your .htaccess for a specific website.

<Directory /path/to/another_www>
 Options +FollowSymLinks
</Directory>l;

Limit Request Size

Apache has no limit on the total size of the HTTP request. This means, unlimited data can be sent on any requests to the Apache server. This will allow hackers to send large amount of data and therefore, you will be a victim of Denial of service attacks. To fix this, you can set a limit in the LimitRequestBody directive.

You can set the value (in bytes) from 0 (which will be unlimited) to 2,147,483,647 (2GB).

<Directory "/path/to/www/">
 LimitRequestBody 512000
</Directory>

Timeout value configuration

This directive allows you to set the amount of time the server will wait for certain events to complete before it fails. The default value is 300 secs. It is recommended to keep this value low on those sites which are subject to DDOS attacks.

You can lower this to 45 seconds in your apache2.conf:

Timeout 45

Hide Apache Information

The ServerTokens and ServerSignature directives determine the information the web server will display about the configuration. This will restricts information in page headers, showing minimal information. It is recommended to limit the information provided to the world.

To fix this, edit the apache configuration:

sudo vi /etc/apache2/apache2.conf

Add or update the following lines:

ServerTokens Prod
ServerSignature Off
<IfModule mod_headers.c>
  Header unset Server
  Header unset X-Powered-By
</IfModule>

If you still want to show some information, here are your options you can use:

ServerToken Displays
Prod Apache
Major Apache/2
Minor Apache/2.2
Min Apache/2.2.17
OS Apache/2.2.17 (Unix)
Full Apache/2.2.17 (Unix) PHP/5.3.5

HTTP Request Methods

HTTP 1.1 protocol support many request methods which may not be required. Some of them have a potential risk. It is recommended to only enable the GET, HEAD, POST request methods.

Default apache configuration support OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, CONNECT method in HTTP 1.1 protocol.

To fix this, edit the apache configuration:

sudo vi /etc/apache2/apache2.conf

Look for the Directory and add following (inside the <Directory>):

<LimitExcept GET POST HEAD>
 deny from all
</LimitExcept>
Example
<Location />
 Order allow,deny
 Allow from all
 <LimitExcept HEAD POST GET>
  Deny from all
 </LimitExcept>
</Location>

HTTPOnly Cookie

You can avoid most of the common attacks (like Cross Site Scripting, cookies attacks, cookies injections) by using HttpOnly and Secure flag in cookie. Without these, it is very easy to steal cookies information.

To fix this, edit the apache configuration:

sudo vi /etc/apache2/apache2.conf

And add this code:

<IfModule mod_headers.c>
 Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
</IfModule>

ModSecurity

For complete detail on how to install ModSecurity, please visit:

http://www.thefanclub.co.za/how-to/how-install-apache2-modsecurity-and-modevasive-ubuntu-1204-lts-server

Protect Apache

Run Apache as separate User and Group

Apache runs its process with a default user account and group. For many security reasons, it is recommended to run change this and let Apache runs with its own non-privileged account.

For example, let's create the uesr and group: webuser.

Create Apache User and Group:
sudo groupadd webuser
sudo useradd -d /var/www/ -g webuser -s /bin/nologin webuser

Make sure Apache knows this setting by editing the etc/apache2/envvars.

sudo vi etc/apache2/envvars

Edit the User and Group settings:

User webuser
Group webuser

Restrict local access

It is safe to restrict the access to the Apache files and folders. You can restrict the access by executing the following command:

sudo chown -R 750 /etc/apache2/bin /etc/apache2/conf
sudo chmod 511 /usr/sbin/apache2
sudo chmod 750 /var/log/apache2/
sudo chmod 750 /etc/apache2/conf/
sudo chmod 640 /etc/apache2/conf/*
sudo chgrp -R <MyApacheUser> /etc/apache2/conf

Restrict Directories Access

It is important to restrict access to directories using the Allow and Deny options. The first thing to do is to secure the / folder.

Here's how to secure the root directory. Now, open the apache2.conf file.

sudo vi /etc/apache2/apache2.conf

And add the following lines:

<Directory />
 Options None
 Order deny,allow
 Deny from all
</Directory>

These options means:

Then restart apache:

sudo /etc/init.d/apache2 restart

Disable Directory Listing

Apache list all the content of Document root directory in the absence of directory index file. To fix this, simply add this in your apache2.conf file.

<Directory /var/www/html>
    Options -Indexes
</Directory>

SSL Certificates

You can secure your all the communication by encrypting data using a SSL certificate. With a SSL certificates, Apache sends all this information in encrypted text.

You can purchase SSl certificates from So many different SSL providers or you can create your own.

openssl genrsa -des3 -out mydomain.com.key 1024
openssl req -new -key mydomain.com.key -out exmaple.csr
openssl x509 -req -days 365 -in mydomain.com.com.csr -signkey mydomain.com.com.key -out mydomain.com.com.crt

After your certificate has been created and signed, you can add it to the Apache configuration.

You will need to open the /etc/apache2/sites-available/ file that belongs to your site:

sudo vi /etc/apache2/sites-available/mydomain.com.conf

And add the following code (might need some changes):

<VirtualHost 1.1.1.1:443>
 SSLEngine on
 SSLCertificateFile /path/to/certs/mydomain.com.crt
 SSLCertificateKeyFile /path/to/certs/mydomain.com.key
 SSLCertificateChainFile /path/to/certs/sf_bundle.crt
 ServerAdmin admin@mydomain.com
 ServerName mydomain.com
 DocumentRoot /path/to/mydomain/www/
 ErrorLog /var/log/www/mydomain.com-ssl-error_log
 CustomLog /var/log/www/mydomain.com-ssl-access_log common
</VirtualHost>

Now, you can open your site using https.

XSS Protection

Cross Site Scripting (XSS) protection can be avoided in many browsers. You can force apply this protection for web application if it was disabled by the user.

To fix this, edit the apache configuration:

sudo vi /etc/apache2/apache2.conf

And add the following line:

<IfModule mod_headers.c>
 Header set X-XSS-Protection "1; mode=block"
</IfModule>

Restart Apache:

sudo /etc/init.d/apache2 restart